Experiences from running Istio in a K8s production environment
1. Experiences from running Istio in a k8s production environment. Line Moseng, Johnny Horvi (@linemoseng), Norwegian Labour and Welfare Administration
2. 5,2 million
6. nais.io, github.com/nais
7. CD
8. logs, metrics, alerts, events, secrets, cache, app, storage, runtime, deploy
11. internal, external; gke; dev, dev, dev; prod, prod, prod; on-prem, public cloud
12. internal, external; dev, dev; prod, prod; on-prem
13. internal, external; DMZ; internet
14. Zone: app, app, app, app, app, app
15. app, app, app, app, app, app
17. mTLS as a service, Telemetry
19. 0.5
20. 0.8
25. nais.yaml:

    apiVersion: "nais.io/v1alpha1"
    kind: "Application"
    metadata:
      name: app
      labels:
        team: pension
    spec:
      image: navikt/app:1
      port: 8080
      replicas: { min: 2, max: 4 }
      probes: { liveness: … }
      ingresses:
        - app.dev-gke.nais.io
      egresses:
        - svc-not-in-mesh.nav.local
      secrets: true
      accessPolicy:
        inbound:
          - name: consumer-a
27. kubectl apply -f nais.yaml: the Application is applied to the cluster and expanded into deployment, virtualservice, autoscaler, service, serviceentry, networkpolicy, servicerole, servicerolebinding
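As an added example (not code from the talk or from the nais platform), the following Python shows how the accessPolicy block of the nais.yaml above can be expanded into the networkpolicy, servicerole and servicerolebinding resources the slide lists, so that only consumer-a can reach the app at both the network layer and the mesh layer. The namespace example-ns, the app label selector and the assumption that a consumer's service account is named after it are constructed for the example.

```python
# Constructed from the nais.yaml on the slide (probes/ingresses/egresses omitted).
APPLICATION = {
    "apiVersion": "nais.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "app", "labels": {"team": "pension"}},
    "spec": {
        "image": "navikt/app:1",
        "port": 8080,
        "accessPolicy": {"inbound": [{"name": "consumer-a"}]},
    },
}

def _inbound(app):
    return app["spec"].get("accessPolicy", {}).get("inbound", [])

def network_policy(app, namespace="example-ns"):  # namespace is an assumption
    """L3/L4: only the listed consumers may reach the app's port; with
    policyTypes=[Ingress] every other source is denied by default."""
    name = app["metadata"]["name"]
    peers = [{"podSelector": {"matchLabels": {"app": c["name"]}}} for c in _inbound(app)]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": name}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": peers,
                         "ports": [{"protocol": "TCP", "port": app["spec"]["port"]}]}] if peers else [],
        },
    }

def service_role_and_binding(app, namespace="example-ns"):
    """L7 (Istio RBAC v1alpha1): one ServiceRole for this app's service and a
    ServiceRoleBinding to each consumer's service account (assumed to match its name)."""
    name = app["metadata"]["name"]
    role = {"apiVersion": "rbac.istio.io/v1alpha1", "kind": "ServiceRole",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"rules": [{"services": [f"{name}.{namespace}.svc.cluster.local"],
                                "methods": ["*"]}]}}
    binding = {"apiVersion": "rbac.istio.io/v1alpha1", "kind": "ServiceRoleBinding",
               "metadata": {"name": name, "namespace": namespace},
               "spec": {"subjects": [{"user": f"cluster.local/ns/{namespace}/sa/{c['name']}"}
                                     for c in _inbound(app)],
                        "roleRef": {"kind": "ServiceRole", "name": name}}}
    return role, binding

if __name__ == "__main__":
    import json
    print(json.dumps([network_policy(APPLICATION), *service_role_and_binding(APPLICATION)], indent=2))
```

An Application with no inbound entries yields a NetworkPolicy with an empty ingress list, which is a default deny for that pod rather than an open port.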