Istio microservices
1. Istio overview
Istio is an open-source service mesh framework for microservices, originally developed jointly by Google, IBM and Lyft. It addresses service discovery, connectivity, management, observability and security for large numbers of microservices without changing application code: the controls are applied in a proxy that sits next to each workload.
1.1 Istio architecture
An Istio service mesh is logically split into a data plane and a control plane.
Data plane: a set of intelligent proxies (Envoy) deployed as sidecars. They mediate and control all network traffic between microservices, and they collect and report telemetry on all mesh traffic. Every routing and security rule in this page (weighted routing, header matching, mTLS, authorization) is enforced inside these sidecars, so a pod that has no sidecar is outside the mesh's enforcement.
Control plane: manages and configures the proxies to route traffic. Since Istio 1.5 the control plane ships as a single binary, istiod, which absorbed the former Pilot, Citadel and Galley components.
Official docs: https://istio.io/latest/zh/docs/ops/deployment/architecture/#istiod

2. Istio's main features:
- Automatic load balancing for HTTP, gRPC and TCP traffic
- Rich routing rules with fine-grained control over traffic behaviour
- Traffic encryption, service-to-service authentication and strong identity assertions (mutual TLS with per-workload SPIFFE identities)
- Fleet-wide policy enforcement
- In-depth telemetry and reporting
3. Kubernetes versions supported by each Istio release:
Pick an Istio release that is tested against your cluster's Kubernetes version. Only releases still in support receive security patches, so check the support status before choosing.
Official docs: https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases

4. Deploy Istio
4.1 Download a specific Istio version
[root@master115 ~]# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.8 TARGET_ARCH=x86_64 sh
Reference: https://istio.io/v1.17/zh/docs/setup/getting-started/#download
Note that this pipes a script fetched over the network straight into a root shell. For anything beyond a lab, download the release archive from the Istio GitHub releases page instead and compare it with the published SHA-256 checksum before unpacking it.
4.2 Unpack the archive
[root@master115 istio]# tar xf istio-1.17.8-linux-amd64.tar.gz
[root@master115 istio]#
[root@master115 istio]# ll
total 26504
drwxr-xr-x 3 root root 4096 Sep 23 16:06 ./
drwxr-xr-x 19 root root 4096 Sep 23 16:06 ../
drwxr-x--- 6 root root 4096 Oct 11 2023 istio-1.17.8/
-rw-r--r-- 1 root root 27127663 Jun 21 17:39 istio-1.17.8-linux-amd64.tar.gz
[root@master115 istio]#
4.3 Put istioctl on the PATH
[root@master115 istio]# pwd
/root/cloud-computing-stack/kubernetes/istio
[root@master115 istio]#
[root@master115 istio]# echo 'export PATH="$PATH:/root/cloud-computing-stack/kubernetes/istio/istio-1.17.8/bin"' > /etc/profile.d/istio.sh
[root@master115 istio]#
[root@master115 istio]# source /etc/profile.d/istio.sh
[root@master115 istio]#
[root@master115 istio]# istioctl --help
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
Usage:
istioctl [command]
Available Commands:
admin Manage control plane (istiod) configuration
analyze Analyze Istio configuration and print validation messages
authz (authz is experimental. Use `istioctl experimental authz`)
bug-report Cluster information and log capture support tool.
completion Generate the autocompletion script for the specified shell
create-remote-secret Create a secret with credentials to allow Istio to access remote Kubernetes apiservers
dashboard Access to Istio web UIs
experimental Experimental commands that may be modified or deprecated
help Help about any command
install Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
kube-inject Inject Istio sidecar into Kubernetes pod resources
manifest Commands related to Istio manifests
operator Commands related to Istio operator controller.
profile Commands related to Istio configuration profiles
proxy-config Retrieve information about proxy configuration from Envoy [kube only]
proxy-status Retrieves the synchronization status of each Envoy in the mesh [kube only]
remote-clusters Lists the remote clusters each istiod instance is connected to.
tag Command group used to interact with revision tags
uninstall Uninstall Istio from a cluster
upgrade Upgrade Istio control plane in-place
validate Validate Istio policy and rules files
verify-install Verifies Istio Installation Status
version Prints out build version information
Flags:
--context string The name of the kubeconfig context to use
-h, --help help for istioctl
-i, --istioNamespace string Istio system namespace (default "istio-system")
-c, --kubeconfig string Kubernetes configuration file
-n, --namespace string Config namespace
--vklog Level number for the log level verbosity. Like -v flag. ex: --vklog=9
Additional help topics:
istioctl options Displays istioctl global options
Use "istioctl [command] --help" for more information about a command.
[root@master115 istio]#
4.4 Install Istio
[root@master115 istio]# istioctl install --set profile=demo -y # install using the demo profile
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.
Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
[root@master115 istio]#
If the image pulls fail in this step, import the images manually or pull them through a proxy/VPN.
The demo profile is meant for evaluation: it installs both an ingress and an egress gateway with small resource limits and leaves the mesh's outbound policy at ALLOW_ANY, so any sidecar may open connections to arbitrary external hosts. It is not intended for production. For a real cluster start from the default profile and set the mesh configuration explicitly.
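As an added example (my manifest, not part of the original page or of istioctl's output above), here is the same installation driven from an IstioOperator file instead of --set profile=demo. It starts from the default profile, leaves the egress gateway off explicitly, turns on sidecar access logs, and switches outbound traffic to REGISTRY_ONLY so sidecars refuse connections to hosts that are not in the service registry. The file name istio-operator.yaml and the resource name nolen-mesh are my choices.

```yaml
# Added example: install Istio from an IstioOperator manifest with a tighter baseline.
# The name "nolen-mesh" and the file name are assumptions, not from the page.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: nolen-mesh
spec:
  profile: default                 # istiod + ingress gateway; none of the demo profile's extras
  meshConfig:
    accessLogFile: /dev/stdout     # per-request sidecar logs, useful evidence during incident response
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY          # sidecars may only reach Services and ServiceEntries, not arbitrary hosts
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: false               # re-enable deliberately if controlled egress through a gateway is wanted
```

Apply it with `istioctl install -f istio-operator.yaml -y`, then run `istioctl verify-install` and `istioctl analyze -A` to confirm the control plane is healthy and the resulting configuration has no warnings. With REGISTRY_ONLY in place, any external dependency a workload needs must be declared as a ServiceEntry, which doubles as an inventory of permitted egress.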
4.5 Enable shell completion for istioctl
[root@master115 istio]# pwd
/root/cloud-computing-stack/kubernetes/istio
[root@master115 istio]#
[root@master115 istio]# ll istio-1.17.8/tools/istioctl.bash
-rw-r--r-- 1 root root 11294 Oct 11 2023 istio-1.17.8/tools/istioctl.bash
[root@master115 istio]#
[root@master115 istio]# source istio-1.17.8/tools/istioctl.bash
[root@master115 istio]#
[root@master115 istio]# istioctl
admin (Manage control plane (istiod) configuration)
analyze (Analyze Istio configuration and print validation messages)
authz ((authz is experimental. Use `istioctl experimental authz`))
bug-report (Cluster information and log capture support tool.)
completion (Generate the autocompletion script for the specified shell)
create-remote-secret (Create a secret with credentials to allow Istio to access remote Kubernetes apiservers)
dashboard (Access to Istio web UIs)
experimental (Experimental commands that may be modified or deprecated)
help (Help about any command)
install (Applies an Istio manifest, installing or reconfiguring Istio on a cluster.)
kube-inject (Inject Istio sidecar into Kubernetes pod resources)
manifest (Commands related to Istio manifests)
operator (Commands related to Istio operator controller.)
profile (Commands related to Istio configuration profiles)
proxy-config (Retrieve information about proxy configuration from Envoy [kube only])
proxy-status (Retrieves the synchronization status of each Envoy in the mesh [kube only])
remote-clusters (Lists the remote clusters each istiod instance is connected to.)
tag (Command group used to interact with revision tags)
uninstall (Uninstall Istio from a cluster)
upgrade (Upgrade Istio control plane in-place)
validate (Validate Istio policy and rules files)
verify-install (Verifies Istio Installation Status)
version (Prints out build version information)
[root@master115 istio]# istioctl
4.6 Check the Istio version
[root@master115 istio]# istioctl version
client version: 1.17.8
control plane version: 1.17.8
data plane version: 1.17.8 (2 proxies)
[root@master115 istio]#
5. Service discovery and load balancing behind sidecar injection
The control plane (Pilot, now part of istiod) reads service registrations from the platform (Kubernetes Services and their endpoints) and pushes them to every Envoy sidecar over xDS; each Envoy updates its load-balancing pool from that data. Endpoints that are not Ready in Kubernetes drop out of the pool, and Envoy can additionally be told to eject endpoints that keep failing (passive health checking, configured as outlierDetection in a DestinationRule); Istio does not enable active health probes from the sidecar by default.
Istio spreads requests across the instances in the pool; older releases and older documentation describe round robin as the default, while current Istio documentation describes least request as the default. Istio also supports random, weighted and least-request policies, and these can be set in a DestinationRule for traffic to a particular service or to a subset of that service.
6. Canary (gray) release with Istio
6.1 Deploy the environment
Note on the manifests below: apps-svc-v1 and apps-svc-v2 select pods by the version label alone, and apps-svc-all by auther: nolen, so any other pod in the namespace carrying those labels would also receive traffic. Outside a lab, select on the Deployment's full label set. The port name http matters too: it is how Istio decides to treat the port as HTTP and apply layer-7 routing.
[root@master115 case02]# cat 01-deploy-apps.yaml
apiVersion: v1   # create the namespace
kind: Namespace
metadata:
  name: nolen
---
apiVersion: apps/v1
# Note: create the pods through a Deployment, not a ReplicationController; otherwise istioctl kube-inject may be unable to inject the sidecar.
kind: Deployment
metadata:
  name: apps-v1
  namespace: nolen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: linux01
      version: v1
      auther: nolen
  template:
    metadata:
      labels:
        app: linux01
        version: v1
        auther: nolen
    spec:
      containers:
      - name: c1
        ports:
        - containerPort: 80
        image: harbor.nolenlinux.cn/busybox/busybox:1.36.1
        # mkdir -p keeps this working on a stock busybox image, which has no /var/www
        command: ["/bin/sh","-c","mkdir -p /var/www; echo 'c1' > /var/www/index.html; httpd -f -p 80 -h /var/www"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-v2
  namespace: nolen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: linux02
      version: v2
      auther: nolen
  template:
    metadata:
      labels:
        app: linux02
        version: v2
        auther: nolen
    spec:
      containers:
      - name: c2
        ports:
        - containerPort: 80
        image: harbor.nolenlinux.cn/busybox/busybox:1.36.1
        command: ["/bin/sh","-c","mkdir -p /var/www; echo 'c2' > /var/www/index.html; httpd -f -p 80 -h /var/www"]
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-v1
  namespace: nolen
spec:
  selector:
    version: v1
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http        # port name tells Istio this is HTTP, enabling L7 routing
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-v2
  namespace: nolen
spec:
  selector:
    version: v2
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-all
  namespace: nolen
spec:
  selector:
    auther: nolen     # matches both apps-v1 and apps-v2 pods
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-client
  namespace: nolen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client-test
  template:
    metadata:
      labels:
        app: client-test
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/nolen_linux/test:v1
        command:        # keep the container running so we can exec into it for tests
        - tail
        - -f
        - /etc/hosts
[root@master115 case02]#
[root@master115 case02]#
[root@master115 case02]# cat 02-apps-vs.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: apps-svc-all-vs
  namespace: nolen
spec:
  # The Service whose traffic this VirtualService intercepts (short name, resolved in this namespace)
  hosts:
  - apps-svc-all
  # HTTP routing rules
  http:
  # One route with two weighted destinations
  - route:
    # Destination: the Service fronting v1
    - destination:
        host: apps-svc-v1
      # Share of requests sent here, in percent
      weight: 90
    - destination:
        host: apps-svc-v2
      weight: 10
[root@master115 case02]#
[root@master115 case02]# kubectl apply -f 01-deploy-apps.yaml -f 02-apps-vs.yaml
namespace/nolen created
deployment.apps/apps-v1 created
deployment.apps/apps-v2 created
service/apps-svc-v1 created
service/apps-svc-v2 created
service/apps-svc-all created
deployment.apps/apps-client created
virtualservice.networking.istio.io/apps-svc-all-vs created
[root@master115 case02]#
[root@master115 case02]# kubectl get pods -n nolen -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
apps-client-49fg472a4r-j0751 1/1 Running 0 6s 10.100.2.147 worker117 <none> <none>
apps-v1-56776f5d9b-675cp 1/1 Running 0 7s 10.100.2.135 worker117 <none> <none>
apps-v2-557cbcb6df-chp26 1/1 Running 0 7s 10.100.1.121 worker116 <none> <none>
[root@master115 case02]#
6.2 Manual sidecar injection
istioctl kube-inject rewrites the manifest on stdout, adding the istio-init and istio-proxy containers to every pod template, and kubectl applies the result. Only resources that pass through this pipe get a sidecar: a later kubectl apply of the original file, or any other workload in the namespace, comes up without one and is invisible to every routing and security rule below. Outside a lab, label the namespace with istio-injection=enabled so istiod's mutating admission webhook injects automatically, and check coverage with istioctl proxy-status. Note that istio-init programs iptables and therefore needs the NET_ADMIN and NET_RAW capabilities; if Pod Security admission forbids those, use the Istio CNI plugin instead.
[root@master115 case02]# istioctl kube-inject -f 01-deploy-apps.yaml | kubectl -n nolen apply -f -
namespace/nolen unchanged
deployment.apps/apps-v1 configured
deployment.apps/apps-v2 configured
service/apps-svc-v1 unchanged
service/apps-svc-v2 unchanged
service/apps-svc-all unchanged
deployment.apps/apps-client configured
[root@master115 case02]#
[root@master115 case02]# kubectl get pods -n nolen -o wide   # READY 2/2 means application container plus istio-proxy
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
apps-client-2a305994a4-v8kb9 2/2 Running 0 21s 10.100.2.135 worker117 <none> <none>
apps-client-49fg472a4r-j0751 1/1 Terminating 0 73s 10.100.2.134 worker117 <none> <none>
apps-v1-3391271d68-fs0qi 2/2 Running 0 22s 10.100.1.147 worker116 <none> <none>
apps-v1-56776f5d9b-675cp 1/1 Terminating 0 74s 10.100.2.133 worker117 <none> <none>
apps-v2-77021r72qt-xulo9 2/2 Running 0 21s 10.100.1.148 worker116 <none> <none>
apps-v2-557cbcb6df-chp26 1/1 Terminating 0 74s 10.100.1.146 worker116 <none> <none>
[root@master115 case02]#
[root@master115 case02]# kubectl get pods -n nolen -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
apps-client-2a305994a4-v8kb9 2/2 Running 0 70s 10.100.2.135 worker117 <none> <none>
apps-v1-3391271d68-fs0qi 2/2 Running 0 71s 10.100.1.147 worker116 <none> <none>
apps-v2-77021r72qt-xulo9 2/2 Running 0 70s 10.100.1.148 worker116 <none> <none>
[root@master115 case02]#
6.3 Test access (roughly one request in ten should reach c2)
[root@master115 case02]# kubectl -n nolen exec -it apps-client-2a305994a4-v8kb9 -- sh
/ # while true; do curl http://apps-svc-all;sleep 0.1;done
c1
c1
c1
c1
c1
c2
c1
c1
c1
c1
c1
c2
c1
c1
c1
c1
6.4 Shifting the weights
The weight pair is the only thing that changes during a canary rollout. The file below moves 100% of traffic back to v1, i.e. a full rollback of c2; promoting c2 instead is the mirror image (weight 0 for apps-svc-v1, 100 for apps-svc-v2), normally reached in steps such as 90/10, 50/50, 0/100 while watching error rates and latency on the new version.
[root@master115 case02]# cat 02-apps-vs.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: apps-svc-all-vs
  namespace: nolen
spec:
  # The Service whose traffic this VirtualService intercepts
  hosts:
  - apps-svc-all
  # HTTP routing rules
  http:
  # One route with two weighted destinations
  - route:
    # Destination: the Service fronting v1
    - destination:
        host: apps-svc-v1
      # All traffic goes to v1 again
      weight: 100
    - destination:
        host: apps-svc-v2
      weight: 0
[root@master115 case02]#
[root@master115 case02]# kubectl apply -f 02-apps-vs.yaml
virtualservice.networking.istio.io/apps-svc-all-vs configured
[root@master115 case02]#
[root@master115 case02]#
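Section 5 says the load-balancing policy lives in a DestinationRule, and section 6 splits traffic by weight across two extra Services. As an added example (my manifest, not the page's), the following does both on the single apps-svc-all Service: a DestinationRule derives v1 and v2 subsets from the page's version labels, sets an explicit load-balancing policy and passive outlier ejection, and the VirtualService weights the subsets instead of separate Services, so apps-svc-v1 and apps-svc-v2 are no longer needed for the split. The resource name apps-svc-all-dr and the outlier thresholds are my choices.

```yaml
# Added example: canary split on one Service using DestinationRule subsets.
# Assumes the apps-svc-all Service and the version: v1 / version: v2 pod labels
# from the page's manifests; the name "apps-svc-all-dr" and the thresholds are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: apps-svc-all-dr
  namespace: nolen
spec:
  host: apps-svc-all
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST        # explicit policy; ROUND_ROBIN or RANDOM are also valid
    outlierDetection:              # passive health checking performed by the calling sidecar
      consecutive5xxErrors: 3      # eject an endpoint after 3 consecutive 5xx responses
      interval: 10s                # how often ejection status is re-evaluated
      baseEjectionTime: 30s        # first ejection lasts 30s, growing with repeated ejections
      maxEjectionPercent: 50       # never eject more than half of the pool (one of the two pods here)
  subsets:
  - name: v1
    labels:
      version: v1                  # pods of apps-v1
  - name: v2
    labels:
      version: v2                  # pods of apps-v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: apps-svc-all-vs
  namespace: nolen
spec:
  hosts:
  - apps-svc-all
  http:
  - route:
    - destination:
        host: apps-svc-all
        subset: v1                 # same Service, filtered to the v1 subset
      weight: 90
    - destination:
        host: apps-svc-all
        subset: v2
      weight: 10
```

Apply with kubectl apply -f, then confirm the client sidecar received the subsets with `istioctl proxy-config cluster <client-pod> -n nolen`, which lists apps-svc-all once per subset. The split is executed in the caller's sidecar: a pod without a sidecar that calls apps-svc-all gets plain kube-proxy distribution across both versions, which with one pod each is about 50/50 rather than 90/10.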
7. A/B testing with Istio traffic management
7.1 Deploy the environment
[root@master115 case03]# cat 01-deploy-apps.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: nolen
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-v1
  namespace: nolen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: linux01
      version: v1
      auther: nolen
  template:
    metadata:
      labels:
        app: linux01
        version: v1
        auther: nolen
    spec:
      containers:
      - name: c1
        ports:
        - containerPort: 80
        image: harbor.nolenlinux.cn/nolen-linux/busybox:1.36.1
        # mkdir -p keeps this working on a stock busybox image, which has no /var/www
        command: ["/bin/sh","-c","mkdir -p /var/www; echo 'c1' > /var/www/index.html; httpd -f -p 80 -h /var/www"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-v2
  namespace: nolen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: linux02
      version: v2
      auther: nolen
  template:
    metadata:
      labels:
        app: linux02
        version: v2
        auther: nolen
    spec:
      containers:
      - name: c2
        ports:
        - containerPort: 80
        image: harbor.nolenlinux.cn/nolen-linux/busybox:1.36.1
        command: ["/bin/sh","-c","mkdir -p /var/www; echo 'c2' > /var/www/index.html; httpd -f -p 80 -h /var/www"]
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-v1
  namespace: nolen
spec:
  selector:
    version: v1
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http        # port name tells Istio this is HTTP, enabling header-based routing
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-v2
  namespace: nolen
spec:
  selector:
    version: v2
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-all
  namespace: nolen
spec:
  selector:
    auther: nolen     # matches both apps-v1 and apps-v2 pods
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-client
  namespace: nolen
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client-test
  template:
    metadata:
      labels:
        app: client-test
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/nolen_linux/test:v1
        command:        # keep the container running so we can exec into it for tests
        - tail
        - -f
        - /etc/hosts
[root@master115 case03]# cat 02-vs-apps-svc-all.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: apps-svc-all-vs
  namespace: nolen
spec:
  hosts:
  - apps-svc-all
  http:
  # Rules are evaluated in order; the first match wins.
  - match:
    # Route on a request header. The header name is arbitrary and chosen by us.
    - headers:
        # Requests whose "username" header is exactly "nolen" go to v1.
        username:
          # "exact" is a full-string match; "prefix" and "regex" are the alternatives.
          exact: nolen
    route:
    - destination:
        host: apps-svc-v1
  # Default route for every request that matched nothing above.
  - route:
    - destination:
        host: apps-svc-v2
[root@master115 case03]#
[root@master115 case03]#
[root@master115 case03]# kubectl apply -f .
namespace/nolen created
deployment.apps/apps-v1 created
deployment.apps/apps-v2 created
service/apps-svc-v1 created
service/apps-svc-v2 created
service/apps-svc-all created
deployment.apps/apps-client created
virtualservice.networking.istio.io/apps-svc-all-vs created
[root@master115 case03]#
7.2 Manual sidecar injection
[root@master115 case03]# istioctl kube-inject -f 01-deploy-apps.yaml | kubectl -n nolen apply -f -
namespace/nolen unchanged
deployment.apps/apps-v1 configured
deployment.apps/apps-v2 configured
service/apps-svc-v1 unchanged
service/apps-svc-v2 unchanged
service/apps-svc-all unchanged
deployment.apps/apps-client configured
[root@master115 case03]#
[root@master115 case03]# kubectl get pods -o wide -n nolen
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
apps-client-5f579696d5-84bv9 2/2 Running 0 3m22s 10.100.2.138 worker117 <none> <none>
apps-v1-7955775b88-b7sfz 2/2 Running 0 3m22s 10.100.1.150 worker116 <none> <none>
apps-v2-57766c45dc-9sqj2 2/2 Running 0 3m22s 10.100.1.151 worker116 <none> <none>
[root@master115 case03]#
7.3 Test access
The username header is nothing more than a routing key that the caller sets itself: any workload able to reach apps-svc-all can send username: nolen and land on v1. Treat it as an A/B selector, not as access control. Identity inside the mesh comes from the workload certificate (the mTLS peer principal) and is enforced with PeerAuthentication and AuthorizationPolicy, not from request headers.
[root@master115 case03]# kubectl -n nolen exec -it apps-client-5f579696d5-84bv9 -- sh
/ # while true; do curl -H "username:nolen" http://apps-svc-all;sleep 0.1;done # with the routing header: every request lands on v1
c1
c1
c1
c1
c1
c1
c1
c1
...
/ # while true; do curl http://apps-svc-all;sleep 0.1;done # without the header: the default route, v2
c2
c2
c2
c2
c2
c2
c2
c2
c2
c2
c2
c2
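Because the header match above is a hint the caller sets itself, this added example (my manifests, not the page's) shows how to make reaching the v1 workloads depend on something the caller cannot forge: its mesh identity. It enforces mutual TLS for the nolen namespace and allows GET on the version: v1 pods only from the SPIFFE principal of an apps-client service account. Assumptions: the cluster uses Istio's default trust domain cluster.local, and the apps-client Deployment is changed to run with serviceAccountName: apps-client (the page's manifest uses the namespace default account).

```yaml
# Added example: identity-based access to the v1 workloads (not from the original page).
# Assumes trust domain cluster.local and that the apps-client Deployment sets
# spec.template.spec.serviceAccountName: apps-client.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: apps-client
  namespace: nolen
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: nolen
spec:
  mtls:
    mode: STRICT                   # plaintext is rejected; every caller must present a mesh-issued certificate
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: apps-v1-client-only
  namespace: nolen
spec:
  selector:
    matchLabels:
      version: v1                  # enforced by the sidecar of the apps-v1 pods
  action: ALLOW                    # once an ALLOW policy selects a workload, anything it does not match is denied
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/nolen/sa/apps-client"]   # SPIFFE identity of the client's service account
    to:
    - operation:
        methods: ["GET"]
```

After applying, curl http://apps-svc-v1 from the apps-client pod still returns c1, while the same request from a pod running under any other service account gets HTTP 403 with the body "RBAC: access denied", and a pod without a sidecar has its plaintext connection reset by the STRICT setting. `istioctl experimental authz check <pod> -n nolen` lists the policies a given sidecar has loaded, which is the quickest way to confirm the rule reached the right workload.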
