istio
istio1.5后版本包括组件:
控制平面: istiod(pilot,citadel,galley)
数据平面: istio-proxy(envoy开发版)
ingress gateway
egress gateway
addons
部署控制平面
下载地址
https://github.com/istio/istio/releases
$ tar xf istio-1.14.1-linux-amd64.tar.gz
$ echo "export PATH=\$PATH:/root/istio/istio-1.14.1/bin" >>/etc/profile
$ source /etc/profile
列出支持的profile
$ istioctl profile list
Istio configuration profiles:
default
demo
empty
external
minimal
openshift
preview
remote
yaml 格式打印出profile 的资源配置清单。istioctl profile dump
等价于 istioctl profile dump default
$ istioctl profile dump
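# Output of `istioctl profile dump` (default profile, Istio 1.14.1), re-indented.
# The first line read `piVersion` in the original transcript; the field is
# `apiVersion`, and without it this is not a valid IstioOperator manifest.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    base:
      enabled: true
    cni:
      enabled: false  # CNI plugin off; traffic redirection presumably falls to the proxy_init container listed under values.global below
    egressGateways:
      - enabled: false  # no egress gateway in the default profile
        name: istio-egressgateway
    ingressGateways:
      - enabled: true
        name: istio-ingressgateway
    istiodRemote:
      enabled: false
    pilot:
      enabled: true
  hub: docker.io/istio  # all control- and data-plane images are pulled from this registry
  meshConfig:
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
  profile: default
  tag: 1.14.1  # pinned image tag; parses as a string because it has two dots
  values:
    base:
      enableCRDTemplates: false
      validationURL: ""
    defaultRevision: ""
    gateways:
      istio-egressgateway:
        autoscaleEnabled: true
        env: {}
        name: istio-egressgateway
        secretVolumes:
          - mountPath: /etc/istio/egressgateway-certs
            name: egressgateway-certs
            secretName: istio-egressgateway-certs
          - mountPath: /etc/istio/egressgateway-ca-certs
            name: egressgateway-ca-certs
            secretName: istio-egressgateway-ca-certs
        type: ClusterIP  # egress gateway is reachable only inside the cluster
      istio-ingressgateway:
        autoscaleEnabled: true
        env: {}
        name: istio-ingressgateway
        secretVolumes:
          - mountPath: /etc/istio/ingressgateway-certs
            name: ingressgateway-certs
            secretName: istio-ingressgateway-certs
          - mountPath: /etc/istio/ingressgateway-ca-certs
            name: ingressgateway-ca-certs
            secretName: istio-ingressgateway-ca-certs
        type: LoadBalancer  # ingress gateway gets an externally reachable address from the cloud provider
    global:
      configValidation: true  # admission webhook validates Istio resources on apply
      defaultNodeSelector: {}
      defaultPodDisruptionBudget:
        enabled: true
      defaultResources:
        requests:
          cpu: 10m
      imagePullPolicy: ""
      imagePullSecrets: []  # public registry above, so no pull credentials are configured
      istioNamespace: istio-system
      istiod:
        enableAnalysis: false
      jwtPolicy: third-party-jwt  # workloads authenticate to istiod with projected SA tokens (audience under sds.token.aud)
      logAsJson: false
      logging:
        level: default:info
      meshNetworks: {}
      mountMtlsCerts: false
      multiCluster:
        clusterName: ""
        enabled: false
      network: ""
      omitSidecarInjectorConfigMap: false
      oneNamespace: false
      operatorManageWebhooks: false
      pilotCertProvider: istiod  # istiod itself acts as the CA for workload certificates
      priorityClassName: ""
      proxy:
        autoInject: enabled  # sidecar injected into namespaces labelled istio-injection=enabled (see the kubectl label step below)
        clusterDomain: cluster.local
        componentLogLevel: misc:error
        enableCoreDump: false  # keep off: a core dump would write proxy memory, including key material, to the node
        excludeIPRanges: ""
        excludeInboundPorts: ""
        excludeOutboundPorts: ""
        image: proxyv2
        includeIPRanges: '*'  # quoted: a bare * is a YAML alias sigil; '*' means every outbound destination is captured by the sidecar
        logLevel: warning
        privileged: false  # sidecar runs unprivileged
        readinessFailureThreshold: 30
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        statusPort: 15020  # health/metrics port exposed by the sidecar agent
        tracer: zipkin
      proxy_init:
        image: proxyv2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 10Mi
      sds:
        token:
          aud: istio-ca  # audience stamped on the projected token referenced by jwtPolicy above
      sts:
        servicePort: 0
      tracer:
        datadog: {}
        lightstep: {}
        stackdriver: {}
        zipkin: {}
      useMCP: false
    istiodRemote:
      injectionURL: ""
    pilot:
      autoscaleEnabled: true
      autoscaleMax: 5
      autoscaleMin: 1
      configMap: true
      cpu:
        targetAverageUtilization: 80
      enableProtocolSniffingForInbound: true
      enableProtocolSniffingForOutbound: true
      env: {}
      image: pilot
      keepaliveMaxServerConnectionAge: 30m
      nodeSelector: {}
      podLabels: {}
      replicaCount: 1
      traceSampling: 1  # presumably a percentage of requests traced — confirm against the Istio values reference
    telemetry:
      enabled: true
      v2:
        enabled: true
        metadataExchange:
          wasmEnabled: false
        prometheus:
          enabled: true
          wasmEnabled: false
        stackdriver:
          configOverride: {}
          enabled: false
          logging: false
          monitoring: false
          topology: false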
部署istio 到k8s ,默认部署到istio-system 名称空间
$ istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
功能测试
创建一个名称空间自动注入数据平面sidecar
$ kubectl create ns test
$ kubectl label namespace test istio-injection=enabled
基础环境
创建pod
$ kubectl run base --image=python -n test -- python -m http.server
创建svc
$ kubectl create svc clusterip base --tcp 8000:8000 -n test
$ kubectl label pod base app=base -n test
通过istio的gateway 把服务暴露出去
# Expose the `base` service (namespace test) through the shared ingress gateway.
# Gateway and VirtualService live in istio-system; the DestinationRule sits
# next to the service it describes, in test.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: test-web  # 1: referenced from spec.gateways in the VirtualService below
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway  # bind this Gateway to the ingress gateway pods by label
  servers:
    - name: test-web
      hosts:
        - "test-web.wed.com"  # 2: must be repeated under the VirtualService hosts
      port:
        name: test-web
        number: 80
        protocol: http  # plaintext listener: no tls block here, so client traffic to this host is unencrypted up to the gateway
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web  # 1: same namespace as the Gateway, so the short name resolves
  hosts:
    - "test-web.wed.com"  # 2
  http:
    - route:
        - destination:
            host: base.test.svc.cluster.local  # FQDN of the clusterip svc created with kubectl above
            port:
              number: 8000
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local  # no subsets or trafficPolicy yet; placeholder that later sections extend
$ istioctl proxy-config listeners base -n test
$ istioctl proxy-config clusters base -n test
$ istioctl proxy-config routes base -n test
集群子集
- 版本1
$ kubectl run basev1 --image=python -n test -- sh -c "cd tmp;python -m http.server"
$ kubectl create svc clusterip base --tcp 8000:8000 -n test
$ kubectl label pod basev1 app=base version=v1 -n test
- 版本2
$ kubectl run basev2 --image=python -n test -- python -m http.server
$ kubectl create svc clusterip base --tcp 8000:8000 -n test
$ kubectl label pod basev2 app=base version=v2 -n test
# Pin the gateway route to one subset; the DestinationRule defines the subsets
# by pod label (version=v1 / version=v2 as applied with kubectl label above).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web
  hosts:
    - "test-web.wed.com"
  http:
    - route:
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
            subset: v1  # must name a subset declared in the DestinationRule below
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1  # matched against the pod's metadata.labels
    - name: v2
      labels:
        version: v2
权重
# Weighted split between the two subsets; weights sum to 100.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web
  hosts:
    - "test-web.wed.com"
  http:
    - route:
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
            subset: v1
          weight: 20  # 20% of requests to v1
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
            subset: v2
          weight: 80  # 80% of requests to v2
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1  # matched against the pod's metadata.labels
    - name: v2
      labels:
        version: v2
故障注入.中断
---
# Fault injection, abort: half of the requests are answered with 503 by the
# proxy and never reach the workload. Remove the fault block to restore normal
# routing; this is a test aid, not something to leave on a production route.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web
  hosts:
    - "test-web.wed.com"
  http:
    - route:
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
      fault:
        abort:
          httpStatus: 503
          percentage:
            value: 50  # percent of requests aborted
故障注入.延迟
---
# Fault injection, delay: half of the requests are held for 10 s before being
# forwarded. Useful for exercising client timeouts; remove when done.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web
  hosts:
    - "test-web.wed.com"
  http:
    - route:
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
      fault:
        delay:
          fixedDelay: 10s
          percentage:
            value: 50  # percent of requests delayed
操作标头
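# Header manipulation on the gateway route. The original listing repeated the
# add/set/remove trio a third time after `response`; with indentation restored
# that block can only land as a duplicate key (most parsers silently keep the
# last value) or as an unknown field under `headers`, so it is dropped here.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web
  hosts:
    - "test-web.wed.com"
  http:
    - route:
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
      headers:  # route-level manipulation; the same request/response block is also accepted under a single route[] entry
        request:
          # headers applied to the request before it reaches the workload
          add:
            vip-level: v3
          set:
            User-Agent: Chrome  # overwrites whatever the client sent
          remove:
            - method  # NOTE(review): `method` is not a regular header name; confirm this removes anything at all
        response:
          # headers rewritten on the reply sent back to the client
          add:
            vip-level: v3
          set:
            User-Agent: Chrome
          remove:
            - method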
match 类似nginx 中location
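# Content-based routing: requests carrying both headers go to subset v1, every
# other request falls through to the unversioned default route. The match is on
# client-supplied headers, so anyone can steer themselves to v1 by sending them;
# treat it as a routing hint, not as access control.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
    - test-web
  hosts:
    - "test-web.wed.com"
  http:
    - match:
        - headers:
            # Istio's HTTPMatchRequest requires lowercase, hyphenated header
            # keys; the original `User-Agent:` does not meet that rule. The
            # curl below may still send it capitalised, header names being
            # case-insensitive on the wire.
            user-agent:
              exact: Chrome
            vip:
              exact: "true"  # quoted: a bare true is a YAML boolean, not the string the header carries
      route:
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
            subset: v1
    - route:  # default route with no match; rules are evaluated in order, so it must stay last
        - destination:
            host: base.test.svc.cluster.local
            port:
              number: 8000
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1  # matched against the pod's metadata.labels
    - name: v2
      labels:
        version: v2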
curl -H "User-Agent: Chrome" -H "vip: true" http://test-web.wed.com