红帽全球峰会6.4. 部署多个 control plane
对于多个 control plane,您可以扩展支持。单个集群中的服务网格的最大数量取决于可用的集群资源。
6.4.1. 部署第一个 control plane
您可以通过创建分配的命名空间来部署第一个 control plane。
步骤
运行以下命令,为名为
istio-system-1的第一个 Istio control plane 创建命名空间:$ oc new-project istio-system-1运行以下命令,在第一个命名空间中添加以下标签,该命名空间与 Istio
discoverySelectors字段一起使用:$ oc label namespace istio-system-1 istio-discovery=mesh-1创建名为
istio-1.yaml的 YAML 文件,名称为mesh-1,discoverySelector为mesh-1:配置示例
kind: Istio apiVersion: sailoperator.io/v1 metadata: name: mesh-1 spec: namespace: istio-system-1 values: meshConfig: discoverySelectors: - matchLabels: istio-discovery: mesh-1 # ...运行以下命令来创建第一个
Istio资源:$ oc apply -f istio-1.yaml要限制
mesh-1中的工作负载与网格之间的解密流量自由通信,请部署PeerAuthentication资源来强制实施mesh-1数据平面中的 mutual TLS (mTLS)流量。使用配置文件(如peer-auth-1.yaml)在istio-system-1命名空间中应用PeerAuthentication资源:$ oc apply -f peer-auth-1.yaml配置示例
apiVersion: security.istio.io/v1 kind: PeerAuthentication metadata: name: "mesh-1-peerauth" namespace: "istio-system-1" spec: mtls: mode: STRICT
6.4.2. 部署第二个 control plane
部署第一个 control plane 后,您可以通过创建分配的命名空间来部署第二个 control plane。
步骤
运行以下命令,为名为
istio-system-2的第二个 Istio control plane 创建一个命名空间:$ oc new-project istio-system-2运行以下命令,在第二个命名空间中添加以下标签,该命名空间与 Istio
discoverySelectors字段一起使用:$ oc label namespace istio-system-2 istio-discovery=mesh-2创建名为
istio-2.yaml的 YAML 文件:配置示例
kind: Istio apiVersion: sailoperator.io/v1 metadata: name: mesh-2 spec: namespace: istio-system-2 values: meshConfig: discoverySelectors: - matchLabels: istio-discovery: mesh-2 # ...运行以下命令来创建第二个
Istio资源:$ oc apply -f istio-2.yaml运行以下命令,为
istio-system-2命名空间中的工作负载部署策略,使其只接受 mutual TLS 流量peer-auth-2.yaml:$ oc apply -f peer-auth-2.yaml配置示例
apiVersion: security.istio.io/v1 kind: PeerAuthentication metadata: name: "mesh-2-peerauth" namespace: "istio-system-2" spec: mtls: mode: STRICT
6.4.3. 验证多个 control plane
验证 Istio control plane 都已部署并运行。您可以验证 istiod pod 是否在每个 Istio 系统命名空间中运行。
运行以下命令,验证工作负载是否已分配给
istio-system-1中的 control plane:$ oc get pods -n istio-system-1输出示例
NAME READY STATUS RESTARTS AGE istiod-mesh-1-b69646b6f-kxrwk 1/1 Running 0 4m14s运行以下命令,验证工作负载是否已分配给
istio-system-2中的 control plane:$ oc get pods -n istio-system-2输出示例
NAME READY STATUS RESTARTS AGE istiod-mesh-2-8666fdfc6-mqp45 1/1 Running 0 118s
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}