← 返回首页
🕸️

服务网格Istio入门

📂 devops ⏱ 2 min 299 words
服务网格istio微服务高级应用

服务网格Istio入门

什么是服务网格

服务网格是处理服务间通信的基础设施层,提供流量管理、安全和可观测性功能。

Istio架构

数据平面:
- Envoy代理:拦截服务间的所有流量

控制平面:
- istiod:管理代理的配置和证书
- Pilot:流量管理
- Citadel:安全管理
- Galley:配置管理

安装Istio

# 下载Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*

# 安装
istioctl install --set profile=demo -y

# 验证安装
kubectl get pods -n istio-system

部署应用

启用Sidecar注入

# 为命名空间启用自动注入
kubectl label namespace default istio-injection=enabled

# 部署示例应用
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

流量管理

VirtualService

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    - route:
        - destination:
            host: myapp
            subset: v1
          weight: 90
        - destination:
            host: myapp
            subset: v2
          weight: 10

DestinationRule

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: DEFAULT
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000

故障注入

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    - fault:
        delay:
          percentage:
            value: 10
          fixedDelay: 5s
        abort:
          percentage:
            value: 5
          httpStatus: 503
      route:
        - destination:
            host: myapp

安全

PeerAuthentication

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    matchLabels:
      app: myapp
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/web"]
      to:
        - operation:
            methods: ["GET", "POST"]

可观测性

# 安装Kiali
kubectl apply -f samples/addons/kiali.yaml

# 安装Prometheus
kubectl apply -f samples/addons/prometheus.yaml

# 安装Grafana
kubectl apply -f samples/addons/grafana.yaml

# 访问Kiali
istioctl dashboard kiali

实践:金丝雀发布

# 1. 部署v1版本
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-v1
spec:
  replicas: 9
  selector:
    matchLabels:
      app: myapp
      version: v1
  template:
    metadata:
      labels:
        app: myapp
        version: v1
    spec:
      containers:
        - name: myapp
          image: myapp:v1

---
# 2. 部署v2版本
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
      version: v2
  template:
    metadata:
      labels:
        app: myapp
        version: v2
    spec:
      containers:
        - name: myapp
          image: myapp:v2

---
# 3. 配置流量分割
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
    - myapp
  http:
    - route:
        - destination:
            host: myapp
            subset: v1
          weight: 90
        - destination:
            host: myapp
            subset: v2
          weight: 10

总结

服务网格是微服务架构的重要基础设施。Istio提供了强大的流量管理、安全和可观测性能力,简化了微服务的运维复杂度。