Istio CRD Summary and Helm Chart Configuration Analysis


Two magical tables


Tue Sep 18, 2018

Tags: istio   service mesh  

Table source: Kube: Installing Istio with Helm

## CRDs included in Istio (50 in total), their categories and purposes

| No. | Name | Purpose | Category | Owner |
|---|---|---|---|---|
| 1 | virtualservices.networking.istio.io | Routing; defines a virtual service | networking | pilot |
| 2 | destinationrules.networking.istio.io | Routing; defines a destination rule | | |
| 3 | serviceentries.networking.istio.io | Routing; defines a service entry | | |
| 4 | gateways.networking.istio.io | Routing; defines a gateway | | |
| 5 | envoyfilters.networking.istio.io | Uses a filter to add specific configuration to a specific envoy | | |
| 6 | policies.authentication.istio.io | Authn; scoped to a namespace | authentication | citadel |
| 7 | meshpolicies.authentication.istio.io | Authn; global scope | | |
| 8 | httpapispecbindings.config.istio.io | | apim | mixer |
| 9 | httpapispecs.config.istio.io | | | |
| 10 | quotaspecbindings.config.istio.io | | | |
| 11 | quotaspecs.config.istio.io | | | |
| 12 | rules.config.istio.io | Mixer rule; binds handlers to instances | mixer core | |
| 13 | attributemanifests.config.istio.io | Defines the attributes envoy passes to mixer for policy and telemetry | | |
| 14 | bypasses.config.istio.io | | mixer adapter (processes the data collected from envoy) | |
| 15 | circonuses.config.istio.io | Defines the circonus adapter | | |
| 16 | deniers.config.istio.io | Defines the denier adapter | | |
| 17 | fluentds.config.istio.io | Defines the fluentd adapter | | |
| 18 | kubernetesenvs.config.istio.io | Defines the kubernetesenv adapter | | |
| 19 | listcheckers.config.istio.io | Defines the list adapter | | |
| 20 | memquotas.config.istio.io | Defines the memquota adapter | | |
| 21 | noops.config.istio.io | | | |
| 22 | opas.config.istio.io | Defines the opa adapter | | |
| 23 | prometheuses.config.istio.io | Defines the prometheus adapter | | |
| 24 | rbacs.config.istio.io | Defines the rbac adapter | | |
| 25 | redisquotas.config.istio.io | Defines the redisquota adapter | | |
| 26 | servicecontrols.config.istio.io | Defines the servicecontrol adapter | | |
| 27 | signalfxs.config.istio.io | Defines the signalfx adapter | | |
| 28 | solarwindses.config.istio.io | Defines the solarwinds adapter | | |
| 29 | stackdrivers.config.istio.io | Defines the stackdriver adapter | | |
| 30 | statsds.config.istio.io | Defines the statsd adapter | | |
| 31 | stdios.config.istio.io | Defines the stdio adapter | | |
| 32 | apikeys.config.istio.io | Defines the apikey template | mixer instance (defines the data collected from envoy) | |
| 33 | authorizations.config.istio.io | Defines the authorization template | | |
| 34 | checknothings.config.istio.io | Defines the checknothing template | | |
| 35 | kuberneteses.config.istio.io | Defines the kubernetes template | | |
| 36 | listentries.config.istio.io | Defines the listentry template | | |
| 37 | logentries.config.istio.io | Defines the logentry template | | |
| 38 | edges.config.istio.io | | | |
| 39 | metrics.config.istio.io | Defines the metric template | | |
| 40 | quotas.config.istio.io | Defines the quota template | | |
| 41 | reportnothings.config.istio.io | Defines the reportnothing template | | |
| 42 | servicecontrolreports.config.istio.io | Defines the servicecontrolreport template | | |
| 43 | tracespans.config.istio.io | Defines the tracespan template | | |
| 44 | rbacconfigs.rbac.istio.io | Authz; defines Istio's RBAC policy | rbac | |
| 45 | serviceroles.rbac.istio.io | Authz; defines a service role | | |
| 46 | servicerolebindings.rbac.istio.io | Authz; defines a service role binding | | |
| 47 | adapters.config.istio.io | | others | |
| 48 | instances.config.istio.io | | | |
| 49 | templates.config.istio.io | | | |
| 50 | handlers.config.istio.io | | | |

## Istio Helm Chart installation configuration analysis
| No. | Chart | File | K8s resource type | K8s resource name | Purpose |
|---|---|---|---|---|---|
| 1 | main | _affinity.tpl | | | Defines the nodeAffinity used in each component's deployment chart |
| | | _helpers.tpl | | | Defines default values for some variables in each component's chart |
| | | configmap.yaml | ConfigMap | istio | Istio's main configuration configmap |
| | | crds.yaml | CustomResourceDefinition | 50 in total | All the CRD resources Istio requires |
| | | install-custom-resources.sh.tpl | | | Defines the script contained in the configmaps of the grafana and security charts; it verifies that the istio-galley validatingwebhookconfiguration already exists and deploys the components' other related resources |
| | | sidecar-injector-configmap.yaml | ConfigMap | istio-sidecar-injector | Defines the sidecar injector's configmap |
| 2 | sidecarInjectorWebhook (enabled by default) | _helpers.tpl | | | Defines default values for some variables in the sidecarInjectorWebhook chart |
| | | clusterrole.yaml | ClusterRole | istio-sidecar-injector-{{ .Release.Namespace }} | Defines the clusterrole used by sidecarInjectorWebhook |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }} | Defines the clusterrolebinding used by sidecarInjectorWebhook |
| | | deployment.yaml | Deployment | istio-sidecar-injector | Defines the deployment used by sidecarInjectorWebhook |
| | | mutatingwebhook.yaml | MutatingWebhookConfiguration | istio-sidecar-injector | Defines the mutatingwebhookconfiguration used by sidecarInjectorWebhook |
| | | service.yaml | Service | istio-sidecar-injector | Defines the service used by sidecarInjectorWebhook |
| | | serviceaccount.yaml | ServiceAccount | istio-sidecar-injector-service-account | Defines the serviceaccount used by sidecarInjectorWebhook |
| 3 | security (enabled by default) | _helpers.tpl | | | Defines default values for some variables in the security chart |
| | | cleanup-secrets.yaml | ServiceAccount | istio-cleanup-secrets-service-account | Cleans up the secrets in citadel after Istio is deleted with helm |
| | | | ClusterRole | istio-cleanup-secrets-{{ .Release.Namespace }} | |
| | | | ClusterRoleBinding | istio-cleanup-secrets-{{ .Release.Namespace }} | |
| | | | Job | istio-cleanup-secrets | |
| | | clusterrole.yaml | ClusterRole | istio-citadel-{{ .Release.Namespace }} | Defines the citadel-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-citadel-{{ .Release.Namespace }} | Defines the citadel-related clusterrolebinding |
| | | configmap.yaml | ConfigMap | istio-security-custom-resources | Defines the citadel-related configmap; tied to mtls.enabled in the global values, i.e. whether global mTLS authn is enabled |
| | | create-custom-resources-job.yaml | ServiceAccount | istio-security-post-install-account | Takes effect only when mtls.enabled in the global values is set to true; creates the mTLS-related serviceaccount, clusterrole and clusterrolebinding, plus the other related objects defined in the configmap |
| | | | ClusterRole | istio-security-post-install-{{ .Release.Namespace }} | |
| | | | ClusterRoleBinding | istio-security-post-install-role-binding-{{ .Release.Namespace }} | |
| | | | Job | istio-security-post-install | |
| | | deployment.yaml | Deployment | istio-citadel | Defines the citadel-related deployment |
| | | enable-mesh-mtls.yaml | MeshPolicy | default | When mtls.enabled in the global values is set to true, these resources are written into the configmap |
| | | | DestinationRule | default | |
| | | | DestinationRule | api-server | |
| | | meshexpansion.yaml | VirtualService | meshexpansion-citadel | When meshExpansion in the global values is set to true, creates the citadel-related virtualservice |
| | | | VirtualService | meshexpansion-ilb-citadel | When meshExpansionILB in the global values is set to true, creates the citadel-related virtualservice |
| | | service.yaml | Service | istio-citadel | Defines the citadel-related service |
| | | serviceaccount.yaml | ServiceAccount | istio-citadel-service-account | Defines the citadel-related serviceaccount |
| 4 | galley (enabled by default) | _helpers.tpl | | | Defines default values for some variables in the galley chart |
| | | clusterrole.yaml | ClusterRole | istio-galley-{{ .Release.Namespace }} | Defines the galley-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-galley-admin-role-binding-{{ .Release.Namespace }} | Defines the galley-related clusterrolebinding |
| | | configmap.yaml | ConfigMap | istio-galley-configuration | Defines the galley-related configmap |
| | | deployment.yaml | Deployment | istio-galley | Defines the galley-related deployment |
| | | service.yaml | Service | istio-galley | Defines the galley-related service |
| | | serviceaccount.yaml | ServiceAccount | istio-galley-service-account | Defines the galley-related serviceaccount |
| | | validatingwehookconfiguration.yaml.tpl | ValidatingWebhookConfiguration | istio-galley | Defines validation of the pilot and mixer configuration; associated with the galley deployment |
| 5 | mixer (enabled by default) | _helpers.tpl | | | Defines default values for some variables in the mixer chart |
| | | autoscale.yaml | HorizontalPodAutoscaler | istio-policy | Defines the horizontalpodautoscalers for mixer, covering policy and telemetry |
| | | | HorizontalPodAutoscaler | istio-telemetry | |
| | | clusterrole.yaml | ClusterRole | istio-mixer-{{ .Release.Namespace }} | Defines the mixer-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-mixer-admin-role-binding-{{ .Release.Namespace }} | Defines the mixer-related clusterrolebinding |
| | | config.yaml | attributemanifest | istioproxy | Defines the attributemanifest from envoy to mixer |
| | | | attributemanifest | kubernetes | Defines the attributemanifest from k8s to mixer |
| | | | stdio | handler | Defines the stdio handler |
| | | | logentry | accesslog | Defines the http logentry instance |
| | | | logentry | tcpaccesslog | Defines the tcp logentry instance |
| | | | rule | stdio | Defines the rule from accesslog.logentry to handler.stdio, sending the accesslog to stdio |
| | | | rule | stdiotcp | Defines the rule from tcpaccesslog.logentry to handler.stdio, sending the tcpaccesslog to stdio |
| | | | metric | requestcount | Defines the requestcount metric instance |
| | | | metric | requestduration | Defines the requestduration metric instance |
| | | | metric | requestsize | Defines the requestsize metric instance |
| | | | metric | responsesize | Defines the responsesize metric instance |
| | | | metric | tcpbytesent | Defines the tcpbytesent metric instance |
| | | | metric | tcpbytereceived | Defines the tcpbytereceived metric instance |
| | | | prometheus | handler | Defines the prometheus handler |
| | | | rule | promhttp | Defines the rule from requestcount.metric, requestduration.metric, requestsize.metric and responsesize.metric to handler.prometheus, sending the http metrics to prometheus |
| | | | rule | promtcp | Defines the rule from tcpbytesent.metric and tcpbytereceived.metric to handler.prometheus, sending the tcp metrics to prometheus |
| | | | kubernetesenv | handler | Defines the kubernetesenv handler |
| | | | rule | kubeattrgenrulerule | Defines the rule from attributes.kubernetes to handler.kubernetesenv, generating the kubernetes-related attributes |
| | | | rule | tcpkubeattrgenrulerule | Defines the rule from attributes.kubernetes to handler.kubernetesenv, generating the kubernetes tcp-related attributes |
| | | | kubernetes | attributes | Defines the kubernetes-related attribute instance |
| | | | DestinationRule | istio-policy | Defines the istio-policy-related destinationrule |
| | | | DestinationRule | istio-telemetry | Defines the istio-telemetry-related destinationrule |
| | | configmap.yaml | ConfigMap | istio-statsd-prom-bridge | Defines the istio-statsd-prom-bridge-related configmap |
| | | deployment.yaml | Deployment | istio-policy | Defines the istio-policy-related deployment |
| | | | Deployment | istio-telemetry | Defines the istio-telemetry-related deployment |
| | | service.yaml | Service | istio-policy | Defines the istio-policy-related service |
| | | | Service | istio-telemetry | Defines the istio-telemetry-related service |
| | | serviceaccount.yaml | ServiceAccount | istio-mixer-service-account | Defines the mixer-related serviceaccount |
| | | statsdtoprom.yaml | Service | istio-statsd-prom-bridge | Defines the istio-statsd-prom-bridge-related service |
| | | | Deployment | istio-statsd-prom-bridge | Defines the istio-statsd-prom-bridge-related deployment |
| 6 | pilot (enabled by default) | autoscale.yaml | horizontalPodAutoscaler | istio-pilot | Defines the pilot-related horizontalpodautoscaler |
| | | clusterrole.yaml | ClusterRole | istio-pilot | Defines the pilot-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-pilot | Defines the pilot-related clusterrolebinding |
| | | deployment.yaml | Deployment | istio-pilot | Defines the pilot-related deployment |
| | | gateway.yaml | Gateway | istio-autogenerated-k8s-ingress | Defines the pilot-related gateway; by default kept for backward compatibility, using ingress |
| | | | Gateway | meshexpansion-gateway | Defines the pilot-related gateway; if global.meshExpansion is set to true, pilot is exposed on the gateway |
| | | | Gateway | meshexpansion-ilb-gateway | Defines the pilot-related gateway; if global.meshExpansionILB is set to true, pilot is exposed on the internal gateway |
| | | meshexpansion.yaml | VirtualService | meshexpansion-pilot | When meshExpansion in the global values is set to true, creates the pilot-related virtualservice |
| | | | VirtualService | ilb-meshexpansion-pilot | When meshExpansionILB in the global values is set to true, creates the pilot-related virtualservice |
| | | service.yaml | Service | istio-pilot | Defines the pilot-related service |
| | | serviceaccount.yaml | ServiceAccount | istio-pilot-service-account | Defines the pilot-related serviceaccount |
| 7 | gateways (enabled by default) | autoscale.yaml | horizontalPodAutoscaler | istio-ingressgateway | Defines the ingressgateway-related horizontalpodautoscaler |
| | | | horizontalPodAutoscaler | istio-egressgateway | Defines the egressgateway-related horizontalpodautoscaler |
| | | | horizontalPodAutoscaler | istio-ilbgateway | Defines the ilbgateway-related horizontalpodautoscaler; disabled by default, GCP only |
| | | clusterrole.yaml | ClusterRole | istio-ingressgateway-{{ $.Release.Namespace }} | Defines the ingressgateway-related clusterrole |
| | | | ClusterRole | istio-egressgateway-{{ $.Release.Namespace }} | Defines the egressgateway-related clusterrole |
| | | | ClusterRole | istio-ilbgateway-{{ $.Release.Namespace }} | Defines the ilbgateway-related clusterrole; disabled by default, GCP only |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-ingressgateway-{{ $.Release.Namespace }} | Defines the ingressgateway-related clusterrolebinding |
| | | | ClusterRoleBinding | istio-egressgateway-{{ $.Release.Namespace }} | Defines the egressgateway-related clusterrolebinding |
| | | | ClusterRoleBinding | istio-ilbgateway-{{ $.Release.Namespace }} | Defines the ilbgateway-related clusterrolebinding; disabled by default, GCP only |
| | | deployment.yaml | Deployment | istio-ingressgateway | Defines the ingressgateway-related deployment |
| | | | Deployment | istio-egressgateway | Defines the egressgateway-related deployment |
| | | | Deployment | istio-ilbgateway | Defines the ilbgateway-related deployment; disabled by default, GCP only |
| | | service.yaml | Service | istio-ingressgateway | Defines the ingressgateway-related service |
| | | | Service | istio-egressgateway | Defines the egressgateway-related service |
| | | | Service | istio-ilbgateway | Defines the ilbgateway-related service; disabled by default, GCP only |
| | | serviceaccount.yaml | ServiceAccount | istio-ingressgateway-service-account | Defines the ingressgateway-related serviceaccount |
| | | | ServiceAccount | istio-egressgateway-service-account | Defines the egressgateway-related serviceaccount |
| | | | ServiceAccount | istio-ilbgateway-service-account | Defines the ilbgateway-related serviceaccount; disabled by default, GCP only |
| 8 | prometheus (enabled by default) | _helpers.tpl | | | Defines default values for some variables in the prometheus chart |
| | | clusterrole.yaml | ClusterRole | prometheus-{{ .Release.Namespace }} | Defines the prometheus-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | prometheus-{{ .Release.Namespace }} | Defines the prometheus-related clusterrolebinding |
| | | configmap.yaml | ConfigMap | prometheus | Defines the prometheus-related configmap |
| | | deployment.yaml | Deployment | prometheus | Defines the prometheus-related deployment |
| | | service.yaml | Service | prometheus | Defines the prometheus-related service |
| | | serviceaccount.yaml | ServiceAccount | prometheus | Defines the prometheus-related serviceaccount |
| 9 | telemetry-gateway (disabled by default) | gateway.yaml | Gateway | istio-telemetry-gateway | Defines the gateway for prometheus and grafana; if prometheusEnabled is set to true, the prometheus-related gateway configuration is added, and if grafanaEnabled is set to true, the grafana-related gateway configuration is added |
| | | | DestinationRule | grafana | Defines the prometheus-related destinationrule |
| | | | DestinationRule | prometheus | Defines the grafana-related destinationrule |
| | | | VirtualService | telemetry-virtual-service | Defines the virtualservice for prometheus and grafana; if prometheusEnabled is set to true, the prometheus-related virtualservice configuration is added, and if grafanaEnabled is set to true, the grafana-related virtualservice configuration is added |
| 10 | ingress (disabled by default; legacy ingress support) | autoscale.yaml | HorizontalPodAutoscaler | istio-ingress | Defines the ingress-related horizontalpodautoscaler |
| | | clusterrole.yaml | ClusterRole | istio-ingress-{{ .Release.Namespace }} | Defines the ingress-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-ingress-{{ .Release.Namespace }} | Defines the ingress-related clusterrolebinding |
| | | deployment.yaml | Deployment | istio-ingress | Defines the ingress-related deployment |
| | | service.yaml | Service | istio-ingress | Defines the ingress-related service |
| | | serviceaccount.yaml | ServiceAccount | istio-ingress-service-account | Defines the ingress-related serviceaccount |
| 11 | grafana (disabled by default) | _helpers.tpl | | | Defines default values for some variables in the grafana chart |
| | | configmap.yaml | ConfigMap | istio-grafana-custom-resources | Defines the grafana-related configmap |
| | | create-custom-resources-job.yaml | ServiceAccount | istio-grafana-post-install-account | Defines the grafana post-install serviceaccount |
| | | | ClusterRole | istio-grafana-post-install-{{ .Release.Namespace }} | Defines the grafana post-install clusterrole |
| | | | ClusterRoleBinding | istio-grafana-post-install-role-binding-{{ .Release.Namespace }} | Defines the grafana post-install clusterrolebinding |
| | | | Job | istio-grafana-post-install | Defines the grafana post-install job |
| | | deployment.yaml | Deployment | grafana | Defines the grafana-related deployment |
| | | grafana-ports-mtls.yaml | Policy | grafana-ports-mtls-disabled | Enables mTLS for access to grafana |
| | | pvc.yaml | PersistentVolumeClaim | istio-grafana-pvc | If persist is set to true, creates a PVC and PV for grafana |
| | | secret.yaml | Secret | grafana | If security.enabled is set to true, enables authn for grafana |
| | | service.yaml | Service | grafana | Defines the grafana-related service |
| 12 | servicegraph (disabled by default) | _helpers.tpl | | | Defines default values for some variables in the servicegraph chart |
| | | deployment.yaml | Deployment | servicegraph | Defines the servicegraph-related deployment |
| | | ingress.yaml | Ingress | servicegraph | Defines the servicegraph-related ingress |
| | | service.yaml | Service | servicegraph | Defines the servicegraph-related service |
| 13 | tracing (disabled by default) | _helpers.tpl | | | Defines default values for some variables in the tracing chart |
| | | deployment.yaml | Deployment | istio-tracing | Defines the jaeger tracing-related deployment |
| | | ingress-jaeger.yaml | Ingress | jaeger-query | Defines the jaeger tracing-related ingress |
| | | ingress.yaml | Ingress | tracing | Defines the zipkin tracing-related ingress |
| | | service-jaeger.yaml | Service | jaeger-query | Defines the jaeger tracing query service |
| | | | Service | jaeger-collector | Defines the jaeger tracing collector service |
| | | | Service | jaeger-agent | Defines the jaeger tracing agent service |
| | | service.yaml | Service | zipkin | Defines the zipkin tracing-related service |
| | | | Service | tracing | Defines the jaeger tracing-related service |
| 14 | kiali (disabled by default) | clusterrole.yaml | ClusterRole | kiali | Defines the kiali-related clusterrole |
| | | clusterrolebinding.yaml | ClusterRoleBinding | istio-kiali-admin-role-binding-{{ .Release.Namespace }} | Defines the kiali-related clusterrolebinding |
| | | configmap.yaml | ConfigMap | kiali | Defines the kiali-related configmap |
| | | deployment.yaml | Deployment | kiali | Defines the kiali-related deployment |
| | | ingress.yaml | Ingress | kiali | Defines the kiali-related ingress |
| | | secrets.yaml | Secret | kiali | Defines the kiali-related secret |
| | | service.yaml | Service | kiali | Defines the kiali-related service |
| | | serviceaccount.yaml | ServiceAccount | kiali-service-account | Defines the kiali-related serviceaccount |
| 15 | certmanager (disabled by default) | _helpers.tpl | | | Defines default values for some variables in the certmanager chart |
| | | crds.yaml | CustomResourceDefinition | clusterissuers.certmanager.k8s.io | Defines the certmanager-related CRDs |
| | | | CustomResourceDefinition | issuers.certmanager.k8s.io | |
| | | | CustomResourceDefinition | certificates.certmanager.k8s.io | |
| | | deployment.yaml | Deployment | certmanager | Defines the certmanager-related deployment |
| | | issuer.yaml | ClusterIssuer | letsencrypt-staging | Defines the certmanager-related clusterissuers |
| | | | ClusterIssuer | letsencrypt | |
| | | rbac.yaml | ClusterRole | certmanager | Defines the certmanager-related clusterrole |
| | | | ClusterRoleBinding | certmanager | Defines the certmanager-related clusterrolebinding |
| | | certmanager | ServiceAccount | certmanager | Defines the certmanager-related serviceaccount |


杨传胜
