istio

istio1.5后版本包括组件:

控制平面: istiod(pilot,citadel,galley)
数据平面: istio-proxy(envoy开发版)
ingress gateway
egress gateway
addons

部署控制平面

下载地址
https://github.com/istio/istio/releases
 
$ tar xf istio-1.14.1-linux-amd64.tar.gz
$ echo "export PATH=\$PATH:/root/istio/istio-1.14.1/bin" >>/etc/profile
$ source /etc/profile

列出支持的profile

$ istioctl profile list
Istio configuration profiles:
    default
    demo
    empty
    external
    minimal
    openshift
    preview
    remote

yaml 格式打印出profile 的资源配置清单。istioctl profile dump 等价于 istioctl profile dump default

$ istioctl  profile dump
piVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    base:
      enabled: true
    cni:
      enabled: false
    egressGateways:
    - enabled: false
      name: istio-egressgateway
    ingressGateways:
    - enabled: true
      name: istio-ingressgateway
    istiodRemote:
      enabled: false
    pilot:
      enabled: true
  hub: docker.io/istio
  meshConfig:
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
  profile: default
  tag: 1.14.1
  values:
    base:
      enableCRDTemplates: false
      validationURL: ""
    defaultRevision: ""
    gateways:
      istio-egressgateway:
        autoscaleEnabled: true
        env: {}
        name: istio-egressgateway
        secretVolumes:
        - mountPath: /etc/istio/egressgateway-certs
          name: egressgateway-certs
          secretName: istio-egressgateway-certs
        - mountPath: /etc/istio/egressgateway-ca-certs
          name: egressgateway-ca-certs
          secretName: istio-egressgateway-ca-certs
        type: ClusterIP
      istio-ingressgateway:
        autoscaleEnabled: true
        env: {}
        name: istio-ingressgateway
        secretVolumes:
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          secretName: istio-ingressgateway-certs
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          secretName: istio-ingressgateway-ca-certs
        type: LoadBalancer
    global:
      configValidation: true
      defaultNodeSelector: {}
      defaultPodDisruptionBudget:
        enabled: true
      defaultResources:
        requests:
          cpu: 10m
      imagePullPolicy: ""
      imagePullSecrets: []
      istioNamespace: istio-system
      istiod:
        enableAnalysis: false
      jwtPolicy: third-party-jwt
      logAsJson: false
      logging:
        level: default:info
      meshNetworks: {}
      mountMtlsCerts: false
      multiCluster:
        clusterName: ""
        enabled: false
      network: ""
      omitSidecarInjectorConfigMap: false
      oneNamespace: false
      operatorManageWebhooks: false
      pilotCertProvider: istiod
      priorityClassName: ""
      proxy:
        autoInject: enabled
        clusterDomain: cluster.local
        componentLogLevel: misc:error
        enableCoreDump: false
        excludeIPRanges: ""
        excludeInboundPorts: ""
        excludeOutboundPorts: ""
        image: proxyv2
        includeIPRanges: '*'
        logLevel: warning
        privileged: false
        readinessFailureThreshold: 30
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        statusPort: 15020
        tracer: zipkin
      proxy_init:
        image: proxyv2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 10Mi
      sds:
        token:
          aud: istio-ca
      sts:
        servicePort: 0
      tracer:
        datadog: {}
        lightstep: {}
        stackdriver: {}
        zipkin: {}
      useMCP: false
    istiodRemote:
      injectionURL: ""
    pilot:
      autoscaleEnabled: true
      autoscaleMax: 5
      autoscaleMin: 1
      configMap: true
      cpu:
        targetAverageUtilization: 80
      enableProtocolSniffingForInbound: true
      enableProtocolSniffingForOutbound: true
      env: {}
      image: pilot
      keepaliveMaxServerConnectionAge: 30m
      nodeSelector: {}
      podLabels: {}
      replicaCount: 1
      traceSampling: 1
    telemetry:
      enabled: true
      v2:
        enabled: true
        metadataExchange:
          wasmEnabled: false
        prometheus:
          enabled: true
          wasmEnabled: false
        stackdriver:
          configOverride: {}
          enabled: false
          logging: false
          monitoring: false
          topology: false

部署istio 到k8s ,默认部署到istio-system 名称空间

$ istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete

功能测试

创建一个名称空间自动注入数据平面sidecar

$ kubectl create ns test
$ kubectl label namespace test istio-injection=enabled

基础环境

创建pod
$ kubectl run base --image=python -n test -- python -m http.server 
创建svc
$ kubectl create svc clusterip base --tcp 8000:8000 -n test
 
$ kubectl label pod base app=base -n test

通过istio的gateway 把服务暴露出去

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: test-web	# 1
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway  # 选择指定gateway
  servers:
  - name: test-web 
    hosts:
    - "test-web.wed.com"  # 2
    port:
      name: test-web
      number: 80
      protocol: http
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web	# 1
  hosts:
  - "test-web.wed.com" # 2
  http:
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
$ istioctl proxy-config listeners base -n test
$ istioctl proxy-config clusters base -n test
$ istioctl proxy-config routes base -n test

集群子集

  • 版本1
$ kubectl run basev1 --image=python -n test -- sh -c "cd tmp;python -m http.server" 
$ kubectl create 	svc clusterip base --tcp 8000:8000 -n test
 
$ kubectl label pod basev1 app=base version=v1 -n test
  • 版本2
$ kubectl run basev2 --image=python -n test -- python -m http.server
$ kubectl create svc clusterip base --tcp 8000:8000 -n test 
$ vkubectl label pod basev2 app=base version=v2 -n test
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web
  hosts:
  - "test-web.wed.com"
  http:
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
        subset: v1
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1  # 匹配pod.spec.metadata.labels
  - name: v2
    labels:
      version: v2

权重

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web
  hosts:
  - "test-web.wed.com"
  http:
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
        subset: v1
      weight: 20
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
        subset: v2
      weight: 80
 
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1  # 匹配pod.spec.metadata.labels
  - name: v2
    labels:
      version: v2

故障注入.中断

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web
  hosts:
  - "test-web.wed.com"
  http:
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
    fault:
      abort:
        httpStatus: 503
        percentage:
          value: 50

故障注入.延迟

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web
  hosts:
  - "test-web.wed.com"
  http:
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
    fault:
      delay:
        fixedDelay: 10s
        percentage:
          value: 50

操作标头

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web
  hosts:
  - "test-web.wed.com"
  http:
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
    headers:
      request:
      # 添加请求标头
        add:
          vip-level: v3
        set:
          User-Agent: Chrome
        remove:
        - method
      response:
        add:
          vip-level: v3
        set:
          User-Agent: Chrome
        remove:
        - method
      # 添加请求标头
        add:
          vip-level: v3
        set:
          User-Agent: Chrome
        remove:
        - method

match 类似nginx 中location

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test-web
  namespace: istio-system
spec:
  gateways:
  - test-web
  hosts:
  - "test-web.wed.com"
  http:
  - match:
    - headers:
        User-Agent:
          exact: Chrome
        vip:
          exact: "true"
    route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
        subset: v1
  - route:
    - destination:
        host: base.test.svc.cluster.local
        port:
          number: 8000
          
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: base
  namespace: test
spec:
  host: base.test.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1  # 匹配pod.spec.metadata.labels
  - name: v2
    labels:
      version: v2
curl -H "User-Agent: Chrome" -H "vip: true" http://test-web.wed.com
posted @   mingtian是吧  阅读(65)  评论(0编辑  收藏  举报
相关博文:
· kubectl
· envoy
· 安装Istio及基础用法
· istio服务治理
· 使用 Istioctl 安装 istio
阅读排行:
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· 葡萄城 AI 搜索升级:DeepSeek 加持,客户体验更智能
· 什么是nginx的强缓存和协商缓存
· 一文读懂知识蒸馏
点击右上角即可分享
微信分享提示