1.简介
2.整体架构
istio
3.组件说明
3.1 Pilot
属于控制面,承担着服务发现、流量管理、智能路由等,提供一系列的api的入口
3.2 Galley
配置的验证,管理和分发,作为istio的配置中心,通过用validatingWebhook机制对Pilot 和 Mixer 的配置进行验证
3.3 Citadel
负责秘钥和证书的管理,服务鉴权
3.4 Mixer
管理授权和审计,和连接envoy,对应镜像istio-policy,Mixer提供adapter机制
Mixer中现有的Adapter
实现Check的Adapter
listchecker(黑白名单)
opa(open Policy Agent)
RBAC(连接到istioCA)实现Quota的Adapter
Menquota(基于单机内存)
Redisquota(基于外部Redis)实现Report的Adapter
Circonus
Cloudwatch
Dogstatsd
Fluentd
Prometheus
Solarwinds
StatsD
Stdio
3.5 Proxy(Agent+Envoy)
通过sidecar方式部署于pod中,负责接收控制面策略并生成配置文件,作用于pod。
Envoy启动时的启动配置文件中包括:
- Node信息
包含的节点信息 - stats_config
Envoy的管理信息 - admin
Envoy的管理信息主要是指管理API地址(127.0.0.1::15000) - dynamic_resources
根据Polit提供的XDS接口生成的配置信息 - static_resources
静态配置信息,包括prometheus,Pilot控制面和zipkin服务发现信息 - tracing
链路追踪Tracing的配置信息
Envoy启动的配置文件所在位置
[root@node4 ~]# kubectl exec productpage-v1-8554d58bff-bhlfl -c istio-proxy -- ls /etc/istio/proxy/envoy-rev0.json
/etc/istio/proxy/envoy-rev0.json
Envoy中的接口:
[root@node4 ~]# kubectl exec productpage-v1-8554d58bff-bhlfl -c istio-proxy curl http://127.0.0.1:15000/help
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0admin commands are:
/: Admin home page
/certs: print certs on machine
/clusters: upstream cluster status
/config_dump: dump current Envoy configs (experimental)
/contention: dump current Envoy mutex contention stats (if enabled)
/cpuprofiler: enable/disable the CPU profiler
/healthcheck/fail: cause the server to fail health checks
/healthcheck/ok: cause the server to pass health checks
/heapprofiler: enable/disable the heap profiler
/help: print out list of admin commands
/hot_restart_version: print the hot restart compatibility version
/listeners: print listener info
/logging: query/change logging levels
/memory: print current allocation/heap usage
/quitquitquit: exit the server
/ready: print server state, return 200 if LIVE, otherwise return 503
/reset_counters: reset all counters to zero
/runtime: print runtime values
/runtime_modify: modify runtime values
/server_info: print server version/status information
/stats: print server stats
/stats/prometheus: print server stats in prometheus format
clusters信息
istio-proxy@productpage-v1-8554d58bff-tqhnk:/$ curl http://127.0.0.1:15000/clusters |grep 9080
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
outbound|9080||reviews.default.svc.cluster.local::default_priority::max_connections::1024
outbound|9080||reviews.default.svc.cluster.local::default_priority::max_pending_requests::1024
outbound|9080||reviews.default.svc.cluster.local::default_priority::max_requests::1024
outbound|9080||reviews.default.svc.cluster.local::default_priority::max_retries::1024
outbound|9080||reviews.default.svc.cluster.local::high_priority::max_connections::1024
outbound|9080||reviews.default.svc.cluster.local::high_priority::max_pending_requests::1024
outbound|9080||reviews.default.svc.cluster.local::high_priority::max_requests::1024
outbound|9080||reviews.default.svc.cluster.local::high_priority::max_retries::3
outbound|9080||reviews.default.svc.cluster.local::added_via_api::true
outbound|9080||reviews.default.svc.cluster.local::172.10.104.13:9080::cx_active::2
outbound|9080||reviews.default.svc.cluster.local::172.10.104.13:9080::cx_connect_fail::0
outbound|9080||reviews.default.svc.cluster.local::172.10.104.13:9080::cx_total::2
outbound|9080||reviews.default.svc.cluster.local::172.10.104.13:9080::rq_active::0
Envoy的运行时配置信息
[root@node4 ~]# kubectl exec -it productpage-v1-8554d58bff-bhlfl -c istio-proxy curl http://127.0.0.1:15000/config_dump
包含的内容
BootstrapConfigDump
bootstrap包含启动Envoy时的配置西悉尼ClustersConfigDump
static_clusters:
主要包括istio平台本省的组件信息,如zipkin、prometheus、STRICT_DNS(Polit控制面)
dynamic_active_clusters:根据POD产生的cluster,根据类型分为STATIC(如BlackHoleCluster,类似404无匹配时到达)、ORIGINAL_DST和EDS(表示通过API产生的配置)
-
ListenersConfigDump
static_listeners:在15090端口上开启的listeners
dynamic_active_listeners:动态在POD和service上创建的listeners - ScopedRoutesConfigDump
-
RoutesConfigDump对应VirtualService
static_route_configs :平台产生的路由配置信息
dynamic_route_configs :根据业务产的路由配置 - SecretsConfigDump
4.istio中资源类型
attributemanifest
定义属性清单-
instance rule handler
instance 表示一系列的数据
handler 对应着数据处理的适配器
rule 包含一系列的action,每个action是一个handler 和一组instance 的对应关系
三个关系 DestinationRule
描述即将流量转发到服务时应用的策略集,包括负载均衡配置,sidecar中的连接池大小和异常值检测设置(主要用于从负载平衡池中逐出不正常的主机)
其中负载均衡策略包括:ROUND_ROBIN、LEAST_CONN、RANDOM、PASSTHROUGHGateway
网关,描述应用在边缘设备(整个mesh对外的入口和出口)上的开放的端口和协议等VirtualService
定义路由规则,包括headers匹配等ServiceEntry
ServiceEntry用于将附加条目添加到Istio内部维护的服务注册表中。
4.istio的安装
istio的安装
//下载istio-1.3.4-linux.tar.gz
[root@node4 istio]# wget https://github.com/istio/istio/releases/download/1.3.4/istio-1.3.4-linux.tar.gz
[root@node4 istio]# tar -zxvf istio-1.3.4-linux.tar.gz
[root@node4 istio]# cd istio-1.3.4/
[root@node4 istio-1.3.4]# kubectl apply -f install/kubernetes/istio-demo.yaml
[root@node4 istio-1.3.4]# kubectl -n istio-system get pod
NAME READY STATUS RESTARTS AGE
grafana-59d57c5c56-sj95t 1/1 Running 0 21d
istio-citadel-555bff45bf-rtcv6 1/1 Running 0 21d
istio-egressgateway-7fd45cc845-2lzzh 1/1 Running 0 21d
istio-galley-7f8b6db7d7-v992r 1/1 Running 0 21d
istio-grafana-post-install-1.3.4-7bgxj 0/1 Completed 0 21d
istio-ingressgateway-64456bb8b-nqc89 1/1 Running 0 21d
istio-pilot-85894cd4f5-859kp 2/2 Running 0 21d
istio-policy-7d8f44db64-4zggd 2/2 Running 2 21d
istio-security-post-install-1.3.4-2vxhk 0/1 Completed 0 21d
istio-sidecar-injector-65d5f8db56-2x8l5 1/1 Running 0 21d
istio-telemetry-85c7c59b86-wxxsx 2/2 Running 2 21d
istio-tracing-795c9c64c4-8r6p5 1/1 Running 0 21d
kiali-8c9d6fbf6-rblp5 1/1 Running 0 21d
prometheus-7d7b9f7844-kfpk4 1/1 Running 0 21d
[root@node4 istio-1.3.4]# kubectl -n istio-system get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 172.20.185.180 <none> 3000/TCP 21d
istio-citadel ClusterIP 172.20.170.209 <none> 8060/TCP,15014/TCP 21d
istio-egressgateway ClusterIP 172.20.17.218 <none> 80/TCP,443/TCP,15443/TCP 21d
istio-galley ClusterIP 172.20.53.63 <none> 443/TCP,15014/TCP,9901/TCP 21d
istio-ingressgateway NodePort 172.20.68.121 <none> 15020:30962/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30391/TCP,15030:32742/TCP,15031:31213/TCP,15032:31411/TCP,15443:32673/TCP 21d
istio-pilot ClusterIP 172.20.42.191 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 21d
istio-policy ClusterIP 172.20.168.15 <none> 9091/TCP,15004/TCP,15014/TCP 21d
istio-sidecar-injector ClusterIP 172.20.149.157 <none> 443/TCP,15014/TCP 21d
istio-telemetry ClusterIP 172.20.42.203 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 21d
jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 21d
jaeger-collector ClusterIP 172.20.50.220 <none> 14267/TCP,14268/TCP,14250/TCP 21d
jaeger-query ClusterIP 172.20.49.122 <none> 16686/TCP 21d
kiali ClusterIP 172.20.238.205 <none> 20001/TCP 21d
prometheus ClusterIP 172.20.97.112 <none> 9090/TCP 21d
tracing ClusterIP 172.20.203.114 <none> 80/TCP 21d
zipkin ClusterIP 172.20.133.126 <none> 9411/TCP 21d
bookinfo实例
//设置default的注入标识
[root@node4 istio-1.3.4]# kubectl label namespace default istio-injection=enabled
[root@node4 istio-1.3.4]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
[root@node4 istio-1.3.4]# kubectl get pod
NAME READY STATUS RESTARTS AGE
details-v1-74f858558f-cqwdk 2/2 Running 0 21d
productpage-v1-8554d58bff-bhlfl 2/2 Running 0 21d
ratings-v1-7855f5bcb9-c6d7w 2/2 Running 0 21d
reviews-v1-59fd8b965b-h759b 2/2 Running 0 21d
reviews-v2-d6cfdb7d6-v4fjt 2/2 Running 0 21d
reviews-v3-75699b5cfb-kf8tb 2/2 Running 0 21d
检查Proxy注入
image.png
访问测试
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
image.png
image.png
image.png
5.访问流程分析
image.png
