# Service Mesh in Practice: The Complete Istio Guide

## Service Mesh Overview

### What is a service mesh?

A service mesh is an infrastructure layer in a microservice architecture that handles service-to-service communication.

### Core features

- Traffic management: routing, load balancing, canary releases
- Security: mTLS, authentication, authorization
- Observability: metrics, logs, distributed tracing
- Resilience: retries, circuit breaking, timeouts

## Istio Architecture

### Data plane

Envoy sidecar:

- intercepts all service-to-service traffic
- enforces traffic rules
- collects telemetry data

```yaml
# Sidecar injection example: the Pod as submitted by the user. With injection
# enabled for the namespace, the istio-proxy container is added automatically.
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: app
    image: my-app:1.0
```

### Control plane

Istiod components:

- Pilot: service discovery and traffic management
- Citadel: certificate management
- Galley: configuration validation and distribution

## Installing Istio

### Using istioctl

```bash
# Download Istio
curl -L https://istio.io/downloadIstio | sh -

# Install
istioctl install --set profile=demo -y

# Verify the installation
istioctl verify-install
```

### Enabling sidecar injection

```bash
# Enable automatic injection for a namespace
kubectl label namespace default istio-injection=enabled

# Verify
kubectl get namespace -L istio-injection
```

## Traffic Management

### VirtualService

Basic routing (requests from the user `jason` go to subset `v2`, everything else to `v1`):
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
```
Canary release (weighted split between two subsets):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: productpage
spec:
  hosts:
  - productpage
  http:
  - route:
    - destination:
        host: productpage
        subset: v1
      weight: 90
    - destination:
        host: productpage
        subset: v2
      weight: 10
```
### DestinationRule

Subsets referenced by a VirtualService are defined in a DestinationRule, together with the traffic policy (here the load-balancing algorithm):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
```
### Gateway

A Gateway configures the ingress gateway's listeners; note that `"*"` accepts any host on plain HTTP:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
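An added example that is not part of the original guide, extending the Gateway above: it restricts the accepted host, terminates TLS, redirects plaintext to HTTPS, and shows the VirtualService that binds to the gateway (the page's Gateway has no VirtualService attached to it). The hostname `bookinfo.example.com`, the secret `bookinfo-cert` and port 9080 are assumptions.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.example.com"      # assumed hostname; "*" would accept any host
    tls:
      httpsRedirect: true         # answer plaintext requests with a 301 to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.example.com"
    tls:
      mode: SIMPLE                # terminate TLS at the ingress gateway
      credentialName: bookinfo-cert   # assumed TLS secret in the gateway's namespace
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: productpage-ingress
  namespace: default
spec:
  hosts:
  - "bookinfo.example.com"        # must match a host the Gateway server accepts
  gateways:
  - my-gateway                    # bind to the Gateway above (resolved in this namespace)
  http:
  - match:
    - uri:
        prefix: /productpage
    route:
    - destination:
        host: productpage
        port:
          number: 9080            # assumed service port
```

Without the `gateways:` entry a VirtualService applies only to sidecars inside the mesh, so the ingress gateway would return 404 for the host.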
## Security

### PeerAuthentication (mTLS)

The namespace the policy is applied in sets its scope; applied in the root namespace (`istio-system`) it becomes the mesh-wide default.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
```

Modes: `STRICT` accepts only mTLS connections, while `PERMISSIVE` accepts both mTLS and plaintext (useful while migrating workloads into the mesh).

### RequestAuthentication (JWT)
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "testing@secure.istio.io"
    # jwksUri points at a URL; the jwks field expects an inline JSON Web Key Set
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.13/security/tools/jwt/samples/jwks.json"
```
### AuthorizationPolicy

Workload identities in `principals` come from the peer certificate, so this rule only works where mTLS is in effect:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-viewer
spec:
  selector:
    matchLabels:
      app: productpage
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-viewer"]
    to:
    - operation:
        methods: ["GET"]
```
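An added example that is not part of the original guide: a namespace-wide default-deny policy, plus the policy that makes the RequestAuthentication above actually require a token. RequestAuthentication on its own only rejects requests carrying an invalid token; a request with no token at all is still forwarded unless an AuthorizationPolicy demands a request principal. The principal value uses the issuer from the page with the subject of Istio's sample token (assumed to be the same string); the path `/headers` is an assumption.

```yaml
# Default deny: an ALLOW policy with no rules matches nothing, so every request
# to workloads in the namespace is rejected unless another ALLOW rule matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
# Require a valid JWT for the workload covered by the RequestAuthentication above.
# requestPrincipals is "<issuer>/<subject>"; "*" would accept any validated token.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]  # assumed subject
    to:
    - operation:
        methods: ["GET"]
        paths: ["/headers"]    # assumed path
```

With both policies applied, a request to `httpbin` without a token is rejected with 403 rather than passed through; the `allow-viewer` rule above keeps working because ALLOW policies are evaluated independently.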
## Observability

### Metrics

Automatically collected metrics, customised here through the Telemetry API:

```yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
spec:
  metrics:
  - providers:
    - name: prometheus
    overrides:
    - match:
        metric: REQUEST_COUNT
      tagOverrides:
        destination_service:
          value: "my-service"
```
### Tracing

The provider name must be defined in `meshConfig.extensionProviders`:

```yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
spec:
  tracing:
  - providers:
    - name: jaeger
```
### Access logging

```yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
spec:
  accessLogging:
  - providers:
    - name: otel
```
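The three Telemetry resources above all carry the name `mesh-default`, so applying them one after another to the same namespace replaces the previous one and leaves only the last in effect. An added example, not from the original guide, that merges them into one mesh-wide resource in the root namespace; the `jaeger` provider and the 10% sampling rate are assumptions, and `jaeger` must exist in `meshConfig.extensionProviders`.

```yaml
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system          # root namespace: the resource applies mesh-wide
spec:
  metrics:
  - providers:
    - name: prometheus             # built-in provider
  tracing:
  - providers:
    - name: jaeger                 # assumed to be defined in meshConfig.extensionProviders
    randomSamplingPercentage: 10.0 # assumed rate: trace 10% of requests
  accessLogging:
  - providers:
    - name: envoy                  # built-in provider writing to the proxy's stdout
```

Per-namespace or per-workload Telemetry resources (selected with `selector.matchLabels`) then override only the sections they set.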
## Resilience

### Timeouts

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - timeout: 3s
    route:
    - destination:
        host: reviews
```
### Retries

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,connect-failure,refused-stream
    route:
    - destination:
        host: reviews
```
### Circuit breaking (outlier detection)

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
spec:
  host: httpbin
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 3   # consecutiveErrors is deprecated in favour of this field
      interval: 30s
      baseEjectionTime: 30s
```
## Fault Injection

Delay (10% of requests are held for 7 seconds):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - fault:
      delay:
        percentage:
          value: 10
        fixedDelay: 7s
    route:
    - destination:
        host: reviews
```
Abort (50% of requests receive HTTP 503):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - fault:
      abort:
        percentage:
          value: 50
        httpStatus: 503
    route:
    - destination:
        host: ratings
```
## Best Practices

### Progressive canary rollout

```yaml
# 1. Create the DestinationRule
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# 2. Create the VirtualService (10% of traffic to v2)
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
  - myapp
  http:
  - route:
    - destination:
        host: myapp
        subset: v1
      weight: 90
    - destination:
        host: myapp
        subset: v2
      weight: 10
```
```yaml
# 3. Once v2 is verified, shift all traffic to it
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
  - myapp
  http:
  - route:
    - destination:
        host: myapp
        subset: v2
      weight: 100
```
### mTLS migration

```bash
# Start in PERMISSIVE mode so plaintext clients keep working
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: PERMISSIVE
EOF

# After verifying that all traffic is mTLS, switch to STRICT
kubectl patch pa default --type merge -p '{"spec":{"mtls":{"mode":"STRICT"}}}'
```
### Sidecar resource limits

```yaml
# Limit sidecar resources: a container named istio-proxy in the Pod spec is
# merged into the injected sidecar by the injector (Istio 1.10 and later)
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: app              # the application container, as in the injection example above
    image: my-app:1.0
  - name: istio-proxy
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 256Mi
```
### Connection pool and outlier detection

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  trafficPolicy:
    connectionPool:
      http:
        h2UpgradePolicy: UPGRADE
    outlierDetection:
      consecutiveGatewayErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 100
```
## Troubleshooting

Check whether the Pod has the sidecar injected:

```bash
# List the Pod's containers
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].name}'
# You should see an istio-proxy container
```

Inspect the Envoy configuration:

```bash
# Listener configuration
istioctl proxy-config listeners <pod-name>

# Cluster configuration
istioctl proxy-config clusters <pod-name>

# Route configuration
istioctl proxy-config routes <pod-name>
```

View the Envoy logs:

```bash
# Envoy logs
kubectl logs <pod-name> -c istio-proxy

# Analyse with istioctl
istioctl proxy-config bootstrap <pod-name>
```
## Summary

Istio provides powerful service mesh capabilities: traffic management, security, observability and resilience.

Master Istio and make your microservice architecture more robust!