Shared control plane (single-network)
Follow this guide to install an Istio multicluster service mesh where the Kubernetes cluster services and the applications in each cluster have the capability to expose their internal Kubernetes network to other clusters.
In this configuration, multiple Kubernetes clusters running a remote configuration connect to a shared Istio control plane. Once one or more remote Kubernetes clusters are connected to the Istio control plane, Envoy can then form a mesh network across multiple clusters.
Prerequisites
Two or more clusters running a supported Kubernetes version (1.13, 1.14, 1.15).
The ability to deploy the Istio control plane on one of the clusters.
An RFC1918 network, VPN, or an alternative more advanced network technique meeting the following requirements:
Individual cluster Pod CIDR ranges and service CIDR ranges must be unique across the multicluster environment and may not overlap.
All pod CIDRs in every cluster must be routable to each other.
All Kubernetes control plane API servers must be routable to each other.
Helm 2.10 or newer. The use of Tiller is optional.
This guide describes how to install a multicluster Istio topology using the manifests and Helm charts provided within the Istio repository.
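A preflight check for the CIDR prerequisite above, as an added example that is not part of the Istio documentation: it parses every pod and service range in the planned mesh and reports any pair that overlaps. The cluster names and CIDR values are constructed sample data, and `find_cidr_conflicts` is a hypothetical helper name.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumed values, not from the Istio docs).
# Replace with the pod and service CIDRs each cluster was provisioned with.
CLUSTERS = {
    "main":    {"pod": "10.0.0.0/14",  "service": "10.4.0.0/20"},
    "remote1": {"pod": "10.8.0.0/14",  "service": "10.12.0.0/20"},
    "remote2": {"pod": "10.10.0.0/16", "service": "10.4.8.0/22"},
}


def find_cidr_conflicts(clusters):
    """Return (invalid, overlaps) for every pod/service range in the mesh.

    invalid:  [(label, cidr, reason)] for ranges that do not parse cleanly
    overlaps: [(label_a, label_b)] for every pair of ranges that intersect
    """
    parsed, invalid = [], []
    for cluster, cidrs in clusters.items():
        for kind, cidr in cidrs.items():
            label = f"{cluster}/{kind}"
            try:
                # strict=True rejects ranges with host bits set (10.0.0.1/14),
                # which usually indicates a typo in the inventory.
                parsed.append((label, ipaddress.ip_network(cidr, strict=True)))
            except ValueError as exc:
                invalid.append((label, cidr, str(exc)))
    # Compare every range with every other one, pod against service as well,
    # because both kinds must be unique across the whole environment.
    overlaps = [(a, b) for (a, na), (b, nb) in combinations(parsed, 2)
                if na.overlaps(nb)]
    return invalid, overlaps


if __name__ == "__main__":
    invalid, overlaps = find_cidr_conflicts(CLUSTERS)
    for label, cidr, reason in invalid:
        print(f"INVALID  {label}: {cidr} ({reason})")
    for a, b in overlaps:
        print(f"OVERLAP  {a} <-> {b}")
    # Non-zero exit lets a provisioning pipeline stop before clusters are joined.
    raise SystemExit(1 if invalid or overlaps else 0)
```

With the sample inventory, the check flags remote2's pod range (inside remote1's pod range) and remote2's service range (inside main's service range).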
Deploy the local control plane
Install the Istio control plane on one Kubernetes cluster.
Install the Istio remote
You must deploy the istio-remote component to each remote Kubernetes cluster. You can install the component in one of two ways:
- Use the following command on the remote cluster to install the Istio control plane service endpoints:
$ istioctl manifest apply \
--set profile=remote \
--set values.global.remotePilotAddress=${PILOT_POD_IP} \
--set values.global.remotePolicyAddress=${POLICY_POD_IP} \
--set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
All clusters must have the same namespace for the Istio components. It is possible to override the istio-system name on the main cluster as long as the namespace is the same for all Istio components in all clusters.
- The following command example labels the default namespace. Use similar commands to label all the remote cluster’s namespaces requiring automatic sidecar injection.
$ kubectl label namespace default istio-injection=enabled
Repeat for all Kubernetes namespaces that need to set up automatic sidecar injection.