K8s 生产环境中运行 Istio 得到的经验

0 点赞

0 收藏

0下载

ccone

发布于

1862

人观看

信息技术

挪威福利管理局已经从现有的Kubernestes集群转变为在公共云中运行生产应用程序。在这次旅程中，我们将Istio带入了我们的开源平台。在本演示中，我们将讨论我们在多云生产环境中运行Istio的经验，这些环境包括内部集群和Google Kubernetes Engine。我们将关注如何使用Istio来控制服务之间的流量，相互TLS，Istio RBAC，描述我们在路上遇到的挑战以及我们如何解决它们。

展开查看详情

1. Experiences from running Istio in a k8s production environment Line Moseng Johnny Horvi @linemoseng Norwegian Labour and Welfare Administration

2.5,2 million

6.nais.io github.com/nais

7.CD

8. logs metrics alerts events secrets cache app storage runtime deploy

10.

11.internal external gke dev dev dev prod prod prod on-prem public cloud

12.internal external dev dev prod prod on-prem

13.internal external DMZ internet

14. Zone app app app app app app

15. app app app app app app

16.

17.mTLS as a service Telemetry

18.

19.0.5

20.0.8

21.app

22.

23.app

24.app

25. apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension app spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } probes: { liveness: … } ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a

26. apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension app spec: image: navikt/app:1 m l port: 8080 . ya is replicas: { min: 2, max: 4 } a probes: { liveness: … } n ingresses: - app.dev-gke.nais.io egresses: - svc-not-in-mesh.nav.local secrets: true accessPolicy: inbound: - name: consumer-a

27. deployment cluster virtualservice autoscaler service application serviceentry kubectl apply -f nais.yaml networkpolicy servicerole servicerolebinding

28.apiVersion: "nais.io/v1alpha1" kind: "Application" metadata: name: app labels: team: pension spec: image: navikt/app:1 port: 8080 replicas: { min: 2, max: 4 } Ro probes: { liveness: … } ing ingresses: le ind - app.dev-gke.nais.io egresses: leB - svc-not-in-mesh.nav.local secrets: true Ro accessPolicy: inbound: - name: consumer-a

29.apiVersion: "nais.io/v1alpha1" deployment kind: "Application" metadata: name: app virtualservice labels: team: pension spec: autoscaler image: navikt/app:1 port: 8080 service replicas: { min: 2, max: 4 } probes: { liveness: … } ingresses: serviceentry - app.dev-gke.nais.io egresses: networkpolicy - svc-not-in-mesh.nav.local secrets: true accessPolicy: servicerole inbound: - name: consumer-a servicerolebinding

0 点赞

0 收藏

0下载