1.k8s部署,可以参考 k8s部署
2.下载 istio. 注意下面的 curl | sh 会直接执行远程脚本; 生产环境建议先下载发布包, 校验后再安装.
curl -L https://istio.io/downloadIstio | sh -
将 istio 的 bin 目录加入 PATH 环境变量
[root@master ~]# cat ~/.bash_profile |grep istio
PATH=/home/yunwei/istio-1.5.1/bin:$PATH:$HOME/bin
3.安装istio
istioctl manifest apply --set profile=demo
执行结束后,会增加一个namespace
[root@master yunwei]# kubectl get ns
NAME STATUS AGE
default Active 3h31m
istio-system Active 41m
kube-node-lease Active 3h31m
kube-public Active 3h31m
kube-system Active 3h31m
b.查看istio-system下的pod
[root@master yunwei]# kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-78bc994d79-wr2m8 1/1 Running 0 3m13s //监控展示
istio-egressgateway-5b5d88f7ff-dl696 1/1 Running 0 3m14s //出口网关
istio-ingressgateway-75877dc5bf-lgk7r 1/1 Running 0 3m14s //入口网关
istio-tracing-c7b59f68f-bmt6n 1/1 Running 0 3m13s //trace
istiod-6b69865db8-gxjgg 1/1 Running 0 3m24s //控制面
kiali-7ff568c949-fqrlm 1/1 Running 0 3m13s //控制台
prometheus-584757d974-q2rn2 2/2 Running 0 3m13s //监控
c.查看crd
[root@master yunwei]# kubectl get crd|grep istio
adapters.config.istio.io 2020-12-27T06:57:23Z
attributemanifests.config.istio.io 2020-12-27T06:57:23Z
authorizationpolicies.security.istio.io 2020-12-27T06:57:23Z
clusterrbacconfigs.rbac.istio.io 2020-12-27T06:57:23Z
destinationrules.networking.istio.io 2020-12-27T06:57:23Z
envoyfilters.networking.istio.io 2020-12-27T06:57:23Z
gateways.networking.istio.io 2020-12-27T06:57:23Z
handlers.config.istio.io 2020-12-27T06:57:24Z
httpapispecbindings.config.istio.io 2020-12-27T06:57:24Z
httpapispecs.config.istio.io 2020-12-27T06:57:24Z
instances.config.istio.io 2020-12-27T06:57:24Z
meshpolicies.authentication.istio.io 2020-12-27T06:57:24Z
peerauthentications.security.istio.io 2020-12-27T06:57:24Z
policies.authentication.istio.io 2020-12-27T06:57:24Z
quotaspecbindings.config.istio.io 2020-12-27T06:57:24Z
quotaspecs.config.istio.io 2020-12-27T06:57:24Z
rbacconfigs.rbac.istio.io 2020-12-27T06:57:24Z
requestauthentications.security.istio.io 2020-12-27T06:57:24Z
rules.config.istio.io 2020-12-27T06:57:24Z
serviceentries.networking.istio.io 2020-12-27T06:57:24Z
servicerolebindings.rbac.istio.io 2020-12-27T06:57:24Z
serviceroles.rbac.istio.io 2020-12-27T06:57:24Z
sidecars.networking.istio.io 2020-12-27T06:57:24Z
templates.config.istio.io 2020-12-27T06:57:24Z
virtualservices.networking.istio.io 2020-12-27T06:57:24Z
d.api资源
[root@master yunwei]# kubectl api-resources|grep istio
meshpolicies authentication.istio.io false MeshPolicy
policies authentication.istio.io true Policy
adapters config.istio.io true adapter
attributemanifests config.istio.io true attributemanifest
handlers config.istio.io true handler
httpapispecbindings config.istio.io true HTTPAPISpecBinding
httpapispecs config.istio.io true HTTPAPISpec
instances config.istio.io true instance
quotaspecbindings config.istio.io true QuotaSpecBinding
quotaspecs config.istio.io true QuotaSpec
rules config.istio.io true rule
templates config.istio.io true template
destinationrules dr networking.istio.io true DestinationRule
envoyfilters networking.istio.io true EnvoyFilter
gateways gw networking.istio.io true Gateway
serviceentries se networking.istio.io true ServiceEntry
sidecars networking.istio.io true Sidecar
virtualservices vs networking.istio.io true VirtualService
clusterrbacconfigs rbac.istio.io false ClusterRbacConfig
rbacconfigs rbac.istio.io true RbacConfig
servicerolebindings rbac.istio.io true ServiceRoleBinding
serviceroles rbac.istio.io true ServiceRole
authorizationpolicies security.istio.io true AuthorizationPolicy
peerauthentications security.istio.io true PeerAuthentication
requestauthentications security.istio.io true RequestAuthentication
概念很多,不一一解释了
启动kiali
为了能从外网访问, 先做端口映射. 注意 --address 0.0.0.0 会把 kiali 控制台绑定到节点的所有网卡, 任何能连到该节点的人都能访问; 只适合临时调试, 用完即停.
kubectl port-forward --address 0.0.0.0 kiali-7ff568c949-fqrlm 20001 -n istio-system
Forwarding from 0.0.0.0:20001 -> 20001
http://10.160.92.104:20001/kiali/
admin admin (kiali 默认账号/密码, 对外开放前务必修改)
4.部署 bookinfo 应用
1.设置自动注入
kubectl get namespace -L istio-injection
[root@master istio-1.5.1]# kubectl label namespace default istio-injection=enabled
namespace/default labeled
sidecar 是怎么注入的呢? 通过 AdmissionController + webhook. 大致原理是: 在创建 pod 时, webhook 会动态地把一个 sidecar 容器加进 pod 里.
2.部署bookinfo服务
[root@master istio-1.5.1]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
我们查看下pod最终的描述信息
kubectl describe po details-v1-74f858558f-m7gbf
5.流量管控能力
1.网格内部访问是通过 sidecar 完成的. sidecar 启动时会添加 iptables 规则, 使 pod 的所有流量都被 sidecar 拦截.
2.外部访问网格内部, 可以通过 ingress 网关.
例子.为bookinfo服务配置gateway
[root@master networking]# kubectl apply -f bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
查看gateway的配置文件
# Gateway: declares which listener the istio ingressgateway pod should open.
# It is configuration only; the traffic is still received by the
# istio-ingressgateway pod/service selected below.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP      # plaintext HTTP only; no tls block, so nothing is served over TLS here
    hosts:
    - "*"                 # any Host header is accepted on this listener
---
# VirtualService: bound to the Gateway above; only the listed URIs are routed,
# all of them to the productpage service on port 9080.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"                   # matches every Host header, same as the Gateway
  gateways:
  - bookinfo-gateway      # attach these rules to the Gateway defined above
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login     # NOTE(review): login/logout are reachable over plain HTTP (port 80 above) — demo only
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage # in-mesh service name; requests not matching any rule above are not routed by this VirtualService
        port:
          number: 9080
可以看到这里定义了两个自定义类型:
1.GateWay的自定义类型
2.VirtualService的自定义类型
gateway 是什么呢? Gateway 本身只是一份网关配置, 它告诉 istio 的 ingress 这个 pod: 什么样的流量应该按什么规则转发.
VirtualService 是虚拟服务的意思. 这里它和 gateway 绑定, 定义了 /productpage 应该路由到 destination: productpage 这条规则. 可以看到还有一个 destination 资源.
Destination Rule:描述了,流量应该去哪里.和virtualService搭配使用.
注意 Gateway 只是一份配置, 实际接收流量的还是 ingressgateway 这个 pod. 可以看到 ingressgateway 是一个 LoadBalancer 类型的 service
[root@master test-gateway]# kubectl get svc --all-namespaces|grep ingress
istio-system istio-ingressgateway LoadBalancer 10.1.196.149 <pending> 15020:31097/TCP,80:31353/TCP,443:32251/TCP,15029:31309/TCP,15030:30376/TCP,15031:30842/TCP,15032:30399/TCP,31400:31155/TCP,15443:30343/TCP 135m
那么根据这个配置,就可以做灰度发布,蓝绿发布等.
ingress:
入口网关.
Istio 的 Ingress gateway 和 Kubernetes Ingress 的区别
- Kubernetes: 针对L7协议(资源受限),可定义路由规则
- Istio: 针对 L4-6 协议,只定义接入点,复用 Virtual Service 的 L7 路由定义
极客时间的一个评论我觉得不错:
ingress是不是只是一个抽象概念,可以通过gateway这个实际api实现,不知道我这样理解对不对?
k8s里面没有virtualService的概念,其后端的realserver就是K8s的service.
istio不仅抽象出了virtualService, 还提供了subSet, 控制平面修改这俩抽象,从而能够实现前面几讲中的功能
我是这样理解的这个设计差异的:istio是专注于服务网格的,必然为了提供servicemesh相关的灵活功能要多进行抽象。
而k8s专注于容器编排,只提供了服务方面基本的功能,高级功能依托于master代码之外的插件实现。现在是service mesh活,过几年不知道又是什么了,所以k8s的设计我觉得还是符合设计原则,职责单一,对扩展开放。
egress:
出口流量, 可以搭配 VirtualService 使用, 配置转发规则.
超时配置
重试配置
熔断配置
熔断是使用状态机来做的
配置也很简单
故障注入
有目的的给系统搞破坏,用于验证健壮性.
流量镜像
目的:1.线上问题排查 2.压测 3.复制请求信息用于分析
由此,istio就完成了流量控制.
6.可观察性
kiali
Prometheus
grafana
一般公司都有自己的监控
Jaeger: 调用链(trace)的监控