使用Operator部署Istio
下载安装包
官网链接:https://github.com/istio/istio/releases
我选择的版本:Istio 1.19.1
解压
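# Check the archive against the .sha256 file published on the same release page
# before unpacking; tar only runs when the checksum matches.
# Assumes istio-1.19.1-linux-amd64.tar.gz.sha256 was downloaded next to the archive.
sha256sum -c istio-1.19.1-linux-amd64.tar.gz.sha256 &&
  tar -xvf istio-1.19.1-linux-amd64.tar.gz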
将解压之后的bin目录下的istioctl复制到/usr/local/bin
cp istioctl /usr/local/bin/
验证
istioctl version
一键部署
istioctl operator init
查看pod是否Running
kubectl get po -n istio-operator
定义yaml文件
vim istio-operator.yaml
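# IstioOperator definition used for the install below.
# Indentation restored; the flattened form is not valid YAML.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        # Sidecar injection policy starts out disabled; this matches the
        # "policy: disabled" shown when the injector ConfigMap is checked later.
        autoInject: disabled
  # NOTE(review): addonComponents is a legacy field and pilot is normally
  # configured under components — confirm this stanza is still needed.
  addonComponents:
    pilot:
      enabled: true
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          # NodePort opens each listed port on every node of the cluster.
          type: NodePort
          ports:
          # NOTE(review): 15020 is the gateway's status (health/metrics) port;
          # consider whether it needs to be reachable from outside the cluster.
          - port: 15020
            nodePort: 30020
            name: status-port
          # No targetPort is set, so the Service forwards to the same port
          # number (80/443) inside the gateway pod.
          - port: 80
            nodePort: 30080
            name: http2
          - port: 443
            nodePort: 30443
            name: https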
# Install Istio from the IstioOperator file.
# runAsRoot=true runs the ingress gateway container as root. Presumably it is set
# so the proxy can bind ports 80/443 inside the pod (the Service defines no targetPort).
# NOTE(review): an edge proxy running as root widens the impact of a proxy compromise;
# keeping the gateway non-root and pointing 80/443 at unprivileged targetPorts is the
# safer layout — confirm whether root is really required on this cluster.
# NOTE(review): this applies the file directly from the client; the in-cluster operator
# created by `istioctl operator init` would instead consume it via
# `kubectl apply -f istio-operator.yaml` — confirm which path is intended.
istioctl manifest apply -f istio-operator.yaml --set values.gateways.istio-ingressgateway.runAsRoot=true
# List the Services and Pods created in istio-system to check the install.
kubectl get svc,po -n istio-system
配置自动注入
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# Add these plugins to the list already present in the manifest instead of replacing it:
# dropping an existing entry (for example NodeRestriction, the usual kubeadm default)
# removes a protection the API server currently enforces.
# NOTE(review): both webhook plugins are enabled by default in current Kubernetes
# releases — confirm this edit is needed before restarting the API server.
- --enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook
#检查默认策略
root@k8s-master01:~/istio-1.19.1# kubectl -n istio-system get configmap istio-sidecar-injector -o jsonpath='{.data.config}' | grep policy:
policy: disabled
#如果为disabled修改为enabled
kubectl -n istio-system edit configmap istio-sidecar-injector
kubectl create ns istio-test
kubectl label namespace istio-test istio-injection=enabled
kubectl apply -f samples/sleep/sleep.yaml -n istio-test
安装可视化工具Kiali
#修改kiali.yaml配置外部的prometheus配置
vim samples/addons/kiali.yaml
#找到external_services:部分
external_services:
custom_dashboards:
enabled: true
istio:
root_namespace: istio-system
#添加外部的prometheus,如果没有则不需要设置
#http://<ServiceName>.<Namespace>.svc.cluster.local:<Port>
#<ServiceName>:这是Prometheus服务的名称
#<Namespace>:这是Prometheus服务所在的命名空间
external_services:
custom_dashboards:
enabled: true
istio:
root_namespace: istio-system
prometheus:
url: http://prometheus-operated.monitoring.svc.cluster.local:9090
namespace: monitoring
kubectl create -f samples/addons/kiali.yaml
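需要将svc的类型修改为NodePort(kubectl edit svc)
注意:samples/addons下的清单仅用于演示,其中的Kiali通常配置为匿名访问(auth.strategy: anonymous,请以实际文件为准);改为NodePort后,任何能访问节点端口的人都可以查看网格拓扑和配置。建议只在隔离的测试环境中这样做,或改用kubectl port-forward访问。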
kubectl get pod,svc -n istio-system -l app=kiali
安装链路工具
kubectl create -f samples/addons/jaeger.yaml
安装Prometheus和Grafana(外部没有的情况下部署)
kubectl create -f samples/addons/prometheus.yaml
kubectl create -f samples/addons/grafana.yaml
kubectl get pod,svc -n istio-system
Istio流量治理实践
部署测试用例
kubectl create ns bookinfo
kubectl label ns bookinfo istio-injection=enabled
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -n bookinfo
kubectl get pod -n bookinfo
kubectl get svc -n bookinfo
#修改bookinfo-gateway.yaml
vim samples/bookinfo/networking/bookinfo-gateway.yaml
#将8080改为80
#将hosts改为bookinfo.kubeasy.com
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
# The selector matches the ingress gateway pod labels.
# If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "bookinfo.kubeasy.com"
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "bookinfo.kubeasy.com"
kubectl create -f samples/bookinfo/networking/bookinfo-gateway.yaml -n bookinfo
kubectl get gw,vs -n bookinfo
#配置域名解析到任意一个安装了kube-proxy的节点IP
192.168.46.3 bookinfo.kubeasy.com
#通过ingressgateway的Service的NodePort即可访问Bookinfo
root@k8s-master01:~/istio-1.19.1# kubectl get svc -n istio-system istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway NodePort 10.0.90.134 <none> 15020:30020/TCP,80:30080/TCP,443:30443/TCP 34h
#访问如下url
http://bookinfo.kubeasy.com:30080/productpage
#通过kiali的Graph选择namespace为bookinfo即可查看bookinfo的调用链路
Istio实现灰度部署
bookinfo有3个版本的reviews服务
假设v1是当前版本,v2,v3是迭代版本,采用灰度的方式将流量慢慢地导向新版本
首先将所有流量指向v1版本
vim reviews-dr.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3
kubectl create -f reviews-dr.yaml -n bookinfo
kubectl get dr -n bookinfo
vim reviews-v1-all.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
kubectl create -f reviews-v1-all.yaml -n bookinfo
将20%的流量引向v2,80%的流量依旧指向v1
vim review-20v2-80v1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v1
weight: 80
- destination:
host: reviews
subset: v2
weight: 20
kubectl replace -f review-20v2-80v1.yaml -n bookinfo
将流量全部指向v2
vim reviews-v2-all.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- route:
- destination:
host: reviews
subset: v2
kubectl replace -f reviews-v2-all.yaml -n bookinfo
Istio实现AB测试
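限制指定用户访问新版本,待新版本无问题后才让所有的用户使用新版本
假设v3版本只对登录用户jason开放
注意:这里只是根据请求头end-user做路由,并不是访问控制;该请求头由调用方设置,任何能自行构造该请求头的调用方都会被路由到v3。需要真正限制访问时,应配合AuthorizationPolicy等鉴权手段。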
vim reviews-jasonv3.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v3
- route:
- destination:
host: reviews
subset: v2
kubectl replace -f reviews-jasonv3.yaml -n bookinfo
#未登录只显示黑色的星星
#登录用户名为jason,密码可任意填写
#登录成功后只显示红色星星
Istio注入延迟故障
vim details-delay.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: details
spec:
hosts:
- details
http:
- fault: #添加一个错误
delay: #添加类型为delay大的故障
percentage: #故障注入的百分比
value: 100 #对所有请求注入故障
fixedDelay: 5s #注入的延迟时间
route:
- destination:
host: details
kubectl create -f details-delay.yaml -n bookinfo
kubectl delete -f details-delay.yaml -n bookinfo
Istio注入中断故障
vim details-abort.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: details
spec:
hosts:
- details
http:
- fault: #添加一个错误
abort: #添加类型为abort大的故障
percentage: #故障注入的百分比
value: 100 #对所有请求注入故障
httpStatus: 400 #故障状态码
route:
- destination:
host: details
kubectl create -f details-abort.yaml -n bookinfo
Istio快速超时配置
用于请求某个服务没有在限定的时间内得到回应放弃请求或者再次请求
首先向ratings服务注入一个5秒的延迟模拟
vim ratints-delay.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ratings-delay
spec:
hosts:
- ratings
http:
- fault: #添加一个错误
delay: #添加类型为delay大的故障
percentage: #故障注入的百分比
value: 100 #对所有请求注入故障
fixedDelay: 5s #注入的延迟时间
route:
- destination:
host: ratings
kubectl create -f ratints-delay.yaml -n bookinfo
此时浏览器访问整个页面变得缓慢
向调用ratings服务的reviews服务添加一个1秒超时,不等待ratings响应
kubectl edit vs reviews -n bookinfo
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
creationTimestamp: "2023-10-14T11:56:16Z"
generation: 4
name: reviews
namespace: bookinfo
resourceVersion: "44803"
uid: 32b6bb78-e0a0-43a0-9fe9-79a557507a26
spec:
hosts:
- reviews
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews
subset: v3
timeout: 1s #添加超时
- route:
- destination:
host: reviews
subset: v2
Istio地址重写和重定向
重定向
kubectl edit vs bookinfo -n bookinfo
- match:
- uri:
prefix: /gx #匹配/gx
redirect:
authority: ke.qq.com #跳转的域名
uri: /course/2738602 #跳转的路径
重写
kubectl edit vs bookinfo -n bookinfo
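# HTTP route entry for the bookinfo VirtualService: rewrite "/" to /productpage.
# Indentation restored, and "number:9080" fixed to "number: 9080" — without the
# space YAML reads the line as a plain string rather than a key/value pair.
- match:
  - uri:
      exact: /              # match only the root path
  rewrite:
    uri: /productpage       # path sent to the backend after the rewrite
  route:
  - destination:
      host: productpage
      port:
        number: 9080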
Istio负载均衡算法
- ROUND_ROBIN:默认轮询算法 将请求依次分配给每一个实例
- LEAST_CONN:最小连接数,随机选择两个健康实例,将请求分配给两个健康实例中连接数少的那个
- RANDOM:随机算法,将请求随机分配给其中一个实例
- PASSTHROUGH:将连接转发到调用者请求的原始IP地址,不进行任何负载均衡
kubectl edit dr reviews -n bookinfo
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
creationTimestamp: "2023-10-14T11:45:44Z"
generation: 1
name: reviews
namespace: bookinfo
resourceVersion: "39389"
uid: 17130a51-381f-4849-a57d-0722082feab7
spec:
trafficPolicy: #添加路由策略
loadBalancer: #配置负载均衡
simple: RANDOM #策略为RANDOM
host: reviews
subsets:
- labels:
version: v1
name: v1
- labels:
version: v2
name: v2
- labels:
version: v3
name: v3
Istio熔断
假设对ratings进行熔断,希望在并发请求数超过3并且存在1个以上的待处理请求时触发熔断
vim ratings-dr.yaml
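# DestinationRule that applies connection limits and outlier ejection to ratings.
# Indentation restored; the flattened form is not valid YAML.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ratings
  namespace: bookinfo
spec:
  host: ratings
  trafficPolicy:                     # traffic policy; can also be set at subset level
    connectionPool:                  # connection-pool limits; usable on their own to cap concurrency
      tcp:
        maxConnections: 3            # maximum number of connections to the host
      http:
        http1MaxPendingRequests: 1   # maximum number of requests waiting for a connection
        maxRequestsPerConnection: 1  # maximum requests per connection (not connections per request)
    outlierDetection:                # ejection settings for failing instances
      # Eject an instance after 1 consecutive error.
      # NOTE(review): consecutiveErrors is deprecated in the Istio API in favour of
      # consecutiveGatewayErrors / consecutive5xxErrors — confirm which one is intended.
      consecutiveErrors: 1
      interval: 10s                  # backends are checked every 10 seconds
      baseEjectionTime: 3m           # minimum time an ejected instance stays out
      maxEjectionPercent: 100        # up to 100% of the instances may be ejected
  subsets:
  - labels:
      version: v1
    name: v1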
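# Deploy the fortio load-test client into the bookinfo namespace.
kubectl -n bookinfo apply -f samples/httpbin/sample-client/fortio-deploy.yaml

# Resolve the pod name through a label selector rather than grepping table output,
# which breaks as soon as another pod name contains "fortio".
# NOTE(review): app=fortio is the label the sample manifest is expected to set — confirm.
FORTIO_POD=$(kubectl get pod -n bookinfo -l app=fortio -o jsonpath='{.items[0].metadata.name}')

# Single request to check that ratings is reachable from the client pod.
kubectl exec -ti "$FORTIO_POD" -n bookinfo -- fortio load -curl http://ratings:9080/ratings/0

# 2 concurrent connections, 20 requests, no rate limit; keep only the status-code summary.
kubectl exec -ti "$FORTIO_POD" -n bookinfo -- fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://ratings:9080/ratings/0 | grep Code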
root@k8s-master01:~# kubectl exec -ti $FORTIO_POD -n bookinfo -- fortio load -c 10 -qps 0 -n 20 -loglevel Warning http://ratings:9080/ratings/0 | grep Code
Code 200 : 4 (20.0 %)
Code 503 : 16 (80.0 %)