Shared control plane (single-network)

Follow this guide to install an Istio multicluster service mesh where the Kubernetes cluster services and the applications in each cluster have the capability to expose their internal Kubernetes network to other clusters.

In this configuration, multiple Kubernetes clusters running a remote configuration connect to a shared Istio control plane. Once one or more remote Kubernetes clusters are connected to the Istio control plane, Envoy can then form a mesh network across multiple clusters.

Istio mesh spanning multiple Kubernetes clusters with direct network access to remote pods over VPN

Prerequisites

  • Two or more clusters running a supported Kubernetes version (1.13, 1.14, 1.15).

  • The ability to deploy the Istio control plane on one of the clusters.

  • An RFC1918 network, VPN, or an alternative more advanced network technique meeting the following requirements:

    • Individual cluster Pod CIDR ranges and service CIDR ranges must be unique across the multicluster environment and may not overlap.

    • All pod CIDRs in every cluster must be routable to each other.

    • All Kubernetes control plane API servers must be routable to each other.

  • Helm 2.10 or newer. The use of Tiller is optional.
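The CIDR uniqueness requirement above can be checked before any cluster is joined to the mesh. The following is an added example, not part of the Istio documentation or repository; the cluster names and ranges in `CLUSTERS` are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumption): cluster name -> its pod and service CIDRs.
CLUSTERS = {
    "main":     {"pod": "10.0.0.0/16",   "service": "10.96.0.0/20"},
    "remote-1": {"pod": "10.1.0.0/16",   "service": "10.97.0.0/20"},
    "remote-2": {"pod": "10.1.128.0/17", "service": "172.16.0.0/20"},
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def flatten(clusters):
    """Return [(label, network)] for every range, rejecting malformed CIDRs."""
    ranges = []
    for name, cidrs in clusters.items():
        for kind, cidr in cidrs.items():
            # strict=True raises ValueError when host bits are set (e.g. 10.0.0.1/16).
            ranges.append((f"{name}/{kind}", ipaddress.ip_network(cidr, strict=True)))
    return ranges


def find_overlaps(clusters):
    """Every pair of ranges sharing at least one address, within or across clusters."""
    return [(a, b) for (a, na), (b, nb) in combinations(flatten(clusters), 2)
            if na.version == nb.version and na.overlaps(nb)]


def outside_rfc1918(clusters):
    """Ranges not fully inside an RFC 1918 block. Informational only: the
    prerequisites also allow a VPN or another routing technique."""
    return [label for label, net in flatten(clusters)
            if net.version != 4 or not any(net.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    for a, b in find_overlaps(CLUSTERS):
        print(f"OVERLAP: {a} and {b}")
    for label in outside_rfc1918(CLUSTERS):
        print(f"NOT RFC1918: {label}")
```

With the sample inventory, the check reports that the pod range of `remote-2` falls inside the pod range of `remote-1`, which violates the uniqueness requirement.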

This guide describes how to install a multicluster Istio topology using the manifests and Helm charts provided within the Istio repository.

Deploy the local control plane

Install the Istio control plane on one Kubernetes cluster.

Install the Istio remote

You must deploy the istio-remote component to each remote Kubernetes cluster. You can install the component in one of two ways:

  • Use the following command on the remote cluster to install the Istio control plane service endpoints:

      $ istioctl manifest apply \
          --set profile=remote \
          --set values.global.remotePilotAddress=${PILOT_POD_IP} \
          --set values.global.remotePolicyAddress=${POLICY_POD_IP} \
          --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP}

All clusters must have the same namespace for the Istio components. It is possible to override the istio-system name on the main cluster as long as the namespace is the same for all Istio components in all clusters.

  • The following command example labels the default namespace. Use similar commands to label all the remote cluster’s namespaces requiring automatic sidecar injection.

      $ kubectl label namespace default istio-injection=enabled

Repeat for all Kubernetes namespaces that need to set up automatic sidecar injection.

Related content

Google Kubernetes Engine

Set up a multicluster mesh over two GKE clusters.

IBM Cloud Private

Example multicluster mesh over two IBM Cloud Private clusters.

Shared control plane (multi-network)

Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for disconnected cluster networks.

Replicated control planes

Install an Istio mesh across multiple Kubernetes clusters with replicated control plane instances.

Multi-mesh deployments for isolation and boundary protection

Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.

Version Routing in a Multicluster Service Mesh

Configuring Istio route rules in a multicluster service mesh.