Service Mesh in Practice: The Complete Istio Guide

Service Mesh Overview

What Is a Service Mesh?

A service mesh is an infrastructure layer in a microservice architecture that handles communication between services.

Core Capabilities

  1. Traffic management: routing, load balancing, canary releases
  2. Security: mTLS, authentication, authorization
  3. Observability: metrics, logs, distributed tracing
  4. Resilience: retries, circuit breaking, timeouts

Istio Architecture

Data Plane

Envoy Sidecar

  • Intercepts all service-to-service traffic
  • Enforces traffic rules
  • Collects telemetry data

    # Sidecar injection example: only the application container is declared;
    # the injection webhook adds the istio-proxy container at admission time
    apiVersion: v1
    kind: Pod
    metadata:
      name: my-app
    spec:
      containers:
      - name: app
        image: my-app:1.0

Control Plane

Istiod Components

  • Pilot: service discovery and traffic management
  • Citadel: certificate management
  • Galley: configuration validation and distribution

Installing Istio

Using istioctl

    # Download Istio
    curl -L https://istio.io/downloadIstio | sh -
    # Install
    istioctl install --set profile=demo -y
    # Verify the installation
    istioctl verify-install

Enabling Sidecar Injection

    # Enable automatic injection for a namespace
    kubectl label namespace default istio-injection=enabled
    # Verify
    kubectl get namespace -L istio-injection

Traffic Management

1. VirtualService

Basic routing

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
      - reviews
      http:
      - match:
        - headers:
            end-user:
              exact: jason
        route:
        - destination:
            host: reviews
            subset: v2
      - route:
        - destination:
            host: reviews
            subset: v1

Canary release

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: productpage
    spec:
      hosts:
      - productpage
      http:
      - route:
        - destination:
            host: productpage
            subset: v1
          weight: 90
        - destination:
            host: productpage
            subset: v2
          weight: 10

2. DestinationRule

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: reviews
    spec:
      host: reviews
      subsets:
      - name: v1
        labels:
          version: v1
      - name: v2
        labels:
          version: v2
      trafficPolicy:
        loadBalancer:
          simple: LEAST_CONN

3. Gateway

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: my-gateway
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
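The Gateway above accepts every host over plaintext HTTP on port 80 and is not yet bound to any VirtualService, so by itself it routes nothing. The following is an added example, not configuration from the original article: a TLS-terminating Gateway that redirects HTTP to HTTPS, plus the VirtualService that attaches to it through its gateways field. The host example.com, the Secret name example-com-cert, the namespace istio-system and the productpage backend on port 9080 are assumed placeholders.

```yaml
# Added example: HTTPS Gateway with HTTP->HTTPS redirect, plus the
# VirtualService that binds to it. Host, Secret and backend values are
# placeholders (assumptions), not values from the article.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "example.com"
    tls:
      httpsRedirect: true   # plaintext requests get a 301 to https
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "example.com"
    tls:
      mode: SIMPLE          # terminate TLS at the ingress gateway
      credentialName: example-com-cert  # kubernetes.io/tls Secret in istio-system
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: productpage-ingress
  namespace: istio-system
spec:
  hosts:
  - "example.com"
  gateways:
  - my-gateway            # without this binding the Gateway serves nothing
  http:
  - match:
    - uri:
        prefix: /productpage
    route:
    - destination:
        host: productpage.default.svc.cluster.local
        port:
          number: 9080
```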

Security

1. mTLS (Mutual TLS)

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
    spec:
      mtls:
        mode: STRICT

Modes

  • STRICT: mTLS is required
  • PERMISSIVE: accepts both mTLS and plaintext
  • DISABLE: mTLS is turned off

2. Authentication Policy

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-example
    spec:
      selector:
        matchLabels:
          app: httpbin
      jwtRules:
      - issuer: "testing@secure.istio.io"
        jwks: "https://raw.githubusercontent.com/istio/istio/release-1.13/security/tools/jwt/samples/jwks.json"

3. Authorization Policy

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-viewer
    spec:
      selector:
        matchLabels:
          app: productpage
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/default/sa/bookinfo-viewer"]
        to:
        - operation:
            methods: ["GET"]
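A RequestAuthentication only validates tokens that are actually presented; a request that carries no JWT at all still passes through unless an AuthorizationPolicy demands a request principal. The block below is an added example, not part of the original article: it stacks a mesh-wide STRICT PeerAuthentication in istio-system with a deny-by-default policy for the default namespace and one explicit allow rule that admits only GET requests to httpbin carrying a JWT from the issuer configured above. The namespace names are assumptions; the issuer and the httpbin label come from the article.

```yaml
# Added example: layered defaults. Mesh-wide STRICT mTLS, deny-by-default in
# the namespace, then an explicit allow that requires a validated JWT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # a policy named default here applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}                    # no rules at all: nothing in the namespace is allowed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        # <issuer>/<sub> form; "*" accepts any subject of this issuer.
        # Requests with no token, or an invalid one, have no request
        # principal and therefore fall through to deny-all.
        requestPrincipals: ["testing@secure.istio.io/*"]
    to:
    - operation:
        methods: ["GET"]
```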

Observability

1. Metrics

Automatically collected metrics

  • Request volume
  • Latency
  • Error rate
  • Saturation

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: mesh-default
    spec:
      metrics:
      - providers:
        - name: prometheus
        overrides:
        - match:
            metric: REQUEST_COUNT
          tagOverrides:
            destination_service:
              value: "my-service"

2. Distributed Tracing

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: mesh-default
    spec:
      tracing:
      - providers:
        - name: jaeger

3. Access Logging

    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: mesh-default
    spec:
      accessLogging:
      - providers:
        - name: otel

Resilience Features

1. Timeouts

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
      - reviews
      http:
      - timeout: 3s
        route:
        - destination:
            host: reviews

2. Retries

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
      - reviews
      http:
      - retries:
          attempts: 3
          perTryTimeout: 2s
          retryOn: 5xx,connect-failure,refused-stream
        route:
        - destination:
            host: reviews

3. Circuit Breaking

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: httpbin
    spec:
      host: httpbin
      trafficPolicy:
        outlierDetection:
          consecutiveErrors: 3
          interval: 30s
          baseEjectionTime: 30s
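Outlier detection only ejects hosts that have already failed; it does not stop a sidecar from piling requests onto an overloaded upstream. The block below is an added example, not from the original article: it combines outlier detection with connection-pool limits so that excess load is rejected at the sidecar before it reaches httpbin, and it uses consecutive5xxErrors, the field that replaced the deprecated consecutiveErrors shown above. The limit values are illustrative assumptions.

```yaml
# Added example: circuit breaker = connection-pool limits + outlier detection.
# Numbers are illustrative; tune them against the service's measured capacity.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
spec:
  host: httpbin
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 1          # upstream TCP connections per sidecar
      http:
        http1MaxPendingRequests: 1 # requests queued beyond this are rejected with 503
        maxRequestsPerConnection: 1
    outlierDetection:
      consecutive5xxErrors: 3      # successor of the deprecated consecutiveErrors
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 100      # permit ejecting every host when all are failing
```

Requests rejected by the pool limits show up in the caller's istio-proxy access log as 503 with the Envoy response flag UO (upstream overflow), which is the signal to watch when tuning these numbers.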

Fault Injection

1. Delay Injection

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
      - reviews
      http:
      - fault:
          delay:
            percentage:
              value: 10
            fixedDelay: 7s
        route:
        - destination:
            host: reviews

2. Abort Injection

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: ratings
    spec:
      hosts:
      - ratings
      http:
      - fault:
          abort:
            percentage:
              value: 50
            httpStatus: 503
        route:
        - destination:
            host: ratings
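Both fault rules above apply to every caller of the service, so in a shared cluster they would degrade real users. The block below is an added example, not from the original article: it narrows the abort to requests that carry the end-user: jason header used in the routing example earlier and keeps a normal route for everyone else.

```yaml
# Added example: fault injection scoped to a test identity. Only requests
# carrying the header end-user: jason hit the abort rule; all other traffic is
# routed unchanged. Rule order matters: the matching fault rule must come first.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    fault:
      abort:
        percentage:
          value: 100       # deterministic for the test user
        httpStatus: 503
    route:
    - destination:
        host: ratings
  - route:                 # default rule: no fault for anyone else
    - destination:
        host: ratings
```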

Hands-on Examples

Canary Release

    # 1. Create the DestinationRule
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: myapp
    spec:
      host: myapp
      subsets:
      - name: v1
        labels:
          version: v1
      - name: v2
        labels:
          version: v2
    ---
    # 2. Create the VirtualService (10% of traffic to v2)
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: myapp
    spec:
      hosts:
      - myapp
      http:
      - route:
        - destination:
            host: myapp
            subset: v1
          weight: 90
        - destination:
            host: myapp
            subset: v2
          weight: 10

Blue-Green Deployment

    # Switch all traffic to v2
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: myapp
    spec:
      hosts:
      - myapp
      http:
      - route:
        - destination:
            host: myapp
            subset: v2
          weight: 100

Best Practices

1. Enable Features Gradually

    # Start in PERMISSIVE mode
    kubectl apply -f - <<EOF
    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
    spec:
      mtls:
        mode: PERMISSIVE
    EOF
    # After verifying, switch to STRICT
    kubectl patch pa default --type merge -p '{"spec":{"mtls":{"mode":"STRICT"}}}'

2. Monitor Resource Usage

    # Limit sidecar resources: an istio-proxy container declared in the pod
    # spec is merged with the injected one; "image: auto" is replaced by the
    # injector with the configured proxy image
    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp
    spec:
      containers:
      - name: istio-proxy
        image: auto
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi

3. Configure Graceful Shutdown

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: myapp
    spec:
      host: myapp
      trafficPolicy:
        connectionPool:
          http:
            h2UpgradePolicy: UPGRADE
        outlierDetection:
          consecutiveGatewayErrors: 5
          interval: 30s
          baseEjectionTime: 30s
          maxEjectionPercent: 100

Troubleshooting

1. Check Sidecar Injection

    # Check whether the Pod has a sidecar injected
    kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].name}'
    # An istio-proxy container should be listed

2. Inspect the Envoy Configuration

    # Listener configuration
    istioctl proxy-config listeners <pod-name>
    # Cluster configuration
    istioctl proxy-config clusters <pod-name>
    # Route configuration
    istioctl proxy-config routes <pod-name>

3. Log Analysis

    # Envoy logs
    kubectl logs <pod-name> -c istio-proxy
    # Inspect the proxy bootstrap configuration with istioctl
    istioctl proxy-config bootstrap <pod-name>

Summary

Istio provides powerful service mesh capabilities:

  1. Traffic management: flexible routing and load balancing
  2. Security hardening: mTLS and fine-grained authorization
  3. Observability: comprehensive monitoring and tracing
  4. Resilience: retries, circuit breaking, fault injection
  5. Best practices: gradual enablement, monitoring and tuning

Master Istio and make your microservice architecture more robust!
