在 Mac 下部署 istio 最新版 1.8.2,通过 kiali 观测流量的全链路访问情况。
虽然腾讯云的 容器服务 已经有服务网格,不过本地调试还是需要自己搭建一个。
istio 是什么
K8S 提供的是集群部署和运维能力,istio 提供流量管控,这是 K8S 和 istio 的区别。
- istio 核心能力 istio 核心能力
- istio 架构图
以下引用 istio 官方的解释。
为什么使用 Istio? 通过负载均衡、服务间的身份验证、监控等方法,Istio 可以轻松地创建一个已经部署了服务的网络,而服务的代码只需很少更改甚至无需更改。通过在整个环境中部署一个特殊的 sidecar 代理为服务添加 Istio 的支持,而代理会拦截微服务之间的所有网络通信,然后使用其控制平面的功能来配置和管理 Istio,这包括:
为 HTTP、gRPC、WebSocket 和 TCP 流量自动负载均衡。 通过丰富的路由规则、重试、故障转移和故障注入对流量行为进行细粒度控制。 可插拔的策略层和配置 API,支持访问控制、速率限制和配额。 集群内(包括集群的入口和出口)所有流量的自动化度量、日志记录和追踪。
今天我们在 Docer for macOS 中部署 istio,体验 istio 的流量治理能力;
k8s:1.19.3
1. 安装 istio 客户端(istioctl)
1.1 下载安装包
安装最新版本 istio 客户端 1.8.2,执行以下自动安装脚本会自动获取最新版本(包含发行版)
代码语言:txt复制这次是在 macOS 下安装,所以他自动获取了
istio-1.8.2-osx.tar.gz
版本。
$ curl -L https://istio.io/downloadIstio | sh -
Downloading istio-1.8.2 from https://github.com/istio/istio/releases/download/1.8.2/istio-1.8.2-osx.tar.gz ...
Istio 1.8.2 Download Complete!
Istio has been successfully downloaded into the istio-1.8.2 folder on your system.
Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.
To configure the istioctl client tool for your workstation,
add the /Users/xxx/github/istio/istio-1.8.2/bin directory to your environment path variable with:
export PATH="$PATH:/Users/xxx/github/istio/istio-1.8.2/bin"
Begin the Istio pre-installation check by running:
istioctl x precheck
Need more information? Visit https://istio.io/latest/docs/setup/install/
安装过程中遇到如下报错,请自行在 github 仓库中下载客户端。 curl: (7) Failed to connect to raw.githubusercontent.com port 443: Connection refused
1.2 设置环境变量
代码语言:txt复制$ cd istio-1.8.2
$ export PATH=$PWD/bin:$PATH
在
~/.bash_profile
文件申明PATH
变量的值中增加istio-1.8.2/bin
的绝对路径。
1.3 检查运行环境
一切正常
代码语言:txt复制$ istioctl x precheck
Checking the cluster to make sure it is ready for Istio installation...
#1. Kubernetes-api
-----------------------
Can initialize the Kubernetes client.
Can query the Kubernetes API Server.
#2. Kubernetes-version
-----------------------
Istio is compatible with Kubernetes: v1.19.3.
#3. Istio-existence
-----------------------
Istio will be installed in the istio-system namespace.
#4. Kubernetes-setup
-----------------------
Can create necessary Kubernetes configurations: Namespace,ClusterRole,ClusterRoleBinding,CustomResourceDefinition,Role,ServiceAccount,Service,Deployments,ConfigMap.
#5. SideCar-Injector
-----------------------
This Kubernetes cluster supports automatic sidecar injection. To enable automatic sidecar injection see https://istio.io/v1.8/docs/setup/additional-setup/sidecar-injection/#deploying-an-app
-----------------------
Install Pre-Check passed! The cluster is ready for Istio installation.
2. 安装 Istio
2.1 Install Istio
安装 istio 的核心组件。
代码语言:txt复制$ istioctl install --set profile=demo -y
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.8/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
通过 kubectl
可以查看在 istio-system
的 Namespace 下安装了如下资源:
$ kubectl get all -n=istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-egressgateway-c9c55457b-xbh5r 1/1 Running 0 20m
pod/istio-ingressgateway-865d46c7f5-7f5c7 1/1 Running 0 20m
pod/istiod-7f785478df-jk87p 1/1 Running 0 21m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-egressgateway ClusterIP 10.99.161.192 <none> 80/TCP,443/TCP,15443/TCP 20m
service/istio-ingressgateway LoadBalancer 10.111.204.43 localhost 15021:30101/TCP,80:30856/TCP,443:30365/TCP,31400:30507/TCP,15443:32107/TCP 20m
service/istiod ClusterIP 10.96.86.16 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 21m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/istio-egressgateway 1/1 1 1 20m
deployment.apps/istio-ingressgateway 1/1 1 1 20m
deployment.apps/istiod 1/1 1 1 21m
NAME DESIRED CURRENT READY AGE
replicaset.apps/istio-egressgateway-c9c55457b 1 1 1 20m
replicaset.apps/istio-ingressgateway-865d46c7f5 1 1 1 20m
replicaset.apps/istiod-7f785478df 1 1 1 21m
2.2 将 default Namespace 设置自动注入
设置 自动自动注入 后,会往 Pod 中增加一个 sidecar 的 container,用于控制这个 Pod 的流量。
代码语言:txt复制$ kubectl label namespace default istio-injection=enabled
namespace/default labeled
查看目前开启自动注入的 Namespace
代码语言:txt复制$ kubectl get ns --show-labels=true
NAME STATUS AGE LABELS
default Active 6d13h istio-injection=enabled
istio-system Active 6m52s istio-injection=disabled
kube-node-lease Active 6d13h <none>
kube-public Active 6d13h <none>
kube-system Active 6d13h <none>
kubernetes-dashboard Active 5d21h <none>
ops Active 6d11h <none>
query-ip Active 6d11h <none>
3. 部署 Demo 应用
部署一个应用,便于理解 istio 的功能
3.1 Install Istio
代码语言:txt复制~/github/istio/istio-1.8.2$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
3.2 检查是否部署完成
代码语言:txt复制~/github/istio/istio-1.8.2$ kubectl get all
NAME READY STATUS RESTARTS AGE
pod/details-v1-79c697d759-cw5sk 2/2 Running 0 5m48s
pod/productpage-v1-65576bb7bf-tj9m5 2/2 Running 0 5m47s
pod/ratings-v1-7d99676f7f-g79zp 2/2 Running 0 5m47s
pod/reviews-v1-987d495c-cr2bv 2/2 Running 0 5m47s
pod/reviews-v2-6c5bf657cf-s46cm 2/2 Running 0 5m48s
pod/reviews-v3-5f7b9f4f77-t4tx2 2/2 Running 0 5m48s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/details ClusterIP 10.108.239.10 <none> 9080/TCP 5m48s
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 6d14h
service/productpage ClusterIP 10.96.172.155 <none> 9080/TCP 5m48s
service/ratings ClusterIP 10.96.164.173 <none> 9080/TCP 5m48s
service/reviews ClusterIP 10.98.231.42 <none> 9080/TCP 5m48s
安装过程中比较耗时的原因,镜像太大。
代码语言:txt复制$ docker images | grep istio/examples
istio/examples-bookinfo-reviews-v3 1.16.2 83e6a8464b84 7 months ago 694MB
istio/examples-bookinfo-reviews-v2 1.16.2 39cff5d782e1 7 months ago 694MB
istio/examples-bookinfo-reviews-v1 1.16.2 181be23dc1af 7 months ago 694MB
istio/examples-bookinfo-ratings-v1 1.16.2 99ce598b98cf 7 months ago 161MB
istio/examples-bookinfo-details-v1 1.16.2 edf6b9bea3db 7 months ago 149MB
istio/examples-bookinfo-productpage-v1 1.16.2 7f1e097aad6d 7 months ago 207MB
Pod 都处于 running 状态后,接着访问应用内容,确认部署完毕。
代码语言:txt复制$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -s productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
4. 开启外部流量入口
4.1 创建 gateway 和 virtualservice 配置
- 先查看配置
- gateway:只让
service/istio-ingressgateway
中 HTTP 80 端口的流量进来 - virtualservice: 将 URI 为
/productpage
等页面的流量指向productpage
服务
- gateway:只让
$ cat samples/bookinfo/networking/bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080
- 部署配置
$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
- 验证配置,没问题
$ istioctl analyze
✔ No validation issues found when analyzing namespace: default.
4.2 获取访问服务的入口
流量的入口其实就是 service/istio-ingressgateway
所在 LB 的访问方式,从以下命令得知入口是 localhost:80
$ kubectl get service/istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.111.204.43 localhost 15021:30101/TCP,80:30856/TCP,443:30365/TCP,31400:30507/TCP,15443:32107/TCP 165m
5. 访问 Demo 应用
在浏览器中访问 http://localhost/productpage
,每次刷新页面看到内容不同。
不过现在还看不出流量访问的情况,需要部署流量观测工具 kiali。
6. 部署流量观测工具 kiali
6.1 deploy kiali
- 部署
$ kubectl apply -f samples/addons
serviceaccount/grafana created
configmap/grafana created
service/grafana created
deployment.apps/grafana created
configmap/istio-grafana-dashboards created
configmap/istio-services-grafana-dashboards created
deployment.apps/jaeger created
service/tracing created
service/zipkin created
service/jaeger-collector created
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16 , unavailable in v1.22 ; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/monitoringdashboards.monitoring.kiali.io created
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
service/kiali created
deployment.apps/kiali created
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created
unable to recognize "samples/addons/kiali.yaml": no matches for kind "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"
- 检查 Pod 运行状态
$ kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-784c89f4cf-4vd2h 1/1 Running 1 72m
istio-egressgateway-c9c55457b-xbh5r 1/1 Running 1 169m
istio-ingressgateway-865d46c7f5-7f5c7 1/1 Running 1 169m
istiod-7f785478df-jk87p 1/1 Running 1 170m
jaeger-7f78b6fb65-cw45j 1/1 Running 4 72m
kiali-7476977cf9-6w4kj 1/1 Running 4 72m
prometheus-7bfddb8dbf-jmgjq 2/2 Running 4 72m
- 检查部署状态
$ kubectl rollout status deployment/kiali -n istio-system
deployment "kiali" successfully rolled out
6.2 查看 kiali,了解流量访问情况
本地访问 kiali
代码语言:txt复制$ istioctl dashboard kiali
http://localhost:20001/kiali
- 网络拓扑图
- 单个应用的流量指标
非常不错的流量治理工具,可观测性很强。
后面咱们再写一些流量治理的文档。
reference
- 1 istio. Getting Started
- 2 istio. istio 官网
- 3 isito. istio 是什么
- 4 k8s. 部署 istio 1.8.2