Prerequisites
If the cluster has only one node, it needs at least 6 CPUs, 6 GB of memory and 30 GB of disk storage.
If the cluster has multiple nodes, each node needs at least 2 CPUs, 4 GB of memory and 20 GB of disk storage.
You have a cluster running Kubernetes v1.25 or later.
Knative Serving deployment workflow
1. Deploy the Serving custom resource definitions
2. Deploy the Serving core components
3. Deploy a networking layer component
 1. Choose one of Istio, Contour or Kourier
4. (Optional) Configure DNS
5. (Optional) Deploy Serving extensions
 1. HPA: support for the Kubernetes HPA
 2. Cert Manager: automatic TLS certificate issuance for workloads
 3. Encrypt HTTP01: automatic TLS certificate issuance for workloads
6. Deploy kn
Deploy the Knative Serving custom resource definitions
# kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.11.1/serving-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/configurations.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/clusterdomainclaims.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/domainmappings.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/ingresses.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/metrics.autoscaling.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/podautoscalers.autoscaling.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/revisions.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/routes.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/serverlessservices.networking.internal.knative.dev created
customresourcedefinition.apiextensions.k8s.io/services.serving.knative.dev created
customresourcedefinition.apiextensions.k8s.io/images.caching.internal.knative.dev created
Deploy the Knative Serving core components
Download the Knative Serving core components manifest
# wget https://github.com/knative/serving/releases/download/knative-v1.11.1/serving-core.yaml
Replace gcr.io with the mirror gcr.dockerproxy.com
# sed -i 's@gcr.io@gcr.dockerproxy.com@g' serving-core.yaml
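Pointing the manifest at a mirror is a supply-chain decision: the mirror is trusted to serve the same bytes, and the only thing that enforces that is the @sha256 digest on each image reference. The script below is an added example (not code from this post or from the Knative project) that performs the same substitution into a new file and refuses to proceed if any reference to the mirror is left without a digest; the sample manifest fragment, the file paths and the all-zero queue digest are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or the Knative project.
# Rewrites the registry host in a Knative manifest to a mirror (the same
# substitution as the sed above, written to a new file) and then checks that
# every reference to the mirror is still pinned to an @sha256 digest, so the
# mirror can only serve the exact bytes the release was built from.
# The sample manifest, file paths and the mirror host are constructed.

# rewrite_registry IN OUT OLD NEW: substitute OLD host with NEW, keep IN intact.
rewrite_registry() {
  sed "s@$3@$4@g" "$1" > "$2"
}

# digest_pinned FILE HOST: succeed only if every line mentioning HOST also
# carries an @sha256:<64 hex> digest. This covers "image:" keys and env
# values such as QUEUE_SIDECAR_IMAGE that hold image references too.
digest_pinned() {
  refs=$(grep -cF "$2" "$1" || true)
  pinned=$(grep -F "$2" "$1" | grep -c '@sha256:[0-9a-f]\{64\}' || true)
  [ "$refs" -gt 0 ] && [ "$refs" -eq "$pinned" ]
}

# old_registry_absent FILE HOST: succeed if no reference to HOST is left.
old_registry_absent() {
  ! grep -qF "$2" "$1"
}

# write_sample_manifest FILE pinned|unpinned: constructed fragment of
# serving-core.yaml. The activator digest is the one shown in this post;
# the queue digest is an all-zero placeholder, not a real value.
write_sample_manifest() {
  cat > "$1" <<'EOF'
        image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:8e81f9c6646454b5e50557458768b8bfe369a21bb5362598d53644155c5676db
        - name: QUEUE_SIDECAR_IMAGE
          value: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
  if [ "$2" = unpinned ]; then
    # A tag-only reference: a mirror could serve different content under it.
    echo '        image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook:v1.11.1' >> "$1"
  fi
}

# Stand-alone run: rewrite the constructed manifest and report the result.
demo() {
  tmp=$(mktemp -d)
  write_sample_manifest "$tmp/serving-core.yaml" pinned
  rewrite_registry "$tmp/serving-core.yaml" "$tmp/serving-core.mirror.yaml" gcr.io gcr.dockerproxy.com
  if digest_pinned "$tmp/serving-core.mirror.yaml" gcr.dockerproxy.com \
     && old_registry_absent "$tmp/serving-core.mirror.yaml" gcr.io; then
    echo "ok: every mirror reference is digest-pinned, safe to kubectl apply"
  else
    echo "refusing to apply: unpinned or leftover registry references" >&2
  fi
  rm -rf "$tmp"
}
demo
```

On the real serving-core.yaml, run digest_pinned against the rewritten file before the kubectl apply step that follows.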
Deploy the Knative Serving core components
# kubectl apply -f serving-core.yaml
namespace/knative-serving created
role.rbac.authorization.k8s.io/knative-serving-activator created
clusterrole.rbac.authorization.k8s.io/knative-serving-activator-cluster created
clusterrole.rbac.authorization.k8s.io/knative-serving-aggregated-addressable-resolver created
clusterrole.rbac.authorization.k8s.io/knative-serving-addressable-resolver created
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-admin created
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-edit created
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-view created
clusterrole.rbac.authorization.k8s.io/knative-serving-core created
clusterrole.rbac.authorization.k8s.io/knative-serving-podspecable-binding created
serviceaccount/controller created
clusterrole.rbac.authorization.k8s.io/knative-serving-admin created
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-controller-admin created
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-controller-addressable-resolver created
serviceaccount/activator created
rolebinding.rbac.authorization.k8s.io/knative-serving-activator created
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-activator-cluster created
customresourcedefinition.apiextensions.k8s.io/images.caching.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/configurations.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/clusterdomainclaims.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/domainmappings.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/ingresses.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/metrics.autoscaling.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/podautoscalers.autoscaling.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/revisions.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/routes.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/serverlessservices.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/services.serving.knative.dev unchanged
secret/serving-certs-ctrl-ca created
secret/knative-serving-certs created
secret/control-serving-certs created
secret/routing-serving-certs created
image.caching.internal.knative.dev/queue-proxy created
configmap/config-autoscaler created
configmap/config-defaults created
configmap/config-deployment created
configmap/config-domain created
configmap/config-features created
configmap/config-gc created
configmap/config-leader-election created
configmap/config-logging created
configmap/config-network created
configmap/config-observability created
configmap/config-tracing created
horizontalpodautoscaler.autoscaling/activator created
poddisruptionbudget.policy/activator-pdb created
deployment.apps/activator created
service/activator-service created
deployment.apps/autoscaler created
service/autoscaler created
deployment.apps/controller created
service/controller created
horizontalpodautoscaler.autoscaling/webhook created
poddisruptionbudget.policy/webhook-pdb created
deployment.apps/webhook created
service/webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.serving.knative.dev created
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.serving.knative.dev created
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.serving.knative.dev created
secret/webhook-certs created
Inspect the Knative Serving resources
# kubectl get pods,deployment,services -n knative-serving -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/activator-dd44fd6b9-wp598 1/1 Running 0 3m22s 172.20.154.234 192.168.174.106 <none> <none>
pod/autoscaler-b9bc5b6c9-96zgw 1/1 Running 0 3m22s 172.20.89.188 192.168.174.108 <none> <none>
pod/controller-697c467585-df4ll 1/1 Running 0 3m22s 172.20.154.205 192.168.174.106 <none> <none>
pod/webhook-748476cd69-qtxb6 1/1 Running 0 3m22s 172.20.89.129 192.168.174.108 <none> <none>
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/activator 1/1 1 1 3m22s activator gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/activator@sha256:8e81f9c6646454b5e50557458768b8bfe369a21bb5362598d53644155c5676db app=activator,role=activator
deployment.apps/autoscaler 1/1 1 1 3m22s autoscaler gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:a03abaec850ae278b9c06139604d360ffa581880c504034826bbc2352b6f07ec app=autoscaler
deployment.apps/controller 1/1 1 1 3m22s controller gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/controller@sha256:47460cec5d9e3320a7e715b0b94e95da2332d604bc858dc314aa7c41916f181d app=controller
deployment.apps/webhook 1/1 1 1 3m22s webhook gcr.dockerproxy.com/knative-releases/knative.dev/serving/cmd/webhook@sha256:e947a39d22e4aa94e72352be6eaee7261f25a438293274616d9d98f7d7a5ff85 app=webhook,role=webhook
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/activator-service ClusterIP 10.100.202.84 <none> 9090/TCP,8008/TCP,80/TCP,81/TCP,443/TCP 3m22s app=activator
service/autoscaler ClusterIP 10.100.105.5 <none> 9090/TCP,8008/TCP,8080/TCP 3m22s app=autoscaler
service/autoscaler-bucket-00-of-01 ClusterIP 10.100.54.171 <none> 8080/TCP 3m20s <none>
service/controller ClusterIP 10.100.172.145 <none> 9090/TCP,8008/TCP 3m22s app=controller
service/webhook ClusterIP 10.100.153.232 <none> 9090/TCP,8008/TCP,443/TCP 3m22s app=webhook,role=webhook
Check the cluster domain
# kubectl run client --image=ikubernetes/admin-box -it --rm --restart=Never --command -- cat /etc/resolv.conf
search default.svc.wgs.local svc.wgs.local wgs.local localdomain
nameserver 10.100.0.2
options ndots:5
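The domain read from the pod's search list (wgs.local here) is what the Istio installation below receives as values.global.proxy.clusterDomain; if it does not match, Envoy is configured with service FQDNs that never resolve. The script below is an added example (not code from this post) that derives the domain from a resolv.conf and builds the --set argument, failing instead of silently falling back to Istio's default of cluster.local; the resolv.conf content and file path are constructed copies of what the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the cluster domain
# from the resolv.conf of a pod (the search list shown above) so that the
# value handed to istioctl as values.global.proxy.clusterDomain matches the
# domain the cluster really uses; a mismatch leaves Envoy with cluster FQDNs
# (e.g. activator-service.knative-serving.svc.<domain>) that never resolve.
# The sample resolv.conf content and file path are constructed.

# cluster_domain_from_resolv FILE: print the domain behind the "svc." entry
# of the search list, which is "<ns>.svc.<domain> svc.<domain> <domain> ...".
cluster_domain_from_resolv() {
  awk '$1 == "search" {
         for (i = 2; i <= NF; i++)
           if ($i ~ /^svc\./) { sub(/^svc\./, "", $i); print $i; exit }
       }' "$1"
}

# istio_domain_flag FILE: the --set argument for istioctl, or fail loudly
# instead of letting istioctl fall back to its default of cluster.local.
istio_domain_flag() {
  domain=$(cluster_domain_from_resolv "$1")
  [ -n "$domain" ] || { echo "no svc.<domain> entry in $1" >&2; return 1; }
  printf 'values.global.proxy.clusterDomain=%s\n' "$domain"
}

# Constructed copy of the resolv.conf printed by the client pod in this post.
write_sample_resolv() {
  cat > "$1" <<'EOF'
search default.svc.wgs.local svc.wgs.local wgs.local localdomain
nameserver 10.100.0.2
options ndots:5
EOF
}

# Stand-alone run: print the istioctl command with the derived domain.
demo() {
  tmp=$(mktemp)
  write_sample_resolv "$tmp"
  echo "istioctl install --set profile=default --set $(istio_domain_flag "$tmp") -y"
  rm -f "$tmp"
}
demo
```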
Deploy Istio
Download Istio
# export ISTIO_VERSION=1.18.0
# wget https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# tar xf istio-${ISTIO_VERSION}-linux-amd64.tar.gz
Install Istio with the cluster domain found above
# istioctl install --set profile=default --set values.global.proxy.clusterDomain=wgs.local -y
Deploy the Knative Istio controller (net-istio)
# kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.11.0/net-istio.yaml
clusterrole.rbac.authorization.k8s.io/knative-serving-istio created
gateway.networking.istio.io/knative-ingress-gateway created
gateway.networking.istio.io/knative-local-gateway created
service/knative-local-gateway created
configmap/config-istio created
peerauthentication.security.istio.io/webhook created
peerauthentication.security.istio.io/net-istio-webhook created
deployment.apps/net-istio-controller created
deployment.apps/net-istio-webhook created
secret/net-istio-webhook-certs created
service/net-istio-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.istio.networking.internal.knative.dev created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.istio.networking.internal.knative.dev created
Enable automatic sidecar injection for the knative-serving namespace
# kubectl label namespace knative-serving istio-injection=enabled
Combining Istio mTLS with Knative
istio-PeerAuthentication-knative.yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "knative-serving"
spec:
  mtls:
    mode: PERMISSIVE
Create the resource
# kubectl apply -f istio-PeerAuthentication-knative.yaml
Inspect the Istio resources
Resources in the istio-system namespace
# kubectl get pods,deployment,service,gateway -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-ingressgateway-568ffb9976-lk455 1/1 Running 0 58s
pod/istiod-7f87bfc564-g9vdn 1/1 Running 0 62s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/istio-ingressgateway 1/1 1 1 58s
deployment.apps/istiod 1/1 1 1 62s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-ingressgateway LoadBalancer 10.100.132.184 <pending> 15021:31063/TCP,80:56051/TCP,443:33148/TCP 58s
service/istiod ClusterIP 10.100.125.160 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 62s
service/knative-local-gateway ClusterIP 10.100.180.84 <none> 80/TCP 39s
service/istio-ingressgateway: handles north-south traffic (into and out of the cluster).
service/knative-local-gateway: handles east-west (cluster-internal) traffic when the mesh is not enabled, that is, when automatic sidecar injection is not enabled for the namespace.
Resources in the knative-serving namespace
# kubectl get pods,deployment,service,gateway -n knative-serving
NAME READY STATUS RESTARTS AGE
pod/activator-dd44fd6b9-wp598 1/1 Running 0 10m
pod/autoscaler-b9bc5b6c9-96zgw 1/1 Running 0 10m
pod/controller-697c467585-df4ll 1/1 Running 0 10m
pod/net-istio-controller-7dcc87768c-np699 1/1 Running 0 2m13s
pod/net-istio-webhook-55bb6bd985-625pg 1/1 Running 0 2m13s
pod/webhook-748476cd69-qtxb6 1/1 Running 0 10m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/activator 1/1 1 1 10m
deployment.apps/autoscaler 1/1 1 1 10m
deployment.apps/controller 1/1 1 1 10m
deployment.apps/net-istio-controller 1/1 1 1 2m13s
deployment.apps/net-istio-webhook 1/1 1 1 2m13s
deployment.apps/webhook 1/1 1 1 10m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/activator-service ClusterIP 10.100.202.84 <none> 9090/TCP,8008/TCP,80/TCP,81/TCP,443/TCP 10m
service/autoscaler ClusterIP 10.100.105.5 <none> 9090/TCP,8008/TCP,8080/TCP 10m
service/autoscaler-bucket-00-of-01 ClusterIP 10.100.54.171 <none> 8080/TCP 10m
service/controller ClusterIP 10.100.172.145 <none> 9090/TCP,8008/TCP 10m
service/net-istio-webhook ClusterIP 10.100.244.117 <none> 9090/TCP,8008/TCP,443/TCP 2m13s
service/webhook ClusterIP 10.100.153.232 <none> 9090/TCP,8008/TCP,443/TCP 10m
NAME AGE
gateway.networking.istio.io/knative-ingress-gateway 2m13s
gateway.networking.istio.io/knative-local-gateway 2m13s
Add externalIPs to istio-ingressgateway
# kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalIPs":["192.168.174.249"]}}'
Get the external IP address
# kubectl --namespace istio-system get service istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.100.132.184 192.168.174.249 15021:31063/TCP,80:56051/TCP,443:33148/TCP 111s
Verify the Istio installation
# istioctl verify-install
1 Istio control planes detected, checking --revision "default" only
✔ ClusterRole: istiod-istio-system.istio-system checked successfully
✔ ClusterRole: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-istio-system.istio-system checked successfully
✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully
✔ Role: istiod-istio-system.istio-system checked successfully
✔ RoleBinding: istiod-istio-system.istio-system checked successfully
✔ ServiceAccount: istiod-service-account.istio-system checked successfully
✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: istiooperators.install.istio.io.istio-system checked successfully
✔ HorizontalPodAutoscaler: istiod.istio-system checked successfully
✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ConfigMap: istio.istio-system checked successfully
✔ Deployment: istiod.istio-system checked successfully
✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully
✔ PodDisruptionBudget: istiod.istio-system checked successfully
✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ Role: istiod.istio-system checked successfully
✔ RoleBinding: istiod.istio-system checked successfully
✔ Service: istiod.istio-system checked successfully
✔ ServiceAccount: istiod.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully
✔ HorizontalPodAutoscaler: istio-ingressgateway.istio-system checked successfully
✔ Deployment: istio-ingressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
✔ Role: istio-ingressgateway-sds.istio-system checked successfully
✔ RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
✔ Service: istio-ingressgateway.istio-system checked successfully
✔ ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
Checked 15 custom resource definitions
Checked 2 Istio Deployments
✔ Istio is installed and verified successfully
Inspect the ingress gateway proxy configuration (clusters, listeners, routes and certificates)
# istioctl proxy-config all istio-ingressgateway-568ffb9976-lk455 -n istio-system
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
BlackHoleCluster - - - STATIC
activator-service.knative-serving.svc.wgs.local 80 - outbound EDS
activator-service.knative-serving.svc.wgs.local 81 - outbound EDS
activator-service.knative-serving.svc.wgs.local 443 - outbound EDS
activator-service.knative-serving.svc.wgs.local 8008 - outbound EDS
activator-service.knative-serving.svc.wgs.local 9090 - outbound EDS
agent - - - STATIC
autoscaler-bucket-00-of-01.knative-serving.svc.wgs.local 8080 - outbound EDS
autoscaler.knative-serving.svc.wgs.local 8008 - outbound EDS
autoscaler.knative-serving.svc.wgs.local 8080 - outbound EDS
autoscaler.knative-serving.svc.wgs.local 9090 - outbound EDS
controller.knative-serving.svc.wgs.local 8008 - outbound EDS
controller.knative-serving.svc.wgs.local 9090 - outbound EDS
dashboard-metrics-scraper.kubernetes-dashboard.svc.wgs.local 8000 - outbound EDS
istio-ingressgateway.istio-system.svc.wgs.local 80 - outbound EDS
istio-ingressgateway.istio-system.svc.wgs.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.wgs.local 15021 - outbound EDS
istiod.istio-system.svc.wgs.local 443 - outbound EDS
istiod.istio-system.svc.wgs.local 15010 - outbound EDS
istiod.istio-system.svc.wgs.local 15012 - outbound EDS
istiod.istio-system.svc.wgs.local 15014 - outbound EDS
knative-local-gateway.istio-system.svc.wgs.local 80 - outbound EDS
kube-dns.kube-system.svc.wgs.local 53 - outbound EDS
kube-dns.kube-system.svc.wgs.local 9153 - outbound EDS
kubernetes-dashboard.kubernetes-dashboard.svc.wgs.local 443 - outbound EDS
kubernetes.default.svc.wgs.local 443 - outbound EDS
metrics-server.kube-system.svc.wgs.local 443 - outbound EDS
net-istio-webhook.knative-serving.svc.wgs.local 443 - outbound EDS
net-istio-webhook.knative-serving.svc.wgs.local 8008 - outbound EDS
net-istio-webhook.knative-serving.svc.wgs.local 9090 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
webhook.knative-serving.svc.wgs.local 443 - outbound EDS
webhook.knative-serving.svc.wgs.local 8008 - outbound EDS
webhook.knative-serving.svc.wgs.local 9090 - outbound EDS
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
ADDRESS PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 8081 ALL Route: http.8081
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
NAME VHOST NAME DOMAINS MATCH VIRTUAL SERVICE
http.8081 blackhole:8081 * /* 404
http.8080 blackhole:80 * /* 404
backend * /stats/prometheus*
backend * /healthz/ready*
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
default Cert Chain ACTIVE true b587dc78aced44be19b1f7a946c23238 2023-09-24T10:19:08Z 2023-09-23T10:17:08Z
ROOTCA CA ACTIVE true 8beb47b811755928c4ea25f569b82f67 2033-09-20T09:58:25Z 2023-09-23T09:58:25Z
Deploy the HPA extension
Deploy the HPA autoscaler
# kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.11.0/serving-hpa.yaml
deployment.apps/autoscaler-hpa created
service/autoscaler-hpa created
Inspect the resources
# kubectl get pods,deployment,service,gateway -n knative-serving
NAME READY STATUS RESTARTS AGE
pod/activator-dd44fd6b9-wp598 1/1 Running 0 16m
pod/autoscaler-b9bc5b6c9-96zgw 1/1 Running 0 16m
pod/autoscaler-hpa-77579f8877-cf5zt 0/2 PodInitializing 0 11s
pod/controller-697c467585-df4ll 1/1 Running 0 16m
pod/net-istio-controller-7dcc87768c-np699 1/1 Running 0 8m33s
pod/net-istio-webhook-55bb6bd985-625pg 1/1 Running 0 8m33s
pod/webhook-748476cd69-qtxb6 1/1 Running 0 16m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/activator 1/1 1 1 16m
deployment.apps/autoscaler 1/1 1 1 16m
deployment.apps/autoscaler-hpa 0/1 1 0 11s
deployment.apps/controller 1/1 1 1 16m
deployment.apps/net-istio-controller 1/1 1 1 8m33s
deployment.apps/net-istio-webhook 1/1 1 1 8m33s
deployment.apps/webhook 1/1 1 1 16m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/activator-service ClusterIP 10.100.202.84 <none> 9090/TCP,8008/TCP,80/TCP,81/TCP,443/TCP 16m
service/autoscaler ClusterIP 10.100.105.5 <none> 9090/TCP,8008/TCP,8080/TCP 16m
service/autoscaler-bucket-00-of-01 ClusterIP 10.100.54.171 <none> 8080/TCP 16m
service/autoscaler-hpa ClusterIP 10.100.10.222 <none> 9090/TCP,8008/TCP 11s
service/controller ClusterIP 10.100.172.145 <none> 9090/TCP,8008/TCP 16m
service/net-istio-webhook ClusterIP 10.100.244.117 <none> 9090/TCP,8008/TCP,443/TCP 8m33s
service/webhook ClusterIP 10.100.153.232 <none> 9090/TCP,8008/TCP,443/TCP 16m
NAME AGE
gateway.networking.istio.io/knative-ingress-gateway 8m33s
gateway.networking.istio.io/knative-local-gateway 8m33s
References
https://knative.dev/docs/install/yaml-install/serving/install-serving-with-yaml/