Open in app

Sign in

Write

Sign in

Using Istio to support Service Mesh on Multiple Alibaba Cloud Kubernetes Clusters

Alibaba Cloud
5 min readSep 14, 2018

An important objective of Istio is to support the hybrid environment. For example, services can run on the Alibaba Cloud Container Service, a local Kubernetes cluster, or other services of the public cloud.Istio can provide a uniform view for the entire service platform, manage connections between these environments, and ensure security of these connections.The Istio multi-cluster feature allows you to add multiple Kubernetes to a single mesh and enable the service discovery function across clusters.According to the official introduction, Istio will also support global cluster-level load balancing and non-flat networks through gateway equivalent interconnection.

This article uses an example to describe how Alibaba Cloud Container Service implements application and service hybrid orchestration in multiple Kubernetes clusters based on Istio.You will see that after the Istio control plane is installed in a Kubernetes cluster and Istio is connected to two Kubernetes clusters, a mesh network is generated across multiple Kubernetes clusters.

Prepare the Kubernetes Clusters

Alibaba Cloud Container Service for Kubernetes V1.10.4 has been released. You can use the container service console to conveniently and quickly create a Kubernetes cluster.For more information about the process, see create a Kubernetes cluster.

Install and configure kubectl. Ensure that kubectl can connect to the Kubernetes clusters and the following network requirements are met:

  1. The pod CIDR range and service CIDR range of each cluster must be unique and cannot overlap with each other.
  2. All pod CIDRs in every cluster must be routable to each other.
  3. All Kubernetes control plane API servers must be routable to each other.
| Cluster | ContainerCIDR | ServiceCIDR | 
| -------------------------| --------------------- | --------------------- | 
| Istio-control-plane | 172.16.0.0/16 |172.19.0.0/20 |
| Istio-remote1 | 172.20.0.0/16 |172.21.0.0/20 |

You can obtain files involved in this example by clicking here.

Remote Cluster Configuration

The Istio control plane needs to access all clusters in the mesh to implement service discovery.The following describes how to create a service account in the remote cluster and grant it essential RBAC permissions. Later, the credential of this service account will be used to generate a kubeconfig file. In this way, the remote cluster can be accessed.

The following process should be executed in every cluster to be added to the service mesh.This process must be completed by the administrator of each cluster.Run the generate-kubeconfig.sh command. The parameter is the unique identifier that describes the related cluster.

./generate-kubeconfig.sh myremote1

After these steps are completed, the kubeconfig file of the remote cluster is created in the current directory.The file name of the cluster is consistent with the cluster name in the original kubeconfig file.

Control Plane Cluster Configuration

In the cluster that runs the Istio control plane, create a secret for each remote cluster:

./create-secret.sh myremote1

Install the Istio Control Plane

You can use the application catalog to conveniently deploy Istio.Click App Catalog on the left-side navigation bar, and select ack-istio on the right side. On the displayed page,select the namespace istio-system, and click Parameters to modify parameter settings for custom installation.

......
   istio-ilbgateway:
      enabled: true
......

Note: This document provides important information for installation and uninstallation, especially frequently-seen custom resource definition (CRD) version problems.

Install the Istio Remote Component

Run the following script to obtain the connection information of the control plane:

export PILOT_POD_IP=$(kubectl -n istio-system get pod -l istio=pilot -o jsonpath='{.items[0].status.podIP}')
export POLICY_POD_IP=$(kubectl -n istio-system get pod -l istio=mixer -o jsonpath='{.items[0].status.podIP}')
export STATSD_POD_IP=$(kubectl -n istio-system get pod -l istio=statsd-prom-bridge -o jsonpath='{.items[0].status.podIP}')
export TELEMETRY_POD_IP=$(kubectl -n istio-system get pod -l istio-mixer-type=telemetry -o jsonpath='{.items[0].status.podIP}')
export ZIPKIN_POD_IP=$(kubectl -n istio-system get pod -l app=jaeger -o jsonpath='{.items[0].status.podIP}')
echo "remotePilotAddress: $PILOT_POD_IP"
echo "remotePolicyAddress: $POLICY_POD_IP"
echo "remoteStatsdPromBridge: $STATSD_POD_IP"
echo "remoteTelemetryAddress: $TELEMETRY_POD_IP"
echo "remoteZipkinAddress: $ZIPKIN_POD_IP"

Click App Catalog on the left-side navigation bar, and select ack-istio-remote on the right side. On the displayed page,select the namespace istio-system, and click Parameters to modify parameter settings based on the obtained information for custom installation.

envoyStatsd:
      enabled: false
      host: "$remoteStatsdPromBridge"
  # Remote Istio endpoints.Can be hostnames or IP addresses
  # The Pilot address is required.The others are optional.
  remotePilotAddress: "$remotePilotAddress"
  remotePolicyAddress: "$remotePolicyAddress"
  remoteTelemetryAddress: "$remoteTelemetryAddress"
  remoteZipkinAddress: "$remoteZipkinAddress"

Install the Example in the Cluster Istio-control-plane

Use the following command line or console to create a namespace bookinfo, and deploy the modified application.In the modified version, the details component is deleted, and ingressgateway is defined.

You can obtain files involved in this example by clicking here.

kubectl create ns bookinfo

kubectl label namespace bookinfo istio-injection=enabled
kubectl apply -n bookinfo -f ./bookinfo/bookinfo-without-details.yaml
kubectl apply -n bookinfo -f ./bookinfo/bookinfo-gateway.yaml

For the deployment modified based on the official example, the details component runs in the Kubernetes cluster Istio-control-plane that is installed on the Istio local control plane, and the details component runs in another Kubernetes cluster Istio-remote-1.

After the application runs normally, use the address exposed by ingressgateway to visit the /productpage page. The page should look similar to the following figure, where the details part cannot be displayed normally. This is because the details component is not installed in the cluster Istio-remote-1 and added to the same mesh yet.

Install the Example in the Cluster Istio-remote-1

Use the same method to install the details part of the example application in the cluster Istio-remote-1. You can obtain the YAML file by clicking here.

kubectl apply -n bookinfo -f ./bookinfo/bookinfo-details.yaml

Then, the details service is registered on the control plane. You can check whether the response of {pilot-ipAddress}:8080/v1/registration contains the details service:

Visit the /productpage page again. The page should look similar to the following figure, where the details part should be displayed normally:

Summary

This article uses an official example to describe how Alibaba Cloud Container Service implements application and service hybrid orchestration in multiple Kubernetes clusters based on Istio.You will see that after the Istio control plane is installed in a Kubernetes cluster and Istio is connected to two Kubernetes clusters, a mesh network is generated across multiple Kubernetes clusters.

You are welcome to use Alibaba Cloud Container Service for Kubernetes to quickly build an Istio open platform and integrate Istio to microservice development in your project.

Reference:

https://www.alibabacloud.com/blog/using-istio-to-support-service-mesh-on-multiple-alibaba-cloud-kubernetes-clusters_593913?spm=a2c4.12014617.0.0

Alibabacloud
Container Service
Ecs
Kubernetes
Istio

--

--

Alibaba Cloud

Written by Alibaba Cloud

5.5K Followers

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams