Section 2: Istio Architecture and Technology
Outline
- Service Mesh
- Istio architecture basics
- Istio basic concepts
- Istio & Kubernetes: combining the architectures
- Running your first Istio cluster
1. Kubernetes
Kubernetes provides the platform infrastructure layer with powerful container orchestration and scheduling:
- Service deployment and elastic scaling: Deployment
- Service decomposition and service discovery: Service
Kubernetes provides only simple load balancing:
- Load balancing: a simple balancing mechanism based on IPVS or iptables
2. Service Mesh
- Governance capabilities decoupled from the application (Sidecar)
- Transparent to the application program
- An infrastructure layer for service-to-service communication
3. Istio arrives
- Connect
- Secure
- Control
- Observe
3-1 Istio key capabilities
- Functionality
- Extensibility
4. Istio + Kubernetes: cloud-native application governance + cloud-native application infrastructure
4-1 Istio architecture and its key components
4-2 Pilot: service discovery and traffic rules
4-3 Mixer: Check & Report
4-4 Citadel
5. Istio & Kubernetes: combining the architectures
5-1 Envoy
- A C++-based L4/L7 proxy (forwarder)
- The third project to graduate from the CNCF
- Listeners (LDS)
- Routes (RDS)
- Clusters (CDS)
- Endpoints (EDS)
5-2 Envoy configuration file
6. Istio basic concepts
6-1 VirtualService
The most central configuration interface: it defines all routing rules for a given service.
- Hosts
- Gateways
- Http
- Tcp
- Tls
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-route
  namespace: foo
spec:
  hosts:
  - reviews
  http:
  - match:
    - uri:
        prefix: "/wpcatalog"
    - uri:
        prefix: "/consumercatalog"
    rewrite:
      uri: "/newcatalog"
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
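How the reviews-route rules above are evaluated, as an added worked example (Python written for this page, not code from the slides or from Istio): Envoy tries the `http` rules in order, the first rule with at least one satisfied `match` entry wins, a rule without `match` catches everything, and a `rewrite` replaces the matched prefix before the request is sent to the chosen subset. `REVIEWS_ROUTE` is the slide's YAML transcribed into a dict; `select_route` and `_uri_matches` are names chosen here. Regex matches and weighted `route` lists are not modelled, and only the first destination of a rule is returned.

```python
# Added example: a small model of VirtualService route selection.
# REVIEWS_ROUTE is the slide's reviews-route VirtualService as a dict.
from typing import Optional, Tuple

REVIEWS_ROUTE = {
    "hosts": ["reviews"],
    "http": [
        {
            "match": [
                {"uri": {"prefix": "/wpcatalog"}},
                {"uri": {"prefix": "/consumercatalog"}},
            ],
            "rewrite": {"uri": "/newcatalog"},
            "route": [{"destination": {"host": "reviews", "subset": "v2"}}],
        },
        {
            # no match clause: this rule catches every request the first one missed
            "route": [{"destination": {"host": "reviews", "subset": "v1"}}],
        },
    ],
}


def _uri_matches(cond: dict, path: str) -> Optional[str]:
    """Return the matched part of `path` if the uri condition holds, else None."""
    if "exact" in cond:
        return path if path == cond["exact"] else None
    if "prefix" in cond:
        return cond["prefix"] if path.startswith(cond["prefix"]) else None
    return None  # regex conditions are not modelled in this example


def select_route(vs: dict, path: str) -> Tuple[str, str, str]:
    """Evaluate the http rules in order; return (host, subset, path sent upstream)."""
    for rule in vs["http"]:
        matched_prefix: Optional[str] = None
        conditions = rule.get("match")
        if conditions is None:
            matched = True  # a rule with no match clause matches everything
        else:
            matched = False
            for cond in conditions:  # entries inside `match` are OR-ed together
                hit = _uri_matches(cond.get("uri", {}), path)
                if hit is not None:
                    matched, matched_prefix = True, hit
                    break
        if not matched:
            continue
        out_path = path
        rewrite = rule.get("rewrite", {}).get("uri")
        if rewrite is not None and matched_prefix is not None:
            # the rewrite replaces the matched prefix (the whole path for an exact match)
            out_path = rewrite + path[len(matched_prefix):]
        dest = rule["route"][0]["destination"]
        return dest["host"], dest["subset"], out_path
    raise LookupError("no http rule matched; Envoy would answer 404")


if __name__ == "__main__":
    for p in ("/wpcatalog/items", "/consumercatalog", "/reviews/1"):
        print(p, "->", select_route(REVIEWS_ROUTE, p))
```

Because the rules are ordered, the catch-all `v1` rule must stay last; moving it first would swallow every request before the `/wpcatalog` and `/consumercatalog` rules are consulted.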
6-2 DestinationRule
The policies it defines determine how traffic is handled after routing has selected a destination: load balancer settings, circuit breakers, TLS settings, and so on.
- Host
- Subset
- TrafficPolicy
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: bookinfo-ratings
spec:
  host: ratings
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
6-3 Gateway
Provides the entry point for external access: a service on any internal port can be published to external clients. Used together with a VirtualService, so the traffic is governed by standard Istio rules.
- Servers
- Selector
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    route:
    - destination:
        ...
6-4 ServiceEntry
Adds external services to the service registry, so that the services Istio discovers automatically can reach and route to these manually added services. Used together with a VirtualService or a DestinationRule.
- Hosts
- Addresses
- Ports
- Location
- Resolution
- Endpoints
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-mongocluster
spec:
  hosts:
  - mymongodb.somedomain
  addresses:
  - 192.192.192.192/24 # VIPs
  ports:
  - number: 27018
    name: mongodb
    protocol: MONGO
  location: MESH_INTERNAL
  resolution: STATIC
  endpoints:
  - address: 2.2.2.2
  - address: 3.3.3.3
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-mongocluster
spec:
  host: mymongodb.somedomain
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem
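Which DestinationRule settings actually apply to a destination, and whether a ServiceEntry host gets client TLS at all, as an added worked example (Python written for this page, not code from the slides or from Istio). It covers the bookinfo-ratings rule from 6-2 and the mtls-mongocluster rule above: a subset may carry its own `trafficPolicy`, modelled here as overriding the top-level policy field by field (`loadBalancer`, `tls`, ...), which is an assumption of this example. `DESTINATION_RULES` and the first `SERVICE_ENTRIES` item are transcribed from the slides; the `legacy-db.somedomain` entry is constructed for the example, and `effective_policy` and `missing_client_tls` are names chosen here.

```python
# Added example: resolve the effective DestinationRule policy for a
# (host, subset) pair and list ServiceEntry hosts that sidecars would reach
# without client TLS. Rule and entry data are transcribed from the slides,
# except the legacy-db entry, which is constructed for this example.
from typing import Dict, List, Optional

DESTINATION_RULES: List[Dict] = [
    {
        "name": "bookinfo-ratings",
        "host": "ratings",
        "trafficPolicy": {"loadBalancer": {"simple": "LEAST_CONN"}},
        "subsets": [
            {"name": "v1", "labels": {"version": "v1"}},
            {"name": "v2", "labels": {"version": "v2"}},
            {"name": "v3", "labels": {"version": "v3"},
             "trafficPolicy": {"loadBalancer": {"simple": "ROUND_ROBIN"}}},
        ],
    },
    {
        "name": "mtls-mongocluster",
        "host": "mymongodb.somedomain",
        "trafficPolicy": {"tls": {
            "mode": "MUTUAL",
            "clientCertificate": "/etc/certs/myclientcert.pem",
            "privateKey": "/etc/certs/client_private_key.pem",
            "caCertificates": "/etc/certs/rootcacerts.pem",
        }},
    },
]

SERVICE_ENTRIES: List[Dict] = [
    {"name": "external-svc-mongocluster", "hosts": ["mymongodb.somedomain"],
     "location": "MESH_INTERNAL", "resolution": "STATIC"},
    # constructed for this example: an entry that has no DestinationRule at all
    {"name": "legacy-db", "hosts": ["legacy-db.somedomain"],
     "location": "MESH_EXTERNAL", "resolution": "DNS"},
]


def effective_policy(rules: List[Dict], host: str, subset: Optional[str] = None) -> Dict:
    """Merge top-level and subset-level trafficPolicy for one destination.

    Returns {'loadBalancer': ..., 'tls': ..., 'labels': ...}. Raises LookupError
    when no rule covers the host or the named subset is not defined.
    """
    rule = next((r for r in rules if r["host"] == host), None)
    if rule is None:
        raise LookupError(f"no DestinationRule for host {host}")
    policy = dict(rule.get("trafficPolicy", {}))  # start from the top-level policy
    labels: Dict[str, str] = {}
    if subset is not None:
        sub = next((s for s in rule.get("subsets", []) if s["name"] == subset), None)
        if sub is None:
            raise LookupError(f"subset {subset} not defined for host {host}")
        labels = sub["labels"]
        # subset-level fields replace the matching top-level fields (assumed per-field)
        policy.update(sub.get("trafficPolicy", {}))
    return {
        "loadBalancer": policy.get("loadBalancer", {}).get("simple"),
        "tls": policy.get("tls", {}).get("mode"),
        "labels": labels,
    }


def missing_client_tls(entries: List[Dict], rules: List[Dict]) -> List[str]:
    """ServiceEntry hosts with no tls block in their DestinationRule, or tls DISABLE."""
    flagged = []
    for entry in entries:
        for host in entry["hosts"]:
            try:
                mode = effective_policy(rules, host)["tls"]
            except LookupError:
                mode = None  # no DestinationRule at all: plaintext to the endpoints
            if mode is None or mode == "DISABLE":
                flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(effective_policy(DESTINATION_RULES, "ratings", "v3"))
    print(effective_policy(DESTINATION_RULES, "mymongodb.somedomain"))
    print("hosts without client TLS:", missing_client_tls(SERVICE_ENTRIES, DESTINATION_RULES))
```

Run as a script it prints the policy for each destination and the list of ServiceEntry hosts that would be reached in plaintext; on a live cluster the same check would be fed with the output of `kubectl get destinationrules,serviceentries -o yaml`.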
7. Running an Istio cluster on Kubernetes
kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
kubectl create namespace istio-system
kubectl apply -f $HOME/istio.yaml
7-1 istioctl
- proxy-status: configuration sync status of each proxy
- proxy-config: query the concrete rules loaded in Envoy
  - listener
  - route
  - cluster
  - endpoint
- kube-inject
- ......
8. Demo
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
$ kubectl create namespace istio-system
$ kubectl apply -f $HOME/istio.yaml
8-1 Every pod in the default namespace will get the Istio sidecar injected
$ kubectl label namespace default istio-injection=enabled
8-2 Check the ingress gateway service
$ kubectl get svc istio-ingressgateway -n istio-system
$ kubectl get svc istio-ingressgateway -n istio-system -o yaml