istio
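- Sidecar pattern: adds functionality to the parent application without the application being aware of it, similar to a third-party package or middleware
- Service mesh: each service is paired with a proxy, and communication between services is forwarded through the proxies, e.g. the Kong gateway
Why use Istio
- Network traffic control
- Observability and monitoring
- Fault injection and testing
- Security and authentication management
- Broad platform support
Basic concepts
- Gateway: entry point for external access to services
- VirtualService: defines the routing rules for incoming traffic
- DestinationRule: the traffic access policy applied after routing
- ServiceEntry: brings external services in; generally used for sidecar access to external traffic
Components
Istio is divided into a data plane and a control plane.
- Envoy: high-performance proxy, deployed as a sidecar
- Mixer: monitoring and routing policy management
- Pilot: pushes configuration rules to Envoy
- Citadel: security-related functions, such as issuing certificates
- Galley: validates user rules and platform rules (k8s etc.)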
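Installation
1. Download the installation package:
    curl -L https://git.io/getLatestIstio | sh -
2. Enter the directory and set the path:
    cd istio-xxx
    export PATH=$PWD/bin:$PATH
3. Install on k8s (>=1.9)
3.1 Set up user authorization
    kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
    kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
3.2 Install with helm. Some images are needed along the way; if they cannot be downloaded, you can use the aliyun ones listed at the end of this article.
    helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
    kubectl create namespace istio-system
    kubectl apply -f $HOME/istio.yaml
4. Set up sidecar injection so that a sidecar is injected into every service; automatic injection is used here.
4.1 First check whether the apiserver configuration is valid; any output means it is valid.
    kubectl api-versions | grep admissionregistration
4.2 Then just add a label to the namespace:
    kubectl label namespace default istio-injection=enabled
Check the installation result
Using Istio for load balancing:
Istio uses a Gateway to implement load balancing, corresponding to the original Ingress; Gateway and VirtualService are used together.
Comparison of Ingress and Istio for load balancing:
Ingress: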
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: kong-test
      namespace: default
    spec:
      rules:
      - host: example.com
        http:
          paths:
          - path: /
            backend:
              serviceName: app-test
              servicePort: 5000
Istio:
The manifests:
- Use the default ingressgateway
- Register the Gateway with the ingressgateway
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: httpsleep-gateway
    spec:
      selector:
        istio: ingressgateway # use Istio default gateway implementation
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
- Match the service through a VirtualService. The subset may be omitted; omitting it means there is no DestinationRule.
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: httpsleep
    spec:
      hosts:
      - "test.istio.local.thundersdata.com"
      gateways:
      - httpsleep-gateway
      http:
      - match:
        - uri:
            prefix: /
        route:
        - destination:
            port:
              number: 30012
            host: test-web-svc
            subset: v1
      - route:
        - destination:
            host: test-web-svc
            port:
              number: 30012
            subset: v1
- Match the DestinationRule
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: test
    spec:
      host: test-web-svc
      trafficPolicy:
        loadBalancer:
          simple: RANDOM
      subsets:
      - name: v1
        labels:
          version: v1
Points to note when using Istio:
- Gateway.hosts and VirtualService.hosts must be the same.
- Gateway.name and VirtualService.gateways must be the same.
- The /headers path must exist in the httpbin service.
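The first two notes can be checked mechanically before applying the manifests. The following is an added example, not code from the original post: it takes Gateway and VirtualService objects as parsed dicts, reports VirtualServices whose `gateways` entry names no existing Gateway or whose hosts no Gateway server covers (going beyond literal equality to Istio's `*` and `*.suffix` wildcard matching), and also reports Gateways that accept any host over plaintext HTTP. The function names and the `typo-demo` object are hypothetical, and all objects are assumed to be in one namespace.

```python
def host_covers(gw_host, vs_host):
    """True if a Gateway host covers a VirtualService host: exact, "*" or "*.suffix"."""
    if gw_host == "*" or gw_host == vs_host:
        return True
    return gw_host.startswith("*.") and vs_host.endswith(gw_host[1:])

def check_bindings(objects):
    """Return a list of findings for parsed Gateway/VirtualService manifests."""
    gateways = {o["metadata"]["name"]: o for o in objects if o["kind"] == "Gateway"}
    findings = []
    for name, gw in gateways.items():
        for srv in gw["spec"].get("servers", []):
            if srv["port"]["protocol"] == "HTTP" and "*" in srv["hosts"]:
                findings.append(f"Gateway {name}: plaintext HTTP server accepts any host")
    for vs in (o for o in objects if o["kind"] == "VirtualService"):
        vs_name = vs["metadata"]["name"]
        for ref in vs["spec"].get("gateways", []):
            if ref == "mesh":  # reserved name for sidecar-to-sidecar traffic
                continue
            gw = gateways.get(ref)
            if gw is None:
                findings.append(f"VirtualService {vs_name}: gateway {ref!r} not found")
                continue
            gw_hosts = [h for s in gw["spec"].get("servers", []) for h in s["hosts"]]
            for host in vs["spec"].get("hosts", []):
                if not any(host_covers(g, host) for g in gw_hosts):
                    findings.append(f"VirtualService {vs_name}: host {host!r} not served by {ref}")
    return findings

# Constructed sample: the page's Gateway and VirtualService reduced to the fields
# that matter here, plus one made-up VirtualService with a misspelled gateway name.
SAMPLE = [
    {"kind": "Gateway", "metadata": {"name": "httpsleep-gateway"},
     "spec": {"servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["*"]}]}},
    {"kind": "VirtualService", "metadata": {"name": "httpsleep"},
     "spec": {"hosts": ["test.istio.local.thundersdata.com"],
              "gateways": ["httpsleep-gateway"]}},
    {"kind": "VirtualService", "metadata": {"name": "typo-demo"},
     "spec": {"hosts": ["demo.example.test"], "gateways": ["httpsleep-gw"]}},
]

if __name__ == "__main__":
    for finding in check_bindings(SAMPLE):
        print(finding)
```

A VirtualService that points at a missing Gateway is accepted by the API server but never receives ingress traffic, which is why the mismatch is worth catching before `kubectl apply`.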
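Accessing external routes
Supposedly a ServiceEntry is what registers an external service so that it can be accessed, but in my setup external access has always worked anyway; more to be added here.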
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: sleep-entry
    spec:
      ports:
      - number: 80
        name: http
        protocol: HTTP
      hosts:
      - "www.baidu.com"
      resolution: DNS
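Attached here are the key image lines from an Alibaba Cloud istio.yaml. I don't know how to upload attachments on Jianshu, so if any reader knows, please tell me.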
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/hyperkube:v1.7.6_coreos.0"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/hyperkube:v1.7.6_coreos.0"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/hyperkube:v1.7.6_coreos.0"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/galley:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/grafana:5.2.3"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/mixer:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/mixer:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/pilot:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/prometheus:v2.3.1"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/citadel:1.0.5"
image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/sidecar_injector:1.0.5"
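Because step 3.2 renders the chart to `$HOME/istio.yaml` before applying it, the image references can be reviewed at that point, which matters when they have been swapped to a mirror registry. The following is an added example, not code from the original post: it lists every distinct `image:` value in a rendered manifest and flags references outside an allowlisted registry prefix or not pinned by digest. The function name, the `registry.example.internal` prefix and all sample lines except the `proxyv2` one are assumptions made for the example.

```python
import re

# One `image:` line of a rendered manifest, quoted or not, optionally a list item.
IMAGE_RE = re.compile(r'^[ \t]*(?:-[ \t]*)?image:[ \t]*["\']?([^"\'\s]+)["\']?[ \t]*$', re.M)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_images(manifest_text, allowed_prefixes):
    """Map each distinct image reference to a list of findings (empty list = clean)."""
    report = {}
    for ref in sorted(set(IMAGE_RE.findall(manifest_text))):
        findings = []
        if not any(ref.startswith(p) for p in allowed_prefixes):
            findings.append("registry not in allowlist")
        if not DIGEST_RE.search(ref):
            findings.append("not pinned by digest")
            # The tag is whatever follows ":" in the last path component.
            tag = ref.rsplit("/", 1)[-1].partition(":")[2]
            if tag in ("", "latest"):
                findings.append("floating tag")
        report[ref] = findings
    return report

# Constructed sample: one image line taken from the page, the rest made up.
SAMPLE_MANIFEST = '''
      containers:
      - name: istio-proxy
        image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.5"
      - name: discovery
        image: registry.example.internal/mesh/pilot@sha256:%s
      - name: grafana
        image: registry.example.internal/mesh/grafana
''' % ("ab" * 32)

ALLOWED = ["registry.example.internal/"]  # assumption: the registry you trust

if __name__ == "__main__":
    for image, findings in audit_images(SAMPLE_MANIFEST, ALLOWED).items():
        print(image, "->", ", ".join(findings) or "ok")
```

Run against the real file with `audit_images(open(path).read(), ALLOWED)`; a tag such as `1.0.5` can be re-pointed by whoever controls the registry, whereas a digest cannot.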
* Detailed Istio overview, continuously updated: [Istio overview](https://www.jianshu.com/p/ed0a0b1029db)