Introduction to Istio
From the official site:
Istio is an open source service mesh that layers transparently onto existing distributed applications. Istio's powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring, with few or no changes to service code. Its powerful control plane brings vital features, including:
Secure service-to-service communication in a cluster with TLS encryption and strong identity-based authentication and authorization
Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic
Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection
A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas
Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress
Istio is designed for extensibility and can handle a diverse range of deployment needs. Istio's control plane runs on Kubernetes; you can add applications deployed in that cluster to your mesh, extend the mesh to other clusters, or even connect VMs or other endpoints running outside of Kubernetes.
Downloading Istio
The required release can be downloaded from GitHub (Istio release list).
Which version to download depends on the Kubernetes version in use; the compatibility between the two is published on the Istio site:
Istio and Kubernetes version mapping
Installation
[root@host15 install]# pwd
/opt/install
[root@host15 install]# tar -xvf istio-1.11.5-linux-amd64.tar.gz
Add the bin directory to PATH
[root@host15 bin]# pwd
/opt/install/istio-1.11.5/bin
[root@host15 bin]# vi ~/.bash_profile
PATH=$PATH:$HOME/bin:/opt/install/istio-1.11.5/bin
export PATH
[root@host15 bin]# source ~/.bash_profile
[root@host15 bin]# istioctl install --set profile=demo -y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.11/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
! values.global.jwtPolicy is deprecated; use Values.global.jwtPolicy=third-party-jwt. See http://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for more information instead
✔ Istio core installed
✘ Istiod encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
Deployment/istio-system/istiod (container failed to start: ContainerCreating: )
✘ Egress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the conditionsyst...
Deployment/istio-system/istio-egressgateway (container failed to start: ContainerCreating: )
✘ Ingress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
Deployment/istio-system/istio-ingressgateway (container failed to start: ContainerCreating: )
- Pruning removed resources Error: failed to install manifests: errors occurred during operation
[root@host15 bin]# kc get pod -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-5687888d49-7mv6h 0/1 ContainerCreating 0 7m9s
istio-ingressgateway-68d4676d4c-jlt9f 0/1 ContainerCreating 0 7m10s
istiod-79db5565b6-ckz5g 0/1 ContainerCreating 0 12m
[root@host15 bin]# kc describe pod istiod-79db5565b6-ckz5g -n istio-system
....
error: code = Unknown desc = failed to set up sandbox container "b290ad7e4dc0009e27d0132ef355c07800edfdbc525ce2f9c11c6bb60f1c949c" network for pod "istiod-79db5565b6-ckz5g": networkPlugin cni failed to set up pod "istiod-79db5565b6-ckz5g_istio-system" network: open /run/flannel/subnet.env: no such file or directory
The error message shows that /run/flannel/subnet.env is missing; that file is written by the flannel CNI plugin, so flannel is not yet deployed. The manifest for it was found online (take it from the flannel project's own releases); applying it on the Kubernetes master node is enough:
kc apply -f kube-flannel.yml
Uninstall Istio and install it again
[root@host15 flannel]# istioctl manifest generate --set profile=demo | kubectl delete --ignore-not-found=true -f -
......
[root@host15 flannel]# kubectl delete namespace istio-system
namespace "istio-system" deleted
[root@host15 flannel]# istioctl install --set profile=demo -y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.11/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
! values.global.jwtPolicy is deprecated; use Values.global.jwtPolicy=third-party-jwt. See http://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for more information instead
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/kWULBRjUv7hHci7T6
[root@host15 flannel]#
Deploying the bookinfo application
Before deploying, label the default namespace so that the Envoy sidecar is injected automatically
[root@host15 flannel]# kubectl label namespace default istio-injection=enabled
namespace/default labeled
[root@host15 flannel]#
Deploy bookinfo
[root@host15 istio-1.11.5]# pwd
/opt/install/istio-1.11.5
[root@host15 istio-1.11.5]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
[root@host15 istio-1.11.5]# kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.1.205.19 <none> 9080/TCP 64s
kubernetes ClusterIP 10.1.0.1 <none> 443/TCP 3h26m
productpage ClusterIP 10.1.46.148 <none> 9080/TCP 64s
ratings ClusterIP 10.1.192.50 <none> 9080/TCP 64s
reviews ClusterIP 10.1.254.170 <none> 9080/TCP 64s
[root@host15 istio-1.11.5]# kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-66b6955995-7bv68 2/2 Running 0 87s
productpage-v1-5d9b4c9849-b2l5p 0/2 PodInitializing 0 87s
ratings-v1-fd78f799f-pf6sc 2/2 Running 0 87s
reviews-v1-6549ddccc5-zggpx 2/2 Running 0 87s
reviews-v2-76c4865449-6gdsw 0/2 PodInitializing 0 87s
reviews-v3-6b554c875-zh7lj 0/2 PodInitializing 0 87s
[root@host15 istio-1.11.5]#
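One check that belongs right after the injection label and the pod listing, as an added example rather than anything from the post: a small POSIX shell function that scans `kubectl get pods` output for pods that are stuck or that were never injected and so sit outside the mesh's mTLS and authorization policies. The sample listing and the `legacy-app` pod name are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). A pod whose READY column reads 1/1 has only
# its application container: no Envoy sidecar was injected (created before the namespace
# label, or in a namespace without it), so no mesh policy applies to it. In a live cluster
# pipe real output in:  kubectl get pods -n default | check_pods
# Follow up with `istioctl verify-install` and `istioctl proxy-status`.

check_pods() {
  # Prints "<pod> <reason>" per problem pod on stdout; exits 1 if any were found.
  awk '
    $1 == "NAME" { next }                              # skip the header line
    {
      split($2, r, "/")                                # READY column is ready/total
      if (r[2] + 0 == 1) { print $1, "no-sidecar"; bad = 1; next }
      if (r[1] != r[2])  { print $1, "not-ready:" $3; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample listing modelled on the post's output, plus one hypothetical pod
# created before the namespace label and therefore running without a sidecar.
SAMPLE='NAME READY STATUS RESTARTS AGE
details-v1-66b6955995-7bv68 2/2 Running 0 87s
productpage-v1-5d9b4c9849-b2l5p 0/2 PodInitializing 0 87s
legacy-app-7f9c8d5b4-x2k9q 1/1 Running 0 5m
reviews-v1-6549ddccc5-zggpx 2/2 Running 0 87s'

# Number of problem pods in the sample, printed on stdout.
count_problems() {
  printf '%s\n' "$SAMPLE" | check_pods | wc -l | tr -d ' '
}

# Reason reported for one named pod (empty when the pod is healthy).
reason_for() {
  printf '%s\n' "$SAMPLE" | check_pods | awk -v p="$1" '$1 == p { print $2 }'
}

count_problems   # prints 2
```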
Verify that the deployment succeeded
[root@host15 istio-1.11.5]# kc get service -n istio-system -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
istio-egressgateway ClusterIP 10.1.108.168 <none> 80/TCP,443/TCP 29m app=istio-egressgateway,istio=egressgateway
istio-ingressgateway LoadBalancer 10.1.50.232 <pending> 15021:31483/TCP,80:30581/TCP,443:32362/TCP,31400:32397/TCP,15443:30091/TCP 29m app=istio-ingressgateway,istio=ingressgateway
istiod ClusterIP 10.1.242.114 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 29m app=istiod,istio=pilot
[root@host15 istio-1.11.5]# curl http://10.1.50.232/productpage
<!DOCTYPE html>
<html>
<head>
<title>Simple Bookstore App</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="static/bootstrap/css/bootstrap.min.css">
<!-- Optional theme -->
<link rel="stylesheet" href="static/bootstrap/css/bootstrap-theme.min.css">
</head>
<body>
<nav class="navbar navbar-inverse navbar-static-top">
<div class="container">
<div class="navbar-header">
<a class="navbar-brand" href="#">BookInfo Sample</a>
</div>
<button type="button" class="btn btn-default navbar-btn navbar-right" data-toggle="modal" href="#login-modal">Sign
in</button>
</div>
</nav>
The IP of my host16 node VM is 192.168.220.16, so the following address can also be opened in a browser on my workstation:
http://192.168.220.16:30581/productpage