Istio CRD 彙總與 Helm Chart 配置解析
摘要:
序號
名稱
用途
分類
歸屬
1
virtualservices.networking.istio.io
用於路由,定義virtual service
...
| 序號 | 名稱 | 用途 | 分類 | 歸屬 |
|---|---|---|---|---|
| 1 | virtualservices.networking.istio.io | 用於路由,定義virtual service | networking | pilot |
| 2 | destinationrules.networking.istio.io | 用於路由,定義destination rule | ||
| 3 | serviceentries.networking.istio.io | 用於路由,定義service entry | ||
| 4 | gateways.networking.istio.io | 用於路由,定義gateway | ||
| 5 | envoyfilters.networking.istio.io | 使用filter為特定envoy新增特定配置 | ||
| 6 | policies.authentication.istio.io | 用於authn,作用域為namespace | authentication | citadel |
| 7 | meshpolicies.authentication.istio.io | 用於authn,作用域為global | ||
| 8 | httpapispecbindings.config.istio.io | apim | mixer | |
| 9 | httpapispecs.config.istio.io | |||
| 10 | quotaspecbindings.config.istio.io | |||
| 11 | quotaspecs.config.istio.io | |||
| 12 | rules.config.istio.io | mixer rule,用於繫結handler和instance | mixer core | |
| 13 | attributemanifests.config.istio.io | 定義envoy傳遞給mixer的用於policy和telemetry的attribute | ||
| 14 | bypasses.config.istio.io | mixer adapter用於處理從envoy收集的資料 | ||
| 15 | circonuses.config.istio.io | 定義circonus adapter | ||
| 16 | deniers.config.istio.io | 定義dinier adapter | ||
| 17 | fluentds.config.istio.io | 定義fluentd adapter | ||
| 18 | kubernetesenvs.config.istio.io | 定義kubernetesenv adapter | ||
| 19 | listcheckers.config.istio.io | 定義list adapter | ||
| 20 | memquotas.config.istio.io | 定義memquota adapter | ||
| 21 | noops.config.istio.io | |||
| 22 | opas.config.istio.io | 定義opa adapter | ||
| 23 | prometheuses.config.istio.io | 定義prometheus adapter | ||
| 24 | rbacs.config.istio.io | 定義rbac adapter | ||
| 25 | redisquotas.config.istio.io | 定義redisquota adapter | ||
| 26 | servicecontrols.config.istio.io | 定義servicecontrol adapter | ||
| 27 | signalfxs.config.istio.io | 定義signalfx adapter | ||
| 28 | solarwindses.config.istio.io | 定義solarwinds adapter | ||
| 29 | stackdrivers.config.istio.io | 定義stackdriver adapter | ||
| 30 | statsds.config.istio.io | 定義statsd adapter | ||
| 31 | stdios.config.istio.io | 定義stdio adapter | ||
| 32 | apikeys.config.istio.io | 定義apikey template | mixer instance用於定義從envoy收集的資料 | |
| 33 | authorizations.config.istio.io | 定義authorization template | ||
| 34 | checknothings.config.istio.io | 定義checknothing template | ||
| 35 | kuberneteses.config.istio.io | 定義kubernetes template | ||
| 36 | listentries.config.istio.io | 定義listentry template | ||
| 37 | logentries.config.istio.io | 定義logentry template | ||
| 38 | edges.config.istio.io | |||
| 39 | metrics.config.istio.io | 定義metric template | ||
| 40 | quotas.config.istio.io | 定義quota template | ||
| 41 | reportnothings.config.istio.io | 定義reportnothing template | ||
| 42 | servicecontrolreports.config.istio.io | 定義servicecontrolreport template | ||
| 43 | tracespans.config.istio.io | 定義tracespan template | ||
| 44 | rbacconfigs.rbac.istio.io | 用於authz,定義istio的rbac策略 | rbac | |
| 45 | serviceroles.rbac.istio.io | 用於authz,定義service role | ||
| 46 | servicerolebindings.rbac.istio.io | 用於authz,定義service role binding | ||
| 47 | adapters.config.istio.io | others | ||
| 48 | instances.config.istio.io | |||
| 49 | templates.config.istio.io | |||
| 50 | handlers.config.istio.io |
Istio Helm Chart 的安裝配置解析
| 序號 | chart | 檔案 | k8s元件型別 | k8s元件名稱 | 用途 |
|---|---|---|---|---|---|
| 1 | main | _affinity.tpl | 無 | 無 | 用於定義各個元件deployment chart中的nodeAffinity |
| _helpers.tpl | 無 | 無 | 用於定義各個元件chart中一些變數的預設值 | ||
| configmap.yaml | ConfigMap | istio | istio主配置configmap | ||
| crds.yaml | CustomResourceDefinition | 共50個 | istio需要的所有的crd資源 | ||
| install-custom-resources.sh.tpl | 無 | 無 | 用於定義grafana和security chart中configmap中所包含的指令碼,驗證istio-galley validatingwebhookconfiguration已經存在並且部署元件相關其他資源 | ||
| sidecar-injector-configmap.yaml | ConfigMap | istio-sidecar-injector | 用於定義sidecar injector的configmap | ||
| 2 | sidecarInjectorWebhook預設開啟 | _helpers.tpl | 無 | 無 | 用於定義sidecarInjectorWebhook chart中一些變數的預設值 |
| clusterrole.yaml | ClusterRole | istio-sidecar-injector-{{ .Release.Namespace }} | 用於定義sidecarInjectorWebhook使用的clusterrole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }} | 用於定義sidecarInjectorWebhook使用的clusterrolebinding | ||
| deployment.yaml | Deployment | istio-sidecar-injector | 用於定義sidecarInjectorWebhook使用的deployment | ||
| mutatingwebhook.yaml | MutatingWebhookConfiguration | istio-sidecar-injector | 用於定義sidecarInjectorWebhook使用的mutatingwebhookconfiguration | ||
| service.yaml | Service | istio-sidecar-injector | 用於定義sidecarInjectorWebhook使用的service | ||
| serviceaccount.yaml | ServiceAccount | istio-sidecar-injector-service-account | 用於定義sidecarInjectorWebhook使用的serviceaccount | ||
| 3 | security預設開啟 | _helpers.tpl | 無 | 無 | 用於定義security chart中一些變數的預設值 |
| cleanup-secrets.yaml | ServiceAccount | istio-cleanup-secrets-service-account | 在helm刪除istio後對citadel中的secret進行清理 | ||
| ClusterRole | istio-cleanup-secrets-{{ .Release.Namespace }} | ||||
| ClusterRoleBinding | istio-cleanup-secrets-{{ .Release.Namespace }} | ||||
| Job | istio-cleanup-secrets | ||||
| clusterrole.yaml | ClusterRole | istio-citadel-{{ .Release.Namespace }} | 用於定義citadel相關clusterole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-citadel-{{ .Release.Namespace }} | 用於定義citdel相關clusterrolebinding | ||
| configmap.yaml | ConfigMap | istio-security-custom-resources | 用於定義citidel相關configmap,與global values中的mtls.enabled相關,是否啟用全域性的mtls authn | ||
| create-custom-resources-job.yaml | ServiceAccount | istio-security-post-install-account | 在global values的mtls.enabled設定為true後才會生效,建立mtls相關serviceaccount,clusterrole,clusterrolebinding,以及comfigmap中定義的其他相關物件 | ||
| ClusterRole | istio-security-post-install-{{ .Release.Namespace }} | ||||
| ClusterRoleBinding | istio-security-post-install-role-binding-{{ .Release.Namespace }} | ||||
| Job | istio-security-post-install | ||||
| deployment.yaml | Deployment | istio-citadel | 用於定義citadel相關deployment | ||
| enable-mesh-mtls.yaml | MeshPolicy | default | 在global values的mtls.enabled設定為true後,這些資源會寫入configmap | ||
| DestinationRule | default | ||||
| DestinationRule | api-server | ||||
| meshexpansion.yaml | VirtualService | meshexpansion-citadel | 在global values的meshExpansion設定為true後,新建citadel相關virtualservice | ||
| VirtualService | meshexpansion-ilb-citadel | 在global values的meshExpansionILB設定為true後,新建citadel相關virtualservice | |||
| service.yaml | Service | istio-citadel | 用於定義citade相關service | ||
| serviceaccount.yaml | ServiceAccount | istio-citadel-service-account | 用於定義citade相關serviceaccount | ||
| 4 | galley預設開啟 | _helpers.tpl | 無 | 無 | 用於定義galley chart中一些變數的預設值 |
| clusterrole.yaml | ClusterRole | istio-galley-{{ .Release.Namespace }} | 用於定義galley相關clusterrole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-galley-admin-role-binding-{{ .Release.Namespace }} | 用於定義galley相關clusterrolebinding | ||
| configmap.yaml | ConfigMap | istio-galley-configuration | 用於定義galley相關configmap | ||
| deployment.yaml | Deployment | istio-galley | 用於定義galley相關deployment | ||
| service.yaml | Service | istio-galley | 用於定義galley相關service | ||
| serviceaccount.yaml | ServiceAccount | istio-galley-service-account | 用於定義galley相關serviceaccount | ||
| validatingwehookconfiguration.yaml.tpl | ValidatingWebhookConfiguration | istio-galley | 用於定義對pilot和mixer的配置進行驗證,與galley deployment關聯 | ||
| 5 | mixer預設開啟 | _helpers.tpl | 無 | 無 | 用於定義mixer chart中一些變數的預設值 |
| autoscale.yaml | HorizontalPodAutoscaler | istio-policy | 用於定義mixer,包括policy和telemetry的horizontalpodautoscaler | ||
| HorizontalPodAutoscaler | istio-telemetry | ||||
| clusterrole.yaml | ClusterRole | istio-mixer-{{ .Release.Namespace }} | 用於定義mixer相關clusterole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-mixer-admin-role-binding-{{ .Release.Namespace }} | 用於定義mixer相關clusterolebinding | ||
| config.yaml | attributemanifest | istioproxy | 用於定義從envoy到mixer的attributemanifest | ||
| attributemanifest | kubernetes | 用於定義從k8s到mixer的attributemanifest | |||
| stdio | handler | 用於定義stdio handler | |||
| logentry | accesslog | 用於定義http logentry instance | |||
| logentry | tcpaccesslog | 用於定義tcp logentry instance | |||
| rule | stdio | 用於定義從accesslog.logentry到handler.stdio的rule,將accesslog傳送至stdio | |||
| rule | stdiotcp | 用於定義從tcpaccesslog.logentry到handler.stdio的rule,將tcpaccesslog傳送至stdio | |||
| metric | requestcount | 用於定義requestcount metric instance | |||
| metric | requestduration | 用於定義requestduration metric instance | |||
| metric | requestsize | 用於定義requestsize metric instance | |||
| metric | responsesize | 用於定義responsesize metric instance | |||
| metric | tcpbytesent | 用於定義tcpbytesent metric instance | |||
| metric | tcpbytereceived | 用於定義tcpbytereceived metric instance | |||
| prometheus | handler | 用於定義prometheus handler | |||
| rule | promhttp | 用於定義從requestcount.metric,requestduration.metric,requestsize.metric和responsesize.metric到handler.prometheus的rule,將http metric傳送至prometheus | |||
| rule | promtcp | 用於定義從tcpbytesent.metric和tcpbytereceived.metric到handler.prometheus的rule,將tcp metric傳送至prometheus | |||
| kubernetesenv | handler | 用於定義kubernetesenv handler | |||
| rule | kubeattrgenrulerule | 用於定義從attributes.kubernetes到handler.kubernetesenv的rule,生成kubernetes相關attribute | |||
| rule | tcpkubeattrgenrulerule | 用於定義從attributes.kubernetes到handler.kubernetesenv的rule,生成kubernetes tcp相關attribute | |||
| kubernetes | attributes | 用於定義kubernetes相關attribute instance | |||
| DestinationRule | istio-policy | 用於定義istio-policy相關destinationrule | |||
| DestinationRule | istio-telemetry | 用於定義istio-telemetry相關destinationrule | |||
| configmap.yaml | ConfigMap | istio-statsd-prom-bridge | 用於定義istio-statsd-prom-bridge相關configmap | ||
| deployment.yaml | Deployment | istio-policy | 用於定義istio-policy相關deployment | ||
| Deployment | istio-telemetry | 用於定義istio-telemetry相關deployment | |||
| service.yaml | Service | istio-policy | 用於定義istio-policy相關service | ||
| Service | istio-telemetry | 用於定義istio-telemetry相關service | |||
| serviceaccount.yaml | ServiceAccount | istio-mixer-service-account | 用於定義mixer相關serviceaccount | ||
| statsdtoprom.yaml | Service | istio-statsd-prom-bridge | 用於定義istio-statsd-prom-bridge相關service | ||
| Deployment | istio-statsd-prom-bridge | 用於定義istio-statsd-prom-bridge相關deployment | |||
| 6 | pilot預設開啟 | autoscale.yaml | horizontalPodAutoscaler | istio-pilot | 用於定義pilot相關horizontalpodautoscaler |
| clusterrole.yaml | ClusterRole | istio-pilot | 用於定義pilot相關clusterrole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-pilot | 用於定義pilot相關clusterrolebinding | ||
| deployment.yaml | Deployment | istio-pilot | 用於定義pilot相關deployment | ||
| gateway.yaml | Gateway | istio-autogenerated-k8s-ingress | 用於定義pilot相關gateway,預設向前相容,使用ingress | ||
| Gateway | meshexpansion-gateway | 用於定義pilot相關gateway,如果global.meshExpansion設定為true,則將pilot暴露在gateway | |||
| Gateway | meshexpansion-ilb-gateway | 用於定義pilot相關gateway,如果global.meshExpansionILB設定為true,則將pilot暴露在internal gateway | |||
| meshexpansion.yaml | VirtualService | meshexpansion-pilot | 在global values的meshExpansion設定為true後,新建pilot相關virtualservice | ||
| VirtualService | ilb-meshexpansion-pilot | 在global values的meshExpansionILB設定為true後,新建pilot相關virtualservice | |||
| service.yaml | Service | istio-pilot | 用於定義pilot相關service | ||
| serviceaccount.yaml | ServiceAccount | istio-pilot-service-account | 用於定義pilot相關serviceaccount | ||
| 7 | gateways預設開啟 | autoscale.yaml | horizontalPodAutoscaler | istio-ingressgateway | 用於定義ingressgateway相關horizontalpodautoscaler |
| horizontalPodAutoscaler | istio-egressgateway | 用於定義egressgateway相關horizontalpodautoscaler | |||
| horizontalPodAutoscaler | istio-ilbgateway | 用於定義ilbgateway相關horizontalpodautoscaler,預設關閉,只支援gcp | |||
| clusterrole.yaml | ClusterRole | istio-ingressgateway-{{ $.Release.Namespace }} | 用於定義ingressgateway相關clusterrole | ||
| ClusterRole | istio-egressgateway-{{ $.Release.Namespace }} | 用於定義egressgateway相關clusterrole | |||
| ClusterRole | istio-ilbgateway-{{ $.Release.Namespace }} | 用於定義ilbgateway相關clusterrole,預設關閉,只支援gcp | |||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-ingressgateway-{{ $.Release.Namespace }} | 用於定義ingressgateway相關clusterrolebinding | ||
| ClusterRoleBinding | istio-egressgateway-{{ $.Release.Namespace }} | 用於定義egressgateway相關clusterrolebinding | |||
| ClusterRoleBinding | istio-ilbgateway-{{ $.Release.Namespace }} | 用於定義ilbgateway相關clusterrolebindig,預設關閉,只支援gcp | |||
| deployment.yaml | Deployment | istio-ingressgateway | 用於定義ingressgateway相關deployment | ||
| Deployment | istio-egressgateway | 用於定義egressgateway相關deployment | |||
| Deployment | istio-ilbgateway | 用於定義ilbgateway相關deployment,預設關閉,只支援gcp | |||
| service.yaml | Service | istio-ingressgateway | 用於定義ingressgateway相關service | ||
| Service | istio-egressgateway | 用於定義egressgateway相關service | |||
| Service | istio-ilbgateway | 用於定義ilbgateway相關service,預設關閉,只支援gcp | |||
| serviceaccount.yaml | ServiceAccount | istio-ingressgateway-service-account | 用於定義ingressgateway相關serviceaccount | ||
| ServiceAccount | istio-egressgateway-service-account | 用於定義egressgateway相關serviceaccount | |||
| ServiceAccount | istio-ilbgateway-service-account | 用於定義ilbgateway相關serviceaccount,預設關閉,只支援gcp | |||
| 8 | prometheus預設開啟 | _helpers.tpl | 無 | 無 | 用於定義prometheus chart中一些變數的預設值 |
| clusterrole.yaml | ClusterRole | prometheus-{{ .Release.Namespace }} | 用於定義prometheus相關clusterrole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | prometheus-{{ .Release.Namespace }} | 用於定義prometheus相關clusterrolebinding | ||
| configmap.yaml | ConfigMap | prometheus | 用於定義prometheus相關configmap | ||
| deployment.yaml | Deployment | prometheus | 用於定義prometheus相關deployment | ||
| service.yaml | Service | prometheus | 用於定義prometheus相關service | ||
| serviceaccount.yaml | ServiceAccount | prometheus | 用於定義prometheus相關serviceaccount | ||
| 9 | telemetry-gateway預設關閉 | gateway.yaml | Gateway | istio-telemetry-gateway | 用於定義prometheus和grafana的gateway,如果prometheusEnabled設定為true,則新增prometheus相關gateway配置,如果grafanaEnabled設定為true,則新增grafana相關gateway配置 |
| DestinationRule | grafana | 定義prometheus相關destinationrule | |||
| DestinationRule | prometheus | 定義grafana相關destinationrule | |||
| VirtualService | telemetry-virtual-service | 用於定義prometheus和grafana的virtualservice,如果prometheusEnabled設定為true,則新增prometheus相關virtualservice配置,如果grafanaEnabled設定為true,則新增grafana相關virtualservice配置 | |||
| 10 | ingress預設關閉legacy ingress support | autoscale.yaml | HorizontalPodAutoscaler | istio-ingress | 用於定義ingress相關horizontalpodautoscaler |
| clusterrole.yaml | ClusterRole | istio-ingress-{{ .Release.Namespace }} | 用於定義ingress相關clusterrole | ||
| clusterrolebinding.yaml | ClusterRoleBinding | istio-ingress-{{ .Release.Namespace }} | 用於定義ingress相關clusterrolebinding | ||
| deployment.yaml | Deployment | istio-ingress | 用於定義ingress相關deployment | ||
| service.yaml | Service | istio-ingress | 用於定義ingress相關service | ||
| serviceaccount.yaml | ServiceAccount | istio-ingress-service-account | 用於定義ingress相關serviceaccount | ||
| 11 | grafana預設關閉 | _helpers.tpl | 無 | 無 | 用於定義grafana chart中一些變數的預設值 |
| configmap.yaml | ConfigMap | istio-grafana-custom-resources | 用於定義grafana相關configmap | ||
| create-custom-resources-job.yaml | ServiceAccount | istio-grafana-post-install-account | 用於定義grafana post install相關serviceaccount | ||
| ClusterRole | istio-grafana-post-install-{{ .Release.Namespace }} | 用於定義grafana post install相關clusterrole | |||
| ClusterRoleBinding | istio-grafana-post-install-role-binding-{{ .Release.Namespace }} | 用於定義grafana post install相關clusterrolebinding | |||
| Job | istio-grafana-post-install | 用於定義grafana post install相關job | |||
| deployment.yaml | Deployment | grafana | 用於定義grafana相關deployment | ||
| grafana-ports-mtls.yaml | Policy | grafana-ports-mtls-disabled | 對grafana訪問開啟mtls | ||
| pvc.yaml | PersistentVolumeClaim | istio-grafana-pvc | 如果persist設定為true,則為grafana新建pvc和pv | ||
| secret.yaml | Secret | grafana | 如果security.enabled設定為true,則為grafana啟用authn | ||
| service.yaml | Service | grafana | 用於定義grafana相關service | ||
| 12 | servicegraph預設關閉 | _helpers.tpl | 無 | 無 | 用於定義servicegraph chart中一些變數的預設值 |
| deployment.yaml | Deployment | servicegraph | 用於定義servicegraph相關deployment | ||
| ingress.yaml | Ingress | servicegraph | 用於定義servicegraph相關ingress | ||
| service.yaml | Service | servicegraph | 用於定義servicegraph相關service | ||
| 13 | tracing預設關閉 | _helpers.tpl | 無 | 無 | 用於定義tracing chart中一些變數的預設值 |
| deployment.yaml | Deployment | istio-tracing | 用於定義jaeger tracing相關deployment | ||
| ingress-jaeger.yaml | Ingress | jaeger-query | 用於定義jaeger tracing相關ingress | ||
| ingress.yaml | Ingress | tracing | 用於定義zipkin tracing相關ingress | ||
| service-jaeger.yaml | Service | jaeger-query | 用於定義jaeger tracing query相關service | ||
| Service | jaeger-collector | 用於定義jaeger tracing collector相關service | |||
| Service | jaeger-agent | 用於定義jaeger tracing agent相關service | |||
| service.yaml | Service | zipkin | 用於定義zipkin tracing相關service | ||
| Service | tracing | 用於定義jaeger tracing相關service | |||
| 14 | kiali預設關閉 | clusterrole.yaml | ClusterRole | kiali | 用於定義kiali相關clusterrole |
| clusterrolebinding.yaml | ClusterRoleBinding | istio-kiali-admin-role-binding-{{ .Release.Namespace }} | 用於定義kiali相關clusterrolebinding | ||
| configmap.yaml | ConfigMap | kiali | 用於定義kiali相關configmap | ||
| deployment.yaml | Deployment | kiali | 用於定義kiali相關deployment | ||
| ingress.yaml | Ingress | kiali | 用於定義kiali相關ingress | ||
| secrets.yaml | Secret | kiali | 用於定義kiali相關secret | ||
| service.yaml | Service | kiali | 用於定義kiali相關service | ||
| serviceaccount.yaml | ServiceAccount | kiali-service-account | 用於定義kiali相關serviceaccount | ||
| 15 | certmanager預設關閉 | _helpers.tpl | 無 | 無 | 用於定義certmanager chart中一些變數的預設值 |
| crds.yaml | CustomResourceDefinition | clusterissuers.certmanager.k8s.io | 用於定義certmanager相關crd | ||
| CustomResourceDefinition | issuers.certmanager.k8s.io | ||||
| CustomResourceDefinition | certificates.certmanager.k8s.io | ||||
| deployment.yaml | Deployment | certmanager | 用於定義certmanager相關deployment | ||
| issuer.yaml | ClusterIssuer | letsencrypt-staging | 用於定義certmanager相關clusterissuer | ||
| ClusterIssuer | letsencrypt | ||||
| rbac.yaml | ClusterRole | certmanager | 用於定義certmanager相關clusterrole | ||
| ClusterRoleBinding | certmanager | 用於定義certmanager相關clusterrolebinding | |||
| certmanager | ServiceAccount | certmanager | 用於定義certmanager相關serviceaccount |