Istio Microservice Governance

Istio Overview

• Connect
  - Traffic management
  - Load balancing
  - Canary release
• Secure
  - Authentication
  - Authorization
• Control
  - Rate limiting
  - ACL
• Observe
  - Monitoring
  - Distributed tracing

Deploying Istio

tar zxvf istio-1.8.2-linux.tar.gz
cd istio-1.8.2
cp bin/istioctl /usr/bin
istioctl install
kubectl get pods -n istio-system
kubectl get svc -n istio-system

# Uninstall:
istioctl manifest generate | kubectl delete -f -

Sidecar Injection: Deploying the httpbin Web Example

Deployment

cd istio-1.8.2/samples/httpbin

# Manual injection
istioctl kube-inject -f httpbin-nodeport.yaml |kubectl apply -f -

[root@k8s-m1 httpbin]# kubectl get pod
NAME                      READY   STATUS    RESTARTS   AGE
httpbin-db6dd7888-rp7cm   2/2     Running   0          4m12s

# Automatic injection (label the namespace to enable automatic injection)
[root@k8s-m1 httpbin]# kubectl create ns test
namespace/test created

[root@k8s-m1 httpbin]# kubectl label namespace test istio-injection=enabled   
namespace/test labeled

[root@k8s-m1 httpbin]# kubectl create deployment web --image=nginx -n test
deployment.apps/web created

[root@k8s-m1 httpbin]# kubectl get pod -n test
NAME                  READY   STATUS    RESTARTS   AGE
web-96d5df5c8-fr2cq   2/2     Running   0          3m10s

# Deploy the gateway
[root@k8s-m1 httpbin]# kubectl apply -f httpbin-gateway.yaml 
[root@k8s-m1 httpbin]# kubectl get svc -n istio-system
NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.0.0.136   <pending>     15021:30103/TCP,80:32110/TCP,443:32181/TCP,15012:31888/TCP,15443:30731/TCP   40m
istiod                 ClusterIP      10.0.0.7     <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP  

http://192.168.153.25:32110/

Access Flow Diagram

[Figure: access flow diagram]

Core Istio Traffic Management Resources

VirtualService

VirtualService
• Defines routing rules
• Describes where requests that match given conditions are sent

--------------------------------------------------------------------------------

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin    # Service name
        port:
          number: 8000   # Service port
          
--------------------------------------------------------------------------------
# List the virtual services that have been created
[root@k8s-m1 httpbin]# kubectl get vs
NAME      GATEWAYS              HOSTS   AGE
httpbin   ["httpbin-gateway"]   ["*"]   19m

DestinationRule

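DestinationRule: defines the real addresses behind a virtual service's route destination, i.e. the subsets.
It supports several load-balancing policies:
• Random
• Weighted
• Least requests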

---------------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx
spec:
  host: nginx
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

Gateway

Features currently supported by Gateway:
• L4-L7 load balancing
• HTTPS and mTLS
• Traffic mirroring, circuit breaking, and more

---------------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

Canary Release: Deploying the Bookinfo Microservice Project

Overview

Service       Description      Calls
productpage   Home page        reviews, details
reviews       Review content   ratings
details       Detail content
ratings       Ratings

Deployment

# Create the namespace and enable automatic injection
kubectl create ns bookinfo
kubectl label namespace bookinfo istio-injection=enabled

# Deploy the application YAML
cd istio-1.8.2/samples/bookinfo
kubectl apply -f platform/kube/bookinfo.yaml -n bookinfo
kubectl get pod -n bookinfo

[root@k8s-m1 kube]# kubectl get pod -n bookinfo
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-79c697d759-kqktb       2/2     Running   0          17m
productpage-v1-65576bb7bf-tdt8g   2/2     Running   0          17m
ratings-v1-7d99676f7f-b975f       2/2     Running   0          17m
reviews-v1-987d495c-ldzhs         2/2     Running   0          17m
reviews-v2-6c5bf657cf-xpzrv       2/2     Running   0          17m
reviews-v3-5f7b9f4f77-wsdps       2/2     Running   0          17m

# Create the ingress gateway
kubectl apply -f networking/bookinfo-gateway.yaml -n bookinfo

kubectl get pods,svc -n istio-system
Access URL: http://192.168.153.25:32110/productpage

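Weight-Based Routing

1. Send all traffic to reviews v1 (no stars).
2. Send 90% of the traffic to reviews v1 and the other 10% to reviews v2 (five black stars), then switch over to v2 completely.
3. Send 50% of the traffic to v2 and the other 50% to v3 (five red stars).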

kubectl apply -f networking/virtual-service-all-v1.yaml -n bookinfo
kubectl apply -f networking/destination-rule-all.yaml -n bookinfo
kubectl apply -f networking/virtual-service-reviews-90-10.yaml -n bookinfo
kubectl apply -f networking/virtual-service-reviews-v2-v3.yaml -n bookinfo

Request-Content-Based Routing

1. Send a specific user's requests to reviews v2 (five black stars); other users are unaffected (v3).

kubectl apply -f networking/virtual-service-reviews-jason-v2-v3.yaml -n bookinfo
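
The sample files above are applied without showing their contents. The following added example (written for this page, not copied from samples/bookinfo) combines both techniques in one VirtualService: requests carrying the end-user: jason header are pinned to v2, and everything else is split 90/10 between v1 and v2. It assumes the subsets from destination-rule-all.yaml are applied and that productpage forwards the logged-in user name in the end-user header.

```yaml
# Added example, not one of the files under samples/bookinfo/networking.
# Assumes the reviews subsets v1/v2/v3 from destination-rule-all.yaml exist.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated top to bottom; the first match wins.
  # The end-user header only selects a route. It is set by productpage
  # after login and is not an access control.
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  # Everyone else: 90/10 canary split. The weights must sum to 100.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
```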

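Workflow

[Figure: workflow]

Summary

1. Add a "version: v1" label to the pod labels in the Deployment.
2. Deploy the Deployment and bring it into Istio.
3. The destination rule manages the service version labels.
4. The virtual service implements the canary release.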

Traffic Mirroring

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx 
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "nginx.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx 
spec:
  hosts:
  - "nginx.aliangedu.cn"
  gateways:
  - nginx 
  http:
  - route:
    - destination:
        host: nginx 
        subset: v1
      weight: 100
    mirror:
      host: nginx
      subset: v2
    mirror_percent: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx 
spec:
  host: nginx 
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

Exposing the Application to the Internet

Configure nginx

    server {
        listen       80 default_server;
        server_name  _;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_pass http://192.168.153.25:32110;
        }
    }

Configure the Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.aliangedu.cn"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
--------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx 
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "nginx.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx 
spec:
  hosts:
  - "nginx.aliangedu.cn"
  gateways:
  - nginx 
  http:
  - route:
    - destination:
        host: nginx 
        subset: v1
      weight: 100
    mirror:
      host: nginx
      subset: v2
    mirror_percent: 100    

Access the Sites

http://httpbin.aliangedu.cn/
http://nginx.aliangedu.cn/
http://bookinfo.aliangedu.cn/productpage

Visual Monitoring

crds.yaml

[root@k8s-m1 addons]# pwd
/root/istio/istio-1.8.2/samples/addons

# Apply this first
/istio-1.8.2/samples/addons

---
# Source: crds/crds.yaml
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: monitoringdashboards.monitoring.kiali.io
spec:
  group: monitoring.kiali.io
  names:
    kind: MonitoringDashboard
    listKind: MonitoringDashboardList
    plural: monitoringdashboards
    singular: monitoringdashboard
  scope: Namespaced
  versions:
  - name: v1alpha1
    served: true
    storage: true    
    

Change the Service Type to NodePort

kiali.yaml

spec:
  ports:
  - name: http
    protocol: TCP
    port: 20001
  - name: http-metrics
    protocol: TCP
    port: 9090
  selector:
    app.kubernetes.io/name: kiali
    app.kubernetes.io/instance: kiali-server
  type: NodePort
  
------------------------------------------------------------------------------
grafana.yaml

    app.kubernetes.io/managed-by: Helm
spec:
  type: NodePort
  ports:
    - name: service
      port: 3000
      protocol: TCP
      targetPort: 3000

------------------------------------------------------------------------------
jaeger.yaml
spec:
  type: NodePort
  ports:
    - name: http-query
      port: 80
      protocol: TCP
      targetPort: 16686
  selector:
    app: jaeger      

Deploy the Services

kubectl apply -f crds.yaml -n istio-system
kubectl apply -f prometheus.yaml -n istio-system
kubectl apply -f grafana.yaml -n istio-system
kubectl apply -f jaeger.yaml -n istio-system
kubectl apply -f kiali.yaml -n istio-system



service/grafana                NodePort       10.0.0.70    <none>        3000:31397/TCP                                                                
service/kiali                  NodePort       10.0.0.26    <none>        9090:30584/TCP                                         
service/tracing                NodePort       10.0.0.177   <none>        80:31205/TCP


kiali

http://192.168.153.25:30235/

grafana

http://192.168.153.25:31397/

jaeger

http://192.168.153.25:31205/

Example: Managing the Order Microservice with Istio

order.yaml

apiVersion: apps/v1
kind: Deployment 
metadata:
  name: order
  namespace: ms 
spec:
  replicas: 1
  selector:
    matchLabels:
      project: ms
      app: order
      version: v1
  template:
    metadata:
      labels:
        project: ms 
        app: order
        version: v1
    spec:
      imagePullSecrets:
      - name: registry-pull-secret
      containers:
      - name: order
        image: 192.168.153.20/ms/order:v1
        ports:
          - protocol: TCP
            containerPort: 8020 
        resources:
          requests:
            cpu: 0.5
            memory: 256Mi
          limits:
            cpu: 2
            memory: 2Gi
        readinessProbe:
          tcpSocket:
            port: 8020
          initialDelaySeconds: 60
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8020
          initialDelaySeconds: 60
          periodSeconds: 10
          
          
          
----------------------------------------------------------------------------
# The manifest includes a version label;
# hand it over to istioctl for management
[root@k8s-m1 order]# istioctl kube-inject -f order.yaml |kubectl apply -f -


service.yaml

[root@k8s-m1 order]# vi service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: order
  name: order
spec:
  ports:
  - port: 8020
    protocol: TCP
    targetPort: 8020
  selector:
    app: order
 
---------------------------------------------------------------------------------- 
[root@k8s-m1 order]# kubectl apply -f service.yaml -n ms
 

 curl 10.0.0.153:8020/queryAllOrder
 
 
 

Verification

[root@k8s-m1 order]# kubectl get pod,svc -n ms
NAME                         READY   STATUS    RESTARTS   AGE
pod/eureka-0                 1/1     Running   1          85m
pod/eureka-1                 1/1     Running   0          84m
pod/eureka-2                 1/1     Running   1          83m
pod/mysql-85ff654cdf-gk4dm   1/1     Running   1          4h4m
pod/order-5446c6b8fd-prs4r   2/2     Running   0          17m

NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
service/eureka   ClusterIP   None         <none>        8888/TCP   85m
service/mysql    ClusterIP   10.0.0.40    <none>        3306/TCP   4h4m
service/order    ClusterIP   10.0.0.153   <none>        8020/TCP   36m

[root@k8s-m1 order]#  curl 10.0.0.153:8020/queryAllOrder
{"status":200,"msg":"success","result":[{"id":1,"orderNumber":"0j889r86wo0tng9x","orderProductName":"美女","orderPrice":999.0,"count":1,"buyDate":"2021-12-21T03:40:32.000+0000"},{"id":2,"orderNumber":"9ep7iugx2topgwe9","orderProductName":"貂皮大衣很厚很厚的那种","orderPrice":9999.0,"count":1,"buyDate":"2021-12-22T12:25:42.000+0000"},{"id":3,"orderNumber":"cb30ynaukc61riu1","orderProductName":"测试商品1","orderPrice":99.99,"count":1,"buyDate":"2021-12-22T12:31:23.000+0000"}]}

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: order 
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "order.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: order 
spec:
  hosts:
  - "order.aliangedu.cn"
  gateways:
  - order 
  http:
  - route:
    - destination:
        host: order 
        subset: v1
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: order 
spec:
  host: order 
  subsets:
  - name: v1
    labels:
      version: v1

------------------------------------------------------------------------------
http://order.aliangedu.cn/queryAllOrder