...
This script will create a Kubernetes master node with Kubeadm and install the Calico network plugin. Other required tools such as Docker, Kubectl and Helm will be installed as well.
The script output includes a command for joining a node to the created Kubernetes cluster. Note that the output below is an example; the token and cert-hash of your installation will be different. Copy and paste the command somewhere, as we will need it later.
```
You can now join any number of machines by running the following on each node as root:

  kubeadm join 10.12.5.104:6443 --token 1x62yf.60ys5p2iw13tx2t8 --discovery-token-ca-cert-hash sha256:f06628c7cee002b262e69f3f9efadf47bdec125e19606ebff743a3e514a8383b
```
Kubernetes worker Node
Log in to the worker node machine and run this script to create a Kubernetes worker node:
```
./2_install_k8s_minion.sh
```
...
http://${INGRESS_IP}:${INGRESS_PORT}/api/multicloud/v0/swagger.json
http://${INGRESS_IP}:${INGRESS_PORT}/api/multicloud-vio/v0/swagger.json
http://${INGRESS_IP}:${INGRESS_PORT}/api/multicloud-ocata/v0/swagger.json
Then open your browser at http://tracing_node_ip:tracing_node_port/. You should see something similar to the following:
Note
- tracing_node_port can be found with 'kubectl get svc -n istio-system'.
- ONAP microservices need to propagate the appropriate HTTP headers so that when the proxies send span information, the spans can be correlated correctly into a single trace.
Service Graph
Istio provides a Servicegraph service which generates and visualizes graph representations of the services in the mesh.
Open your browser at http://node_ip:30088/dotviz or http://node_ip:30088/force/forcegraph.html. You should see the service graph:
Metrics Visualization
Istio automatically gathers telemetry for services in a mesh. A Prometheus adapter is plugged into Mixer to serve the generated metric data. A Grafana addon is pre-configured with a Prometheus data source and has an Istio dashboard installed for the metric visualization.
Open your browser at http://node_ip:30300. You should see the Grafana Istio dashboard:
What's next? We will leverage Istio RBAC for ONAP inter-services authorization, and provide a user
Authorization(RBAC)
Istio authorization is disabled by default. Run the following commands to enable it for the onap namespace:
```
cd /service-mesh/install
kubectl apply -f enable-rbac.yaml
```
Point your browser at the msb portal or multicloud swagger file:
http://${INGRESS_IP}:${INGRESS_PORT}/msb
http://${INGRESS_IP}:${INGRESS_PORT}/api/multicloud-vio/v0/swagger.json
Now you should see "RBAC: access denied". This is because Istio authorization is “deny by default”, which means that you need to explicitly define access control policy to grant access to any service. Note: There may be some delays due to caching and other propagation overhead.
Run the following commands to allow the Istio Ingress gateway read access to the onap namespace:
```
cd /service-mesh/install
kubectl apply -f enable-istio-ingress-gateway-access.yaml
```
Now if you point your browser at the msb portal (http://${INGRESS_IP}:${INGRESS_PORT}/msb), you should see the msb portal page with registered services.
Note: There may be some delays due to caching and other propagation overhead.
If you try to access http://${INGRESS_IP}:${INGRESS_PORT}/api/multicloud-vio/v0/swagger.json, you should still see "RBAC: access denied". What's happening? This request actually goes through browser->Istio-ingress->MSB->multicloud. Even though Istio-ingress can now access MSB, MSB is not allowed to access multicloud. So we need to create another RBAC rule that grants MSB permission to access multicloud.
Run the following commands to grant MSB access to multicloud:
```
cd /service-mesh/install
kubectl apply -f msb-rbac.yaml
```
Try to access http://${INGRESS_IP}:${INGRESS_PORT}/api/multicloud-vio/v0/swagger.json again. You should now see the swagger file returned from the multicloud microservice.
Note: There may be some delays due to caching and other propagation overhead.
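The hop-by-hop behaviour described above, modelled in Python as an added example (not code from this page or from Istio): each hop in the browser->Istio-ingress->MSB->multicloud chain is checked on its own against a deny-by-default rule list, which shows where a request is rejected after each step. The workload names and rule contents are assumptions, since the page does not show the contents of its YAML files.

```python
"""Simplified model of per-hop, deny-by-default authorization (added example).
Not Istio's implementation; workload names and rule contents are assumptions."""
from fnmatch import fnmatch
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    source: str      # calling workload (assumed naming)
    service: str     # destination service, glob allowed
    methods: tuple   # permitted HTTP methods

class Hop(NamedTuple):
    source: str
    service: str
    method: str

def hop_allowed(hop: Hop, rules: list) -> bool:
    # Deny by default: a hop passes only if some rule explicitly matches it.
    return any(r.source == hop.source and fnmatch(hop.service, r.service)
               and hop.method in r.methods for r in rules)

def first_denied_hop(chain: list, rules: list) -> Optional[Hop]:
    """Return the first hop the policy rejects, or None if the request gets through."""
    for hop in chain:
        if not hop_allowed(hop, rules):
            return hop
    return None

# Constructed call chains for the two URLs used in the walkthrough.
# Only hops into services in the onap namespace are modelled.
MSB_PORTAL = [Hop("istio-ingressgateway", "msb", "GET")]
MULTICLOUD = [Hop("istio-ingressgateway", "msb", "GET"),
              Hop("msb", "multicloud-vio", "GET")]

# Policy state after each step of the walkthrough (rule contents are assumptions).
RBAC_ENABLED_ONLY = []
WITH_INGRESS_RULE = [Rule("istio-ingressgateway", "*", ("GET",))]
WITH_MSB_RULE = WITH_INGRESS_RULE + [Rule("msb", "multicloud*", ("GET",))]

if __name__ == "__main__":
    for name, rules in [("rbac enabled", RBAC_ENABLED_ONLY),
                        ("+ ingress rule", WITH_INGRESS_RULE),
                        ("+ msb rule", WITH_MSB_RULE)]:
        for label, chain in [("msb portal", MSB_PORTAL), ("multicloud", MULTICLOUD)]:
            denied = first_denied_hop(chain, rules)
            print(f"{name:15} {label:11}",
                  "allowed" if denied is None else f"denied at {denied.source}->{denied.service}")
```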
What's next? We will provide a user-friendly Istio UI to manage Istio rules and policies. Comment here to leave your thoughts or join our weekly project meeting if you're interested.