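Istio Summary
1. Overview
Istio has been running in our test environment for a long time and has been upgraded to the latest release, istio-1.1. Performance is much better than before. The official test data says latency has dropped to 8 ms. In actual testing, access speed did improve a lot, but it is still noticeably slower than accessing the pod directly: the sidecar adds more layers to the data path, which costs some access performance. The takeaway is not to adopt a service mesh blindly. A service mesh solves many problems, but it also brings many new ones. That said, Istio's Pilot and Mixer are still usable. For a detailed introduction to Istio, see the official site: https://istio.io/docs/concepts/what-is-istio/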
2. Deployment
I followed the install on GitHub and made my own version based on how I use it. It only customizes the values file, with no major changes.
https://github.com/cuishuaigit/istio-chart
Istio's automatic sidecar injection is used here, so the namespace needs a label:
kubectl label namespace default istio-injection=enabled
First, deploy Helm. The latest Helm releases are at https://github.com/helm/helm/releases
wget https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
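Create the service account:
kubectl create -f helm-service-account.yaml
Install Tiller:
helm init --service-account tiller
Production deployments always use TLS:
See https://helm.sh/docs/using_helm/#using-ssl-between-helm-and-tiller
For the Istio installation itself, see the README in my GitHub repository.
The result after installation: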
root@k3-1:/data/appswitch# kubectl get pods -n istio-system
NAME                                    READY   STATUS      RESTARTS   AGE
grafana-5758685b-9qk5z                  1/1     Running     0          4d8h
istio-citadel-5f88c9b4-wwz2d            1/1     Running     0          4d8h
istio-galley-689b8d98-c5pw8             1/1     Running     0          4d8h
istio-ingressgateway-744855f4-x8jkl     1/1     Running     0          4d7h
istio-init-crd-10-68cgn                 0/1     Completed   0          4d8h
istio-init-crd-11-fsb6w                 0/1     Completed   0          4d8h
istio-init-crd-certmanager-10-64btr     0/1     Completed   0          4d8h
istio-init-crd-certmanager-11-8qzrg     0/1     Completed   0          4d8h
istio-pilot-6cd56bb6cb-6t78m            2/2     Running     0          4d8h
istio-policy-54686485-lsfxt             2/2     Running     0          4d7h
istio-sidecar-injector-746b458c-6rbdz   1/1     Running     0          4d8h
istio-telemetry-77b97547-2pdpq          1/2     Running     0          4d7h
istio-telemetry-77b96547-8gmd8          2/2     Running     0          4d7h
istio-tracing-656fc99c-xggq8            1/1     Running     0          4d8h
istiocoredns-bd4885d-x9hwt              2/2     Running     0          4d8h
kiali-69d68b45-2sxzj                    1/1     Running     0          4d4h
prometheus-66f5694-bn622                1/1     Running     0          4d8h
servicegraph-759c7d9b-sjdfg             1/1     Running     0          4d8h
tiller-deploy-556f6dd9-jhpt4            1/1     Running     0          6d6h
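The istio-injection=enabled label set earlier only takes effect when a pod is created, so pods that already existed, or that opt out with the sidecar.istio.io/inject annotation, keep running outside the mesh. The following check is an added example, not part of the original post or of Istio: it reads the JSON from `kubectl get ns -o json` and `kubectl get pods --all-namespaces -o json` and lists such pods. The sample data and function names are constructed for illustration.

```python
import json

# Constructed sample data, trimmed to the fields the check reads. On a cluster, load
# `kubectl get ns -o json` and `kubectl get pods --all-namespaces -o json` instead.
SAMPLE_NAMESPACES = json.loads("""
{"items": [
  {"metadata": {"name": "default", "labels": {"istio-injection": "enabled"}}},
  {"metadata": {"name": "kube-system"}}
]}""")

SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "web-1", "namespace": "default"},
   "spec": {"containers": [{"name": "web"}, {"name": "istio-proxy"}]}},
  {"metadata": {"name": "old-job", "namespace": "default"},
   "spec": {"containers": [{"name": "job"}]}},
  {"metadata": {"name": "legacy", "namespace": "default",
                "annotations": {"sidecar.istio.io/inject": "false"}},
   "spec": {"containers": [{"name": "legacy"}]}},
  {"metadata": {"name": "dns", "namespace": "kube-system"},
   "spec": {"containers": [{"name": "coredns"}]}}
]}""")

def injected_namespaces(ns_list):
    """Names of namespaces labelled istio-injection=enabled."""
    return {
        ns["metadata"]["name"]
        for ns in ns_list.get("items", [])
        if (ns["metadata"].get("labels") or {}).get("istio-injection") == "enabled"
    }

def pods_without_sidecar(ns_list, pod_list):
    """Return (namespace, pod, reason) for pods in labelled namespaces with no sidecar."""
    enabled = injected_namespaces(ns_list)
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        names = {c["name"] for c in pod["spec"].get("containers", [])}
        if meta.get("namespace") not in enabled or "istio-proxy" in names:
            continue  # namespace not labelled, or sidecar present
        opted_out = (meta.get("annotations") or {}).get("sidecar.istio.io/inject") == "false"
        reason = "opted out by annotation" if opted_out else "created before label or injection failed"
        findings.append((meta["namespace"], meta["name"], reason))
    return findings

if __name__ == "__main__":
    for ns, name, reason in pods_without_sidecar(SAMPLE_NAMESPACES, SAMPLE_PODS):
        print(f"{ns}/{name}: no istio-proxy ({reason})")
```

Pods reported as created before the label pick up the sidecar once they are recreated.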
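3. Usage
4. AppSwitch
Istio has the problem of multiple proxy layers, as well as the issue of Envoy proxy latency settings. I am considering AppSwitch, which can strip out these layers; here is an explanatory diagram (it will be removed on request if it infringes). AppSwitch can also solve cross-subnet communication in Kubernetes.
AppSwitch test demo:
Deploy AppSwitch as a DaemonSet: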
git clone https://github.com/cuishuaigit/appswitch.git
kubectl apply -f appswitch.yaml
root@ku13-1:~# ax get nodes
NAME     CLUSTER    IP            EXTERNALIP   ROLE        APPCOUNT
-----------------------------------------------------------------
ku13-5   cluster0   10.1.80.149                [compute]   0
ku13-1   cluster0   10.2.68.77                 [compute]   0
ku13-2   cluster0   10.2.73.110                [compute]   1
ku13-3   cluster0   10.2.83.248                [compute]   0
Deploy nginx-demo:
kubectl apply -f nginx-demo.yaml
Access:
root@k3-1:/data/appswitch# ax get vservices
VSNAME       VSTYPE   VSIP      VSPORTS     VSBACKENDIPS   VSAPPIDS
----------------------------------------------------------------------------------------------
nginx-demo   Random   1.1.1.1   [{80 80}]   []             [30d2f4g1-6194-4d95-bcvc-6c785c9f0237]
root@k3-1:/data/appswitch# ax run -- curl -I nginx-demo
HTTP/1.1 200 OK
Server: nginx/1.15.10
Date: Mon, 01 Apr 2019 13:52:24 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 26 Mar 2019 14:04:38 GMT
Connection: keep-alive
ETag: "5c9a3176-264"
Accept-Ranges: bytes
Cross-subnet access:
root@ku13-5:~# ax run -- curl -I nginx-demo
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Tue, 16 Apr 2019 08:39:17 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 09 Apr 2019 11:20:51 GMT
Connection: keep-alive
ETag: "5cac8013-264"
Accept-Ranges: bytes
References:
http://appswitch.io/blog/kubernetes_istio_and_network_function_devirtualization_with_appswitch/
https://appswitch.readthedocs.io/en/latest/reading.html
https://appswitch.readthedocs.io/en/latest/integrations.html
https://istio.io/blog/2018/delayering-istio/