Experiences from running Istio in a K8s production environment
ccone
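The Norwegian Labour and Welfare Administration has moved from its existing Kubernetes clusters to running production applications in the public cloud. On this journey, we brought Istio into our open-source platform. In this presentation, we will discuss our experiences of running Istio in a multi-cloud production environment that includes on-premises clusters and Google Kubernetes Engine. We will focus on how we use Istio to control traffic between services, on mutual TLS and on Istio RBAC, and describe the challenges we met along the way and how we solved them.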

1 . Experiences from running Istio in a k8s production environment Line Moseng Johnny Horvi @linemoseng Norwegian Labour and Welfare Administration

2 .5,2 million

3 .

4 .

5 .

6 .nais.io github.com/nais

7 .CD

8 . logs metrics alerts events secrets cache app storage runtime deploy

9 .

10 .

11 .internal external gke dev dev dev prod prod prod on-prem public cloud

12 .internal external dev dev prod prod on-prem

13 .internal external DMZ internet

14 . Zone app app app app app app

15 . app app app app app app

16 .

17 .mTLS as a service Telemetry

18 .

19 .0.5

20 .0.8

21 .app

22 .

23 .app

24 .app

25 . (label on slide: app)

    apiVersion: "nais.io/v1alpha1"
    kind: "Application"
    metadata:
      name: app
      labels:
        team: pension
    spec:
      image: navikt/app:1
      port: 8080
      replicas: { min: 2, max: 4 }
      probes: { liveness: … }
      ingresses:
        - app.dev-gke.nais.io
      egresses:
        - svc-not-in-mesh.nav.local
      secrets: true
      accessPolicy:
        inbound:
          - name: consumer-a

26 . (labels on slide: nais.yaml, app)

    apiVersion: "nais.io/v1alpha1"
    kind: "Application"
    metadata:
      name: app
      labels:
        team: pension
    spec:
      image: navikt/app:1
      port: 8080
      replicas: { min: 2, max: 4 }
      probes: { liveness: … }
      ingresses:
        - app.dev-gke.nais.io
      egresses:
        - svc-not-in-mesh.nav.local
      secrets: true
      accessPolicy:
        inbound:
          - name: consumer-a

27 . deployment cluster virtualservice autoscaler service application serviceentry kubectl apply -f nais.yaml networkpolicy servicerole servicerolebinding

28 . (labels on slide: Role, RoleBinding)

    apiVersion: "nais.io/v1alpha1"
    kind: "Application"
    metadata:
      name: app
      labels:
        team: pension
    spec:
      image: navikt/app:1
      port: 8080
      replicas: { min: 2, max: 4 }
      probes: { liveness: … }
      ingresses:
        - app.dev-gke.nais.io
      egresses:
        - svc-not-in-mesh.nav.local
      secrets: true
      accessPolicy:
        inbound:
          - name: consumer-a

29 . (labels on slide: deployment, virtualservice, autoscaler, service, serviceentry, networkpolicy, servicerole, servicerolebinding)

    apiVersion: "nais.io/v1alpha1"
    kind: "Application"
    metadata:
      name: app
      labels:
        team: pension
    spec:
      image: navikt/app:1
      port: 8080
      replicas: { min: 2, max: 4 }
      probes: { liveness: … }
      ingresses:
        - app.dev-gke.nais.io
      egresses:
        - svc-not-in-mesh.nav.local
      secrets: true
      accessPolicy:
        inbound:
          - name: consumer-a
