Deploying Istio 1.8.2

2021-03-14 08:03:17

Deploy the latest Istio release, 1.8.2, on a Mac and use Kiali to observe traffic across the full call chain.

Although Tencent Cloud's container service already provides a service mesh, you still need to set one up yourself for local debugging.

What is Istio

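K8S provides cluster deployment and operations capabilities, while Istio provides traffic management and control. That is the difference between K8S and Istio.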

  • Istio core capabilities (figure)
  • Istio architecture diagram (figure)

The following quotes the official Istio explanation.

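Why use Istio? Istio makes it easy to create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, with few or no changes to the service code. You add Istio support to services by deploying a special sidecar proxy throughout your environment that intercepts all network communication between microservices, then configure and manage Istio using its control plane functionality, which includes:

  • Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
  • Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
  • A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas.
  • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.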

Today we deploy Istio on Docker for macOS and try out its traffic management capabilities.

k8s: 1.19.3

1. Install the Istio client (istioctl)

1.1 Download the release package

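Install the latest Istio client, 1.8.2. Running the automatic install script below fetches the latest version (including the release package) automatically.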

This installation is on macOS, so the script automatically fetched the istio-1.8.2-osx.tar.gz build.

$ curl -L https://istio.io/downloadIstio | sh -

Downloading istio-1.8.2 from https://github.com/istio/istio/releases/download/1.8.2/istio-1.8.2-osx.tar.gz ...
Istio 1.8.2 Download Complete!

Istio has been successfully downloaded into the istio-1.8.2 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /Users/xxx/github/istio/istio-1.8.2/bin directory to your environment path variable with:
	 export PATH="$PATH:/Users/xxx/github/istio/istio-1.8.2/bin"

Begin the Istio pre-installation check by running:
	 istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

If you hit the following error during installation, download the client yourself from the GitHub repository.

curl: (7) Failed to connect to raw.githubusercontent.com port 443: Connection refused

1.2 Set the environment variable

$ cd istio-1.8.2
$ export PATH=$PWD/bin:$PATH

To make this permanent, add the absolute path of istio-1.8.2/bin to the PATH variable declared in ~/.bash_profile.

1.3 Check the runtime environment

Everything is in order.

$ istioctl x precheck

Checking the cluster to make sure it is ready for Istio installation...

#1. Kubernetes-api
-----------------------
Can initialize the Kubernetes client.
Can query the Kubernetes API Server.

#2. Kubernetes-version
-----------------------
Istio is compatible with Kubernetes: v1.19.3.

#3. Istio-existence
-----------------------
Istio will be installed in the istio-system namespace.

#4. Kubernetes-setup
-----------------------
Can create necessary Kubernetes configurations: Namespace,ClusterRole,ClusterRoleBinding,CustomResourceDefinition,Role,ServiceAccount,Service,Deployments,ConfigMap.

#5. SideCar-Injector
-----------------------
This Kubernetes cluster supports automatic sidecar injection. To enable automatic sidecar injection see https://istio.io/v1.8/docs/setup/additional-setup/sidecar-injection/#deploying-an-app

-----------------------
Install Pre-Check passed! The cluster is ready for Istio installation.

2. Install Istio

2.1 Install Istio

Install Istio's core components.

$  istioctl install --set profile=demo -y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.8/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete

Use kubectl to see that the following resources were installed in the istio-system namespace:

$ kubectl get all -n=istio-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/istio-egressgateway-c9c55457b-xbh5r     1/1     Running   0          20m
pod/istio-ingressgateway-865d46c7f5-7f5c7   1/1     Running   0          20m
pod/istiod-7f785478df-jk87p                 1/1     Running   0          21m

NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
service/istio-egressgateway    ClusterIP      10.99.161.192   <none>        80/TCP,443/TCP,15443/TCP                                                     20m
service/istio-ingressgateway   LoadBalancer   10.111.204.43   localhost     15021:30101/TCP,80:30856/TCP,443:30365/TCP,31400:30507/TCP,15443:32107/TCP   20m
service/istiod                 ClusterIP      10.96.86.16     <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                                        21m

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-egressgateway    1/1     1            1           20m
deployment.apps/istio-ingressgateway   1/1     1            1           20m
deployment.apps/istiod                 1/1     1            1           21m

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.apps/istio-egressgateway-c9c55457b     1         1         1       20m
replicaset.apps/istio-ingressgateway-865d46c7f5   1         1         1       20m
replicaset.apps/istiod-7f785478df                 1         1         1       21m

2.2 Enable automatic injection for the default namespace

Once automatic injection is enabled, a sidecar container is added to each Pod to control that Pod's traffic.

$ kubectl label namespace default istio-injection=enabled
namespace/default labeled

List the namespaces that currently have automatic injection enabled:

$ kubectl get ns --show-labels=true
NAME                   STATUS   AGE     LABELS
default                Active   6d13h   istio-injection=enabled
istio-system           Active   6m52s   istio-injection=disabled
kube-node-lease        Active   6d13h   <none>
kube-public            Active   6d13h   <none>
kube-system            Active   6d13h   <none>
kubernetes-dashboard   Active   5d21h   <none>
ops                    Active   6d11h   <none>
query-ip               Active   6d11h   <none>

3. Deploy the demo application

Deploy an application to make Istio's features easier to understand.

3.1 Deploy the Bookinfo sample

~/github/istio/istio-1.8.2$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created

3.2 Check that the deployment has completed

~/github/istio/istio-1.8.2$ kubectl get all
NAME                                  READY   STATUS    RESTARTS   AGE
pod/details-v1-79c697d759-cw5sk       2/2     Running   0          5m48s
pod/productpage-v1-65576bb7bf-tj9m5   2/2     Running   0          5m47s
pod/ratings-v1-7d99676f7f-g79zp       2/2     Running   0          5m47s
pod/reviews-v1-987d495c-cr2bv         2/2     Running   0          5m47s
pod/reviews-v2-6c5bf657cf-s46cm       2/2     Running   0          5m48s
pod/reviews-v3-5f7b9f4f77-t4tx2       2/2     Running   0          5m48s

NAME                  TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
service/details       ClusterIP      10.108.239.10   <none>        9080/TCP          5m48s
service/kubernetes    ClusterIP      10.96.0.1       <none>        443/TCP           6d14h
service/productpage   ClusterIP      10.96.172.155   <none>        9080/TCP          5m48s
service/ratings       ClusterIP      10.96.164.173   <none>        9080/TCP          5m48s
service/reviews       ClusterIP      10.98.231.42    <none>        9080/TCP          5m48s

The installation takes a while because the images are large.

$ docker images | grep istio/examples
istio/examples-bookinfo-reviews-v3              1.16.2                                                  83e6a8464b84   7 months ago    694MB
istio/examples-bookinfo-reviews-v2              1.16.2                                                  39cff5d782e1   7 months ago    694MB
istio/examples-bookinfo-reviews-v1              1.16.2                                                  181be23dc1af   7 months ago    694MB
istio/examples-bookinfo-ratings-v1              1.16.2                                                  99ce598b98cf   7 months ago    161MB
istio/examples-bookinfo-details-v1              1.16.2                                                  edf6b9bea3db   7 months ago    149MB
istio/examples-bookinfo-productpage-v1          1.16.2                                                  7f1e097aad6d   7 months ago    207MB

Once all Pods are in the Running state, access the application to confirm that the deployment is complete.

$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -s productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>

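4. Open the external traffic entry point

4.1 Create the Gateway and VirtualService configuration

  • First, review the configuration
    • gateway: only admits traffic on HTTP port 80 of service/istio-ingressgateway
    • virtualservice: routes traffic for URIs such as /productpage to the productpage service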
$ cat samples/bookinfo/networking/bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
  • Apply the configuration
$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
  • Validate the configuration; no issues found
$  istioctl analyze
✔ No validation issues found when analyzing namespace: default.
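
The sample Gateway accepts plaintext HTTP on port 80 for any hostname (`hosts: "*"`), which is convenient on a local machine. The following added example (not part of the original post or of Istio) is a small line-oriented audit that flags both settings in a manifest before it is reused on a shared cluster; the function names are hypothetical, and the sample input is the Gateway shown above plus a shortened VirtualService.

```shell
# Added example: flag Gateway settings that suit a local demo but not a shared cluster.
# Line-oriented check; assumes "kind:" appears before "spec:" in each YAML document.
audit_gateways() {
  awk '
    /^---/                    { kind = ""; name = ""; in_hosts = 0; next }
    /^kind:/                  { kind = $2 }
    /^  name:/ && name == ""  { name = $2 }
    kind != "Gateway"         { next }
    /^ +protocol: *HTTP *$/   { print name ": plaintext HTTP server" }
    /^ +hosts: *$/            { in_hosts = 1; next }
    in_hosts && /^ +- /       { h = $2; gsub(/"/, "", h)
                                if (h == "*") print name ": wildcard host"
                                next }
                              { in_hosts = 0 }
  ' "$1"
}

# Sample input: the page's Gateway plus a shortened VirtualService (ignored by the audit).
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_gateways "$sample"
rm -f "$sample"
```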

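4.2 Get the entry point for accessing the service

The traffic entry point is simply how the load balancer behind service/istio-ingressgateway is reached. The command below shows that the entry point is localhost:80.
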
$ kubectl get service/istio-ingressgateway -n istio-system
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.111.204.43   localhost     15021:30101/TCP,80:30856/TCP,443:30365/TCP,31400:30507/TCP,15443:32107/TCP   165m

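5. Access the demo application

Open http://localhost/productpage in a browser; the content differs each time the page is refreshed.

Figure: accessing the demo application

This does not yet show how the traffic flows, though; for that, deploy the traffic observation tool Kiali.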

6. Deploy the traffic observation tool Kiali

6.1 Deploy Kiali

  • Deploy
$ kubectl apply -f samples/addons
serviceaccount/grafana created
configmap/grafana created
service/grafana created
deployment.apps/grafana created
configmap/istio-grafana-dashboards created
configmap/istio-services-grafana-dashboards created
deployment.apps/jaeger created
service/tracing created
service/zipkin created
service/jaeger-collector created
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16 , unavailable in v1.22 ; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/monitoringdashboards.monitoring.kiali.io created
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
service/kiali created
deployment.apps/kiali created
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created
unable to recognize "samples/addons/kiali.yaml": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"
  • Check the Pod status
$ kubectl get pod -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
grafana-784c89f4cf-4vd2h                1/1     Running   1          72m
istio-egressgateway-c9c55457b-xbh5r     1/1     Running   1          169m
istio-ingressgateway-865d46c7f5-7f5c7   1/1     Running   1          169m
istiod-7f785478df-jk87p                 1/1     Running   1          170m
jaeger-7f78b6fb65-cw45j                 1/1     Running   4          72m
kiali-7476977cf9-6w4kj                  1/1     Running   4          72m
prometheus-7bfddb8dbf-jmgjq             2/2     Running   4          72m
  • Check the rollout status
$ kubectl rollout status deployment/kiali -n istio-system
deployment "kiali" successfully rolled out

6.2 Open Kiali to see how traffic flows

Access Kiali locally:

$ istioctl dashboard kiali
http://localhost:20001/kiali
  • Network topology graph (figure)
  • Traffic metrics for a single application (figures: inbound metrics, Traffic, Overview, Trace)

It is a very good traffic management tool with strong observability.

We will write more documents on traffic management later.
