1. Overview
- This post describes how to install Istio.
- The installation environment is EKS.
2. Download and Install
$ curl -sL https://istio.io/downloadIstioctl | sh -
Downloading istioctl-1.14.1 from https://github.com/istio/istio/releases/download/1.14.1/istioctl-1.14.1-linux-amd64.tar.gz ...
istioctl-1.14.1-linux-amd64.tar.gz download complete!
Add the istioctl to your path with:
  export PATH=$PATH:$HOME/.istioctl/bin
Begin the Istio pre-installation check by running:
  istioctl x precheck
Need more information? Visit https://istio.io/docs/reference/commands/istioctl/
Once the download has completed successfully, copy the binary somewhere, as follows.
$ sudo cp ~/.istioctl/bin/istioctl /usr/local/bin
3. YAML File Configuration
3.1. YAML File
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istiocontrolplane
spec:
  profile: default
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
    pilot:
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
  meshConfig:
    enableTracing: true
    defaultConfig:
      # Start the application container only after the sidecar proxy is ready
      holdApplicationUntilProxyStarts: true
    # Write Envoy access logs to the container's stdout
    accessLogFile: /dev/stdout
    outboundTrafficPolicy:
      # Allow outbound traffic only to services known to the mesh registry
      mode: REGISTRY_ONLY
3.2. Installing from the YAML File
$ istioctl install -f istio.yaml
This will install the Istio 1.14.1 default profile with ["Istio core" "Istiod" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
- Processing resources for Istiod. Waiting for Deployment/istio-system/istiod
However, the installation did not complete successfully.
3.3. Troubleshooting
$ istioctl install -f istio.yaml
This will install the Istio 1.14.1 default profile with ["Istio core" "Istiod" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✘ Istiod encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
✘ Egress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
  Deployment/istio-system/istio-egressgateway (container failed to start: ContainerCreating: )
✘ Ingress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
  Deployment/istio-system/istio-ingressgateway (container failed to start: ContainerCreating: )
- Pruning removed resources
Error: failed to install manifests: errors occurred during operation
However, checking the Namespaces and Pods shows that the resources are at least being created. Presumably it got stuck during Pod creation.
$ kubectl get ns
NAME              STATUS   AGE
default           Active   5h11m
istio-system      Active   12m
kube-node-lease   Active   5h11m
kube-public       Active   5h11m
kube-system       Active   5h11m
$ kubectl get pods -A
NAMESPACE      NAME                                   READY   STATUS              RESTARTS   AGE
istio-system   istio-egressgateway-f48d65b7b-9wxrk    0/1     ContainerCreating   0          7m29s
istio-system   istio-egressgateway-f48d65b7b-f7ldf    0/1     ContainerCreating   0          7m44s
istio-system   istio-ingressgateway-778f44479-6ql4q   0/1     ContainerCreating   0          7m44s
istio-system   istio-ingressgateway-778f44479-dvgzr   0/1     ContainerCreating   0          7m29s
istio-system   istiod-6d67d84bc7-4mn82                0/1     Pending             0          12m
istio-system   istiod-6d67d84bc7-5zksw                0/1     Pending             0          12m
kube-system    aws-node-5wz6c                         1/1     Running             0          5h2m
kube-system    aws-node-r6dbq                         1/1     Running             0          5h2m
kube-system    coredns-6dbb778559-wk9w2               1/1     Running             0          5h11m
kube-system    coredns-6dbb778559-z5ckv               1/1     Running             0          5h11m
kube-system    kube-proxy-2k56c                       1/1     Running             0          5h2m
kube-system    kube-proxy-7v9fb                       1/1     Running             0          5h2m
I checked the status of a Pod that was stuck at the container start stage.
Events:
  Type     Reason       Age                 From               Message
  ----     ------       ----                ----               -------
  Normal   Scheduled    10m                 default-scheduler  Successfully assigned istio-system/istio-egressgateway-f48d65b7b-9wxrk to ip-10-21-130-46.ap-northeast-2.compute.internal
  Warning  FailedMount  8m40s               kubelet            Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert], unattached volumes=[workload-socket egressgateway-ca-certs workload-certs istio-envoy config-volume egressgateway-certs podinfo kube-api-access-kmrb7 istio-token istio-data istiod-ca-cert]: timed out waiting for the condition
  Warning  FailedMount  6m25s               kubelet            Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert], unattached volumes=[egressgateway-ca-certs workload-certs istiod-ca-cert config-volume workload-socket istio-token istio-data egressgateway-certs istio-envoy podinfo kube-api-access-kmrb7]: timed out waiting for the condition
  Warning  FailedMount  4m9s                kubelet            Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert], unattached volumes=[workload-certs kube-api-access-kmrb7 config-volume istiod-ca-cert istio-token istio-data workload-socket egressgateway-certs egressgateway-ca-certs istio-envoy podinfo]: timed out waiting for the condition
  Warning  FailedMount  112s                kubelet            Unable to attach or mount volumes: unmounted volumes=[istiod-ca-cert], unattached volumes=[egressgateway-ca-certs podinfo workload-socket istio-token istio-data istio-envoy egressgateway-certs kube-api-access-kmrb7 workload-certs config-volume istiod-ca-cert]: timed out waiting for the condition
  Warning  FailedMount  27s (x13 over 10m)  kubelet            MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found
So, the problem is that istiod is not running. Let's look at the state of the pending istiod.
QoS Class:       Burstable
Node-Selectors:
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason            Age                 From               Message
  ----     ------            ----                ----               -------
  Warning  FailedScheduling  17s (x20 over 18m)  default-scheduler  0/2 nodes are available: 2 Insufficient memory.
The Pods were not scheduled because of insufficient memory.
I checked the memory settings.
$ kubectl edit replicaset/istiod-6d67d84bc7 -n istio-system
resources:
  requests:
    cpu: 500m
    memory: 2Gi
I changed the 2G memory to 512M.
$ kubectl get pods -A
NAMESPACE      NAME                                   READY   STATUS    RESTARTS   AGE
istio-system   istio-egressgateway-f48d65b7b-9wxrk    1/1     Running   0          21m
istio-system   istio-egressgateway-f48d65b7b-f7ldf    1/1     Running   0          22m
istio-system   istio-ingressgateway-778f44479-6ql4q   1/1     Running   0          22m
istio-system   istio-ingressgateway-778f44479-dvgzr   1/1     Running   0          21m
istio-system   istiod-5c6c78b9f6-gq924                0/1     Pending   0          65s
istio-system   istiod-5c6c78b9f6-v4rqv                0/1     Pending   0          65s
kube-system    aws-node-5wz6c                         1/1     Running   0          5h17m
kube-system    aws-node-r6dbq                         1/1     Running   0          5h17m
kube-system    coredns-6dbb778559-wk9w2               1/1     Running   0          5h25m
kube-system    coredns-6dbb778559-z5ckv               1/1     Running   0          5h25m
kube-system    kube-proxy-2k56c                       1/1     Running   0          5h17m
kube-system    kube-proxy-7v9fb                       1/1     Running   0          5h17m
Everything has switched to Running.
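The same memory request can be declared in istio.yaml rather than edited on the live ReplicaSet, so that a later istioctl install -f istio.yaml does not put the 2Gi request back. This is an added example, not part of the original post: it is the file from section 3.1 with a resources block added under pilot, reusing the 500m and 512M figures from this section and assuming 512Mi is enough for istiod in this cluster.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istiocontrolplane
spec:
  profile: default
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
    pilot:
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
        # Added: override the istiod resource requests shown in section 3.3.
        resources:
          requests:
            cpu: 500m
            memory: 512Mi   # the request seen on the cluster was 2Gi
  meshConfig:
    enableTracing: true
    defaultConfig:
      holdApplicationUntilProxyStarts: true
    accessLogFile: /dev/stdout
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
```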
4. Enabling Istio for a Specific Namespace
$ kubectl label namespace <namespace-name> istio-injection=enabled
namespace/community labeled