1. Istio Overview and Environment Planning
Istio is an open-source service mesh platform that provides traffic management, secure service-to-service communication and observability. Built on the Envoy proxy, it gives a microservice architecture a unified layer for traffic control, security policy and observability.
1.1 Istio Version Notes
Istio's current major line is 1.x; this tutorial uses Istio 1.18.0 throughout. Compared with earlier releases, the 1.18.x line improves performance, stability and feature coverage, and supports more service mesh features.
$ istioctl version
client version: 1.18.0
distributor version: 1.18.0
data plane version: 1.18.0 (10 proxies)
# Check the Kubernetes version
$ kubectl version
Client Version: v1.27.0
Server Version: v1.27.0
# Check the operating system version
$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
PRETTY_NAME="Oracle Linux Server 8.9"
# Check the kernel version
$ uname -r
5.4.17-2136.302.7.2.el8uek.x86_64
1.2 Environment Planning
The environment used for this installation is planned as follows:
master01.fgedu.net.cn (192.168.1.51) - control plane node
master02.fgedu.net.cn (192.168.1.52) - control plane node
master03.fgedu.net.cn (192.168.1.53) - control plane node
worker01.fgedu.net.cn (192.168.1.61) - worker node
worker02.fgedu.net.cn (192.168.1.62) - worker node
Istio version: 1.18.0
Kubernetes version: 1.27.0
Installation method: istioctl
Network mode: Istio CNI
Storage: NFS / Kubernetes Persistent Volume
2. Hardware Requirements
As a service mesh platform, Istio's hardware requirements depend on the number of services and the volume of traffic.
2.1 Physical Host Requirements
# Control plane node requirements
- CPU: at least 8 cores
- Memory: at least 32GB
- Disk: 120GB SSD system disk + 200GB SSD data disk
# Worker node requirements
- CPU: at least 16 cores
- Memory: at least 64GB
- Disk: 120GB SSD system disk + 500GB SSD data disk
# Check control plane node resources
# free -h
               total        used        free      shared  buff/cache   available
Mem:             32G        4.2G         26G        256M        1.8G         27G
Swap:             8G          0B          8G
# Check worker node resources
# free -h
               total        used        free      shared  buff/cache   available
Mem:             64G        8.4G         54G        512M        3.6G         55G
# Check disk space
# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       120G   20G  100G  17% /
/dev/sdb1       200G   50G  150G  25% /var/lib/containers
2.2 vSphere Virtual Host Requirements
- Control plane nodes:
  - vCPU: 8 cores
  - Memory: 32GB
  - Disk: 120GB SSD system disk + 200GB SSD data disk
  - Network: VMXNET3 NIC, 10Gbps network
- Worker nodes:
  - vCPU: 16 cores
  - Memory: 64GB
  - Disk: 120GB SSD system disk + 500GB SSD data disk
  - Network: VMXNET3 NIC, 10Gbps network
Resource pool configuration:
- CPU reservation: control plane 4GHz, worker nodes 8GHz
- Memory reservation: control plane 16GB, worker nodes 32GB
- Memory limit: control plane 32GB, worker nodes 64GB
- CPU shares: Normal
- Memory shares: Normal
2.3 Cloud Host Requirements
- Control plane nodes:
  - Instance type: ecs.g6.4xlarge or equivalent
  - vCPU: 16 cores
  - Memory: 64GB
  - System disk: 120GB SSD cloud disk
  - Data disk: 200GB SSD cloud disk
  - Network bandwidth: 10Gbps or more
- Worker nodes:
  - Instance type: ecs.g6.8xlarge or equivalent
  - vCPU: 32 cores
  - Memory: 128GB
  - System disk: 120GB SSD cloud disk
  - Data disk: 500GB SSD cloud disk
  - Network bandwidth: 10Gbps or more
Storage configuration:
- OSS object storage: for images and backups
- NAS file storage: for shared data
- Cloud disk snapshots: regular backups of cluster data
3. Operating System Preparation
Before installing Istio, the operating system needs some configuration and tuning.
3.1 Operating System Version Check
# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
PRETTY_NAME="Oracle Linux Server 8.9"
# Check the kernel version
# uname -r
5.4.17-2136.302.7.2.el8uek.x86_64
# Check SELinux status
# getenforce
Enforcing
# Check firewall status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running)
3.2 Installing Dependencies
# Install kubectl
# curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
# chmod +x kubectl
# mv kubectl /usr/local/bin/
# Install istioctl (ISTIO_VERSION pins the release so the directory below matches)
# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.18.0 sh -
# cd istio-1.18.0
# mv bin/istioctl /usr/local/bin/
# Verify the installed dependencies
# kubectl version
Client Version: v1.27.0
# istioctl version
client version: 1.18.0
3.3 Kubernetes Cluster Preparation
# kubectl cluster-info
Kubernetes control plane is running at https://master01.fgedu.net.cn:6443
CoreDNS is running at https://master01.fgedu.net.cn:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
# Check node status
# kubectl get nodes
NAME                    STATUS   ROLES                  AGE   VERSION
master01.fgedu.net.cn   Ready    control-plane,master   1h    v1.27.0
master02.fgedu.net.cn   Ready    control-plane,master   1h    v1.27.0
master03.fgedu.net.cn   Ready    control-plane,master   1h    v1.27.0
worker01.fgedu.net.cn   Ready    worker                 1h    v1.27.0
worker02.fgedu.net.cn   Ready    worker                 1h    v1.27.0
# Check cluster services
# kubectl get pods -n kube-system
4. Installing and Configuring Istio
With the environment prepared, install Istio.
4.1 Installing Istio
# istioctl install --set profile=default -y
# Sample output:
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
# Verify the installation
# istioctl verify-install
# Check the Istio components
# kubectl get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-1234567890-abcde   1/1     Running   0          10m
istiod-1234567890-abcde                 1/1     Running   0          10m
# Check the Istio version
# istioctl version
client version: 1.18.0
distributor version: 1.18.0
data plane version: 1.18.0 (2 proxies)
4.2 Configuring Istio
# vi istio-config.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 1
            memory: 1Gi
          limits:
            cpu: 2
            memory: 2Gi
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        resources:
          requests:
            cpu: 1
            memory: 1Gi
          limits:
            cpu: 2
            memory: 2Gi
# Apply the configuration
# istioctl install -f istio-config.yaml -y
# Verify the configuration
# kubectl get pods -n istio-system
4.3 Enabling Sidecar Injection
# kubectl label namespace default istio-injection=enabled
# Verify the injection label
# kubectl get namespace default -o yaml | grep istio-injection
istio-injection: enabled
# Deploy the sample application
# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
# Check the Pod status (2/2 means the application container and its sidecar are both running)
# kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-1234567890-abcde       2/2     Running   0          5m
productpage-v1-1234567890-abcde   2/2     Running   0          5m
ratings-v1-1234567890-abcde       2/2     Running   0          5m
reviews-v1-1234567890-abcde       2/2     Running   0          5m
reviews-v2-1234567890-abcde       2/2     Running   0          5m
reviews-v3-1234567890-abcde       2/2     Running   0          5m
5. Istio Configuration Tuning
To improve Istio's performance and stability, a few configuration adjustments are needed.
5.1 Resource Tuning
# vi istio-resources.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 2
            memory: 2Gi
          limits:
            cpu: 4
            memory: 4Gi
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        resources:
          requests:
            cpu: 2
            memory: 2Gi
          limits:
            cpu: 4
            memory: 4Gi
# Apply the configuration
# istioctl install -f istio-resources.yaml -y
# Verify the configuration
# kubectl get pods -n istio-system
5.2 Network Tuning
# vi istio-network.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    accessLogFile: "/dev/stdout"
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
# Apply the configuration
# istioctl install -f istio-network.yaml -y
# Verify the configuration
# kubectl get cm istio -n istio-system -o yaml
5.3 Security Tuning
# vi istio-security.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    enableAutoMtls: true
    defaultConfig:
      proxyMetadata:
        ISTIO_META_TLS_ENABLED: "true"
# Apply the configuration
# istioctl install -f istio-security.yaml -y
# Verify the configuration
# kubectl get cm istio -n istio-system -o yaml
6. Istio Service Mesh Management
This section covers basic management operations for the Istio service mesh.
6.1 Service Mesh Status
# istioctl status
# Check the Istio components
# kubectl get pods -n istio-system
# Check the Istio services
# kubectl get services -n istio-system
# Check the Istio configuration
# kubectl get cm -n istio-system
6.2 Traffic Management
# vi virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - route:
    - destination:
        host: productpage
        port:
          number: 9080
# Apply the virtual service
# kubectl apply -f virtual-service.yaml
# Create the destination rule
# vi destination-rule.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
# Apply the destination rule
# kubectl apply -f destination-rule.yaml
# Verify traffic management
# kubectl get virtualservices
# kubectl get destinationrules
6.3 Service Mesh Monitoring
# istioctl install --set addonComponents.grafana.enabled=true --set addonComponents.prometheus.enabled=true -y
# Note: the addonComponents options were removed in Istio 1.8; on 1.18.0 the bundled addons
# (Prometheus, Grafana, Kiali, Jaeger) are installed from the release directory with: kubectl apply -f samples/addons
# Check the monitoring components
# kubectl get pods -n istio-system | grep -E "prometheus|grafana"
# Access Grafana
# kubectl port-forward svc/grafana 3000:3000 -n istio-system
# Access Prometheus
# kubectl port-forward svc/prometheus 9090:9090 -n istio-system
7. Istio Security Configuration
Istio provides several security features, including mTLS, authorization policies and security contexts.
7.1 mTLS Configuration
# vi mtls.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
# Apply the mTLS configuration (this policy covers the default namespace only)
# kubectl apply -f mtls.yaml
# Verify the mTLS configuration
# kubectl get peerauthentication
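The PeerAuthentication above protects only the default namespace. As an added example (not part of the original tutorial), the following Python audit reads the output of `kubectl get namespaces -o json` and `kubectl get peerauthentication -A -o json` (constructed samples are embedded inline) and reports every injection-enabled namespace that lacks a namespace-wide or mesh-wide STRICT policy, or that carries a workload-level policy weakening mTLS; it assumes `istio-system` is the mesh's root namespace, which is Istio's default.

```python
import json
# Constructed sample output of `kubectl get namespaces -o json` (not from a real cluster).
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "default", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "payments", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "legacy", "labels": {}}},
]})
# Constructed `kubectl get peerauthentication -A -o json`: only the section 7.1 policy
# (STRICT in "default") plus a workload-level PERMISSIVE exception in "payments".
PEER_AUTH_JSON = json.dumps({"items": [
    {"metadata": {"name": "default", "namespace": "default"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "ratings-permissive", "namespace": "payments"},
     "spec": {"selector": {"matchLabels": {"app": "ratings"}},
              "mtls": {"mode": "PERMISSIVE"}}},
]})
# The same policies plus a mesh-wide STRICT policy in the root namespace.
MESHWIDE_JSON = json.dumps({"items": json.loads(PEER_AUTH_JSON)["items"] + [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
]})
ROOT_NAMESPACE = "istio-system"  # assumed: Istio's default rootNamespace

def _mode(policy):
    return policy["spec"].get("mtls", {}).get("mode")

def audit_mtls(namespaces_json, peer_auth_json):
    """Map each injection-enabled namespace to a finding (missing STRICT coverage,
    or a workload-level policy that weakens it); fully covered namespaces are absent."""
    namespaces = json.loads(namespaces_json)["items"]
    policies = json.loads(peer_auth_json)["items"]
    meshwide_strict = any(p["metadata"]["namespace"] == ROOT_NAMESPACE
                          and "selector" not in p["spec"] and _mode(p) == "STRICT"
                          for p in policies)
    findings = {}
    for ns in namespaces:
        name = ns["metadata"]["name"]
        if ns["metadata"].get("labels", {}).get("istio-injection") != "enabled":
            continue  # not in the mesh, nothing to audit
        ns_policies = [p for p in policies if p["metadata"]["namespace"] == name]
        ns_wide = [p for p in ns_policies if "selector" not in p["spec"]]
        # A namespace-wide policy overrides the mesh-wide one, whatever its mode.
        covered = any(_mode(p) == "STRICT" for p in ns_wide) if ns_wide else meshwide_strict
        if not covered:
            findings[name] = "no namespace-wide or mesh-wide STRICT PeerAuthentication"
            continue
        weak = [p["metadata"]["name"] for p in ns_policies
                if "selector" in p["spec"] and _mode(p) != "STRICT"]
        if weak:
            findings[name] = "workload-level policy weakens mTLS: " + ", ".join(weak)
    return findings
```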
7.2 Authorization Policy
# vi authorization-policy.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  rules:
  - from:
    - source:
        # "*" matches any authenticated (mTLS) identity; with the STRICT policy from 7.1,
        # requests that present no client certificate are denied
        principals: ["*"]
    to:
    - operation:
        methods: ["*"]
        paths: ["*"]
# Apply the authorization policy
# kubectl apply -f authorization-policy.yaml
# Verify the authorization policy
# kubectl get authorizationpolicy
7.3 Security Context
# vi istio-security-context.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  components:
    pilot:
      k8s:
        securityContext:
          runAsUser: 1337
          runAsGroup: 1337
          runAsNonRoot: true
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        securityContext:
          runAsUser: 1337
          runAsGroup: 1337
          runAsNonRoot: true
# Apply the configuration
# istioctl install -f istio-security-context.yaml -y
# Verify the configuration
# kubectl get pods -n istio-system
8. Istio Observability
Istio provides full observability: metrics, logging and tracing.
8.1 Monitoring Configuration
# istioctl install --set addonComponents.grafana.enabled=true --set addonComponents.prometheus.enabled=true --set addonComponents.kiali.enabled=true --set addonComponents.tracing.enabled=true -y
# Check the monitoring components
# kubectl get pods -n istio-system | grep -E "prometheus|grafana|kiali|tracing"
# Access Kiali
# kubectl port-forward svc/kiali 20001:20001 -n istio-system
# Access Jaeger
# kubectl port-forward svc/jaeger 16686:16686 -n istio-system
8.2 Logging Configuration
# vi istio-logging.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    accessLogFile: "/dev/stdout"
    accessLogEncoding: JSON
# Apply the configuration
# istioctl install -f istio-logging.yaml -y
# View the logs
# kubectl logs -n istio-system istio-ingressgateway-1234567890-abcde
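With accessLogEncoding set to JSON, the gateway log becomes machine-readable. As an added example (not from the original tutorial), this Python script summarizes constructed sample lines laid out like Istio's default JSON access-log format: it counts 403 responses (what an AuthorizationPolicy denial from section 7.2 produces) per client address, flags clients at or above a threshold, and counts 5xx responses per upstream cluster; the sample values and the threshold are assumptions.

```python
import json
from collections import Counter

def _rec(code, client, cluster, path="/productpage"):
    """Build one constructed log line in Istio's default JSON access-log layout;
    only the fields the analyzer reads are filled in."""
    return json.dumps({"method": "GET", "path": path, "response_code": code,
                       "response_flags": "-", "downstream_remote_address": client,
                       "upstream_cluster": "outbound|9080||%s.default.svc.cluster.local" % cluster})

# Constructed sample: one normal request, four authorization denials (403), one upstream
# failure (503) and a non-JSON line to show the parser skipping it.
SAMPLE_LOG = "\n".join([
    _rec(200, "10.0.0.5:51234", "productpage"),
    _rec(403, "10.0.0.9:40001", "ratings", "/ratings/0"),
    _rec(403, "10.0.0.9:40002", "ratings", "/ratings/1"),
    _rec(403, "10.0.0.9:40003", "reviews", "/reviews/0"),
    _rec(403, "10.0.0.5:51235", "ratings", "/ratings/0"),
    _rec(503, "10.0.0.5:51236", "reviews", "/reviews/0"),
    "[constructed noise] not a JSON line",
])

def analyze_access_log(text, deny_threshold=3):
    """Summarize JSON access-log lines: 403 denials per client IP, clients with at
    least deny_threshold denials, and 5xx responses per upstream cluster."""
    denied, errors = Counter(), Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # istio-proxy startup output or other non-JSON noise
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        code = int(rec.get("response_code") or 0)  # numeric in JSON logs; strings tolerated
        client = str(rec.get("downstream_remote_address", "")).rsplit(":", 1)[0]  # drop port
        if code == 403:
            denied[client] += 1
        elif 500 <= code < 600:
            errors[rec.get("upstream_cluster", "-")] += 1
    return {
        "denied_by_client": dict(denied),
        "suspicious_clients": sorted(c for c, n in denied.items() if n >= deny_threshold),
        "errors_by_cluster": dict(errors),
    }
```

Pipe the real log in with `kubectl logs -n istio-system <gateway pod> | python3 -c 'import sys; ...'` or read it from a file; the threshold is deliberately low for the sample.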
8.3 Tracing Configuration
# vi istio-tracing.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    enableTracing: true
    defaultConfig:
      tracing:
        sampling: 100.0
        zipkin:
          address: jaeger-collector.istio-system:9411
# Apply the configuration
# istioctl install -f istio-tracing.yaml -y
# Verify the tracing configuration
# kubectl get svc jaeger-collector -n istio-system
9. Istio Performance Tuning
In production, Istio needs performance tuning so that the service mesh runs efficiently.
9.1 Resource Tuning
# vi istio-performance.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 4
            memory: 4Gi
          limits:
            cpu: 8
            memory: 8Gi
    ingressGateways:
    - name: istio-ingressgateway
      k8s:
        resources:
          requests:
            cpu: 4
            memory: 4Gi
          limits:
            cpu: 8
            memory: 8Gi
# Apply the configuration
# istioctl install -f istio-performance.yaml -y
# Verify the configuration
# kubectl get pods -n istio-system
9.2 Network Tuning
# vi istio-network-performance.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_CONNECT_TIMEOUT: "10s"
        ISTIO_META_READ_TIMEOUT: "30s"
        ISTIO_META_WRITE_TIMEOUT: "30s"
# Apply the configuration
# istioctl install -f istio-network-performance.yaml -y
# Verify the configuration
# kubectl get cm istio -n istio-system -o yaml
9.3 Proxy Tuning
# vi istio-proxy.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  profile: default
  # Sidecar resource requests and limits are set through the global proxy values,
  # which the sidecar injector applies to every injected pod
  values:
    global:
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 512Mi
# Apply the configuration
# istioctl install -f istio-proxy.yaml -y
# Verify the configuration
# kubectl get cm istio -n istio-system -o yaml
10. Upgrading and Migrating Istio
This section covers upgrading Istio to a new version and migrating its configuration.
10.1 Upgrading Istio
# Back up the current configuration
# kubectl get cm -n istio-system -o yaml > /backup/istio-config-$(date +%Y%m%d).yaml
# Download the new Istio release (ISTIO_VERSION pins it to the directory used below)
# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.18.1 sh -
# Upgrade Istio using the new release's istioctl
# cd istio-1.18.1
# mv bin/istioctl /usr/local/bin/
# istioctl upgrade -f istio-config.yaml
# Verify the upgrade
# istioctl version
client version: 1.18.1
distributor version: 1.18.1
data plane version: 1.18.1 (10 proxies)
# Check the Istio components
# kubectl get pods -n istio-system
10.2 Migrating the Istio Configuration
# Export the configuration from the old cluster
# kubectl get all -n istio-system -o yaml > /backup/istio-all-$(date +%Y%m%d).yaml
# Import the configuration on the new cluster
# kubectl apply -f /backup/istio-all-20240405.yaml
# Verify the configuration
# kubectl get pods -n istio-system
11. Backing Up and Restoring Istio
This section covers how to back up and restore Istio.
11.1 Backing Up Istio
# Back up the Istio configuration, secrets and services
# kubectl get cm -n istio-system -o yaml > /backup/istio-config-$(date +%Y%m%d).yaml
# kubectl get secrets -n istio-system -o yaml > /backup/istio-secrets-$(date +%Y%m%d).yaml
# Note: the secrets dump contains the mesh CA signing key (istio-ca-secret); keep it off shared storage and restrict its file permissions
# kubectl get services -n istio-system -o yaml > /backup/istio-services-$(date +%Y%m%d).yaml
# Back up all Istio resources
# kubectl get all -n istio-system -o yaml > /backup/istio-all-$(date +%Y%m%d).yaml
# Verify the backup
# ls -la /backup/
11.2 Restoring Istio
# kubectl delete namespace istio-system
# Restore the Istio configuration (the namespace itself is not part of the backup, so recreate it first)
# kubectl create namespace istio-system
# kubectl apply -f /backup/istio-all-20240405.yaml
# Verify the restore
# kubectl get pods -n istio-system
# istioctl version
11.3 Istio Monitoring Script
# vi /data/istio/scripts/istio_monitor.sh
#!/bin/bash
LOG_FILE="/var/log/istio_monitor.log"
ALERT_EMAIL="admin@fgedu.net.cn"
check_istio_status() {
  echo "$(date): Checking istio status..." >> "$LOG_FILE"
  # --no-headers keeps the header row out of the counts
  pods=$(kubectl get pods -n istio-system --no-headers | wc -l)
  running_pods=$(kubectl get pods -n istio-system --no-headers | grep -c Running)
  echo "$(date): Total pods: $pods, Running pods: $running_pods" >> "$LOG_FILE"
  if [ "$pods" -ne "$running_pods" ]; then
    echo "$(date): Not all istio pods are running" >> "$LOG_FILE"
    echo "Not all istio pods are running: $running_pods/$pods" | mail -s "Istio Alert" "$ALERT_EMAIL"
  fi
}
check_service_mesh() {
  echo "$(date): Checking service mesh..." >> "$LOG_FILE"
  # the services listing has no STATUS column, so filtering on STATUS would count the header row
  services=$(kubectl get services --no-headers | wc -l)
  echo "$(date): Total services: $services" >> "$LOG_FILE"
  if [ "$services" -eq 0 ]; then
    echo "$(date): No services found" >> "$LOG_FILE"
    echo "No services found in service mesh" | mail -s "Istio Alert" "$ALERT_EMAIL"
  fi
}
check_gateway() {
  echo "$(date): Checking gateway..." >> "$LOG_FILE"
  # the fully qualified resource name avoids a clash with the Kubernetes Gateway API "gateways" kind
  gateway=$(kubectl get gateways.networking.istio.io -n istio-system --no-headers 2>/dev/null | wc -l)
  echo "$(date): Total gateways: $gateway" >> "$LOG_FILE"
  if [ "$gateway" -eq 0 ]; then
    echo "$(date): No gateways found" >> "$LOG_FILE"
    echo "No gateways found in service mesh" | mail -s "Istio Alert" "$ALERT_EMAIL"
  fi
}
main() {
  check_istio_status
  check_service_mesh
  check_gateway
}
main
# Make the script executable
# chmod +x /data/istio/scripts/istio_monitor.sh
# Add a cron job
# crontab -e
*/15 * * * * /data/istio/scripts/istio_monitor.sh
With the steps above, the installation, configuration, performance tuning, upgrade and migration, and backup and restore of Istio are complete. As a service mesh platform, Istio manages and controls service-to-service communication efficiently and is an important building block of a microservice architecture.
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
