Day 13: Service Mesh - the "traffic control system" for microservices, making communication smarter and safer! 🚦
一、First, in plain language: what is a Service Mesh?
Zero-to-Full-Stack Java Microservices in Practice - backend, frontend, operations, three enterprise-grade hands-on projects
Resources: follow the WeChat account 小坏说Java to get all sample code, configuration templates and export tools for this article.
Scenario: the microservice network keeps getting more complex
You have 20 microservices, and they call each other:
- A calls B, C, D
- B calls E, F
- C calls G, H, I
- ...
The problems:
- Service discovery: B goes down, how does A find out?
- Load balancing: B has 3 instances, which one does A pick?
- Circuit breaking and degradation: B is slow, does A wait forever?
- Traffic control: traffic explodes on Singles' Day, how do you rate-limit?
- Authentication: how do services authenticate each other?
- Monitoring and tracing: the call chain is long, how do you trace a request?
Traditional approach: every service handles all of this itself (coupled into the business code).
Service Mesh approach: pull it out into a dedicated layer (decoupled).
A Service Mesh is like a city's traffic control system:
- Data plane: the roads and the cars on them (an Envoy proxy next to every service, which all traffic passes through)
- Control plane: the traffic command center (istiod, Istio's control plane, which pushes routing configuration and workload certificates to the proxies)
- Rule configuration: the traffic rules (speed limits, one-way streets, traffic lights; in Istio these are VirtualService, DestinationRule, PeerAuthentication, AuthorizationPolicy and friends)
Benefits:
- Business code only cares about business logic
- Network concerns (retries, timeouts, mTLS, authorization) are handled uniformly in the proxy
- Rules take effect dynamically, no restart needed
- Built-in visual monitoring
二、Istio vs Linkerd vs the rest
Istio (currently the most popular)
Pros:
- Most complete feature set (originally backed by Google, IBM and Lyft)
- Active community
- Tight Kubernetes integration
- Rich extension ecosystem (EnvoyFilter, WebAssembly plugins)
Cons:
- Heavy (many components)
- Steep learning curve
- High resource consumption
Linkerd (lightweight)
Pros:
- Lightweight (its data-plane proxy is written in Rust and performs well; the control plane is Go)
- Simple to use
- Low resource consumption
- Fast startup
Cons:
- Fewer features
- Smaller community
Other options
- Consul Connect: ships with Consul, simple
- Kuma: multi-cloud, multi-cluster
- AWS App Mesh: for the AWS ecosystem
We'll go with Istio: the most features, the best ecosystem, the most documentation
三、Installing Istio (10 minutes)
Option 1: quick install (development environment)
# 1. Download Istio. Pin the version so it matches the directory name below.
#    Piping a remote script into sh is a supply-chain risk; for anything beyond a dev box,
#    download the release tarball from GitHub and verify its checksum instead.
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.18.0 sh -
cd istio-1.18.0
export PATH=$PWD/bin:$PATH
# 2. Install (the demo profile includes every component; it is meant for labs, not production)
istioctl install --set profile=demo -y
# 3. Verify the installation
kubectl get pods -n istio-system
# You should see istiod, istio-ingressgateway, istio-egressgateway, etc.
# 4. Label the namespace (enables automatic sidecar injection; the namespace must already exist)
kubectl label namespace microservices istio-injection=enabled
# 5. Install the addons (Kiali for visualization, plus Grafana, Jaeger and Prometheus)
kubectl apply -f samples/addons/kiali.yaml
kubectl apply -f samples/addons/grafana.yaml
kubectl apply -f samples/addons/jaeger.yaml
kubectl apply -f samples/addons/prometheus.yaml
# 6. Open the dashboard (the sample addons ship without authentication; never expose them as-is)
istioctl dashboard kiali
# Opens http://localhost:20001 in the browser
Option 2: production install
# 1. Generate the manifest for the default profile (handy for reviewing what will be installed, or for GitOps)
istioctl manifest generate --set profile=default > istio-default.yaml
# 2. Custom configuration
cat > istio-custom.yaml << EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  components:
    egressGateways:
      - name: istio-egressgateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
          service:
            ports:
              - port: 80
                targetPort: 8080
                name: http2
              - port: 443
                targetPort: 8443
                name: https
  meshConfig:
    enableTracing: true
    defaultConfig:
      tracing:
        sampling: 100          # percent; lower this in production
        zipkin:
          address: zipkin.istio-system:9411
    # Only allow egress to destinations the mesh knows about (Kubernetes Services and ServiceEntries).
    # This blocks exfiltration to arbitrary hosts; every external dependency must be declared explicitly.
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
    global:
      proxy:
        autoInject: enabled
    # Note: the old values.global.mtls.enabled and values.global.controlPlaneSecurityEnabled keys
    # no longer exist in current Istio. Control-plane traffic is always mTLS, and workload mTLS
    # is configured with PeerAuthentication (section 九).
EOF
# 3. Install
istioctl install -f istio-custom.yaml
# 4. Verify
istioctl verify-install
Option 3: Helm install
# Add the Istio chart repository
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
# Create the namespace
kubectl create namespace istio-system
# Install the Istio base chart (CRDs and cluster roles)
helm install istio-base istio/base -n istio-system
# Install istiod (the control plane)
helm install istiod istio/istiod -n istio-system --wait
# Install the ingress gateway in its own namespace
kubectl create namespace istio-ingress
helm install istio-ingressgateway istio/gateway -n istio-ingress
四、Istio core concepts (must know)
1. Sidecar 🛵
- A small proxy (Envoy) in every Pod
- Intercepts all inbound and outbound traffic
- No changes to application code
2. VirtualService 📍
- Routing rules: where a request goes
- Traffic splitting: A/B testing, canary releases
- Timeouts and retries: what to do on failure
3. DestinationRule 🎯
- Load-balancing policy: round robin, random, least connections
- Connection pool settings: max connections, timeouts
- Outlier detection (circuit breaking): consecutive errors, ejection time
4. Gateway 🚪
- Ingress gateway: where external traffic enters the mesh
- TLS termination: HTTPS certificates
- Binds hosts and ports; the actual routing is done by a VirtualService attached to the Gateway
5. ServiceEntry 🔧
- External service access: reach services outside the cluster
- Extend the mesh: bring non-mesh services into the service registry
6. PeerAuthentication 🔐
- Service-to-service authentication: mutual TLS
- Modes: STRICT or PERMISSIVE
7. AuthorizationPolicy 🛡️
- Access control: who may call whom
- Fine-grained: method, path, headers, source identity
五、Injecting the sidecar into microservices
1. Automatic injection (recommended)
# Label the namespace
kubectl label namespace microservices istio-injection=enabled
# Check the label
kubectl get namespace -L istio-injection
# Restart the Pods (injection only happens when a Pod is created, so existing Pods must be recreated)
kubectl rollout restart deployment -n microservices
2. Per-Pod control
# Injection is still performed by the webhook; the annotation opts one workload in or out,
# and the proxy* annotations size that workload's sidecar. Truly manual injection is
# `istioctl kube-inject` (section 十三).
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-service
  namespace: microservices
spec:
  selector:
    matchLabels:
      app: user-service
  template:
    metadata:
      labels:
        app: user-service
      annotations:
        sidecar.istio.io/inject: "true"            # opt this Pod in ("false" excludes it)
        sidecar.istio.io/proxyCPULimit: "200m"
        sidecar.istio.io/proxyMemoryLimit: "128Mi"
    spec:
      containers:
        - name: user-service
          image: registry.mycompany.com/microservices/user-service:v1.0.0
3. Verifying injection
# List the Pods; each should show two containers
kubectl get pods -n microservices -l app=user-service
# Output:
NAME                           READY   STATUS    RESTARTS   AGE
user-service-7c6f8d9b8-abc12   2/2     Running   0          1m
# ^ 2/2 means two containers: the user service + the sidecar proxy
# Dump the sidecar's Envoy configuration
kubectl exec -it user-service-7c6f8d9b8-abc12 -n microservices -c istio-proxy -- pilot-agent request GET config_dump
# Dump traffic statistics
kubectl exec -it user-service-7c6f8d9b8-abc12 -n microservices -c istio-proxy -- pilot-agent request GET stats
六、Traffic management in practice
1. Create a Gateway (ingress)
# istio/gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: microservices-gateway
  namespace: microservices
spec:
  selector:
    istio: ingressgateway          # bind to the ingress gateway deployment
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*.mycompany.com"
        - "api.mycompany.com"
        - "admin.mycompany.com"
      tls:
        httpsRedirect: true        # answer plain HTTP with a 301 to HTTPS instead of serving the API in clear text
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: mycompany-tls   # kubernetes.io/tls Secret; it must live in the gateway's namespace (istio-system), not in microservices
        minProtocolVersion: TLSV1_2
      hosts:
        - "*.mycompany.com"
        - "api.mycompany.com"
        - "admin.mycompany.com"
2. Create a VirtualService (routing rules)
# istio/virtualservice-user.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: user-service
  namespace: microservices
spec:
  hosts:
    - "user-service.microservices.svc.cluster.local"   # in-mesh service name
    - "api.mycompany.com"                               # external domain
  gateways:
    - microservices-gateway        # traffic arriving through the Gateway
    - mesh                         # service-to-service calls inside the mesh
  http:
    - match:
        - uri:
            prefix: /api/user
        - uri:
            prefix: /user-service
      route:
        - destination:
            host: user-service.microservices.svc.cluster.local
            port:
              number: 8080
          weight: 100
      # Overall timeout (caps the total of all retry attempts)
      timeout: 3s
      # Retry policy. Keep it to connection-level and gateway errors; adding `5xx` or
      # `retriable-4xx` would replay non-idempotent POSTs the backend may already have processed.
      retries:
        attempts: 3
        perTryTimeout: 2s
        retryOn: gateway-error,connect-failure,refused-stream
      # Fault injection (testing only)
      # fault:
      #   delay:
      #     percentage:
      #       value: 10.0
      #     fixedDelay: 5s
      #   abort:
      #     percentage:
      #       value: 10.0
      #     httpStatus: 500
      # CORS. Note: `exact: "*"` would only match an Origin header that is literally "*",
      # which browsers never send, so it silently matches nothing. List the real front-end
      # origins; a wildcard on an authenticated API is not something you want anyway.
      corsPolicy:
        allowOrigins:
          - exact: "https://app.mycompany.com"     # assumed front-end origin; replace with yours
        allowMethods:
          - GET
          - POST
          - PUT
          - DELETE
          - OPTIONS
        allowHeaders:
          - Authorization
          - Content-Type
        maxAge: 24h
3. Create a DestinationRule (load-balancing policy)
# istio/destinationrule-user.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: user-service
  namespace: microservices
spec:
  host: user-service.microservices.svc.cluster.local
  trafficPolicy:
    # Load-balancing policy
    loadBalancer:
      simple: LEAST_CONN           # least connections (Envoy's least-request algorithm)
    # Connection pool settings
    connectionPool:
      tcp:
        maxConnections: 100
        connectTimeout: 30ms       # very aggressive; raise it if the backend lives in another zone
      http:
        http1MaxPendingRequests: 1024
        http2MaxRequests: 1024
        maxRequestsPerConnection: 1024
        maxRetries: 3
    # Outlier detection (circuit breaking)
    outlierDetection:
      consecutive5xxErrors: 7
      interval: 5s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  # Subsets (version-based splitting)
  subsets:
    - name: v1
      labels:
        version: v1.0.0
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
    - name: v2
      labels:
        version: v1.1.0
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
  # TLS settings: with PeerAuthentication STRICT (section 九) Istio's auto-mTLS already
  # upgrades these connections, so this is only needed when auto-mTLS is disabled
  # trafficPolicy:
  #   tls:
  #     mode: ISTIO_MUTUAL         # mutual TLS
七、Canary release in practice
Scenario: upgrading user-service from v1 to v2
# 1. Deploy v1
# istio/deployment-user-v1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-service-v1
  namespace: microservices
spec:
  replicas: 3
  selector:
    matchLabels:
      app: user-service
      version: v1.0.0
  template:
    metadata:
      labels:
        app: user-service
        version: v1.0.0
    spec:
      containers:
        - name: user-service
          image: registry.mycompany.com/microservices/user-service:v1.0.0
---
# 2. Deploy v2 (small footprint)
# istio/deployment-user-v2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-service-v2
  namespace: microservices
spec:
  replicas: 1                      # a single instance to start with
  selector:
    matchLabels:
      app: user-service
      version: v1.1.0
  template:
    metadata:
      labels:
        app: user-service
        version: v1.1.0
    spec:
      containers:
        - name: user-service
          image: registry.mycompany.com/microservices/user-service:v1.1.0
---
# 3. A Service that selects both versions
# istio/service-user.yaml
apiVersion: v1
kind: Service
metadata:
  name: user-service
  namespace: microservices
spec:
  selector:
    app: user-service              # selects every version; the DestinationRule subsets pick the version
  ports:
    - name: http                   # a named port (or appProtocol) so Istio treats this as HTTP rather than opaque TCP
      port: 8080
      targetPort: 8080
# 4. Traffic split (90% v1, 10% v2)
# istio/virtualservice-canary.yaml
# Istio evaluates `http` rules top to bottom and takes the first match, and a rule without
# `match` matches everything, so the header-based rule must come BEFORE the weighted rule
# or it is never reached. Also, only one VirtualService may claim a host on the `mesh`
# gateway: merge the earlier `user-service` VirtualService (section 六) into this one or
# delete it, otherwise Istio picks one and silently ignores the other.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: user-service-canary
  namespace: microservices
spec:
  hosts:
    - user-service.microservices.svc.cluster.local
  http:
    # Rule 0: header-based routing for internal testing. Treat the header as a privileged
    # knob: strip it at the ingress gateway (headers.request.remove in the gateway-bound
    # VirtualService) so external clients cannot steer themselves onto the unproven version.
    - match:
        - headers:
            x-canary:
              exact: "true"
      route:
        - destination:
            host: user-service.microservices.svc.cluster.local
            subset: v2
          weight: 100              # all internal test traffic goes to v2
    # Rule 1: weighted split for everyone else
    - route:
        - destination:
            host: user-service.microservices.svc.cluster.local
            subset: v1
          weight: 90               # 90% of traffic to v1
        - destination:
            host: user-service.microservices.svc.cluster.local
            subset: v2
          weight: 10               # 10% of traffic to v2
Ramping up gradually
# The weighted rule is http[1] (the header rule is http[0]), so the JSON Pointer paths use index 1
# Stage 1: 1% of traffic to v2
kubectl patch virtualservice user-service-canary -n microservices --type='json' -p='[
  {"op": "replace", "path": "/spec/http/1/route/0/weight", "value": 99},
  {"op": "replace", "path": "/spec/http/1/route/1/weight", "value": 1}
]'
# Watch the dashboards (wait 5 minutes)
# Check error rate, response time, CPU usage
# Stage 2: 5% of traffic to v2
kubectl patch virtualservice user-service-canary -n microservices --type='json' -p='[
  {"op": "replace", "path": "/spec/http/1/route/0/weight", "value": 95},
  {"op": "replace", "path": "/spec/http/1/route/1/weight", "value": 5}
]'
# Stage 3: 50% of traffic to v2
# Stage 4: 100% of traffic to v2 (full rollout)
# Finally: remove v1
kubectl delete deployment user-service-v1 -n microservices
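The "watch the dashboards, then patch the weights" loop above is exactly what you want to automate, because a human watching Kiali for five minutes is the weakest link in a canary. The following is an added example, not code from the article or from Istio: a small promotion gate that takes the request and 5xx counts per subset (the numbers `istio_requests_total` already gives you, summed by `destination_version`; the sample values here are constructed), decides whether to promote, hold or roll back, and emits the same JSON Patch the `kubectl patch` commands use. The thresholds and the stage ladder are assumptions to tune per service.

```python
"""Canary promotion gate for the user-service rollout above.

Added example, not part of the original article or of Istio. Inputs are plain
integers you would pull from Prometheus (requests and 5xx per subset); the
sample numbers at the bottom are constructed. STAGES and the thresholds in
decide() are assumptions.
"""
from __future__ import annotations
import json
from dataclasses import dataclass

STAGES = [1, 5, 10, 50, 100]   # percent of traffic sent to v2 at each stage (assumed ladder)


@dataclass(frozen=True)
class SubsetStats:
    requests: int
    errors_5xx: int

    @property
    def error_rate(self) -> float:
        return self.errors_5xx / self.requests if self.requests else 0.0


def weight_patch_ops(v2_percent: int, weighted_rule_index: int = 1) -> list[dict]:
    """JSON Patch operations setting the v1/v2 weights on the VirtualService.

    weighted_rule_index is the position of the weighted rule under spec.http;
    it is 1 when the header-match rule comes first, as it must.
    """
    if not 0 <= v2_percent <= 100:
        raise ValueError("percent must be within 0..100")
    base = f"/spec/http/{weighted_rule_index}/route"
    return [
        {"op": "replace", "path": f"{base}/0/weight", "value": 100 - v2_percent},
        {"op": "replace", "path": f"{base}/1/weight", "value": v2_percent},
    ]


def weight_patch(v2_percent: int, weighted_rule_index: int = 1) -> str:
    """The same patch serialized for `kubectl patch --type=json -p`."""
    return json.dumps(weight_patch_ops(v2_percent, weighted_rule_index))


def decide(v1: SubsetStats, v2: SubsetStats, min_requests: int = 200,
           max_abs_error_rate: float = 0.02, max_ratio: float = 2.0) -> str:
    """Return 'promote', 'hold' or 'rollback' for the current stage.

    Two independent checks: an absolute error budget for v2, and a relative one
    against v1 so a canary that is "only" twice as bad as baseline still fails.
    """
    if v2.requests < min_requests:
        return "hold"                       # not enough canary traffic to judge yet
    if v2.error_rate > max_abs_error_rate:
        return "rollback"
    baseline = max(v1.error_rate, 1e-6)     # avoid division by zero when v1 is perfect
    if v2.error_rate / baseline > max_ratio:
        return "rollback"
    return "promote"


def next_stage(current_v2_percent: int, decision: str) -> int:
    """Next v2 percentage: back to 0 on rollback, unchanged on hold, next rung on promote."""
    if decision == "rollback":
        return 0
    if decision == "hold":
        return current_v2_percent
    later = [s for s in STAGES if s > current_v2_percent]
    return later[0] if later else 100


if __name__ == "__main__":
    v1 = SubsetStats(requests=9000, errors_5xx=18)   # constructed: 0.2% errors on v1
    v2 = SubsetStats(requests=1000, errors_5xx=40)   # constructed: 4% errors on v2
    verdict = decide(v1, v2)
    target = next_stage(10, verdict)
    print(verdict, target)
    print("kubectl patch virtualservice user-service-canary -n microservices "
          f"--type=json -p='{weight_patch(target)}'")
```

Run it on a schedule from the CI system that owns the rollout; on "rollback" the patch it prints sends 100% back to v1 before anyone has to look at a dashboard, which is the only reason to accept the operational complexity of a mesh-driven canary in the first place.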
八、Circuit breaking and rate limiting in practice
1. Circuit breaker configuration
# istio/destinationrule-circuitbreaker.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: order-service-circuitbreaker
  namespace: microservices
spec:
  host: order-service.microservices.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100             # max connections
        connectTimeout: 30ms
      http:
        http1MaxPendingRequests: 1024   # max queued requests
        http2MaxRequests: 1024
        maxRequestsPerConnection: 1024
        maxRetries: 3
    outlierDetection:
      consecutive5xxErrors: 7           # eject a host after 7 consecutive 5xx responses
      interval: 5s                      # analysis interval
      baseEjectionTime: 30s             # base ejection time (grows with repeated ejections)
      maxEjectionPercent: 50            # never eject more than 50% of the instances
2. Rate limiting (local, per sidecar instance)
# istio/ratelimit.yaml
# EnvoyFilter only exists in networking.istio.io/v1alpha3; there is no v1beta1 version of it
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ratelimit
  namespace: microservices
spec:
  workloadSelector:
    labels:
      app: order-service
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          portNumber: 8080
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
              # Token bucket. This is NOT a smooth "100 requests per minute": a full bucket
              # lets 100 requests through instantly, then every request gets HTTP 429 until
              # the next refill 60s later. The bucket is also per Envoy instance, so 3
              # replicas of order-service allow 3 such bursts.
              token_bucket:
                max_tokens: 100           # bucket capacity (burst size)
                tokens_per_fill: 100      # tokens added on each fill
                fill_interval: 60s        # time between fills
              filter_enabled:
                runtime_key: local_rate_limit_enabled
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              filter_enforced:
                runtime_key: local_rate_limit_enforced
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              response_headers_to_add:
                - append: false
                  header:
                    key: x-rate-limited
                    value: "true"
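Because the three token-bucket numbers above are easy to misread as "100 requests per minute, evenly", it is worth replaying a traffic pattern through the same semantics before relying on them as a DoS control. The following is an added example, not Envoy's or Istio's code: a model of a discrete-refill token bucket (full at start, `tokens_per_fill` added every `fill_interval`, capped at `max_tokens`) fed with a constructed burst-then-steady arrival pattern.

```python
"""Model of the local_ratelimit token bucket configured above.

Added example, not Envoy's or Istio's code. It follows the documented bucket
semantics (starts full, refills tokens_per_fill every fill_interval, never
exceeds max_tokens); the arrival pattern in burst_then_steady() is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    max_tokens: int
    tokens_per_fill: int
    fill_interval: float                    # seconds
    tokens: int = field(init=False, default=0)
    last_fill: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.max_tokens       # Envoy starts with a full bucket

    def _refill(self, now: float) -> None:
        """Apply every whole fill_interval that has elapsed since the last refill."""
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.tokens_per_fill)
            self.last_fill += fills * self.fill_interval

    def allow(self, now: float) -> bool:
        """True if a request arriving at `now` passes, False if it gets HTTP 429."""
        self._refill(now)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(bucket: TokenBucket, arrivals: list[float]) -> dict[str, int]:
    """Replay request arrival times (seconds, ascending) and count passes vs. 429s."""
    outcome = {"allowed": 0, "limited": 0}
    for t in arrivals:
        outcome["allowed" if bucket.allow(t) else "limited"] += 1
    return outcome


def burst_then_steady() -> dict[str, int]:
    """Constructed pattern against the 100/100/60s bucket from the EnvoyFilter:
    150 requests in the first second, then one per second for the rest of the
    minute, then 10 more right after the refill at t=60."""
    arrivals = [i * 0.005 for i in range(150)]           # burst: 150 requests in 0.75s
    arrivals += [float(t) for t in range(1, 60)]         # 59 requests, one per second
    arrivals += [60.0 + i * 0.01 for i in range(10)]     # 10 requests just after the refill
    bucket = TokenBucket(max_tokens=100, tokens_per_fill=100, fill_interval=60)
    return simulate(bucket, arrivals)


if __name__ == "__main__":
    print(burst_then_steady())   # the burst eats the whole minute's budget; the steady 1 req/s all gets 429
```

The result shows the trade-off: the policy does cap the minute at roughly 100 accepted requests, but a single burst consumes the budget and well-behaved clients are then rejected for the rest of the interval. If that is not what you want, use a smaller bucket with a shorter `fill_interval` (for example 10 tokens every 6 seconds), which smooths the admission without changing the sustained rate.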
3. Global rate limiting (Redis-backed)
# 1. Deploy Redis and the rate limit service
# istio/redis.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
        - name: redis
          image: redis:alpine
          ports:
            - containerPort: 6379
---
apiVersion: v1
kind: Service
metadata:
  name: redis                  # the REDIS_URL below resolves to this Service
  namespace: istio-system
spec:
  selector:
    app: redis
  ports:
    - port: 6379
---
# istio/ratelimit-service.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratelimit
  namespace: istio-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ratelimit
  template:
    metadata:
      labels:
        app: ratelimit
    spec:
      containers:
        - name: ratelimit
          image: envoyproxy/ratelimit:latest   # pin a specific tag (and digest) in production; `latest` is not reproducible
          ports:
            - containerPort: 8080              # HTTP (health check, debug endpoints)
            - containerPort: 8081              # gRPC, what Envoy talks to
          env:
            - name: REDIS_SOCKET_TYPE
              value: tcp
            - name: REDIS_URL
              value: redis:6379
            - name: LOG_LEVEL
              value: info                      # `debug` logs every descriptor, i.e. every user id that hits a limit
            - name: USE_STATSD
              value: "false"
            # The service loads its rules from $RUNTIME_ROOT/$RUNTIME_SUBDIRECTORY/config/*.yaml
            - name: RUNTIME_ROOT
              value: /data
            - name: RUNTIME_SUBDIRECTORY
              value: ratelimit
            - name: RUNTIME_IGNOREDOTFILES
              value: "true"
          volumeMounts:
            - name: config
              mountPath: /data/ratelimit/config
      volumes:
        - name: config
          configMap:
            name: ratelimit-config
---
apiVersion: v1
kind: Service
metadata:
  name: ratelimit
  namespace: istio-system
spec:
  selector:
    app: ratelimit
  ports:
    - name: http
      port: 8080
    - name: grpc
      port: 8081
---
# 2. Configure the rate limit rules
# istio/ratelimit-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
  namespace: istio-system
data:
  config.yaml: |
    domain: microservices
    descriptors:
      # whole-service ceiling
      - key: generic_key
        value: user-service
        rate_limit:
          unit: second
          requests_per_unit: 10
      # one expensive endpoint
      - key: path
        value: "/api/user/create"
        rate_limit:
          unit: minute
          requests_per_unit: 100
      # per user (no `value`: every distinct user-id gets its own counter)
      - key: user_id
        rate_limit:
          unit: hour
          requests_per_unit: 1000
---
# 3. Apply it to the user-service sidecar
# istio/ratelimit-envoyfilter.yaml
# Three patches are needed: the HTTP filter, the cluster it calls, and the descriptor
# actions on the route. Without the actions Envoy sends no descriptors and nothing is limited.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-ratelimit
  namespace: microservices
spec:
  workloadSelector:
    labels:
      app: user-service
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
              subFilter:
                name: envoy.filters.http.router
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            domain: microservices            # must equal `domain` in ratelimit-config
            timeout: 0.25s
            failure_mode_deny: false         # fail open when the rate limit service is unreachable (fail closed turns a Redis outage into a full outage)
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_cluster
                timeout: 0.25s
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.istio-system.svc.cluster.local
      patch:
        operation: ADD
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: ratelimit.istio-system.svc.cluster.local
                          port_value: 8081
    - applyTo: VIRTUAL_HOST
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|8080"
      patch:
        operation: MERGE
        value:
          rate_limits:
            - actions:
                - generic_key:
                    descriptor_value: user-service
            - actions:
                - request_headers:
                    header_name: ":path"
                    descriptor_key: path
            - actions:
                - request_headers:
                    header_name: "user-id"       # the same header the AuthorizationPolicy in section 九 requires; a client-supplied header, so it only limits cooperative clients
                    descriptor_key: user_id
九、Security and authentication in practice
1. Mutual TLS (mTLS)
# istio/peerauthentication.yaml
# Start with a mesh-wide STRICT default (a PeerAuthentication named `default` in istio-system)
# and relax per namespace or workload only where you must: narrower policies override wider ones.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: microservices
spec:
  mtls:
    mode: STRICT            # strict: only mTLS connections are accepted
---
# Or permissive mode (a migration aid: plaintext and mTLS are both accepted). A second
# PeerAuthentication named `default` in the same namespace replaces the one above, so pick one.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: microservices
spec:
  mtls:
    mode: PERMISSIVE        # permissive: plaintext and mTLS both accepted
---
# STRICT for one specific workload (overrides the namespace-wide policy for that workload only)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: user-service-strict
  namespace: microservices
spec:
  selector:
    matchLabels:
      app: user-service
  mtls:
    mode: STRICT
2. Authorization policies (who may call whom)
# How Istio evaluates them for a workload: CUSTOM policies first, then DENY, then ALLOW.
# If any DENY rule matches, the request is rejected. If no ALLOW policy targets the workload
# at all, the request is allowed; as soon as one ALLOW policy targets it, anything not
# explicitly allowed is rejected (implicit deny). Multiple ALLOW policies are ORed, so one
# over-broad ALLOW defeats all the careful ones.
# istio/authorizationpolicy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: user-service-auth
  namespace: microservices
spec:
  selector:
    matchLabels:
      app: user-service
  # This must be ALLOW, not DENY: with `action: DENY` these rules would block exactly the
  # callers we want to admit and let everyone else through. Implicit deny covers the rest.
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/microservices/sa/order-service"]
        - source:
            principals: ["cluster.local/ns/microservices/sa/api-gateway"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/user/*"]
      when:
        - key: request.headers[user-id]
          values: ["*"]             # header must be present and non-empty
    - from:
        - source:
            # service account of the ingress gateway installed by istioctl; with the Helm
            # gateway chart it is cluster.local/ns/istio-ingress/sa/istio-ingressgateway
            principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/actuator/health", "/actuator/info"]
---
# Allow a specific admin network
# Caution: `ipBlocks` matches the IP of the immediate peer. A range such as 10.0.0.0/8 almost
# always contains the Pod and node CIDRs, so "any method, any path" from it would let every
# Pod in the cluster call user-service and silently bypass the principal checks above
# (ALLOW policies are ORed). Narrow it to the real admin range and to the admin paths.
# Behind a load balancer or gateway use `remoteIpBlocks` instead, which reads X-Forwarded-For
# (and requires meshConfig.defaultConfig.gatewayTopology.numTrustedProxies on the gateway).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-admin-ip
  namespace: microservices
spec:
  selector:
    matchLabels:
      app: user-service
  action: ALLOW
  rules:
    - from:
        - source:
            ipBlocks: ["192.168.1.0/24"]   # assumed admin VPN range; replace with yours
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/admin/*"]            # assumed admin paths; not "*"
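The evaluation order described above is where most AuthorizationPolicy incidents come from: an inverted action, a forgotten implicit deny, or one broad ALLOW that quietly ORs away the others. The following is an added example, not Istio's code and not from the article: an offline model of that evaluation for the subset of fields used in this section (`principals`, `ipBlocks`, `methods`, `paths`, `request.headers[...]` conditions), with the policies and requests constructed to mirror the `user-service` policies above. It lets you check a policy set against a table of requests before it goes anywhere near a cluster; `CUSTOM` actions and `remoteIpBlocks` are out of scope, and header names are expected in lower case as Envoy normalizes them.

```python
"""Offline model of Istio AuthorizationPolicy evaluation for one workload.

Added example, not Istio's code. Implements the documented order: DENY
policies first, then ALLOW, with implicit deny once any ALLOW policy targets
the workload. Supports principals, ipBlocks, methods, paths and
request.headers[...] / source.principal conditions; string matching follows
Istio's exact / "*" / "prefix*" / "*suffix" rules. Policies and requests are
constructed to mirror this section (CUSTOM action and remoteIpBlocks omitted).
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    principal: str | None     # "cluster.local/ns/<ns>/sa/<sa>" from the peer mTLS cert; None if plaintext
    source_ip: str
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)   # lower-case header names


def match_value(pattern: str, value: str | None) -> bool:
    """Istio string matching. Empty/missing values never match, not even "*"."""
    if not value:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def any_match(patterns: list[str], value: str | None) -> bool:
    return any(match_value(p, value) for p in patterns)


def _source_matches(src: dict, req: Request) -> bool:
    if "principals" in src and not any_match(src["principals"], req.principal):
        return False
    if "ipBlocks" in src and not any(
        ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(b) for b in src["ipBlocks"]
    ):
        return False
    return True


def _operation_matches(op: dict, req: Request) -> bool:
    if "methods" in op and not any_match(op["methods"], req.method):
        return False
    if "paths" in op and not any_match(op["paths"], req.path):
        return False
    return True


def rule_matches(rule: dict, req: Request) -> bool:
    """A rule matches when every section present (from / to / when) matches;
    within a section the entries are ORed, across sections ANDed."""
    if rule.get("from") and not any(_source_matches(f["source"], req) for f in rule["from"]):
        return False
    if rule.get("to") and not any(_operation_matches(t["operation"], req) for t in rule["to"]):
        return False
    for cond in rule.get("when", []):
        key = cond["key"]
        if key.startswith("request.headers[") and key.endswith("]"):
            value = req.headers.get(key[len("request.headers["):-1].lower())
        elif key == "source.principal":
            value = req.principal
        else:
            raise ValueError(f"unsupported condition key {key}")
        if not any_match(cond["values"], value):
            return False
    return True


def evaluate(policies: list[dict], req: Request) -> str:
    """Return 'allow' or 'deny' following Istio's DENY-then-ALLOW order."""
    for p in policies:
        if p["action"] == "DENY" and any(rule_matches(r, req) for r in p["rules"]):
            return "deny"
    allows = [p for p in policies if p["action"] == "ALLOW"]
    if not allows:
        return "allow"                  # no ALLOW policy targets the workload
    if any(rule_matches(r, req) for p in allows for r in p["rules"]):
        return "allow"
    return "deny"                       # implicit deny


# Constructed policies mirroring this section: the corrected ALLOW policy, and the
# over-broad admin rule from the original draft to show what it bypasses.
USER_SERVICE_AUTH = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"principals": ["cluster.local/ns/microservices/sa/order-service"]}},
              {"source": {"principals": ["cluster.local/ns/microservices/sa/api-gateway"]}}],
     "to": [{"operation": {"methods": ["GET", "POST"], "paths": ["/api/user/*"]}}],
     "when": [{"key": "request.headers[user-id]", "values": ["*"]}]},
    {"from": [{"source": {"principals": ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]}}],
     "to": [{"operation": {"methods": ["GET"], "paths": ["/actuator/health", "/actuator/info"]}}]},
]}
BROAD_ADMIN = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"ipBlocks": ["10.0.0.0/8"]}}],
     "to": [{"operation": {"methods": ["*"], "paths": ["*"]}}]},
]}
```

Two of the cases worth keeping in a test table: the same rules under `action: DENY` reject `order-service`, the legitimate caller; and adding `BROAD_ADMIN` lets an unrelated service account from a 10.x Pod IP reach `/internal/debug` even though `USER_SERVICE_AUTH` never mentions it.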
3. JWT authentication
# istio/requestauthentication.yaml
# RequestAuthentication only validates tokens that are present: a request carrying NO token is
# still let through. The AuthorizationPolicy below is what actually requires one.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: microservices
spec:
  selector:
    matchLabels:
      app: user-service
  jwtRules:
    - issuer: "https://auth.mycompany.com"
      jwksUri: "https://auth.mycompany.com/.well-known/jwks.json"   # fetched by istiod, which needs egress to it
      # Or inline the JWKS
      # jwks: |
      #   { "keys": [ { "kid": "key1", "kty": "RSA", "e": "AQAB", "n": "..." } ] }
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
      # Accepting the token as a query parameter (`fromParams: ["token"]`) puts it into
      # access logs, browser history and Referer headers; leave it out unless a legacy
      # client forces you to, and then log-redact the parameter.
---
# Paths that require a JWT
# Remember this is another ALLOW policy on user-service and is ORed with user-service-auth:
# a valid token from the issuer is sufficient on /api/user/* regardless of the caller's mTLS identity.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: microservices
spec:
  selector:
    matchLabels:
      app: user-service
  action: ALLOW
  rules:
    - from:
        - source:
            # request principals are "<iss>/<sub>"; pinning the issuer prefix is safer than "*",
            # which accepts a valid token from any issuer configured in any RequestAuthentication
            requestPrincipals: ["https://auth.mycompany.com/*"]
      to:
        - operation:
            methods: ["GET", "POST", "PUT", "DELETE"]
            paths: ["/api/user/*"]
    - to:
        - operation:
            methods: ["GET"]
            paths: ["/actuator/health", "/actuator/info"]   # health checks need no JWT
十、Observability in practice
1. Distributed tracing
# istio/telemetry-tracing.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-tracing
  namespace: microservices
spec:
  tracing:
    - providers:
        - name: zipkin        # the provider must be declared under meshConfig.extensionProviders (or via the legacy defaultConfig.tracing.zipkin path used in section 三)
      randomSamplingPercentage: 100.0   # 100% sampling (lower this in production)
      customTags:
        user-agent:
          header:
            name: user-agent
            defaultValue: unknown
        request-id:
          header:
            name: x-request-id
            defaultValue: unknown
        # Never copy Authorization, Cookie or user identifiers into span tags: tracing
        # backends are usually far less protected than the services they describe.
---
# Deploying Jaeger with the operator (instead of the sample addon from section 三)
kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/main/deploy/crds/jaegertracing.io_jaegers_crd.yaml
kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/main/deploy/service_account.yaml
kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/main/deploy/role.yaml
kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/main/deploy/role_binding.yaml
kubectl apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/main/deploy/operator.yaml
# Jaeger instance
apiVersion: jaegertracing.io/v1
kind: Jaeger
metadata:
  name: simplest
spec:
  strategy: allInOne          # single Pod with in-memory storage: fine for a lab, not for production
  allInOne:
    image: jaegertracing/all-in-one:latest
    options:
      log-level: debug
  storage:
    type: memory
    options:
      memory:
        max-traces: 100000
  ingress:
    enabled: true             # the Jaeger UI has no authentication of its own; put it behind SSO (e.g. oauth2-proxy) before exposing it
2. Metrics collection
# istio/telemetry-metrics.yaml
# response_code and destination_service are already default labels of istio_requests_total,
# so "upserting" them achieves nothing. Two overrides that do something useful: add a tag
# (UPSERT needs a CEL `value`) and drop one to keep cardinality down.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-metrics
  namespace: microservices
spec:
  metrics:
    - providers:
        - name: prometheus
      overrides:
        - match:
            metric: REQUEST_COUNT
            mode: CLIENT_AND_SERVER
          tagOverrides:
            request_host:
              operation: UPSERT
              value: "request.host"
        - match:
            metric: REQUEST_DURATION
            mode: CLIENT_AND_SERVER
          tagOverrides:
            request_protocol:
              operation: REMOVE
3. Access logs
# istio/telemetry-accesslog.yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-accesslog
  namespace: microservices
spec:
  accessLogging:
    - providers:
        - name: envoy
      filter:
        expression: "response.code >= 400"   # CEL: log only errors (remove the filter to log every request)
# A custom log destination or format is an extension provider in meshConfig, referenced
# from the Telemetry resource by name; JSON is far easier to parse in a SIEM than text:
# meshConfig:
#   accessLogEncoding: JSON
#   extensionProviders:
#     - name: file
#       envoyFileAccessLog:
#         path: /dev/stdout
#         logFormat:
#           text: |
#             [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
#             %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
#             %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%"
#             "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"
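Once the sidecars emit JSON access logs, the single most useful thing to do with them from a security standpoint is to watch authorization denials: Envoy's RBAC filter (which enforces AuthorizationPolicy) records the matched policy in `response_code_details` as `rbac_access_denied_matched_policy[<policy>]`, with `none` meaning no ALLOW rule matched. The following is an added example, not from the article or from Istio: a parser over lines in Istio's default JSON access-log shape that extracts those denials, attributes them to a client (first X-Forwarded-For hop when present, otherwise the peer address), and flags sources that trip the policy repeatedly. The log lines are constructed; the threshold is an assumption.

```python
"""Detection over Istio/Envoy JSON access logs: who is being denied by
AuthorizationPolicy, and how often.

Added example, not part of the article or of Istio. Field names are the keys of
Istio's default JSON access log (accessLogEncoding: JSON); the sample lines are
constructed. Envoy's RBAC filter writes rbac_access_denied_matched_policy[<policy>]
into response_code_details, "<policy>" being "none" for an implicit deny.
"""
from __future__ import annotations
import json
import re
from collections import Counter
from dataclasses import dataclass

# Greedy so that nested brackets in Istio policy names (ns[..]-policy[..]-rule[..]) survive
RBAC_RE = re.compile(r"rbac_access_denied_matched_policy\[(?P<policy>.*)\]$")


@dataclass(frozen=True)
class Denial:
    source: str        # client IP: first X-Forwarded-For hop if present, else the peer address
    method: str
    path: str
    policy: str        # DENY policy that matched, or "none" for implicit deny


def client_ip(entry: dict) -> str:
    """Best-effort client address. XFF is only trustworthy behind a gateway you control
    (numTrustedProxies); IPv4-style host:port is assumed for the peer address."""
    xff = entry.get("x_forwarded_for")
    if xff:
        return xff.split(",")[0].strip()
    return (entry.get("downstream_remote_address") or "-").rsplit(":", 1)[0]


def parse_denial(line: str) -> Denial | None:
    """Return a Denial for an RBAC-denied request; None for anything else, including non-JSON."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or entry.get("response_code") != 403:
        return None
    m = RBAC_RE.search(entry.get("response_code_details") or "")
    if not m:
        return None
    return Denial(client_ip(entry), entry.get("method", "-"), entry.get("path", "-"), m.group("policy"))


def denials_by_source(lines: list[str]) -> Counter[str]:
    return Counter(d.source for d in map(parse_denial, lines) if d)


def noisy_sources(lines: list[str], threshold: int = 3) -> list[str]:
    """Sources with at least `threshold` denials: a probe, a misconfigured caller,
    or a stolen identity trying paths it was never meant to reach."""
    return sorted(src for src, n in denials_by_source(lines).items() if n >= threshold)


def _line(**fields) -> str:
    """Build one constructed log line in the default JSON shape."""
    base = {"method": "GET", "path": "/api/user/1", "response_code": 200,
            "response_code_details": "via_upstream", "x_forwarded_for": None,
            "downstream_remote_address": "10.244.1.5:43210"}
    base.update(fields)
    return json.dumps(base)


SAMPLE_LOG = [                                          # constructed, not captured from a real mesh
    _line(),
    _line(method="POST", path="/api/user/create", response_code=403,
          response_code_details="rbac_access_denied_matched_policy[none]"),
    _line(path="/internal/debug", response_code=403,
          response_code_details="rbac_access_denied_matched_policy[none]"),
    _line(path="/admin/users", response_code=403,
          response_code_details="rbac_access_denied_matched_policy[none]"),
    _line(response_code=403, response_code_details="rbac_access_denied_matched_policy[none]"),
    _line(response_code=403, x_forwarded_for="203.0.113.7, 10.0.0.1",
          downstream_remote_address="10.244.0.3:51000",
          response_code_details="rbac_access_denied_matched_policy[ns[microservices]-policy[deny-legacy]-rule[0]]"),
    "not json at all",
]

if __name__ == "__main__":
    print(denials_by_source(SAMPLE_LOG))
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

Feed it real lines with `kubectl logs -c istio-proxy` piped in, or wire the same logic into the SIEM query language of your choice; the point is that a denial count per source is a cheap, high-signal detector that the mesh gives you for free once the policies are in place.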
十一、Visual monitoring with Kiali
1. Accessing Kiali
# Port forwarding
kubectl port-forward svc/kiali -n istio-system 20001:20001
# Or through an Ingress. Kiali exposes the whole mesh configuration, so publish it only over
# TLS and behind authentication; nginx basic auth is the bare minimum, Kiali's own `openid`
# auth strategy against your IdP is better.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kiali-ingress
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: kiali-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx          # replaces the deprecated kubernetes.io/ingress.class annotation
  tls:
    - hosts:
        - kiali.mycompany.com
      secretName: kiali-tls        # assumed TLS Secret name
  rules:
    - host: kiali.mycompany.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kiali
                port:
                  number: 20001
2. What can Kiali do?
- Service topology graph: visualize call relationships
- Metrics: request volume, error rate, latency
- Trace viewing: inspect a single request's path through the mesh
- Configuration validation: check Istio resources for mistakes and conflicts
- Health checks: service health status
3. Custom dashboards
# istio/kiali-custom-dashboard.yaml
# The MonitoringDashboard CRD (API group monitoring.kiali.io) belongs to older Kiali releases;
# newer Kiali versions take the same dashboard definition under `spec.custom_dashboards` in
# the Kiali CR instead. Check your Kiali version before applying this.
apiVersion: monitoring.kiali.io/v1alpha1
kind: MonitoringDashboard
metadata:
  name: microservices-dashboard
  namespace: microservices
spec:
  title: "Microservices dashboard"
  aggregations:
    - displayName: "Requests"
      label: "request_count"
      singleLabel: "request_count"
      metricLabel: "request_count"
  charts:
    - name: "Requests (per service)"
      unit: "req/s"
      spans: 12
      metricName: "istio_requests_total"
      dataType: "raw"
      aggregations:
        - label: "destination_service"
    - name: "Error rate"
      unit: "%"
      spans: 6
      metricName: "istio_requests_total"
      dataType: "rate"
      aggregations:
        - label: "response_code"
        - label: "destination_service"
    - name: "Latency (P95)"
      unit: "ms"
      spans: 6
      metricName: "istio_request_duration_milliseconds"
      dataType: "histogram"
      aggregations:
        - label: "destination_service"
十二、Production best practices
1. Resource limits
# istio/sidecar-resources.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 500m
            memory: 1Gi
          limits:
            cpu: 2000m
            memory: 2Gi
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 2000m
              memory: 1Gi
  # Sidecar defaults live under values.global.proxy (meshConfig.defaultConfig has no `resources`
  # field); individual workloads override them with the sidecar.istio.io/proxy* annotations from section 五
  values:
    global:
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 256Mi
2. High availability
# istio/ha-config.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  components:
    pilot:
      k8s:
        replicaCount: 3              # istiod replicas
        strategy:
          rollingUpdate:
            maxSurge: 1
            maxUnavailable: 0
        podDisruptionBudget:
          minAvailable: 2
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              - labelSelector:
                  matchExpressions:
                    - key: istio
                      operator: In
                      values:
                        - pilot
                topologyKey: kubernetes.io/hostname
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          replicaCount: 3
          service:
            type: LoadBalancer
            externalTrafficPolicy: Local   # preserves the client source IP, which ipBlocks/remoteIpBlocks policies depend on
          podDisruptionBudget:
            minAvailable: 2
          affinity:
            podAntiAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                - labelSelector:
                    matchExpressions:
                      - key: istio
                        operator: In
                        values:
                          - ingressgateway
                  topologyKey: kubernetes.io/hostname
3. Network policies
# istio/network-policy.yaml
# mTLS and AuthorizationPolicy are enforced at L7 inside Envoy; a NetworkPolicy is the L3/L4
# backstop that still holds if a sidecar is bypassed or misconfigured. Two things a naive
# version gets wrong: the sidecar must be allowed to reach istiod and DNS or nothing works,
# and an ingress rule for any namespace labelled `istio-injection: enabled` would admit every
# injected namespace and make the per-app selectors pointless, so there is none here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-sidecar-policy
  namespace: microservices
spec:
  podSelector:
    matchLabels:
      app: user-service
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Application traffic from the callers authorized in section 九 (and the ingress gateway)
    - from:
        - podSelector:
            matchLabels:
              app: order-service
        - podSelector:
            matchLabels:
              app: api-gateway
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system   # ingress gateway (istio-ingress if installed with the Helm gateway chart)
      ports:
        - protocol: TCP
          port: 8080
    # Prometheus scraping and the sidecar health port
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
      ports:
        - protocol: TCP
          port: 15090    # Envoy metrics
        - protocol: TCP
          port: 15021    # sidecar health check (kubelet probes are usually exempt; this is for in-cluster checkers)
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: mysql
      ports:
        - protocol: TCP
          port: 3306
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    # Control plane: xDS configuration and workload certificates from istiod
    # (port 15017, the injection webhook, is called by the API server, not by the Pod, so it is not needed here)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
      ports:
        - protocol: TCP
          port: 15012    # istiod xDS / CA over mTLS
    # DNS, without which none of the names above resolve
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
4. Backup and restore
#!/bin/bash
# backup-istio.sh
set -euo pipefail
mkdir -p backup
# Back up the Istio resources in the application namespace (security policies included)
for kind in virtualservices destinationrules gateways serviceentries envoyfilters \
            peerauthentications requestauthentications authorizationpolicies telemetries; do
  kubectl get "$kind" -n microservices -o yaml > "backup/$kind.yaml"
done
# Back up the IstioOperator configuration (the control plane's desired state)
kubectl get iop -n istio-system -o yaml > backup/iop.yaml
# Back up the sidecar injection webhook for reference only: istioctl install regenerates it,
# so never re-apply this file by hand
kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml > backup/sidecar-injector.yaml
# Restore script
#!/bin/bash
# restore-istio.sh
set -euo pipefail
# Security policies first, so the mesh never runs even briefly with routes but without mTLS/authz
for kind in peerauthentications requestauthentications authorizationpolicies \
            gateways serviceentries destinationrules virtualservices envoyfilters telemetries; do
  kubectl apply -f "backup/$kind.yaml"
done
十三、Common problems
1. Sidecar injection fails
# Check the namespace label
kubectl get namespace microservices --show-labels
# Check the Pod annotations
kubectl get pod user-service-xxx -n microservices -o yaml | grep sidecar.istio.io
# Check the injector logs (the injection webhook runs inside istiod; there is no separate sidecar-injector Pod)
kubectl logs -n istio-system -l app=istiod --tail=100 | grep -i inject
# Ask Istio why a Pod would or would not be injected
istioctl x check-inject -n microservices user-service-xxx
# Manual injection as a test
istioctl kube-inject -f deployment.yaml | kubectl apply -f -
2. Traffic routing fails
# Check the VirtualService
kubectl get virtualservice -n microservices
kubectl describe virtualservice user-service -n microservices
# Check the DestinationRule
kubectl get destinationrule -n microservices
kubectl describe destinationrule user-service -n microservices
# Check the Service and its endpoints
kubectl get svc -n microservices
kubectl get endpoints -n microservices
# Check the routes the sidecar actually received
istioctl proxy-config routes user-service-xxx.microservices -o json
# Lint the namespace's Istio config for conflicts (e.g. two VirtualServices claiming one host)
istioctl analyze -n microservices
3. mTLS certificate problems
# `istioctl authn tls-check` has been removed from current releases; use these instead
istioctl x describe pod user-service-xxx.microservices       # effective PeerAuthentication mode for the Pod
istioctl proxy-config secret user-service-xxx.microservices  # workload certificate and its validity period
# Check PeerAuthentication
kubectl get peerauthentication -n microservices
# Temporarily relax mTLS for debugging. This downgrades the whole namespace to accepting
# plaintext, so do it only outside production and revert to STRICT as soon as you are done.
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: microservices
spec:
  mtls:
    mode: PERMISSIVE
EOF
4. Performance problems
# Check sidecar resource usage
kubectl top pods -n microservices -l app=user-service --containers
# Raise the sidecar's limits. The annotations are read at injection time, so the patch
# triggers a rollout. Note that `add` on an existing `annotations` map replaces the whole
# map; to add a single key use the escaped path /spec/template/metadata/annotations/sidecar.istio.io~1proxyCPULimit
kubectl patch deployment user-service -n microservices --type='json' -p='[
  {
    "op": "add",
    "path": "/spec/template/metadata/annotations",
    "value": {
      "sidecar.istio.io/proxyCPULimit": "500m",
      "sidecar.istio.io/proxyMemoryLimit": "256Mi"
    }
  }
]'
# Reduce telemetry. Caution: patching the `mesh` key like this REPLACES the entire mesh config
# (outboundTrafficPolicy, extensionProviders, ...) with just these three lines. Prefer
# `istioctl install -f istio-custom.yaml` with the meshConfig change, or edit the ConfigMap
# and change only the keys you mean to change.
kubectl patch configmap istio -n istio-system --type merge -p '{
  "data": {
    "mesh": "accessLogFile: /dev/stdout\naccessLogEncoding: JSON\nenableTracing: false"
  }
}'
5. Upgrading
# Back up the installation that is actually running (the in-cluster IstioOperator, not a freshly generated default profile)
kubectl get iop -n istio-system -o yaml > istio-backup.yaml
# Download the new version (its istioctl is what performs the upgrade)
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.19.0 sh -
# Upgrade in place. `istioctl upgrade` is deprecated in favour of running the new `istioctl install`;
# for production prefer a canary control plane (`--revision`) and move namespaces over gradually.
istio-1.19.0/bin/istioctl install -f istio-custom.yaml -y
# Verify
istioctl version
kubectl get pods -n istio-system
# Roll back: run the OLD version's istioctl with the backed-up configuration
# (`istioctl manifest apply` no longer exists)
istio-1.18.0/bin/istioctl install -f istio-backup.yaml -y
十四、Today's summary
What did we learn?
- ✅ Service Mesh core concepts: data plane vs control plane
- ✅ Installing and configuring Istio
- ✅ Automatic sidecar injection
- ✅ Traffic management: routing, splitting, circuit breaking, rate limiting
- ✅ Security: mTLS, JWT authentication, authorization policies
- ✅ Observability: tracing, metrics, logs
- ✅ Visualization: Kiali dashboards
- ✅ Production best practices
Key points
- Sidecar pattern: network concerns decoupled from the application
- Declarative configuration: tell Istio the state you want
- Progressive delivery: canary, blue/green, A/B testing
- Zero trust: mTLS by default, least privilege through AuthorizationPolicy with implicit deny
- Unified observability: tracing, metrics and logs in one place
十五、What's next?
Tomorrow: CI/CD pipelines!
- Code commits automatically trigger builds
- Automated tests and security scanning
- Automated deployment to Kubernetes
- Automated rollback, blue/green releases
- GitOps: all configuration as code
Tomorrow we build a fully automated DevOps pipeline, from commit to production! 🚀
Service Mesh deep dive: Istio from getting started to production, the ultimate SpringCloud microservice governance solution
🔥 This article is part 13 of the "SpringCloud Enterprise Practice" column.