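What is Istio?
Istio is an open platform for service governance.
Istio is an open platform for service governance in the form of a service mesh.
Istio is an open platform for service governance in the form of a service mesh, tightly integrated with Kubernetes and suited to cloud-native scenarios.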

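Istio core components:
- Proxy (Envoy): a high-performance proxy written in C++ that mediates all inbound and outbound traffic for every service in the mesh.
- Pilot: provides service discovery for the Envoy sidecars, and traffic management for intelligent routing (for example A/B testing and canary deployments) and resilience (timeouts, retries, circuit breakers and so on).
- Citadel: provides strong service-to-service and end-user authentication through built-in identity and credential management.
- Galley: the Istio component responsible for configuration management; it validates the format and content of configuration and supplies that configuration to the other control-plane components.
- Mixer: mainly handles access control and policy control, and also collects metrics from Envoy.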
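Istio basic functions:
① Automatic injection: the sidecar proxy is injected automatically when an application is created.
② Traffic interception: iptables rules are set when the Pod initializes; when traffic arrives, those rules redirect the application container's inbound and outbound traffic to the sidecar.
③ Service discovery: the calling side's Envoy calls the service discovery interface of the management-plane component Pilot to get the list of instances of the target service.
④ Load balancing: the calling side's Envoy selects a service instance according to the configured load-balancing policy and connects to that instance's address.
⑤ Traffic governance: Envoy obtains the configured traffic rules from Pilot and applies the governance logic when it intercepts inbound and outbound traffic.
⑥ Access security: for service-to-service access, the Envoys on both sides perform mutual authentication and channel encryption, and authorization is managed on the basis of service identity.
⑦ External access: at the mesh entry point, an Envoy acts as the ingress gateway.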
Basic Istio usage!
Istio routing rule configuration: VirtualService
1 Routing rule definition

2 HTTP route (HTTPRoute)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend-route
spec:
  hosts:
  - "*"
  gateways:
  - istio-system/weather-gateway
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: frontend
        port:
          number: 3000
        subset: v1
```
3 TLS route (TLSRoute)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend-route
spec:
  gateways:
  - istio-system/weather-gateway
  hosts:
  - www.weather.com
  http:
  - route:
    - destination:
        host: frontend
        subset: v1
```
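The manifest above routes through an `http:` block. A route under the `tls:` field matches on the SNI name instead, so the gateway forwards the still-encrypted connection. The following is an added example, not from the original post; it reuses the page's gateway, host and service names, while port 443, the PASSTHROUGH mode and the backend port are assumptions.

```yaml
# Added example: Gateway server plus a TLS route (port 443 and PASSTHROUGH are assumptions)
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: weather-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: PASSTHROUGH   # the gateway does not terminate TLS; it routes on SNI only
    hosts:
    - www.weather.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend-route
spec:
  gateways:
  - istio-system/weather-gateway
  hosts:
  - www.weather.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - www.weather.com   # must fall within spec.hosts
    route:
    - destination:
        host: frontend
        port:
          number: 443     # assumed: the frontend service itself serves TLS on 443
```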
4 TCP route (TCPRoute)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo
spec:
  hosts:
  - "*"
  gateways:
  - tcp-echo-gateway
  tcp:
  - route:
    - destination:
        host: tcp-echo
        port:
          number: 9000
        subset: v1
```
5 Comparison of the routing rules for the three protocols

Istio destination rule configuration: DestinationRule
1 DestinationRule configuration example
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: frontend-dr
  namespace: weather
spec:
  host: frontend
  subsets:
  - name: v1
    labels:
      version: v1
```
2 DestinationRule rule definition
Istio service gateway configuration: Gateway
1 Gateway configuration example
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: weather-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
2 Gateway rule definition
Istio external service configuration: ServiceEntry
1 ServiceEntry configuration example
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: weather-external
spec:
  hosts:
  - www.wearherdb.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
```
2 Definition and usage of ServiceEntry rules

Istio proxy rule configuration: Sidecar
1 Sidecar configuration example
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: weather
spec:
  egress:
  - hosts:
    - "news/*"
    - "istio-system/*"
```
2 Sidecar rule definition

Istio deployment record!
```
[root@k8s-32 istio-1.6.0]# istioctl manifest apply --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Addons installed
✔ Installation complete
[root@k8s-32 istio-1.6.0]#
[root@k8s-32 istio-1.6.0]# kubectl -n istio-system get pod
NAME                                    READY   STATUS    RESTARTS   AGE
grafana-74dc798895-r9w4k                1/1     Running   0          3m24s
istio-egressgateway-69bf865cf8-dqmbm    1/1     Running   0          3m25s
istio-ingressgateway-569d44555d-7r6qf   1/1     Running   0          3m25s
istio-tracing-8584b4d7f9-zmcrs          1/1     Running   0          3m24s
istiod-84cc4dfcd8-cr9vs                 1/1     Running   0          3m50s
kiali-6f457f5964-7b6h4                  1/1     Running   0          3m24s
prometheus-79878ff5fd-ktlpf             2/2     Running   0          3m24s
[root@k8s-32 istio-1.6.0]# kubectl -n istio-system get svc
NAME                        TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
grafana                     ClusterIP      10.96.184.105   <none>        3000/TCP                                                                     23m
istio-egressgateway         ClusterIP      10.103.86.9     <none>        80/TCP,443/TCP,15443/TCP                                                     23m
istio-ingressgateway        LoadBalancer   10.104.28.37    <pending>     15020:32340/TCP,80:32254/TCP,443:32115/TCP,31400:32616/TCP,15443:32470/TCP   23m
istiod                      ClusterIP      10.105.190.0    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,53/UDP,853/TCP                         24m
jaeger-agent                ClusterIP      None            <none>        5775/UDP,6831/UDP,6832/UDP                                                   23m
jaeger-collector            ClusterIP      10.108.128.31   <none>        14267/TCP,14268/TCP,14250/TCP                                                23m
jaeger-collector-headless   ClusterIP      None            <none>        14250/TCP                                                                    23m
jaeger-query                ClusterIP      10.104.174.30   <none>        16686/TCP                                                                    23m
kiali                       ClusterIP      10.101.20.142   <none>        20001/TCP                                                                    23m
prometheus                  ClusterIP      10.99.39.72     <none>        9090/TCP                                                                     23m
tracing                     ClusterIP      10.99.205.57    <none>        80/TCP                                                                       23m
zipkin                      ClusterIP      10.106.72.65    <none>        9411/TCP                                                                     23m
[root@k8s-32 istio-1.6.0]# kubectl -n istio-system edit svc istio-ingressgateway
service/istio-ingressgateway edited
[root@k8s-32 istio-1.6.0]# kubectl -n istio-system get svc
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
grafana                     ClusterIP   10.96.184.105   <none>        3000/TCP                                                                     25m
istio-egressgateway         ClusterIP   10.103.86.9     <none>        80/TCP,443/TCP,15443/TCP                                                     25m
istio-ingressgateway        NodePort    10.104.28.37    <none>        15020:32340/TCP,80:32254/TCP,443:32115/TCP,31400:32616/TCP,15443:32470/TCP   25m
istiod                      ClusterIP   10.105.190.0    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,53/UDP,853/TCP                         25m
jaeger-agent                ClusterIP   None            <none>        5775/UDP,6831/UDP,6832/UDP                                                   25m
jaeger-collector            ClusterIP   10.108.128.31   <none>        14267/TCP,14268/TCP,14250/TCP                                                25m
jaeger-collector-headless   ClusterIP   None            <none>        14250/TCP                                                                    25m
jaeger-query                ClusterIP   10.104.174.30   <none>        16686/TCP                                                                    24m
kiali                       ClusterIP   10.101.20.142   <none>        20001/TCP                                                                    24m
prometheus                  ClusterIP   10.99.39.72     <none>        9090/TCP                                                                     24m
tracing                     ClusterIP   10.99.205.57    <none>        80/TCP                                                                       24m
zipkin                      ClusterIP   10.106.72.65    <none>        9411/TCP                                                                     24m
[root@k8s-32 istio-1.6.0]# kubectl label namespace default istio-injection=enabled
error: 'istio-injection' already has a value (enabled), and --overwrite is false
[root@k8s-32 istio-1.6.0]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
[root@k8s-32 istio-1.6.0]# kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
[root@k8s-32 istio-1.6.0]# kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
destinationrule.networking.istio.io/productpage created
destinationrule.networking.istio.io/reviews created
destinationrule.networking.istio.io/ratings created
destinationrule.networking.istio.io/details created
[root@k8s-32 istio-1.6.0]# kubectl get pod
NAME                              READY   STATUS     RESTARTS   AGE
details-v1-78d78fbddf-jxx2h       0/2     Init:0/1   0          9s
productpage-v1-85b9bf9cd7-kh5wg   0/2     Init:0/1   0          7s
ratings-v1-6c9dbf6b45-ccdcg       0/2     Init:0/1   0          8s
reviews-v1-564b97f875-5j5x5       0/2     Init:0/1   0          8s
reviews-v2-568c7c9d8f-vg52z       0/2     Init:0/1   0          8s
reviews-v3-67b4988599-fsjnb       0/2     Init:0/1   0          8s
[root@k8s-32 istio-1.6.0]# kubectl get pod
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-78d78fbddf-jxx2h       2/2     Running   0          2m53s
productpage-v1-85b9bf9cd7-kh5wg   2/2     Running   0          2m51s
ratings-v1-6c9dbf6b45-ccdcg       2/2     Running   0          2m52s
reviews-v1-564b97f875-5j5x5       2/2     Running   0          2m52s
reviews-v2-568c7c9d8f-vg52z       2/2     Running   0          2m52s
reviews-v3-67b4988599-fsjnb       2/2     Running   0          2m52s
```
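Other information
Relationship between microservices, containers, Kubernetes and Istio:

Relationship between the Istio and Kubernetes architectures:

Comparison of the Istio + Kubernetes approach with the SDK-developed microservices + Kubernetes approach:

Comparison of ways to publish services on the Gateway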

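Author: Leozhanggg
Source: https://www.cnblogs.com/leozhanggg/p/12936327.html
Copyright of this article is shared by the author and cnblogs (博客園). Reposting is welcome, but unless the author agrees otherwise this notice must be retained and a link to the original must be given in a prominent position on the article page; otherwise the right to pursue legal liability is reserved.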
