How Do You Actually Use the Much-Watched Cilium Service Mesh? A Hands-On Walkthrough

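This article walks through deploying and testing Cilium Service Mesh in detail, including loading images, deploying test services, configuring Envoy, and testing with curl. During testing, signs of the Envoy proxy were observed in the request headers, and a request rewrite policy was implemented through CiliumEnvoyConfig.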

namespace/metallb-system created
➜ cilium-mesh kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
secret/memberlist created
➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/metallb.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
role.rbac.authorization.k8s.io/controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
rolebinding.rbac.authorization.k8s.io/controller created
daemonset.apps/speaker created
deployment.apps/controller created
➜ cilium-mesh docker network inspect -f '{{.IPAM.Config}}' kind
[{172.18.0.0/16 172.18.0.1 map[]} {fc00:f853:ccd:e793::/64 fc00:f853:ccd:e793::1 map[]}]
➜ cilium-mesh vim kind-lb-cm.yaml
➜ cilium-mesh cat kind-lb-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 172.18.255.200-172.18.255.250
➜ cilium-mesh kubectl apply -f kind-lb-cm.yaml
configmap/config created


Loading the image

Here we use hashicorp/http-echo:0.2.3 as the sample program; it responds with different content depending on its startup arguments.

➜ cilium-mesh docker pull hashicorp/http-echo:0.2.3
0.2.3: Pulling from hashicorp/http-echo
86399148984b: Pull complete
Digest: sha256:ba27d460cd1f22a1a4331bdf74f4fccbc025552357e8a3249c40ae216275de96
Status: Downloaded newer image for hashicorp/http-echo:0.2.3
docker.io/hashicorp/http-echo:0.2.3
➜ cilium-mesh kind load docker-image hashicorp/http-echo:0.2.3
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker2", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-control-plane", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker3", loading...


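Deploying the test services

All configuration files in this article are available in the github.com/tao12345666… repository.

We deploy the test services with the following configuration: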

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=foo"
    name: foo-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: foo-app
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=bar"
    name: bar-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: bar-app


Create the following Ingress resource file:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cilium-ingress
  namespace: default
spec:
  ingressClassName: cilium
  rules:
  - http:
      paths:
      - backend:
          service:
            name: foo-app
            port:
              number: 5678
        path: /foo
        pathType: Prefix
      - backend:
          service:
            name: bar-app
            port:
              number: 5678
        path: /bar
        pathType: Prefix
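
The two Prefix rules in this Ingress decide which request paths reach a backend through the LoadBalancer address. The following is an added example, not code from the original article or from Cilium: it models the Prefix matching rules documented for the Kubernetes Ingress API (element by element, case-sensitive, longest match wins). The helper names `prefix_matches` and `route` are hypothetical, and how a particular controller normalizes unusual paths (for example repeated slashes) is an assumption to check against the cluster.

```python
# Added example: a model of Kubernetes Ingress "pathType: Prefix" matching
# for the two rules on this page. It does not call Cilium or Envoy.

# (path, backend service) pairs copied from the Ingress manifest on this page.
RULES = [("/foo", "foo-app"), ("/bar", "bar-app")]


def _elements(path):
    """Split a URL path into its non-empty '/'-separated elements."""
    return [e for e in path.split("/") if e]


def prefix_matches(rule_path, request_path):
    """True if request_path matches rule_path under pathType: Prefix.

    Matching is done per path element, so /foo matches /foo, /foo/ and
    /foo/x, but not /foobar. Comparison is case-sensitive.
    """
    rule, req = _elements(rule_path), _elements(request_path)
    return req[:len(rule)] == rule


def route(request_url_path, rules=RULES):
    """Return the backend service for a request path, or None if no rule matches."""
    path = request_url_path.split("?", 1)[0]  # the query string is not part of the path
    matches = [(len(_elements(p)), svc) for p, svc in rules if prefix_matches(p, path)]
    if not matches:
        return None
    return max(matches)[1]  # the longest matching prefix takes precedence


if __name__ == "__main__":
    # Constructed request paths; "/", "/foo" and "/bar" are the ones curl'd in the article.
    for p in ["/", "/foo", "/foo/", "/foo/admin", "/foobar", "/Foo", "/bar?x=1", "/baz"]:
        print(f"{p:12} -> {route(p)}")
```

Everything under /foo/ and /bar/ is reachable through the Ingress, not only the two exact paths, which matters when a backend serves more than one endpoint.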


Create the Ingress resource; you can then see that a new Service of type LoadBalancer has been created.

➜ cilium-mesh kubectl apply -f cilium-ingress.yaml
ingress.networking.k8s.io/cilium-ingress created
➜ cilium-mesh kubectl get svc
NAME                            TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)        AGE
bar-app                         ClusterIP      10.96.229.141   <none>           5678/TCP       106s
cilium-ingress-cilium-ingress   LoadBalancer   10.96.161.128   172.18.255.200   80:31643/TCP   4s
foo-app                         ClusterIP      10.96.166.212   <none>           5678/TCP       106s
kubernetes                      ClusterIP      10.96.0.1       <none>           443/TCP        81m
➜ cilium-mesh kubectl get ing
NAME             CLASS    HOSTS   ADDRESS          PORTS   AGE
cilium-ingress   cilium   *       172.18.255.200   80      1m


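Testing

Test access with curl; the responses match the configuration in the Ingress resource. Looking at the response headers, we can see that the proxying here is in fact still done by Envoy.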

➜ cilium-mesh curl 172.18.255.200
➜ cilium-mesh curl 172.18.255.200/foo
foo
➜ cilium-mesh curl 172.18.255.200/bar
bar
➜ cilium-mesh curl -I 172.18.255.200/bar
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
Content-Type: text/plain; charset=ut
