Kubernetes使用Istio
1、基本概念
1.1、流量方向
南北流量(NORTH-SOUTH-TRAFFIC):客户端到服务器之间通信的流量
东西流量(EAST-WEST-TRAFFIC):指的是服务器和服务器之间的流量
1.2、Service Mesh

2、安装Istio
2.1、下载
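# Fetch the pinned Istio 1.18.0 release archive and its published SHA-256 file
# directly. Piping https://istio.io/downloadIstio into `sh` as root runs a
# remote script unchecked, and the `tar` step below needs the archive on disk.
istio_version=1.18.0
istio_archive="istio-${istio_version}-linux-amd64.tar.gz"
istio_release_url="https://github.com/istio/istio/releases/download/${istio_version}"
curl -fsSLO "${istio_release_url}/${istio_archive}"
curl -fsSLO "${istio_release_url}/${istio_archive}.sha256"
# Compare only the hash field, so the check works whether or not the .sha256
# file also carries a file name. The checksum is served by the same release
# host: it catches corrupted or swapped downloads, not a compromised host.
expected_sum=$(awk '{print $1}' "${istio_archive}.sha256")
actual_sum=$(sha256sum "${istio_archive}" | awk '{print $1}')
if [ -n "${expected_sum}" ] && [ "${expected_sum}" = "${actual_sum}" ]; then
  # `install` writes the binary with an explicit mode and the invoking user as
  # owner instead of keeping whatever ownership the archive carried.
  tar -zxvf "${istio_archive}" \
    && cd "istio-${istio_version}/" \
    && install -m 0755 bin/istioctl /usr/local/bin/istioctl \
    && istioctl version
else
  # No `exit` here: these steps are usually pasted into an interactive shell.
  echo "SHA-256 mismatch for ${istio_archive}; not unpacking or installing it" >&2
fi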
2.2、安装Istio Operator
# The operator image may fail to download. The author's workaround is to retag
# a copy taken from a mirror under the upstream name:
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-operator:1.18.0 istio/operator:1.18.0
# NOTE(review): that mirror is a third-party registry namespace, and once
# retagged the image cannot be told apart by name from the upstream one.
# Compare its digest with the upstream istio/operator:1.18.0 image before
# tagging it.
# Deploy the operator controller, then list what was created in its namespace.
istioctl operator init
kubectl --namespace istio-operator get all
2.3、安装Istio
官方已经预定义了一些配置文件,这里我们使用minimal
 
# The control-plane and proxy images may fail to download. The author's
# workaround is to retag copies taken from a mirror under the upstream names:
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-pilot:1.18.0 istio/pilot:1.18.0
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-proxyv2:1.18.0 istio/proxyv2:1.18.0
# NOTE(review): proxyv2 runs as the sidecar in every injected pod, so an image
# from a third-party namespace retagged as istio/proxyv2 sits on the path of
# all mesh traffic. Compare the digests with the upstream images before tagging.
# Export the built-in minimal profile to a file and edit it as needed.
istioctl profile dump minimal --output yaml > minimal.yaml
# NOTE(review): the page does not show the command that applies minimal.yaml;
# the pod listing further down implies one was run (for example
# `istioctl install -f minimal.yaml`) - confirm before relying on it.
# IstioOperator resource describing the desired Istio installation.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  # Registry (hub) that the component images are pulled from.
  # NOTE(review): when a mirror is used, pointing hub at a registry you control
  # keeps image provenance visible in this spec - confirm against your policy.
  hub: docker.io/istio
  # Base profile; the components section below goes beyond it by switching
  # both gateways on explicitly.
  profile: minimal
  tag: 1.18.0
  # Per-component customisation.
  components:
    base:
      enabled: true
    # NOTE(review): with the CNI component off, injected pods presumably rely on
    # the istio-init container, which needs NET_ADMIN/NET_RAW - confirm this
    # fits the cluster's pod security settings.
    cni:
      enabled: false
    egressGateways:
      - enabled: true
        name: istio-egressgateway
    ingressGateways:
      - enabled: true
        name: istio-ingressgateway
        k8s:
          service:
            # Ports published by the ingress gateway Service. Its type is
            # LoadBalancer (values.gateways.istio-ingressgateway.type below),
            # so every entry here is offered outside the cluster.
            # NOTE(review): 31400 (tcp) and 15443 (tls) look like carried-over
            # defaults; drop the ones no Gateway resource uses - confirm.
            ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
              - name: tcp
                port: 31400
                targetPort: 31400
              - name: tls
                port: 15443
                targetPort: 15443
    istiodRemote:
      enabled: false
    pilot:
      enabled: true
  # Mesh-wide (data plane) settings.
  # NOTE(review): no outboundTrafficPolicy is set here. Istio's default is
  # believed to be ALLOW_ANY, which lets sidecars reach external hosts without
  # passing through the egress gateway enabled above; REGISTRY_ONLY would be
  # needed to restrict that - confirm.
  meshConfig:
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
  # Values passed through to the charts.
  values:
    base:
      enableCRDTemplates: false
      validationURL: ""
    defaultRevision: ""
    gateways:
      istio-egressgateway:
        autoscaleEnabled: true
        env: {}
        name: istio-egressgateway
        # Secret-backed volumes mounted at the given paths in the gateway pod.
        secretVolumes:
          - mountPath: /etc/istio/egressgateway-certs
            name: egressgateway-certs
            secretName: istio-egressgateway-certs
          - mountPath: /etc/istio/egressgateway-ca-certs
            name: egressgateway-ca-certs
            secretName: istio-egressgateway-ca-certs
        # Egress gateway Service is reachable only from inside the cluster.
        type: ClusterIP
      istio-ingressgateway:
        autoscaleEnabled: true
        env: {}
        name: istio-ingressgateway
        # Secret-backed volumes mounted at the given paths in the gateway pod.
        secretVolumes:
          - mountPath: /etc/istio/ingressgateway-certs
            name: ingressgateway-certs
            secretName: istio-ingressgateway-certs
          - mountPath: /etc/istio/ingressgateway-ca-certs
            name: ingressgateway-ca-certs
            secretName: istio-ingressgateway-ca-certs
        # Ingress gateway Service is exposed through an external load balancer.
        type: LoadBalancer
    global:
      configValidation: true
      defaultNodeSelector: {}
      defaultPodDisruptionBudget:
        enabled: true
      defaultResources:
        requests:
          cpu: 10m
      imagePullPolicy: ""
      imagePullSecrets: []
      istioNamespace: istio-system
      istiod:
        enableAnalysis: false
      # NOTE(review): third-party-jwt presumably selects projected
      # service-account tokens (audience under sds.token.aud below) - confirm
      # the cluster supports them.
      jwtPolicy: third-party-jwt
      logAsJson: false
      logging:
        level: default:info
      meshNetworks: {}
      mountMtlsCerts: false
      multiCluster:
        clusterName: ""
        enabled: false
      network: ""
      omitSidecarInjectorConfigMap: false
      oneNamespace: false
      operatorManageWebhooks: false
      pilotCertProvider: istiod
      priorityClassName: ""
      # Defaults applied to the injected sidecar proxy.
      proxy:
        autoInject: enabled
        clusterDomain: cluster.local
        componentLogLevel: misc:error
        enableCoreDump: false
        excludeIPRanges: ""
        excludeInboundPorts: ""
        excludeOutboundPorts: ""
        image: proxyv2
        # '*' together with the empty exclude lists above: no IP range or port
        # is carved out of sidecar redirection in this file.
        includeIPRanges: '*'
        logLevel: warning
        # Sidecar containers are not run privileged.
        privileged: false
        readinessFailureThreshold: 30
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        statusPort: 15020
        tracer: zipkin
      proxy_init:
        image: proxyv2
      sds:
        token:
          aud: istio-ca
      sts:
        servicePort: 0
      tracer:
        datadog: {}
        lightstep: {}
        stackdriver: {}
        zipkin: {}
      useMCP: false
    istiodRemote:
      injectionURL: ""
    # Settings for the istiod (pilot) control-plane deployment.
    pilot:
      autoscaleEnabled: true
      autoscaleMax: 5
      autoscaleMin: 1
      configMap: true
      cpu:
        targetAverageUtilization: 80
      enableProtocolSniffingForInbound: true
      enableProtocolSniffingForOutbound: true
      env: {}
      image: pilot
      keepaliveMaxServerConnectionAge: 30m
      nodeSelector: {}
      podLabels: {}
      replicaCount: 1
      # NOTE(review): presumably a percentage of requests - confirm.
      traceSampling: 1
    telemetry:
      enabled: true
      v2:
        enabled: true
        metadataExchange:
          wasmEnabled: false
        prometheus:
          enabled: true
          wasmEnabled: false
        stackdriver:
          configOverride: {}
          enabled: false
          logging: false
          monitoring: false
          topology: false
[root@kubernetes1 ~]# kubectl get po -n istio-system 
NAME                                    READY   STATUS    RESTARTS   AGE
istio-egressgateway-55bf95754-s7mjq     1/1     Running   0          44s
istio-ingressgateway-5576d7f7c4-lv7s4   1/1     Running   0          44s
istiod-5855798659-j848t                 1/1     Running   0          48s
[root@kubernetes1 ~]# istioctl version
client version: 1.18.0
control plane version: 1.18.0
data plane version: 1.18.0 (2 proxies)
3、示例
3.1、准备工作
# Create the demo namespace.
kubectl create namespace istio-demo
# Turn on automatic sidecar injection for pods created in this namespace.
# NOTE(review): injection alone does not require mutual TLS; unless a
# PeerAuthentication policy sets STRICT mode, workloads presumably still accept
# plaintext (Istio's default is believed to be PERMISSIVE) - confirm.
kubectl label namespace/istio-demo istio-injection=enabled
3.2、部署项目
这里使用官方提供的Bookinfo项目
- productpage:productpage微服务调用details和reviews微服务来填充页面
- details:details微服务包含图书信息
- reviews:reviews微服务包含了书评。它还会调用ratings微服务
- ratings:ratings微服务包含伴随书评的图书评级信息
# The sample images may fail to download. The author's workaround is to retag
# copies taken from a mirror under the upstream names:
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-examples-bookinfo-details-v1 istio/examples-bookinfo-details-v1:1.17.0
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-examples-bookinfo-productpage-v1 istio/examples-bookinfo-productpage-v1:1.17.0
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-examples-bookinfo-ratings-v1 istio/examples-bookinfo-ratings-v1:1.17.0
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-examples-bookinfo-reviews-v1 istio/examples-bookinfo-reviews-v1:1.17.0
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-examples-bookinfo-reviews-v2 istio/examples-bookinfo-reviews-v2:1.17.0
# docker tag registry.cn-hangzhou.aliyuncs.com/ialso/istio-examples-bookinfo-reviews-v3 istio/examples-bookinfo-reviews-v3:1.17.0
# NOTE(review): the mirror references carry no tag, so they resolve to
# `latest`, yet the result is labelled 1.17.0. Nothing here ties the retagged
# image to that upstream release; compare digests with the upstream images.
# Deploy Bookinfo into the injection-enabled namespace. The manifest path is
# relative to the unpacked istio-1.18.0/ directory.
kubectl --namespace istio-demo apply --filename samples/bookinfo/platform/kube/bookinfo.yaml


















