安装Istio及基础用法
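- 下载istio(该脚本默认下载最新版本,而后文按 istio-1.14.1 操作,可用 curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.1 sh - 固定版本;把远程脚本直接通过管道交给 sh 执行前,建议先下载并检查脚本内容)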
curl -L https://istio.io/downloadIstio | sh
创建符号链接
ln -sv istio-1.14.1 istio
ln -sv /root/istio/bin/istioctl /usr/local/bin/istioctl
查看版本
istioctl version
列出istio配置文件
istioctl profile list
default:生产可用
demo:测试环境
部署
istioctl install --set profile=demo
第二种部署方法:先导出配置文件,按需修改后再部署并校验(两种方法任选其一)
istioctl profile dump demo >/root/istio-profiles/demo.yaml
vim /root/istio-profiles/demo.yaml #根据自己的需求修改
istioctl apply -f /root/istio-profiles/demo.yaml -y
istioctl verify-install -f /root/istio-profiles/demo.yaml
再次查看version多了数据平面和控制平面
查看istio的pod、svc
手动添加外部ip
kubectl edit svc istio-ingressgateway -n istio-system
再查看svc
打标签 允许自动注入
kubectl label namespace default istio-injection=enabled
运行一个容器尝试一下
kubectl run client-$RANDOM --image=ikubernetes/admin-box:v1.2 --restart=Never -it --rm --command -- /bin/bash
查看自动注入的第二个容器(istio-proxy sidecar)
kubectl get pods -o yaml
安装istio插件(samples/addons 下的Prometheus、Grafana、Jaeger、Kiali是演示用配置,未针对安全和性能加固,不要直接用于生产)
cd istio
kubectl apply -f samples/addons/
创建sleep pod
[root@master 01-demoapp-v10]# kubectl apply -f /usr/local/istio/samples/sleep/sleep.yaml
创建demoapp v10
[root@master 01-demoapp-v10]# git clone https://github.com/iKubernetes/istio-in-practise.git
[root@master 01-demoapp-v10]# cd /root/istio-in-practise/Traffic-Management-Basics/ms-demo/01-demoapp-v10
[root@master 01-demoapp-v10]# kubectl apply -f deploy-demoapp.yaml
deployment.apps/demoappv10 created
service/demoappv10 created
[root@master 01-demoapp-v10]# kubectl get pods
NAME READY STATUS RESTARTS AGE
demoappv10-85cf87cdb4-2gg6q 2/2 Running 0 32m
demoappv10-85cf87cdb4-v5pz9 2/2 Running 0 32m
demoappv10-85cf87cdb4-wfh5r 2/2 Running 0 32m
sleep-78ff5975c6-m2dr8 2/2 Running 0 30m
访问测试
[root@master 01-demoapp-v10]# kubectl exec -it sleep-78ff5975c6-m2dr8 -- /bin/sh
/ $
/ $
/ $
/ $ curl demoappv10:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-2gg6q, ServerIP: 10.244.104.7!
/ $ curl demoappv10:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-v5pz9, ServerIP: 10.244.166.159!
/ $ curl demoappv10:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-wfh5r, ServerIP: 10.244.104.24!
/ $ curl demoappv10:8080
iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-2gg6q, ServerIP: 10.244.104.7!
查看网格中每个Envoy的同步状态 SYNCED表示同步完成了
[root@master 01-demoapp-v10]# istioctl proxy-status
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
demoappv10-85cf87cdb4-2gg6q.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-58c6454c57-5dkp9 1.14.1
demoappv10-85cf87cdb4-v5pz9.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-58c6454c57-5dkp9 1.14.1
demoappv10-85cf87cdb4-wfh5r.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-58c6454c57-5dkp9 1.14.1
istio-egressgateway-5bdd756dfd-wzfcn.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-58c6454c57-5dkp9 1.14.1
istio-ingressgateway-67f7b5f88d-5stjr.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-58c6454c57-5dkp9 1.14.1
sleep-78ff5975c6-m2dr8.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-58c6454c57-5dkp9 1.14.1
查看istio侦听器
[root@master 01-demoapp-v10]# istioctl proxy-config listeners sleep-78ff5975c6-m2dr8
查看侦听器8080被路由给谁了
[root@master 01-demoapp-v10]# istioctl proxy-config route sleep-78ff5975c6-m2dr8
查看路由到的集群
[root@master 01-demoapp-v10]# istioctl proxy-config clusters sleep-78ff5975c6-m2dr8
查看后端端点
[root@master 01-demoapp-v10]# istioctl proxy-config endpoints sleep-78ff5975c6-m2dr8 | grep demoapp
10.244.104.24:8080 HEALTHY OK outbound|8080||demoappv10.default.svc.cluster.local
10.244.104.7:8080 HEALTHY OK outbound|8080||demoappv10.default.svc.cluster.local
10.244.166.159:8080 HEALTHY OK outbound|8080||demoappv10.default.svc.cluster.local
创建一个gateway后,istio-ingressgateway多了一个8080端口的侦听器,就是我们新创建的gateway生成的。注意:Gateway中定义的80端口在ingress gateway的Envoy侦听器中显示为8080(istio-ingressgateway这个Service的80端口对应Pod的8080端口)
[root@master 04-proxy-gateway]# cat /tmp/gateway-demoapp.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: demoapp-gateway
  namespace: istio-system # 要指定为ingress gateway pod所在名称空间
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "demoapp.yang.com"
[root@master 04-proxy-gateway]# kubectl apply -f /tmp/gateway-demoapp.yaml
gateway.networking.istio.io/demoapp-gateway created
[root@master 04-proxy-gateway]# kubectl get gw -n istio-system
NAME AGE
demoapp-gateway 11s
[root@master 04-proxy-gateway]# kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-56bdf8bf85-jh7bg 1/1 Running 1 (12h ago) 15h
istio-egressgateway-5bdd756dfd-wzfcn 1/1 Running 1 (12h ago) 17h
istio-ingressgateway-67f7b5f88d-5stjr 1/1 Running 1 (12h ago) 17h
istiod-58c6454c57-5dkp9 1/1 Running 2 (12h ago) 17h
jaeger-c4fdf6674-tk9bj 1/1 Running 1 (12h ago) 15h
kiali-5ff49b9f69-q5nb9 1/1 Running 1 (12h ago) 15h
prometheus-85949fddb-jwngv 2/2 Running 2 (12h ago) 15h
[root@master 04-proxy-gateway]# istioctl pc listeners istio-ingressgateway-67f7b5f88d-5stjr.istio-system
ADDRESS PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
[root@master tmp]# kubectl describe svc istio-ingressgateway -n istio-system
再创建一个kiali的gateway(仅限测试环境:这里用明文HTTP把Kiali控制台暴露到网格外,对外开放前应启用TLS和登录认证,并限制来源地址)
[root@master tmp]# kubectl apply -f kiali-gateway.yaml
gateway.networking.istio.io/kiali-gateway created
[root@master tmp]# cat kiali-gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system # 要指定为ingress gateway pod所在名称空间
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 20001
      name: http
      protocol: HTTP
    hosts:
    - "kiali.yang.com"
[root@master tmp]# istioctl pc listeners istio-ingressgateway-67f7b5f88d-5stjr.istio-system
ADDRESS PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
0.0.0.0 20001 ALL Route: http.20001
创建一个virtualservice,把到达网关、主机头为demoapp.yang.com的流量转发到网格内部default名称空间下的demoappv10
[root@master tmp]# kubectl apply -f virtualservice-demoapp.yaml
virtualservice.networking.istio.io/demoapp created
[root@master tmp]# cat virtualservice-demoapp.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: demoapp
spec:
  hosts:
  - "demoapp.yang.com" # 对应于gateways/demoapp-gateway
  gateways:
  - istio-system/demoapp-gateway # 相关定义仅应用于Ingress Gateway上
  #- mesh
  http:
  - name: default
    route:
    - destination:
        host: demoappv10
[root@master tmp]# kubectl get vs
NAME GATEWAYS HOSTS AGE
demoapp ["istio-system/demoapp-gateway"] ["demoapp.yang.com"] 2m59s
#可以看到8080端口上DOMAINS为demoapp.yang.com的流量已经路由到VIRTUAL SERVICE demoapp.default了;http.20001还没有绑定VirtualService,所以显示404
[root@master tmp]# istioctl pc routes istio-ingressgateway-67f7b5f88d-5stjr.istio-system
NAME DOMAINS MATCH VIRTUAL SERVICE
http.8080 demoapp.yang.com /* demoapp.default
http.20001 * /* 404
* /healthz/ready*
* /stats/prometheus*
做好本地域名解析后直接用浏览器访问,这样就把网格内部的服务发布到集群外了。注意此处是明文HTTP,仅适合测试;正式对外发布应在Gateway上配置TLS。
创建一个destinationrule
[root@master tmp]# kubectl apply -f destinationrule-demoapp.yaml
destinationrule.networking.istio.io/demoapp created
[root@master tmp]# cat destinationrule-demoapp.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demoapp
spec:
  host: demoappv10 #必须为后端SVC服务名
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN #负载均衡算法
[root@master tmp]# kubectl get dr
NAME HOST AGE
demoapp demoappv10 7s
可以看到 demoappv10.default.svc.cluster.local已经有了DESTINATION RULE规则了
[root@master tmp]# istioctl pc cluster sleep-78ff5975c6-m2dr8
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
demoappv10.default.svc.cluster.local 8080 - outbound EDS demoapp.default
grafana.istio-system.svc.cluster.local 3000 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 31400 - outbound EDS
istiod.istio-system.svc.cluster.local 443 - outbound EDS
istiod.istio-system.svc.cluster.local 15010 - outbound EDS
istiod.istio-system.svc.cluster.local 15012 - outbound EDS
istiod.istio-system.svc.cluster.local 15014 - outbound EDS
jaeger-collector.istio-system.svc.cluster.local 9411 - outbound EDS
jaeger-collector.istio-system.svc.cluster.local 14250 - outbound EDS
jaeger-collector.istio-system.svc.cluster.local 14268 - outbound EDS
kiali.istio-system.svc.cluster.local 9090 - outbound EDS
kiali.istio-system.svc.cluster.local 20001 - outbound EDS
kube-dns.kube-system.svc.cluster.local 53 - outbound EDS
kube-dns.kube-system.svc.cluster.local 9153 - outbound EDS
kubelet.kube-system.svc.cluster.local 4194 - outbound ORIGINAL_DST
kubelet.kube-system.svc.cluster.local 10250 - outbound ORIGINAL_DST
kubelet.kube-system.svc.cluster.local 10255 - outbound ORIGINAL_DST
kubernetes.default.svc.cluster.local 443 - outbound EDS
prometheus.istio-system.svc.cluster.local 9090 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
sleep.default.svc.cluster.local 80 - outbound EDS
tracing.istio-system.svc.cluster.local 80 - outbound EDS
tracing.istio-system.svc.cluster.local 16685 - outbound EDS
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
zipkin.istio-system.svc.cluster.local 9411 - outbound EDS
[root@master tmp]# istioctl pc clusters --fqdn demoappv10.default.svc.cluster.local sleep-78ff5975c6-m2dr8
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
demoappv10.default.svc.cluster.local 8080 - outbound EDS demoapp.default
查看创建的负载均衡规则
下载马哥的相关代码 ,并创建kiali
git clone https://github.com/iKubernetes/istio-in-practise.git
cd istio-in-practise/Traffic-Management-Basics
kubectl apply -f kiali-port-80/
在自己本地的hosts文件添加解析
10.211.55.23 kiail.magedu.com
直接浏览器访问 kiail.magedu.com
部署bookinfo
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
创建客户端
kubectl apply -f samples/sleep/sleep.yaml
进入到sleep中直接访问productpage
将 productpage开放外部访问
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
直接浏览器访问外部IP
模拟持续访问
while true; do elinks --dump 10.211.55.24/productpage; sleep 0.$RANDOM; done
回到kiali查看采集信息
创建destination-rule
kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
创建访问v1的定义
kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
创建v2规则
kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
直接访问web是不带星的版本
以jason用户登录后访问是带星的版本
再次查看kiali也访问到了v2
部署档案:profile
istioctl apply/install --set profile=<PROFILE> --set ...
istioctl profile dump <NAME> > /path/to/profile.yaml
istioctl apply/install -f /path/to/profile.yaml
部署在istio-system名称空间下
控制平面的名称空间,服务网格的root namespace
istioctl x uninstall --purge:卸载控制平面组件(--purge 会删除所有版本的Istio相关资源,包括集群级资源,执行前确认集群中没有仍需保留的Istio部署)
调整网格级别控制平面的配置:支持基于已经部署调整配置
istioctl apply/install
部署档案对应存在Kubernetes原生格式的资源配置:
istioctl manifest generate --set profile=demo | kubectl apply -f -