Istio overview
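**Overview**: Istio is an open-source service mesh solution used mainly to manage, secure and monitor service-to-service communication in a microservice architecture. It gives microservices control functions at the infrastructure layer without requiring changes to application code, and so addresses security, traffic management and observability between services.

**How it works**: A sidecar proxy (usually Envoy) is deployed next to every service. The proxy intercepts all traffic entering and leaving the service and sends it to the Istio control plane for management and monitoring. The application itself needs no changes; all functionality is managed through configuration.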
Kubernetes version requirements: https://istio.io/latest/zh/docs/releases/supported-releases/#support-status-of-istio-releases

| Version | Currently Supported | Release Date | End of Life | Supported Kubernetes Versions | Tested, but not supported |
|---|---|---|---|---|---|
| master | No, development only | | | 1.29, 1.30, 1.31, 1.32 | 1.23, 1.24, 1.25, 1.26, 1.27, 1.28 |
| 1.24 | Yes | November 7, 2024 | ~Aug 2025 (Expected) | 1.28, 1.29, 1.30, 1.31 | 1.23, 1.24, 1.25, 1.26, 1.27 |
| 1.23 | Yes | Aug 14, 2024 | ~May 2025 (Expected) | 1.27, 1.28, 1.29, 1.30 | 1.23, 1.24, 1.25, 1.26 |
| 1.22 | Yes | May 13, 2024 | ~Jan 2025 (Expected) | 1.27, 1.28, 1.29, 1.30 | 1.23, 1.24, 1.25, 1.26 |
| 1.21 | Yes | Mar 13, 2024 | Sept 27, 2024 | 1.26, 1.27, 1.28, 1.29 | 1.23, 1.24, 1.25 |
| 1.20 | No | Nov 14, 2023 | Jun 25, 2024 | 1.25, 1.26, 1.27, 1.28, 1.29 | 1.23, 1.24 |
| 1.19 | No | Sept 5, 2023 | Apr 24, 2024 | 1.25, 1.26, 1.27, 1.28 | 1.21, 1.22, 1.23, 1.24 |
| 1.18 | No | Jun 3, 2023 | Jan 4, 2024 | 1.24, 1.25, 1.26, 1.27 | 1.20, 1.21, 1.22, 1.23 |
| 1.17 | No | Feb 14, 2023 | Oct 27, 2023 | 1.23, 1.24, 1.25, 1.26 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21, 1.22 |
| 1.16 | No | Nov 15, 2022 | Jul 25, 2023 | 1.22, 1.23, 1.24, 1.25 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
| 1.15 | No | Aug 31, 2022 | Apr 4, 2023 | 1.22, 1.23, 1.24, 1.25 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
| 1.14 | No | May 24, 2022 | Dec 27, 2022 | 1.21, 1.22, 1.23, 1.24 | 1.16, 1.17, 1.18, 1.19, 1.20 |
| 1.13 | No | Feb 11, 2022 | Oct 12, 2022 | 1.20, 1.21, 1.22, 1.23 | 1.16, 1.17, 1.18, 1.19 |
Installing Istio

Reference: https://istio.io/v1.17/zh/docs/setup/getting-started/#download
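1. Download the required Istio release. With Kubernetes 1.23 as the example, install Istio 1.17.8.

```
[root@master231 06-istio]# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.8 TARGET_ARCH=x86_64 sh -
```

2. Configure the environment variable for the istioctl tool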
```
[root@master231 06-istio]# tar xf istio-1.17.8-linux-amd64.tar.gz
[root@master231 06-istio]#
[root@master231 06-istio]# ll
total 26504
drwxr-xr-x 3 root root     4096 Aug 14 11:30 ./
drwxr-xr-x 8 root root     4096 Aug 14 11:24 ../
drwxr-x--- 6 root root     4096 Oct 11  2023 istio-1.17.8/
-rw-r--r-- 1 root root 27127663 Jun 21 17:39 istio-1.17.8-linux-amd64.tar.gz
[root@master231 06-istio]# echo "export PATH=$PATH:`pwd`/istio-1.17.8/bin" > /etc/profile.d/istio.sh
[root@master231 06-istio]# source /etc/profile.d/istio.sh
[root@master231 06-istio]# istioctl --help
```

3. Install Istio
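```
[root@master241 ~]# istioctl install --set profile=demo -y   # install using the demo profile
[root@master241 ~]# istioctl profile dump demo               # or default, minimal, ...: dump whichever profile you want to inspect
```

These are the built-in configuration profiles that can be used when installing Istio. The profiles provide customization of the Istio control plane and of the sidecars in the Istio data plane.

You can start with one of the built-in profiles and then customize it further for your specific needs. The following built-in profiles are currently provided:

- default: enables components according to the default settings of the IstioOperator API. Recommended for production deployments and for the primary cluster of a multicluster mesh. You can run the istioctl profile dump command to see the default settings.
- demo: has modest resource requirements and is designed to showcase Istio functionality. It is suitable for running the Bookinfo application and the associated tasks. This is the profile installed by the quick-start instructions. It enables high levels of tracing and access logging, so it is not suitable for performance testing.
- minimal: the same as the default profile, but only the control plane components are installed. This lets you configure the control plane and data plane components (for example, a Gateway) using separate profiles.
- remote: configures a remote cluster of a multicluster mesh.
- empty: deploys nothing. It can serve as the base profile for a custom configuration.
- preview: contains features that are experimental. It is intended for exploring new Istio features. Stability, security and performance are not guaranteed; use at your own risk.

References:
https://istio.io/v1.17/zh/docs/setup/additional-setup/config-profiles/
https://istio.io/v1.17/zh/docs/setup/getting-started/#download

Note: image downloads may fail at this step and have to be resolved manually. Successful output looks like this: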
```
[root@master231 06-istio]# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.

Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
[root@master231 06-istio]#
```

6. Check the Istio version
```
[root@master231 06-istio]# istioctl version
client version: 1.17.8
control plane version: 1.17.8
data plane version: 1.17.8 (2 proxies)
```

7. Add shell auto-completion

```
[root@master231 06-istio]# source istio-1.17.8/tools/istioctl.bash
```

Manually injecting pods
After the Istio components are installed, create some workload pods and then inject the Istio sidecar into them.

```
cat > 00-test_istio.yaml <<eof
apiVersion: v1
kind: Namespace
metadata:
  name: wzyluckyboy
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-apps
  namespace: wzyluckyboy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: v1
  template:
    metadata:
      labels:
        app: v1
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        ports:
        - containerPort: 80
eof
```

2. Once the pods have been created, inject the sidecar manually

```
istioctl kube-inject -f 00-test_istio.yaml | kubectl -n wzyluckyboy apply -f -
```

3. The pods now carry the Istio labels
```
[root@master231 01-istio]# kubectl -n wzyluckyboy get pods --show-labels
NAME                           READY   STATUS    RESTARTS   AGE   LABELS
deploy-apps-858765cd5c-pmbpm   2/2     Running   0          29s   app=v1,pod-template-hash=858765cd5c,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=v1,service.istio.io/canonical-revision=latest
deploy-apps-858765cd5c-w8gxf   2/2     Running   0          54s   app=v1,pod-template-hash=858765cd5c,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=v1,service.istio.io/canonical-revision=latest
deploy-apps-858765cd5c-zkbfk   2/2     Running   0          51s   app=v1,pod-template-hash=858765cd5c,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=v1,service.istio.io/canonical-revision=latest
```

View the pods' init containers:

```
kubectl -n wzyluckyboy get pods -o yaml
```
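
Because injection here is a manual step, a pod applied without `istioctl kube-inject` runs with no sidecar and stays outside the mesh's traffic management and security features. The following is an added example, not part of the original post: it lists pods that lack the `istio-proxy` container, assuming the Istio CNI plugin is not in use, so that injected pods also carry an `istio-init` init container. The function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report pods without a sidecar.
#
# Input: one pod per line, tab-separated:
#   <pod name> TAB <container names> TAB <init container names>
# On a live cluster this can be produced with kubectl's jsonpath output:
#   kubectl -n wzyluckyboy get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\t"}{.spec.initContainers[*].name}{"\n"}{end}'

audit_sidecars() {
    awk -F '\t' '
        {
            proxy = 0; init = 0
            # Exact name match, so a container called "my-istio-proxy" does not count.
            n = split($2, c, " ")
            for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") proxy = 1
            m = split($3, ic, " ")
            for (i = 1; i <= m; i++) if (ic[i] == "istio-init") init = 1

            if (!proxy)     print $1 ": NOT INJECTED"
            else if (!init) print $1 ": istio-proxy present, istio-init missing"
        }'
}

# Constructed sample rows: two injected pods and one client pod that was
# applied without kube-inject (pod names reuse those shown on this page).
sample_pods() {
    printf 'apps-v1-85c976498b-5qp59\tc1 istio-proxy\tistio-init\n'
    printf 'apps-v2-5bb84548fc-65r7x\tc2 istio-proxy\tistio-init\n'
    printf 'apps-client-f84c89565-kmqkv\tc1\t\n'
}

sample_pods | audit_sidecars
```

A pod reported with `istio-init missing` is expected when traffic redirection is set up by the Istio CNI plugin instead of the init container.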
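Weighted routing with Istio

Canary (grayscale) release with Istio

```
# Configuration files used
01-deploy-apps.yaml        # deploys 2 pods, the applications to be canary-released
02-svc-apps.yaml           # 2 svc associated with the 2 pods
03-deploy-client.yaml      # used only for testing access to the service
04-vs-apps-svc-all.yaml    # the virtual service; the weights are set in this file
```

1. Traffic management: weighted routing to simulate a canary release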
```
cat > 01-deploy-apps.yaml <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: wzyluckyboy
---
apiVersion: apps/v1
# Note: create the pods with a Deployment rather than an rc resource,
# otherwise istioctl may not be able to inject them manually.
kind: Deployment
metadata:
  name: apps-v1
  namespace: wzyluckyboy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xiuxian01
      version: v1
      auther: wzyluckyboy
  template:
    metadata:
      labels:
        app: xiuxian01
        version: v1
        auther: wzyluckyboy
    spec:
      containers:
      - name: c1
        ports:
        - containerPort: 80
        image: busybox:1.36.1
        command: ["/bin/sh","-c","echo c1 > /var/www/index.html;httpd -f -p 80 -h /var/www"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-v2
  namespace: wzyluckyboy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xiuxian02
      version: v2
      auther: wzyluckyboy
  template:
    metadata:
      labels:
        app: xiuxian02
        version: v2
        auther: wzyluckyboy
    spec:
      containers:
      - name: c2
        ports:
        - containerPort: 80
        image: busybox:1.36.1
        command: ["/bin/sh","-c","echo c2 > /var/www/index.html;httpd -f -p 80 -h /var/www"]
EOF
```

2. Create 3 Services, each associated with different pods; one of them selects all of the pods created above
```
cat > 02-svc-apps.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-v1
  namespace: wzyluckyboy
spec:
  selector:
    version: v1
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-v2
  namespace: wzyluckyboy
spec:
  selector:
    version: v2
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-all
  namespace: wzyluckyboy
spec:
  selector:
    auther: wzyluckyboy
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
EOF
```

3. Create a client for testing access to the service
```
cat > 03-deploy-client.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-client
  namespace: wzyluckyboy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client-test
  template:
    metadata:
      labels:
        app: client-test
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
        command:
        - tail
        - -f
        - /etc/hosts
EOF
```

4. Inject the configuration that controls the route weights
```
cat > 04-vs-apps-svc-all.yaml <<eof
apiVersion: networking.istio.io/v1beta1
# apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: apps-svc-all-vs
  namespace: wzyluckyboy
spec:
  # Name of the backend svc this vs is associated with
  hosts:
  - apps-svc-all
  # HTTP configuration
  http:
  # Route definitions
  - route:
    # Destination
    - destination:
        host: apps-svc-v1
      # Weight
      weight: 90
    - destination:
        host: apps-svc-v2
      weight: 10
eof
```

3. Manually inject Istio-proxy

1. Before injection
```
[root@master241 yinzhengjie]# kubectl get pods -n wzyluckyboy
NAME                          READY   STATUS    RESTARTS   AGE
apps-client-f84c89565-kmqkv   1/1     Running   0          31s
apps-v1-9bff7546c-fsnmn       1/1     Running   0          32s
apps-v2-6c957bf64b-lz65z      1/1     Running   0          32s
[root@master241 yinzhengjie]#
```

2. Start the manual injection
```
[root@master241 yinzhengjie]# istioctl kube-inject -f 03-deploy-client.yaml | kubectl -n wzyluckyboy apply -f -
deployment.apps/apps-client configured
[root@master241 yinzhengjie]#
[root@master241 yinzhengjie]# istioctl kube-inject -f 01-deploy-apps.yaml | kubectl -n wzyluckyboy apply -f -
namespace/yinzhengjie unchanged
deployment.apps/apps-v1 configured
deployment.apps/apps-v2 configured
[root@master241 yinzhengjie]#
```

3. After injection
```
[root@master241 yinzhengjie]# kubectl get pods -n wzyluckyboy
NAME                          READY   STATUS    RESTARTS   AGE
apps-client-5cc67d864-g2r2v   2/2     Running   0          41s
apps-v1-85c976498b-5qp59      2/2     Running   0          30s
apps-v2-5bb84548fc-65r7x      2/2     Running   0          30s
[root@master241 yinzhengjie]#
```

5.4. Start testing
```
[root@master231 ~]# kubectl -n wzyluckyboy exec -it apps-client-5f579696d5-s7nvc -- sh
/ # while true; do curl http://apps-svc-all;sleep 0.1;done
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
c2
```
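
To judge whether output like the above matches the 90/10 weights in `04-vs-apps-svc-all.yaml`, the responses can be tallied and compared with the configured share. This is an added example, not part of the original post; the function names are illustrative, and the 3-standard-deviation tolerance is an assumption chosen for the check.

```shell
#!/bin/sh
# Added example (not from the original post): tally the curl loop's responses
# and compare the apps-svc-v2 share with the weight set in the VirtualService.

# check_split WEIGHT_V2_PERCENT   (reads one response body per line on stdin)
# Prints "c1=<n> c2=<n> verdict=<ok|drift|no-data>".
# "drift" means the c2 count is more than 3 standard deviations away from
# what a binomial draw with the configured weight would produce.
check_split() {
    awk -v w="$1" '
        $1 == "c1" { c1++ }
        $1 == "c2" { c2++ }
        END {
            n = c1 + c2
            if (n == 0) { print "c1=0 c2=0 verdict=no-data"; exit }
            p = w / 100
            expected = n * p
            sigma = sqrt(n * p * (1 - p))
            diff = c2 - expected
            if (diff < 0) diff = -diff
            verdict = (diff <= 3 * sigma) ? "ok" : "drift"
            printf "c1=%d c2=%d verdict=%s\n", c1, c2, verdict
        }'
}

# The 15 responses shown in the test output above (14 x c1, 1 x c2).
page_sample() {
    i=0
    while [ "$i" -lt 14 ]; do echo c1; i=$((i + 1)); done
    echo c2
}

page_sample | check_split 10
```

With only 15 requests the tolerance is wide; a longer run narrows it, and a `drift` verdict on a large sample is a sign that the client is bypassing the VirtualService, for example because its pod has no sidecar.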