1. Istio overview and version notes
Istio is an open-source service mesh platform that provides traffic management, secure service-to-service communication and observability. Using the sidecar proxy model, it gives a microservice architecture a uniform network infrastructure layer.
Version information at the time of writing (Istio only ships patches for its most recent minor releases, so check the current support status before choosing a version):
Istio 1.22.x: latest stable release
Istio 1.21.x: previous release, still receiving patches
Istio 1.20.x: maintenance release
Istio 1.19.x: older release
2. Downloading Istio
Istio can be obtained in several ways: the official release archive from GitHub, the Helm charts, or the istioctl command-line tool (which ships inside the release archive).
Method 1: download the official release archive
# Release page: https://github.com/istio/istio/releases
# Download the Istio 1.22.0 release with the download script
# (this pipes a remote script straight into sh; on production hosts, fetch the archive and verify its checksum instead)
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.0 sh -
# Or fetch the archive directly with wget
$ wget https://github.com/istio/istio/releases/download/1.22.0/istio-1.22.0-linux-amd64.tar.gz
# Extract the archive
$ tar -xzf istio-1.22.0-linux-amd64.tar.gz
# Inspect the contents
$ ls -la istio-1.22.0/
Example output:
total 32
drwxr-xr-x  4 root root  4096 Mar 15 10:00 .
drwxr-xr-x  3 root root  4096 Mar 15 10:00 ..
drwxr-xr-x  2 root root  4096 Mar 15 10:00 bin
-rw-r--r--  1 root root 11357 Mar 15 10:00 LICENSE
drwxr-xr-x  6 root root  4096 Mar 15 10:00 manifests
-rw-r--r--  1 root root  1234 Mar 15 10:00 manifest.yaml
-rw-r--r--  1 root root  4567 Mar 15 10:00 README.md
-rw-r--r--  1 root root   123 Mar 15 10:00 release
drwxr-xr-x 20 root root  4096 Mar 15 10:00 samples
# Look at the bin directory (istioctl ships inside the release archive)
$ ls -la istio-1.22.0/bin/
Example output:
total 78848
drwxr-xr-x 2 root root     4096 Mar 15 10:00 .
drwxr-xr-x 4 root root     4096 Mar 15 10:00 ..
-rwxr-xr-x 1 root root 80541696 Mar 15 10:00 istioctl
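Both download paths above (piping the install script into sh, or fetching the tarball) trust whatever the network returns. Istio publishes a SHA-256 digest next to each release asset, and the following added example (not from this tutorial or the Istio project) shows how to check the archive against that digest before extracting it. It assumes the digest file is named <archive>.sha256 and uses the coreutils sha256sum line format; the archive it verifies in the demo is a constructed stand-in, not a real release.

```python
"""Verify an Istio release archive against its published SHA-256 digest.

Added example, not code from the tutorial or from the Istio project. It
assumes each release asset has a sibling file "<asset>.sha256" holding a
line in coreutils sha256sum format ("<hex>  <filename>").
"""
import hashlib
import hmac
import os
import tempfile

RELEASE_BASE = "https://github.com/istio/istio/releases/download"


def release_urls(version, os_name="linux", arch="amd64"):
    """Return (archive_url, checksum_url) for one Istio release asset."""
    asset = f"istio-{version}-{os_name}-{arch}.tar.gz"
    return (f"{RELEASE_BASE}/{version}/{asset}",
            f"{RELEASE_BASE}/{version}/{asset}.sha256")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_sha256_file(text):
    """Parse '<hex>  <filename>' (sha256sum format); reject anything else."""
    fields = text.strip().split()
    if len(fields) != 2 or len(fields[0]) != 64:
        raise ValueError("malformed .sha256 content")
    digest, name = fields
    int(digest, 16)  # raises ValueError if the digest is not hex
    return digest.lower(), name.lstrip("*")  # 'sha256sum -b' prefixes '*'


def verify_release(archive_path, sha256_text):
    """True only if the digest matches and the checksum line names this archive."""
    expected, expected_name = parse_sha256_file(sha256_text)
    if os.path.basename(archive_path) != expected_name:
        return False
    # constant-time comparison; cheap insurance when comparing secrets-like values
    return hmac.compare_digest(sha256_of_file(archive_path), expected)


def demo():
    """Exercise the checker on a constructed file (not a real Istio archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "istio-1.22.0-linux-amd64.tar.gz")
        payload = b"constructed bytes standing in for the real tarball\n"
        with open(archive, "wb") as fh:
            fh.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        checksum = f"{good}  istio-1.22.0-linux-amd64.tar.gz\n"
        ok = verify_release(archive, checksum)
        # flip the first hex digit to simulate a tampered archive or digest
        tampered = checksum.replace(good[0], "0" if good[0] != "0" else "1", 1)
        bad = verify_release(archive, tampered)
        return ok, bad


if __name__ == "__main__":
    print(release_urls("1.22.0"))
    print(demo())
```

In practice, fetch both URLs from release_urls(), run verify_release() on the downloaded tarball, and only then untar it; a False result means the archive must not be used.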
Method 2: put istioctl on the PATH (istioctl comes from the release archive of method 1)
$ export PATH=$PWD/istio-1.22.0/bin:$PATH
# Or add it permanently to ~/.bashrc
$ echo 'export PATH=$PATH:/root/istio-1.22.0/bin' >> ~/.bashrc
$ source ~/.bashrc
# Verify the client (no control plane is installed yet, so ask for the client version only)
$ istioctl version --remote=false
Example output:
1.22.0
# Enable bash completion
$ istioctl completion bash > /etc/bash_completion.d/istioctl
$ source /etc/bash_completion.d/istioctl
Method 3: install with Helm
$ helm repo add istio https://istio-release.storage.googleapis.com/charts
Example output:
"istio" has been added to your repositories
# Refresh the repository index
$ helm repo update
Example output:
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "istio" chart repository
Update Complete. ⎈Happy Helming!⎈
# Search the Istio charts
$ helm search repo istio
Example output:
NAME                 CHART VERSION   APP VERSION   DESCRIPTION
istio/base           1.22.0          1.22.0        Helm chart for deploying Istio …
istio/cni            1.22.0          1.22.0        Helm chart for istio-cni components
istio/gateway        1.22.0          1.22.0        Helm chart for deploying Istio Gateway
istio/istiod         1.22.0          1.22.0        Helm chart for istiod control plane
istio/istiod-remote  1.22.0          1.22.0        Helm chart for a remote istiod
istio/ztunnel        1.22.0          1.22.0        Helm chart for istio ztunnel
# Pull the charts, pinned to an explicit version
$ helm pull istio/base --version 1.22.0
$ helm pull istio/istiod --version 1.22.0
$ helm pull istio/gateway --version 1.22.0
3. Installing Istio
Istio supports several installation methods; this tutorial uses the istioctl command-line tool, which is the recommended one.
Step 1: check the Kubernetes environment
# (the --short flag used by older tutorials was removed from kubectl; plain "kubectl version" prints the short form)
$ kubectl version
Example output:
Client Version: v1.29.0
Server Version: v1.29.0
# Check node status
$ kubectl get nodes
Example output:
NAME           STATUS   ROLES           AGE   VERSION
fgedu-node01   Ready    control-plane   10d   v1.29.0
fgedu-node02   Ready    <none>          10d   v1.29.0
fgedu-node03   Ready    <none>          10d   v1.29.0
# Check available resources (requires metrics-server)
$ kubectl top nodes
Example output:
NAME           CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
fgedu-node01   500m         12%    4096Mi          25%
fgedu-node02   300m         8%     3072Mi          18%
fgedu-node03   350m         9%     3584Mi          21%
# Run the pre-install checks
$ istioctl x precheck
Example output:
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
  To get started, check out https://istio.io/latest/docs/setup/getting-started/
Step 2: install Istio
# -y skips the confirmation prompt; the default profile installs istiod plus an ingress gateway exposed through a LoadBalancer Service
$ istioctl install --set profile=default -y
Example output:
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete
Made this installation the default for injection and remote sidecar installation.
# Check the installed components
$ kubectl get pods -n istio-system
Example output:
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-6b9d7c8d5d-abc12   1/1     Running   0          2m
istiod-7c8d9e6f5g-hij34                 1/1     Running   0          2m
# Check the installed services
$ kubectl get svc -n istio-system
Example output:
NAME                   TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.96.0.100   192.168.1.100   15021:31234/TCP,80:31235/TCP,443:31236/TCP   2m
istiod                 ClusterIP      10.96.0.101   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP        2m
# Check the Istio version (now reports the control plane and the gateway's proxy as well)
$ istioctl version
Example output:
client version: 1.22.0
control plane version: 1.22.0
data plane version: 1.22.0 (1 proxies)
Step 3: enable automatic sidecar injection
$ kubectl label namespace default istio-injection=enabled
Example output:
namespace/default labeled
# Verify the label (injection only affects pods created after the label is set; existing pods must be restarted to receive a sidecar)
$ kubectl get namespace -L istio-injection
Example output:
NAME              STATUS   AGE   ISTIO-INJECTION
default           Active   10d   enabled
istio-system      Active   5m    disabled
kube-node-lease   Active   10d
kube-public       Active   10d
kube-system       Active   10d
# Inspect the injection webhook
$ kubectl get mutatingwebhookconfigurations
Example output:
NAME                     WEBHOOKS   AGE
istio-sidecar-injector   1          5m
4. Istio configuration in detail
Istio ships several configuration profiles; choose the one that matches your needs.
Profile descriptions
$ istioctl profile list
Example output:
Istio configuration profiles:
    default
    demo
    empty
    minimal
    openshift
    preview
    remote
# Dump the default profile (output abbreviated)
$ istioctl profile dump default
Example output:
components:
  base:
    enabled: true
  cni:
    enabled: false
  egressGateways:
  - enabled: false
    name: istio-egressgateway
  ingressGateways:
  - enabled: true
    name: istio-ingressgateway
  istiodRemote:
    enabled: false
  pilot:
    enabled: true
hub: docker.io/istio
tag: 1.22.0
values:
  defaultRevision: ""
  global:
    configValidation: true
    istioNamespace: istio-system
    istiod:
      enableAnalysis: false
    logAsJson: false
    logging:
      level: default:info
    meshID: ""
    mountMtlsCerts: false
    multiCluster:
      clusterName: ""
      enabled: false
    network: ""
    omitSidecarInjectorConfigMap: false
    operatorManageWebhooks: false
    pilotCertProvider: istiod
    priorityClassName: ""
    proxy:
      autoInject: enabled
      clusterDomain: cluster.local
      componentLogLevel: ""
      enableCoreDump: false
      excludeIPRanges: ""
      excludeInboundPorts: ""
      excludeOutboundPorts: ""
      image: proxyv2
      includeIPRanges: "*"
      logLevel: warning
      privileged: false
      readinessFailureThreshold: 30
      readinessInitialDelaySeconds: 1
      readinessPeriodSeconds: 2
      readinessSuccessThreshold: 1
      resources:
        limits:
          cpu: "2"
          memory: 1Gi
        requests:
          cpu: 100m
          memory: 128Mi
      statusPort: 15020
      tracer: zipkin
    proxy_init:
      image: proxyv2
      resources:
        limits:
          cpu: 2000m
          memory: 1024Mi
        requests:
          cpu: 10m
          memory: 10Mi
    sds:
      token:
        aud: istio-ca
    sts:
      servicePort: 0
    tracer:
      datadog: {}
      lightstep: {}
      stackdriver: {}
      zipkin: {}
    useMCP: false
# Dump the demo profile (enables more components such as the egress gateway; intended for demos, not production)
$ istioctl profile dump demo
Installing with a custom configuration
$ cat > istio-config.yaml << EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-config
spec:
  profile: default
  hub: docker.io/istio
  tag: 1.22.0
  meshConfig:
    accessLogFile: /dev/stdout
    enableAutoMtls: true
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"
  components:
    pilot:
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
        hpaSpec:
          minReplicas: 2
          maxReplicas: 5
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 200m
            memory: 256Mi
        hpaSpec:
          minReplicas: 2
          maxReplicas: 5
        service:
          type: LoadBalancer
          ports:
          - port: 80
            targetPort: 8080
            name: http2
          - port: 443
            targetPort: 8443
            name: https
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
  values:
    global:
      mtls:
        enabled: true
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
    pilot:
      autoscaleEnabled: true
EOF
# Install with the custom configuration
$ istioctl install -f istio-config.yaml -y
Example output:
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Two things to be aware of in this file. First, overriding service.ports on the ingress gateway replaces the chart's default port list, which also contains the status-port (15021) used by cloud load balancers for health checks; add it back if your load balancer relies on it. Second, values.global.mtls.enabled is a legacy flag: in current Istio, mTLS enforcement is configured with PeerAuthentication (section 7), and enableAutoMtls (already true by default) only controls whether sidecars opportunistically use mTLS towards peers that have one.
5. Istio gateway configuration
An Istio Gateway manages inbound (and, with an egress gateway, outbound) traffic at the edge of the mesh. Tip: in production, configure separate gateways to isolate traffic of different trust levels (for example public versus internal).
Step 1: create a Gateway
$ cat > gateway.yaml << EOF
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: fgedu-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.fgedu.net.cn"
    - "fgedu.net.cn"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: fgedu-tls-secret
    hosts:
    - "*.fgedu.net.cn"
    - "fgedu.net.cn"
EOF
# Apply the Gateway
$ kubectl apply -f gateway.yaml
Example output:
gateway.networking.istio.io/fgedu-gateway created
# Check the Gateway
$ kubectl get gateway
Example output:
NAME            AGE
fgedu-gateway   10s
The Secret named by credentialName must be a kubernetes.io/tls Secret in the namespace where the ingress gateway pod runs (istio-system here), not in the Gateway's own namespace, otherwise the HTTPS listener never comes up. For a public gateway also consider tls.minProtocolVersion: TLSV1_2 on the HTTPS server and tls.httpsRedirect: true on the port-80 server so that plaintext requests are redirected rather than served.
Step 2: configure a VirtualService
$ cat > virtualservice.yaml << EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fgedu-vs
  namespace: default
spec:
  hosts:
  - "www.fgedu.net.cn"
  gateways:
  - fgedu-gateway
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: api-service
        port:
          number: 8080
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: web-service
        port:
          number: 80
EOF
# Apply the VirtualService
$ kubectl apply -f virtualservice.yaml
Example output:
virtualservice.networking.istio.io/fgedu-vs created
# Check the VirtualService
$ kubectl get virtualservice
Example output:
NAME       GATEWAYS            HOSTS                  AGE
fgedu-vs   ["fgedu-gateway"]   ["www.fgedu.net.cn"]   10s
Match rules are evaluated in order, so the /api rule must precede the catch-all / rule. Because gateways lists only fgedu-gateway (and not mesh), this VirtualService applies to traffic entering through the ingress gateway only; api-service and web-service are assumed to exist in the default namespace.
6. Istio traffic management
Istio provides rich traffic-management features, including traffic splitting, fault injection, timeouts and retries.
Step 1: configure traffic splitting
$ cat > destinationrule.yaml << EOF
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-service
  namespace: default
spec:
  host: api-service
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
EOF
# Apply the DestinationRule
$ kubectl apply -f destinationrule.yaml
Example output:
destinationrule.networking.istio.io/api-service created
# Create the canary release configuration
$ cat > canary.yaml << EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api-canary
  namespace: default
spec:
  hosts:
  - api-service
  http:
  - route:
    - destination:
        host: api-service
        subset: v1
      weight: 90
    - destination:
        host: api-service
        subset: v2
      weight: 10
EOF
# Apply the canary configuration
$ kubectl apply -f canary.yaml
Example output:
virtualservice.networking.istio.io/api-canary created
# Inspect the traffic split
$ kubectl get virtualservice api-canary -o yaml
Example output:
...
spec:
  hosts:
  - api-service
  http:
  - route:
    - destination:
        host: api-service
        subset: v1
      weight: 90
    - destination:
        host: api-service
        subset: v2
      weight: 10
This VirtualService has no gateways field, so it applies to in-mesh (sidecar) traffic to api-service; each subset selects the pods carrying the matching version label, and a subset that is referenced but not defined in a DestinationRule causes the route to fail.
Step 2: configure timeouts and retries
$ cat > timeout-retry.yaml << EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api-timeout
  namespace: default
spec:
  hosts:
  - api-service
  http:
  - route:
    - destination:
        host: api-service
        subset: v1
    timeout: 10s
    retries:
      attempts: 3
      perTryTimeout: 3s
      retryOn: gateway-error,connect-failure,refused-stream
EOF
# Apply the configuration
$ kubectl apply -f timeout-retry.yaml
Example output:
virtualservice.networking.istio.io/api-timeout created
Note that this creates a second mesh-bound VirtualService for the host api-service: Istio only merges multiple VirtualServices for the same host when they are bound to a gateway, so for in-mesh hosts only one of api-canary and api-timeout takes effect. In practice, add the timeout and retries fields to the api-canary route instead. Keep the retry budget inside the overall timeout (here 3 x 3s fits in 10s) and retry only conditions where the request cannot have been processed, such as connect-failure and refused-stream, unless the operation is idempotent.
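Before applying the manifests from sections 5 and 6, it pays to check them against each other: that the VirtualService host is actually served by the Gateway it names, that every subset referenced exists in a DestinationRule, that the retry budget fits inside the overall timeout, and that no two mesh-bound VirtualServices claim the same host (Istio does not merge those; only one takes effect). The following is an added example, not istioctl code: it transcribes the tutorial's manifests into Python dicts and runs those checks offline. Gateway references are assumed to be same-namespace names (the "namespace/name" form is not handled).

```python
"""Offline consistency checks for the Gateway, VirtualService and
DestinationRule objects of sections 5 and 6 (added example; not istioctl
code). The manifests in tutorial_objects() are the tutorial's, as dicts."""
import copy


def host_matches(pattern, host):
    """Gateway server host matching: '*', exact, or a leading '*.' wildcard.
    A 'namespace/' prefix on the pattern is ignored for this check."""
    pattern = pattern.split("/", 1)[-1]
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.a.b' does not match 'a.b' itself
    return pattern == host


def parse_duration(text):
    """Istio duration strings ('500ms', '10s', '2m', '1h') to seconds."""
    for suffix, scale in (("ms", 0.001), ("s", 1), ("m", 60), ("h", 3600)):
        if text.endswith(suffix):
            return float(text[: -len(suffix)]) * scale
    raise ValueError(f"unsupported duration: {text}")


def check(gateways, virtual_services, destination_rules):
    """Return a list of human-readable problems; an empty list means none found."""
    problems = []
    gw_by_key = {(g["metadata"]["namespace"], g["metadata"]["name"]): g for g in gateways}
    subsets = {}
    for dr in destination_rules:
        subsets.setdefault(dr["spec"]["host"], set()).update(
            s["name"] for s in dr["spec"].get("subsets", []))
    mesh_owners = {}  # host -> names of VirtualServices bound to the mesh (sidecars)
    for vs in virtual_services:
        name, ns, spec = vs["metadata"]["name"], vs["metadata"]["namespace"], vs["spec"]
        for gw in spec.get("gateways", ["mesh"]):
            if gw == "mesh":
                for host in spec["hosts"]:
                    mesh_owners.setdefault(host, []).append(name)
                continue
            gateway = gw_by_key.get((ns, gw))  # same-namespace reference assumed
            if gateway is None:
                problems.append(f"{name}: gateway {gw} not found in namespace {ns}")
                continue
            served = [h for server in gateway["spec"]["servers"] for h in server["hosts"]]
            for host in spec["hosts"]:
                if not any(host_matches(p, host) for p in served):
                    problems.append(f"{name}: host {host} is not served by gateway {gw}")
        for route in spec.get("http", []):
            dests = route.get("route", [])
            if len(dests) > 1 and sum(d.get("weight", 0) for d in dests) == 0:
                problems.append(f"{name}: several destinations but no weights, nothing would be routed")
            for d in dests:
                host, subset = d["destination"]["host"], d["destination"].get("subset")
                if subset and subset not in subsets.get(host, set()):
                    problems.append(f"{name}: subset {subset} is not defined by a DestinationRule for {host}")
            retries = route.get("retries", {})
            if "timeout" in route and "perTryTimeout" in retries:
                budget = retries.get("attempts", 0) * parse_duration(retries["perTryTimeout"])
                if budget > parse_duration(route["timeout"]):
                    problems.append(f"{name}: {retries['attempts']} x {retries['perTryTimeout']} exceeds timeout {route['timeout']}")
    for host, owners in mesh_owners.items():
        if len(owners) > 1:
            problems.append(f"host {host}: mesh VirtualServices {owners} are not merged; only one takes effect")
    return problems


def tutorial_objects():
    """Fresh copies of the section 5/6 manifests so callers can mutate them."""
    gateway = {"metadata": {"name": "fgedu-gateway", "namespace": "default"},
               "spec": {"servers": [{"hosts": ["*.fgedu.net.cn", "fgedu.net.cn"]},
                                    {"hosts": ["*.fgedu.net.cn", "fgedu.net.cn"]}]}}
    fgedu_vs = {"metadata": {"name": "fgedu-vs", "namespace": "default"},
                "spec": {"hosts": ["www.fgedu.net.cn"], "gateways": ["fgedu-gateway"],
                         "http": [{"route": [{"destination": {"host": "api-service"}}]},
                                  {"route": [{"destination": {"host": "web-service"}}]}]}}
    canary = {"metadata": {"name": "api-canary", "namespace": "default"},
              "spec": {"hosts": ["api-service"],
                       "http": [{"route": [{"destination": {"host": "api-service", "subset": "v1"}, "weight": 90},
                                           {"destination": {"host": "api-service", "subset": "v2"}, "weight": 10}]}]}}
    timeout = {"metadata": {"name": "api-timeout", "namespace": "default"},
               "spec": {"hosts": ["api-service"],
                        "http": [{"route": [{"destination": {"host": "api-service", "subset": "v1"}}],
                                  "timeout": "10s", "retries": {"attempts": 3, "perTryTimeout": "3s"}}]}}
    dr = {"metadata": {"name": "api-service", "namespace": "default"},
          "spec": {"host": "api-service", "subsets": [{"name": n} for n in ("v1", "v2", "v3")]}}
    return copy.deepcopy(([gateway], [fgedu_vs, canary, timeout], [dr]))


if __name__ == "__main__":
    for problem in check(*tutorial_objects()):
        print(problem)
```

Run against the tutorial's objects the only finding is the duplicate mesh VirtualService for api-service; changing the fgedu-vs host, a subset name or the retry budget produces the corresponding finding, which is the kind of mistake that otherwise only shows up as a 404 or 503 after apply.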
7. Istio security configuration
Istio provides strong security features, including mutual TLS (mTLS) and authorization policies.
Step 1: configure mTLS
$ cat > peerauthentication.yaml << EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
EOF
# Apply the configuration
$ kubectl apply -f peerauthentication.yaml
Example output:
peerauthentication.security.istio.io/default created
# Check the configuration
$ kubectl get peerauthentication
Example output:
NAME      MODE     AGE
default   STRICT   10s
This policy has no selector, so it covers every workload in the default namespace; the same object placed in istio-system applies mesh-wide, and a workload-level policy with a selector overrides both. STRICT rejects plaintext connections, so any client without a sidecar (pods started before injection was enabled, external scrapers) is cut off. Roll out PERMISSIVE first, confirm in the telemetry that the traffic is already mTLS, then switch to STRICT.
Step 2: configure an authorization policy
$ cat > authorizationpolicy.yaml << EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-authz
  namespace: default
spec:
  selector:
    matchLabels:
      app: api-service
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/web-service"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
  - from:
    - source:
        namespaces: ["istio-system"]
EOF
# Apply the configuration
$ kubectl apply -f authorizationpolicy.yaml
Example output:
authorizationpolicy.security.istio.io/api-authz created
# Check the authorization policy
$ kubectl get authorizationpolicy
Example output:
NAME        AGE
api-authz   10s
The principal is the SPIFFE identity of the caller's service account, taken from its mTLS certificate; without the STRICT PeerAuthentication from step 1, plaintext callers have no principal and no source namespace, and neither rule can match them. Once this ALLOW policy selects the api-service pods, every request that matches none of its rules is denied (for example a DELETE, or a call from any other service account), and the second rule allows everything coming from istio-system, including the ingress gateway, so scope it down if the gateway should only reach /api.
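The two objects above interact in a way that is easy to get wrong: source.principals and source.namespaces come from the client's mTLS certificate and never match plaintext traffic; once any ALLOW policy selects a workload, every request it does not match is denied; and a DENY policy always wins over ALLOW. The following added example (not Istio code) reproduces that evaluation order for the tutorial's api-authz policy so it can be tested before apply. The mesh-wide deny-debug policy, the second service account and the request paths are hypothetical.

```python
"""Evaluator reproducing Istio's documented AuthorizationPolicy ordering
(added example; not Istio code). Supported: selector, action ALLOW/DENY,
source.principals, source.namespaces, operation.methods, operation.paths.
CUSTOM actions, 'when' conditions and the not* fields are out of scope."""

ROOT_NAMESPACE = "istio-system"  # policies here apply to the whole mesh


def match_one(pattern, value):
    """Istio string matching: exact, '*', 'prefix*' or '*suffix'."""
    if value is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def match_any(patterns, value):
    return any(match_one(p, value) for p in patterns)


def source_matches(source, req):
    # Fields inside one source are ANDed; values inside one list are ORed.
    if "principals" in source and not match_any(source["principals"], req["principal"]):
        return False
    if "namespaces" in source and not match_any(source["namespaces"], req["namespace"]):
        return False
    return True


def operation_matches(op, req):
    if "methods" in op and not match_any(op["methods"], req["method"]):
        return False
    if "paths" in op and not match_any(op["paths"], req["path"]):
        return False
    return True


def rule_matches(rule, req):
    froms, tos = rule.get("from", []), rule.get("to", [])
    if froms and not any(source_matches(f["source"], req) for f in froms):
        return False
    if tos and not any(operation_matches(t["operation"], req) for t in tos):
        return False
    return True  # a rule with no conditions matches every request


def policy_matches(policy, req):
    return any(rule_matches(r, req) for r in policy["spec"].get("rules", []))


def applies_to(policy, workload):
    ns = policy["metadata"]["namespace"]
    if ns not in (ROOT_NAMESPACE, workload["namespace"]):
        return False
    selector = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(workload["labels"].get(k) == v for k, v in selector.items())


def authorize(policies, workload, req):
    """Return 'ALLOW' or 'DENY' for one request against one workload."""
    if not req.get("mtls", True):
        # Without mTLS the peer identity is unknown, so principal and
        # namespace conditions can never match.
        req = {**req, "principal": None, "namespace": None}
    applicable = [p for p in policies if applies_to(p, workload)]
    denies = [p for p in applicable if p["spec"].get("action") == "DENY"]
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, req) for p in denies):
        return "DENY"   # 1. a matching DENY always wins
    if not allows:
        return "ALLOW"  # 2. no ALLOW policy selects this workload: open
    if any(policy_matches(p, req) for p in allows):
        return "ALLOW"  # 3. some ALLOW rule matched
    return "DENY"       # 4. ALLOW policies exist but none matched


# The tutorial's api-authz policy, plus a hypothetical mesh-wide DENY.
API_AUTHZ = {
    "metadata": {"name": "api-authz", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "api-service"}}, "action": "ALLOW",
             "rules": [
                 {"from": [{"source": {"principals": ["cluster.local/ns/default/sa/web-service"]}}],
                  "to": [{"operation": {"methods": ["GET", "POST"], "paths": ["/api/*"]}}]},
                 {"from": [{"source": {"namespaces": ["istio-system"]}}]}]}}
DENY_DEBUG = {  # hypothetical: block debug endpoints mesh-wide
    "metadata": {"name": "deny-debug", "namespace": ROOT_NAMESPACE},
    "spec": {"action": "DENY", "rules": [{"to": [{"operation": {"paths": ["/debug/*"]}}]}]}}
POLICIES = [API_AUTHZ, DENY_DEBUG]
API = {"namespace": "default", "labels": {"app": "api-service"}}
WEB = {"namespace": "default", "labels": {"app": "web-service"}}
WEB_SA = "cluster.local/ns/default/sa/web-service"


def request(principal, namespace, method, path, mtls=True):
    """Build one request as the server-side proxy would see it."""
    return {"principal": principal, "namespace": namespace,
            "method": method, "path": path, "mtls": mtls}
```

Worth noticing in the results: the web-service pods, which no ALLOW policy selects, stay open to anonymous callers except for the mesh-wide DENY, and the same web-service identity that is allowed to GET /api/users over mTLS is denied as soon as the connection is plaintext.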
8. Verifying and testing Istio
After installation, deploy the sample application to verify that the mesh works.
Step 1: deploy the Bookinfo sample application
$ kubectl apply -f istio-1.22.0/samples/bookinfo/platform/kube/bookinfo.yaml
Example output:
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
# Check pod status (READY 2/2 shows that the sidecar was injected next to the application container)
$ kubectl get pods
Example output:
NAME READY STATUS RESTARTS AGE
details-v1-79f774bdb9-abc12 2/2 Running 0 1m
productpage-v1-6b746f74dc-def34 2/2 Running 0 1m
ratings-v1-b6994bb9-hij56 2/2 Running 0 1m
reviews-v1-545db77b95-klm78 2/2 Running 0 1m
reviews-v2-7bf8c96465-nop90 2/2 Running 0 1m
reviews-v3-84779c7bbc-qrs12 2/2 Running 0 1m
# Check the services
$ kubectl get svc
Example output:
NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.96.0.102   <none>        9080/TCP   1m
productpage   ClusterIP   10.96.0.103   <none>        9080/TCP   1m
ratings       ClusterIP   10.96.0.104   <none>        9080/TCP   1m
reviews       ClusterIP   10.96.0.105   <none>        9080/TCP   1m
# Verify the application answers from inside the mesh
$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
Example output:
<title>Simple Bookstore App</title>
Step 2: configure the application gateway
$ kubectl apply -f istio-1.22.0/samples/bookinfo/networking/bookinfo-gateway.yaml
Example output:
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
# Get the ingress gateway address
$ kubectl get svc istio-ingressgateway -n istio-system
Example output:
NAME                   TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.96.0.100   192.168.1.100   15021:31234/TCP,80:31235/TCP,443:31236/TCP   10m
# Set environment variables (this form assumes the LoadBalancer was assigned an IP; on a cluster without a load balancer use a node IP and the NodePort instead)
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
# Test access
$ curl -I http://$GATEWAY_URL/productpage
Example output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 4184
server: istio-envoy
date: Sun, 15 Mar 2026 10:00:00 GMT
x-envoy-upstream-service-time: 15
# Check proxy sync status (every proxy should be SYNCED with istiod and on the same version)
$ istioctl proxy-status
Example output:
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
details-v1-79f774bdb9-abc12.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
istio-ingressgateway-6b9d7c8d5d-abc12.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
productpage-v1-6b746f74dc-def34.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
ratings-v1-b6994bb9-hij56.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
reviews-v1-545db77b95-klm78.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
reviews-v2-7bf8c96465-nop90.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
reviews-v3-84779c7bbc-qrs12.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-7c8d9e6f5g-hij34 1.22.0
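A practical post-install check is to confirm that every proxy is in sync with istiod and runs the control-plane version: a sidecar left on an older version keeps that version's Envoy, including any unpatched CVEs, until the pod is restarted. The following added example, not istioctl code, parses istioctl proxy-status output and flags stale proxies and version skew; the sample output embedded in it is constructed, not captured from a cluster.

```python
"""Parse 'istioctl proxy-status' output and flag proxies that are out of sync
or on a different version than the control plane (added example, not istioctl
code). SAMPLE is constructed for the demo, not captured from a real cluster."""
import re

# Known xDS column values; the multi-word ones must come first in the alternation.
XDS_STATUS = re.compile(r"STALE \(Never Acknowledged\)|NOT SENT|SYNCED|STALE|IGNORED|ERROR")
XDS_COLUMNS = ("cds", "lds", "eds", "rds", "ecds")


def parse_proxy_status(text):
    """Return one dict per proxy row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("NAME"):
            continue
        # NAME and CLUSTER come first, ISTIOD and VERSION last; the five xDS
        # columns in between may contain spaces ("NOT SENT"), so they are
        # recovered with a regex instead of a plain split.
        name, cluster, rest = line.split(None, 2)
        rest, istiod, version = rest.rsplit(None, 2)
        statuses = XDS_STATUS.findall(rest)
        if len(statuses) != len(XDS_COLUMNS):
            raise ValueError(f"cannot parse xDS columns in: {line!r}")
        row = {"name": name, "cluster": cluster, "istiod": istiod, "version": version}
        row.update(zip(XDS_COLUMNS, statuses))
        rows.append(row)
    return rows


def find_problems(rows, control_plane_version):
    """Return (proxy name, reason) pairs that a post-install check should fail on.
    NOT SENT is normal for ECDS and for RDS on TCP-only proxies, so only STALE
    and ERROR states on the core xDS resources are reported."""
    problems = []
    for row in rows:
        for col in ("cds", "lds", "eds", "rds"):
            if row[col].startswith("STALE") or row[col] == "ERROR":
                problems.append((row["name"], f"{col.upper()} {row[col]}"))
        if row["version"] != control_plane_version:
            problems.append((row["name"],
                             f"proxy version {row['version']} != istiod {control_plane_version}"))
    return problems


# Constructed sample: one healthy proxy, one stale listener, one version behind.
SAMPLE = """\
NAME                                   CLUSTER     CDS     LDS     EDS     RDS     ECDS      ISTIOD                    VERSION
details-v1-79f774bdb9-abc12.default    Kubernetes  SYNCED  SYNCED  SYNCED  SYNCED  NOT SENT  istiod-7c8d9e6f5g-hij34   1.22.0
reviews-v2-7bf8c96465-nop90.default    Kubernetes  SYNCED  STALE (Never Acknowledged)  SYNCED  SYNCED  NOT SENT  istiod-7c8d9e6f5g-hij34   1.22.0
ratings-v1-b6994bb9-hij56.default      Kubernetes  SYNCED  SYNCED  SYNCED  SYNCED  NOT SENT  istiod-7c8d9e6f5g-hij34   1.21.2
"""

if __name__ == "__main__":
    for proxy, reason in find_problems(parse_proxy_status(SAMPLE), "1.22.0"):
        print(f"{proxy}: {reason}")
```

On a live cluster, feed it the real output (istioctl proxy-status | python3 check.py, with sys.stdin.read() in place of SAMPLE) and compare against the version printed by istioctl version; a non-empty result after an upgrade means some pods still need a rolling restart.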
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reproducing it, credit the source: http://www.fgedu.net.cn/10327.html
