author | QiLiang <liangqi1@huawei.com> | 2018-03-07 14:45:30 +0800 |
---|---|---|
committer | QiLiang <liangqi1@huawei.com> | 2018-03-08 09:09:03 +0800 |
commit | cf66279af8fb33c9bb410777c16218cadbf4dcd6 (patch) | |
tree | 63de6e29d6125e9b1e2631f170a462ee983b52bc | |
parent | d96399015d64132b24f43a7fdd376a6fb109e28a (diff) |
Basic setup for istio sidecar auto injection
To enable auto sidecar injection on a specific namespace,
you only need to label the namespace with `istio-injection=enabled`, e.g.:
kubectl label namespace default istio-injection=enabled
For details, please refer to:
https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection
Change-Id: I2059aa0be2ab3f4f942342850d286281c5f940d4
Signed-off-by: QiLiang <liangqi1@huawei.com>
-rwxr-xr-x | src/vagrant/kubeadm_istio/istio/deploy.sh | 21 | ||||
-rw-r--r-- | src/vagrant/kubeadm_istio/master_setup.sh | 23 |
2 files changed, 41 insertions, 3 deletions
diff --git a/src/vagrant/kubeadm_istio/istio/deploy.sh b/src/vagrant/kubeadm_istio/istio/deploy.sh
index 051497c..3dd1426 100755
--- a/src/vagrant/kubeadm_istio/istio/deploy.sh
+++ b/src/vagrant/kubeadm_istio/istio/deploy.sh
@@ -37,15 +37,30 @@ source ~/.bashrc
 kubectl apply -f install/kubernetes/istio.yaml
+# Install the sidecar injection configmap
+./install/kubernetes/webhook-create-signed-cert.sh \
+ --service istio-sidecar-injector \
+ --namespace istio-system \
+ --secret sidecar-injector-certs
+kubectl apply -f install/kubernetes/istio-sidecar-injector-configmap-release.yaml
+
+# Install the sidecar injector webhook
+cat install/kubernetes/istio-sidecar-injector.yaml | \
+ ./install/kubernetes/webhook-patch-ca-bundle.sh > \
+ install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml
+kubectl apply -f install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml
+kubectl -n istio-system get deployment -listio=sidecar-injector
+
 # Validate the installation
 kubectl get svc -n istio-system
 kubectl get pods -n istio-system
+kubectl get namespace -L istio-injection
-r="0"
-while [ $r -ne "4" ]
+r="1"
+while [ $r -ne "0" ]
 do
 kubectl get pods -n istio-system
- r=$(kubectl get pods -n istio-system | grep Running | wc -l)
+ r=$(kubectl get pods -n istio-system | egrep -v 'NAME|Running' | wc -l)
 sleep 60
 done
diff --git a/src/vagrant/kubeadm_istio/master_setup.sh b/src/vagrant/kubeadm_istio/master_setup.sh
index b181582..f308244 100644
--- a/src/vagrant/kubeadm_istio/master_setup.sh
+++ b/src/vagrant/kubeadm_istio/master_setup.sh
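Review bot: In deploy.sh the rewritten wait loop counts the non-`Running` lines of `kubectl get pods`, so a failed kubectl call (for example while kube-apiserver is being restarted) produces empty output, `r` becomes 0 and the validation passes without a single pod having been checked. Capturing the output and testing the exit status first, e.g. `pods=$(kubectl get pods -n istio-system --no-headers) || { sleep 60; continue; }`, and then counting the lines of `$pods` that lack `Running`, avoids the vacuous pass. `Running` is only the pod phase, not readiness, and the loop has no retry limit, so a pod that never reaches that state hangs provisioning indefinitely. Separately, the output of the `cat … | ./install/kubernetes/webhook-patch-ca-bundle.sh > …` pipeline is applied unconditionally; unless the script enables `set -e` and `pipefail` above this hunk (not visible here), a failed patch step would still lead to `kubectl apply` of a webhook configuration without a valid CA bundle, so the pipeline status should be checked before applying.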
@@ -2,9 +2,32 @@ set -ex
+ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota"
+KUBE_APISERVER_CONF="/etc/kubernetes/manifests/kube-apiserver.yaml"
+
 sudo kubeadm init --apiserver-advertise-address=192.168.1.10 --service-cidr=10.96.0.0/16 --pod-network-cidr=10.32.0.0/12 --token 8c5adc.1cec8dbf339093f0
 mkdir ~/.kube
 sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config
 sudo chown $(id -u):$(id -g) $HOME/.kube/config
 kubectl apply -f http://git.io/weave-kube-1.6
+
+# Enable mutating webhook admission controller
+# kube-apiserver will be automatically restarted by kubelet when its manifest file update.
+# https://istio.io/docs/setup/kubernetes/sidecar-injection.html
+sudo sed -i "s/admission-control=.*/admission-control=$ADMISSION_CONTROL/g" $KUBE_APISERVER_CONF
+
+set +e
+# wait for kube-apiserver restart
+r="1"
+while [ $r -ne "0" ]
+do
+ sleep 2
+ kubectl version > /dev/null
+ r=$?
+done
+set -e
+
+# check if admissionregistration.k8s.io/v1beta1 API is enabled
+kubectl api-versions | grep admissionregistration
+ |
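Review bot: The wait loop that follows the `sed` can finish before kube-apiserver has actually been restarted, because `kubectl version` keeps succeeding against the old process until kubelet picks up the manifest change; the script may then continue with the previous admission plugins, and the loop has no retry limit. The closing `kubectl api-versions | grep admissionregistration` shows only that the API group is served, not that `MutatingAdmissionWebhook` is active, and `sed` exits 0 even when `admission-control=` does not occur in the manifest. A check on the manifest itself, such as `sudo grep -q "admission-control=$ADMISSION_CONTROL" "$KUBE_APISERVER_CONF"`, would make a non-matching substitution fail under `set -e`. The substitution also overwrites the whole plugin list that kubeadm generated, so any plugin kubeadm had enabled that is missing from `ADMISSION_CONTROL` is silently dropped; a comment such as `# must stay a superset of the kubeadm default admission plugins` above the variable would record that constraint.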