This is a record of some of the Istio traffic-governance configuration; it mainly follows the official documentation.
Traffic management
Connection pool management and circuit breaking
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
    meta.helm.sh/release-name: mesh-demo
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2022-07-13T07:37:22Z"
  generation: 7
  labels:
    app.kubernetes.io/managed-by: Helm
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "18084867"
  uid: 556f20f9-379e-4e1b-bb80-2f2206b0ffa4
spec:
  host: consumer
  subsets:
  - labels:
      version: v1
    name: v1
  - labels:
      version: v1
    name: baseline
  - labels:
      version: "655"
    name: "655"
  trafficPolicy:
    connectionPool: # connection pool settings
      http:
        http1MaxPendingRequests: 6
        http2MaxRequests: 4
        maxRequestsPerConnection: 9
        maxRetries: 3
      tcp:
        connectTimeout: 2000ms
        maxConnections: 11
    loadBalancer: # load-balancing algorithm
      simple: LEAST_CONN
    outlierDetection: # circuit-breaking (outlier detection) settings
      baseEjectionTime: 4s
      consecutive5xxErrors: 2
      consecutiveErrors: 2
      interval: 3s
      maxEjectionPercent: 30
```
Retries and timeouts
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    baseline: v1
    gray: "655"
  creationTimestamp: "2022-07-20T09:04:40Z"
  generation: 3
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "17269866"
  uid: d9988797-445a-4cdb-9b3e-68856ff1bfe0
spec:
  hosts:
  - consumer
  http:
  - name: base
    retries: # retry settings
      attempts: 3
      retryOn: retriable-4xx,5xx
    route:
    - destination:
        host: consumer
        subset: baseline
    timeout: 1000ms # request timeout
```
Zero-trust security
Definition: build security on top of an untrusted network.
Mutual authentication:
Definition: enable mutual TLS authentication so that components communicate over encrypted channels.
A DestinationRule is used to enable or disable mutual TLS (this governs the client-side sidecar; the PeerAuthentication below governs what the server side accepts).
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
    meta.helm.sh/release-name: mesh-demo
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2022-07-13T07:37:22Z"
  generation: 10
  labels:
    app.kubernetes.io/managed-by: Helm
  name: provider
  namespace: demo
  resourceVersion: "18085099"
  uid: 1c3e0ef6-1751-4a68-8d5e-b7d487f2d1bd
spec:
  host: providers
  subsets:
  - labels:
      appversion: v1
    name: v1
  - labels:
      appversion: v2
    name: v2
  - labels:
      appversion: v22
    name: v22
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL # DISABLE = off, ISTIO_MUTUAL = on
```
PeerAuthentication
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  creationTimestamp: "2022-08-04T09:37:05Z"
  generation: 1
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "18084866"
  uid: 4535fea1-4d0d-46e9-8ae9-8eac7f4d8a40
spec:
  mtls:
    mode: STRICT
  selector:
    matchLabels:
      app: consumer
```
Request authentication:
Definition: create a JWT request-authentication policy, which defines the ACCESS TOKEN carried in the request header and the related information about how the JWT token is issued (issuer and signing keys).
RequestAuthentication
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  creationTimestamp: "2022-08-04T02:21:38Z"
  generation: 1
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "17962899"
  uid: a63a0c33-cd8b-4c13-93e3-c4ae40f6cce0
spec:
  jwtRules:
  - issuer: testing@service.istio.co
    jwks: "{\n\t\"keys\": [{\n\t\t\"e\": \"AQBQ\",\n\t\t\"kid\": \"DHFbpolUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_envvQ\",\n\t\t\"kty\": \"RSA\",\n\t\t\"n\": \"xAE7B6qugXyCAG3yhh7pkDkT65pHym\"\n\t}]\n}"
  selector:
    matchLabels:
      app: consumer
```
Authorization policy:
Definition: used to check whether the ACCESS TOKEN in the request header is trusted, and to authorize requests that come from legitimate sources.
AuthorizationPolicy
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  creationTimestamp: "2022-08-04T02:21:38Z"
  generation: 2
  name: consumer
  namespace: demo-dubbo
  resourceVersion: "18057826"
  uid: 4c088af6-a510-4651-8883-383e3e47874d
spec:
  action: DENY
  rules:
  - from:
    - source:
        principals:
        - 1=1
    to:
    - operation:
        paths:
        - /add
    when:
    - key: destination.port
      values:
      - "8080"
  selector:
    matchLabels:
      app: consumer
```
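Added example, not from the original post: a small Python evaluator that mimics Istio's AuthorizationPolicy decision order (DENY policies first, then ALLOW, and allow by default when no ALLOW policy applies) and replays the DENY policy above against constructed requests. It supports only the fields used here (principals, requestPrincipals, namespaces, paths, methods, ports and `when` keys); the `evaluate` function and the sample policies are constructed for illustration.

```python
import fnmatch

# Constructed copy of the spec of the DENY policy in this post.
DENY_ADD_ON_8080 = {
    "action": "DENY",
    "rules": [{
        "from": [{"source": {"principals": ["1=1"]}}],
        "to": [{"operation": {"paths": ["/add"]}}],
        "when": [{"key": "destination.port", "values": ["8080"]}],
    }],
}

# Constructed ALLOW policy: only callers carrying a JWT from the post's issuer.
ALLOW_JWT_ONLY = {
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"requestPrincipals": ["testing@service.istio.co/*"]}}]}],
}

def _any(values, actual):
    # Istio: an absent/empty list matches anything; "*" wildcards are allowed
    # (fnmatch is a superset of Istio's prefix/suffix wildcard matching).
    return not values or any(fnmatch.fnmatchcase(actual, v) for v in values)

def _source_matches(src, req):
    # `principals` = peer mTLS identity; `requestPrincipals` = JWT "<iss>/<sub>".
    return (_any(src.get("principals"), req.get("source.principal", ""))
            and _any(src.get("requestPrincipals"), req.get("request.auth.principal", ""))
            and _any(src.get("namespaces"), req.get("source.namespace", "")))

def _operation_matches(op, req):
    return (_any(op.get("paths"), req.get("request.path", ""))
            and _any(op.get("methods"), req.get("request.method", ""))
            and _any(op.get("ports"), req.get("destination.port", "")))

def _rule_matches(rule, req):
    # All of from/to/when must match; within from and to, any entry may match.
    froms = rule.get("from") or [{"source": {}}]
    tos = rule.get("to") or [{"operation": {}}]
    return (any(_source_matches(f.get("source", {}), req) for f in froms)
            and any(_operation_matches(t.get("operation", {}), req) for t in tos)
            and all(_any(w["values"], req.get(w["key"], "")) for w in rule.get("when") or []))

def evaluate(policies, req):
    """Return "DENY" or "ALLOW" in Istio's order: DENY policies first, then ALLOW."""
    def hit(action):
        return any(_rule_matches(r, req) for p in policies if p["action"] == action for r in p["rules"])
    if hit("DENY"):
        return "DENY"
    if any(p["action"] == "ALLOW" for p in policies) and not hit("ALLOW"):
        return "DENY"  # an ALLOW policy applies to the workload but none matched
    return "ALLOW"     # no ALLOW policy at all: everything not denied passes
```

Note that `principals` matches the mTLS peer identity, while a JWT identity established by RequestAuthentication is matched with `requestPrincipals`; a RequestAuthentication on its own still lets requests without a token through, so pair it with an ALLOW policy on `requestPrincipals` as the second sample policy does.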