Introduction
Istio is one implementation of a service mesh; its core features are traffic management, security and observability.
Istio architecture
- Control plane: Istiod
- Data plane: Proxy (Envoy + Mixer client library)
Download the istioctl binary
istioctl is a command-line configuration tool that lets service operators debug and diagnose their service mesh applications.
# Download the Istio release archive, which contains istioctl
wget https://github.com/istio/istio/releases/download/1.19.3/istio-1.19.3-linux-amd64.tar.gz
# Extract the archive (the file name must match the one downloaded above)
tar -xf istio-1.19.3-linux-amd64.tar.gz
# Copy istioctl into /usr/local/bin so it can be run directly
cd istio-1.19.3/
cp ./bin/istioctl /usr/local/bin
istioctl shell completion
# Copy the istioctl.bash file to the home directory; it is in the tools directory of the archive
cp tools/istioctl.bash /root/
Edit the .bashrc file
# Add the following line to /root/.bashrc
source ~/istioctl.bash
# Apply it immediately
[root@node1 ~]# source .bashrc
Install an Istio profile
istioctl install --set profile=demo
Istio's built-in configuration profiles
- default: starts the components with the default settings of the IstioOperator API. Recommended for production deployments and for the primary cluster of a multicluster mesh. Run istioctl profile dump to view the default settings.
- demo: a configuration with modest resource requirements, intended to showcase Istio's features. It is suitable for running the Bookinfo application and related tasks, and is the configuration installed by the quick-start guide. This profile enables high levels of tracing and access logging, so it is not suitable for performance testing.
- minimal: the same as the default profile, but only the control plane components are installed. This lets you configure the control plane and the data plane components (for example gateways) with separate profiles.
- remote: used to configure a remote cluster that is managed by an external control plane, or by the control plane in the primary cluster of a multicluster mesh.
- empty: deploys nothing. Can serve as the base profile for a custom configuration.
- preview: contains features that are still experimental. This profile exists for exploring new Istio features; stability, security and performance are not guaranteed (use at your own risk).
- ambient: the ambient profile is designed to help you get started with ambient mesh.
List the built-in profiles
[root@node1 ~]# istioctl profile list
Istio configuration profiles:
ambient
default
demo
empty
external
minimal
openshift
preview
remote
View the configuration of a built-in profile
[root@node1 ~]# istioctl profile dump demo
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    base:
      enabled: true
    cni:
      enabled: false
    egressGateways:
    - enabled: true # whether the component is enabled
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
      name: istio-egressgateway
    ingressGateways:
    - enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
        service:
          ports:
          - name: status-port
            port: 15021
            targetPort: 15021
          - name: http2
            port: 80
            targetPort: 8080
          - name: https
            port: 443
            targetPort: 8443
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443
      name: istio-ingressgateway
    istiodRemote:
      enabled: false
    pilot:
      enabled: true
      k8s:
        env:
        - name: PILOT_TRACE_SAMPLING
          value: "100"
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
  hub: docker.io/istio
  meshConfig:
    accessLogFile: /dev/stdout
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
    extensionProviders:
    - envoyOtelAls:
        port: 4317
        service: opentelemetry-collector.istio-system.svc.cluster.local
      name: otel
    - name: skywalking
      skywalking:
        port: 11800
        service: tracing.istio-system.svc.cluster.local
    - name: otel-tracing
      opentelemetry:
        port: 4317
        service: opentelemetry-collector.otel-collector.svc.cluster.local
  profile: demo
  tag: 1.19.0
  values:
    base:
      enableCRDTemplates: false
      validationURL: ""
    defaultRevision: ""
    gateways:
      istio-egressgateway:
        autoscaleEnabled: false
        env: {}
        name: istio-egressgateway
        secretVolumes:
        - mountPath: /etc/istio/egressgateway-certs
          name: egressgateway-certs
          secretName: istio-egressgateway-certs
        - mountPath: /etc/istio/egressgateway-ca-certs
          name: egressgateway-ca-certs
          secretName: istio-egressgateway-ca-certs
        type: ClusterIP
      istio-ingressgateway:
        autoscaleEnabled: false
        env: {}
        name: istio-ingressgateway
        secretVolumes:
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          secretName: istio-ingressgateway-certs
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          secretName: istio-ingressgateway-ca-certs
        type: LoadBalancer
    global:
      configValidation: true
      defaultNodeSelector: {}
      defaultPodDisruptionBudget:
        enabled: true
      defaultResources:
        requests:
          cpu: 10m
      imagePullPolicy: ""
      imagePullSecrets: []
      istioNamespace: istio-system
      istiod:
        enableAnalysis: false
      jwtPolicy: third-party-jwt
      logAsJson: false
      logging:
        level: default:info
      meshNetworks: {}
      mountMtlsCerts: false
      multiCluster:
        clusterName: ""
        enabled: false
      network: ""
      omitSidecarInjectorConfigMap: false
      oneNamespace: false
      operatorManageWebhooks: false
      pilotCertProvider: istiod
      priorityClassName: ""
      proxy:
        autoInject: enabled
        clusterDomain: cluster.local
        componentLogLevel: misc:error
        enableCoreDump: false
        excludeIPRanges: ""
        excludeInboundPorts: ""
        excludeOutboundPorts: ""
        image: proxyv2
        includeIPRanges: '*'
        logLevel: warning
        privileged: false
        readinessFailureThreshold: 30
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi
        statusPort: 15020
        tracer: zipkin
      proxy_init:
        image: proxyv2
      sds:
        token:
          aud: istio-ca
      sts:
        servicePort: 0
      tracer:
        datadog: {}
        lightstep: {}
        stackdriver: {}
        zipkin: {}
      useMCP: false
    istiodRemote:
      injectionURL: ""
    pilot:
      autoscaleEnabled: false
      autoscaleMax: 5
      autoscaleMin: 1
      configMap: true
      cpu:
        targetAverageUtilization: 80
      env: {}
      image: pilot
      keepaliveMaxServerConnectionAge: 30m
      nodeSelector: {}
      podLabels: {}
      replicaCount: 1
      traceSampling: 1
    telemetry:
      enabled: true
      v2:
        enabled: true
        metadataExchange:
          wasmEnabled: false
        prometheus:
          enabled: true
          wasmEnabled: false
        stackdriver:
          configOverride: {}
          enabled: false
          logging: false
          monitoring: false
          topology: false
After installation, the following pods are present
[root@node1 ~]# kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-7b8b76f497-vvwgg 1/1 Running 2 (9m27s ago) 10h
istio-ingressgateway-7f58d78f47-pcwff 1/1 Running 2 (9m25s ago) 10h
istiod-86b84db666-mtxbr 1/1 Running 2 (9m45s ago) 10h
Check whether Istio was installed successfully
[root@node1 istio-1.19.0]# istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
To get started, check out https://istio.io/latest/docs/setup/getting-started/
Label a namespace
Label a namespace so that Istio automatically injects the Envoy sidecar into pods created in it
# Label the istio-learn namespace
kubectl label namespace istio-learn istio-injection=enabled
# View the namespace labels
root@node1:~# kubectl get namespace istio-learn --show-labels
NAME STATUS AGE LABELS
istio-learn Active 5m31s istio-injection=enabled,kubernetes.io/metadata.name=istio-learn
Deploy a small demo
A Pod running nginx
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
  namespace: istio-learn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
Send a request
root@node1:~/istio-learn# kubectl get pods -owide -n istio-learn
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
my-nginx-7c79c4bf97-khdlf 2/2 Running 0 5m7s 10.244.2.8 node4 <none> <none>
# The server header shows that the request was handled by the Istio proxy
root@node1:~/istio-learn# curl -I 10.244.2.8
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 21 Oct 2023 23:48:56 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 15 Aug 2023 17:03:04 GMT
etag: "64dbafc8-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 0
x-envoy-decorator-operation: :0/*
View the listeners
There are so many listeners because Istio pushes every service it has discovered into the sidecar's configuration
root@node1:~/istio-learn# kubectl exec -it my-nginx-7c79c4bf97-khdlf -n istio-learn -- curl localhost:15000/listeners
2d178a61-f16b-4624-9a50-b591cc90b54b::0.0.0.0:15090
625579f0-5ffd-4168-85ad-fb47d010ee8b::0.0.0.0:15021
10.96.0.1_443::10.96.0.1:443
10.96.0.10_53::10.96.0.10:53
10.96.0.10_9153::10.96.0.10:9153
10.103.68.212_443::10.103.68.212:443
10.103.128.175_31400::10.103.128.175:31400
10.111.185.175_8000::10.111.185.175:8000
0.0.0.0_80::0.0.0.0:80
10.103.128.175_15021::10.103.128.175:15021
10.103.128.175_15443::10.103.128.175:15443
10.102.51.243_443::10.102.51.243:443
10.103.128.175_443::10.103.128.175:443
10.106.135.238_15012::10.106.135.238:15012
0.0.0.0_15014::0.0.0.0:15014
0.0.0.0_15010::0.0.0.0:15010
10.106.135.238_443::10.106.135.238:443
virtualOutbound::0.0.0.0:15001
virtualInbound::0.0.0.0:15006
View the listeners in a more readable form
Use the istioctl proxy-config command
root@node1:~# istioctl proxy-config listeners my-nginx-7c79c4bf97-khdlf -n istio-learn
ADDRESSES PORT MATCH DESTINATION
10.96.0.10 53 ALL Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0 80 Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0 80 ALL PassthroughCluster
10.102.51.243 443 ALL Cluster: outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.103.128.175 443 ALL Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
10.103.68.212 443 ALL Cluster: outbound|443||metrics-server.kube-system.svc.cluster.local
10.106.135.238 443 ALL Cluster: outbound|443||istiod.istio-system.svc.cluster.local
10.96.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
10.111.185.175 8000 Trans: raw_buffer; App: http/1.1,h2c Route: metrics-scraper.kuboard.svc.cluster.local:8000
10.111.185.175 8000 ALL Cluster: outbound|8000||metrics-scraper.kuboard.svc.cluster.local
10.96.0.10 9153 Trans: raw_buffer; App: http/1.1,h2c Route: kube-dns.kube-system.svc.cluster.local:9153
10.96.0.10 9153 ALL Cluster: outbound|9153||kube-dns.kube-system.svc.cluster.local
0.0.0.0 15001 ALL PassthroughCluster
0.0.0.0 15001 Addr: *:15001 Non-HTTP/Non-TCP
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15010 Trans: raw_buffer; App: http/1.1,h2c Route: 15010
0.0.0.0 15010 ALL PassthroughCluster
10.106.135.238 15012 ALL Cluster: outbound|15012||istiod.istio-system.svc.cluster.local
0.0.0.0 15014 Trans: raw_buffer; App: http/1.1,h2c Route: 15014
0.0.0.0 15014 ALL PassthroughCluster
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
10.103.128.175 15021 Trans: raw_buffer; App: http/1.1,h2c Route: istio-ingressgateway.istio-system.svc.cluster.local:15021
10.103.128.175 15021 ALL Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
10.103.128.175 15443 ALL Cluster: outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
10.103.128.175 31400 ALL Cluster: outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
Check the configuration push status
You can see that configuration has been pushed to the nginx Pod
root@node1:~/istio-learn# istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
istio-egressgateway-84776fd7f6-hnmvx.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-566dc66cff-djg9c 1.19.3
istio-ingressgateway-779c475c44-z727p.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-566dc66cff-djg9c 1.19.3
my-nginx-7c79c4bf97-khdlf.istio-learn Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-566dc66cff-djg9c 1.19.3
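As an added example (not part of the original post), the following script parses the table that istioctl proxy-status prints and reports every proxy whose xDS state is unhealthy; the sample input reuses the three rows shown above plus one constructed STALE row. It also handles the "NOT SENT" state, whose embedded space breaks naive whitespace splitting.

```python
from typing import Dict, List

# Constructed sample: the three rows from the post plus one made-up STALE row.
SAMPLE_OUTPUT = """\
NAME                                                CLUSTER     CDS     LDS     EDS     RDS       ECDS      ISTIOD                    VERSION
istio-egressgateway-84776fd7f6-hnmvx.istio-system   Kubernetes  SYNCED  SYNCED  SYNCED  NOT SENT  NOT SENT  istiod-566dc66cff-djg9c   1.19.3
istio-ingressgateway-779c475c44-z727p.istio-system  Kubernetes  SYNCED  SYNCED  SYNCED  NOT SENT  NOT SENT  istiod-566dc66cff-djg9c   1.19.3
my-nginx-7c79c4bf97-khdlf.istio-learn               Kubernetes  SYNCED  SYNCED  SYNCED  SYNCED    NOT SENT  istiod-566dc66cff-djg9c   1.19.3
stale-app-0000000000-zzzzz.istio-learn              Kubernetes  SYNCED  STALE   SYNCED  SYNCED    NOT SENT  istiod-566dc66cff-djg9c   1.19.3
"""

XDS_COLUMNS = ("CDS", "LDS", "EDS", "RDS", "ECDS")
# States that do not indicate a problem. "NOT SENT" is normal for RDS on a
# gateway with no HTTP routes and for ECDS when no extension configs exist.
OK_STATES = {"SYNCED", "NOT SENT", "IGNORED"}


def parse_proxy_status(text: str) -> List[Dict[str, str]]:
    """Turn the proxy-status table into a list of row dicts keyed by header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        # "NOT SENT" contains a space, so protect it before splitting on whitespace.
        cells = line.replace("NOT SENT", "NOT_SENT").split()
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append({h: c.replace("NOT_SENT", "NOT SENT") for h, c in zip(header, cells)})
    return rows


def unhealthy_proxies(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map proxy name -> list of 'XDS=STATE' entries whose state is not OK."""
    problems: Dict[str, List[str]] = {}
    for row in rows:
        bad = [f"{col}={row[col]}" for col in XDS_COLUMNS if row[col] not in OK_STATES]
        if bad:
            problems[row["NAME"]] = bad
    return problems


if __name__ == "__main__":
    for name, bad in unhealthy_proxies(parse_proxy_status(SAMPLE_OUTPUT)).items():
        print(f"{name}: {', '.join(bad)}")
```

In practice, feed the script the live output of istioctl proxy-status; a STALE proxy means istiod has configuration the sidecar has not acknowledged, which is the first thing to look at when a workload misbehaves after a policy change.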
Customizing the Istio deployment
Every configuration parameter of the IstioOperator API can be set individually on the istioctl command line with the --set option; for example:
# To enable debug logging for the default profile at install time, run
istioctl install --set profile=default --set values.global.logging.level=debug
# To enable the EgressGateway component for the default profile at install time, run
istioctl install --set profile=default --set components.egressGateways.enabled=true
Install the addons
Look at the addon manifests; the files are in the addons directory under samples
[root@node1 addons]# pwd
/root/istio-1.19.0/samples/addons
[root@node1 addons]# ls
extras grafana.yaml jaeger.yaml kiali.yaml loki.yaml prometheus.yaml README.md
Apply the manifest files
This applies the grafana.yaml, jaeger.yaml, kiali.yaml, loki.yaml and prometheus.yaml manifests
[root@node1 addons]# kubectl apply -f ./
Uninstall Istio
List the revisions installed on the system
root@node1:~# istioctl experimental revision list
REVISION TAG ISTIO-OPERATOR-CR PROFILE REQD-COMPONENTS
default default istio-system/installed-state demo Istio core
Istiod
Ingress gateways:istio-ingressgateway
Egress gateways:istio-egressgateway
Uninstall with istioctl
Uninstall a specific revision; here the revision named default
istioctl uninstall --revision default
Uninstall with kubectl
istioctl manifest generate --set profile=demo | kubectl delete -f -