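1. Linkerd Overview and Environment Planning
Linkerd is an open-source service mesh platform that provides traffic management, secure service-to-service communication, and observability. Built on a lightweight proxy written in Rust, Linkerd gives microservice architectures low-latency, highly reliable service-to-service communication.
1.1 Linkerd Versions
The current major release line of Linkerd is 2.x; this tutorial uses Linkerd 2.14.0 as its example. Compared with earlier versions, Linkerd 2.x brings significant improvements in performance, stability, and functionality, and supports more service mesh features.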
$ linkerd version
Client version: stable-2.14.0
Server version: stable-2.14.0
# Check the Kubernetes version
$ kubectl version
Client Version: v1.27.0
Server Version: v1.27.0
# Check the OS version
$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
PRETTY_NAME="Oracle Linux Server 8.9"
# Check the kernel version
$ uname -r
5.4.17-2136.302.7.2.el8uek.x86_64
1.2 Environment Planning
The environment for this installation is planned as follows:
master01.fgedu.net.cn (192.168.1.51) - control plane node
master02.fgedu.net.cn (192.168.1.52) - control plane node
master03.fgedu.net.cn (192.168.1.53) - control plane node
worker01.fgedu.net.cn (192.168.1.61) - worker node
worker02.fgedu.net.cn (192.168.1.62) - worker node
Linkerd version: 2.14.0
Kubernetes version: 1.27.0
Installation method: linkerd CLI
Network mode: Linkerd CNI
Storage: NFS/Kubernetes Persistent Volume
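2. Hardware Requirements
As a service mesh platform, Linkerd has relatively low hardware resource requirements and is suitable for resource-constrained environments.
2.1 Physical Host Requirements
# Control plane node requirements
- CPU: at least 4 cores
- Memory: at least 16GB
- Disk: 120GB SSD system disk + 200GB SSD data disk
# Worker node requirements
- CPU: at least 8 cores
- Memory: at least 32GB
- Disk: 120GB SSD system disk + 500GB SSD data disk
# Check control plane node resources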
# free -h
total used free shared buff/cache available
Mem: 16G 4.2G 10G 256M 1.8G 11G
Swap: 8G 0B 8G
# Check worker node resources
# free -h
total used free shared buff/cache available
Mem: 32G 8.4G 22G 512M 3.6G 23G
# Check disk space
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 120G 20G 100G 17% /
/dev/sdb1 200G 50G 150G 25% /var/lib/containers
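2.2 vSphere Virtual Host Requirements
- Control plane nodes:
  - vCPU: 4 cores
  - Memory: 16GB
  - Disk: 120GB SSD system disk + 200GB SSD data disk
  - Network: VMXNET3 NIC, 10Gbps network
- Worker nodes:
  - vCPU: 8 cores
  - Memory: 32GB
  - Disk: 120GB SSD system disk + 500GB SSD data disk
  - Network: VMXNET3 NIC, 10Gbps network
Resource pool configuration:
- CPU reservation: 2GHz for control plane nodes, 4GHz for worker nodes
- Memory reservation: 8GB for control plane nodes, 16GB for worker nodes
- Memory limit: 16GB for control plane nodes, 32GB for worker nodes
- CPU shares: Normal
- Memory shares: Normal
2.3 Cloud Platform Host Requirements
- Control plane nodes:
  - Instance type: ecs.g6.2xlarge or equivalent
  - vCPU: 8 cores
  - Memory: 32GB
  - System disk: SSD cloud disk, 120GB
  - Data disk: SSD cloud disk, 200GB
  - Network bandwidth: 10Gbps or higher
- Worker nodes:
  - Instance type: ecs.g6.4xlarge or equivalent
  - vCPU: 16 cores
  - Memory: 64GB
  - System disk: SSD cloud disk, 120GB
  - Data disk: SSD cloud disk, 500GB
  - Network bandwidth: 10Gbps or higher
Storage configuration:
- OSS object storage: for storing images and backups
- NAS file storage: for shared data
- Cloud disk snapshots: regular backups of cluster data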
3. Operating System Preparation
Before installing Linkerd, the operating system needs some configuration and tuning.
3.1 Operating System Version Check
# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
PRETTY_NAME="Oracle Linux Server 8.9"
# Check the kernel version
# uname -r
5.4.17-2136.302.7.2.el8uek.x86_64
# Check SELinux status
# getenforce
Enforcing
# Check firewall status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running)
3.2 Installing Dependencies
# curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
# chmod +x kubectl
# mv kubectl /usr/local/bin/
# Install the linkerd CLI
# curl -sL https://run.linkerd.io/install | sh
# export PATH=$PATH:$HOME/.linkerd2/bin
# Verify the installed dependencies
# kubectl version
Client Version: v1.27.0
# linkerd version
Client version: stable-2.14.0
3.3 Kubernetes Cluster Preparation
# kubectl cluster-info
Kubernetes control plane is running at https://master01.fgedu.net.cn:6443
CoreDNS is running at https://master01.fgedu.net.cn:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
# Check node status
# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master01.fgedu.net.cn Ready control-plane,master 1h v1.27.0
master02.fgedu.net.cn Ready control-plane,master 1h v1.27.0
master03.fgedu.net.cn Ready control-plane,master 1h v1.27.0
worker01.fgedu.net.cn Ready worker 1h v1.27.0
worker02.fgedu.net.cn Ready worker 1h v1.27.0
# Check cluster services
# kubectl get pods -n kube-system
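4. Installing and Configuring Linkerd
With the environment prepared, begin installing Linkerd.
4.1 Installing Linkerd
# linkerd check --pre
# Install the Linkerd CRDs (required before the control plane since Linkerd 2.12)
# linkerd install --crds | kubectl apply -f -
# Install Linkerd
# linkerd install | kubectl apply -f -
# Sample output: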
namespace/linkerd created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-identity created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-identity created
serviceaccount/linkerd-identity created
customresourcedefinition.apiextensions.k8s.io/identities.linkerd.io created
customresourcedefinition.apiextensions.k8s.io/trustanchors.linkerd.io created
secret/linkerd-identity-issuer created
deployment.apps/linkerd-identity created
service/linkerd-identity created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-controller created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-controller created
serviceaccount/linkerd-controller created
customresourcedefinition.apiextensions.k8s.io/serviceprofiles.linkerd.io created
customresourcedefinition.apiextensions.k8s.io/trafficsplits.split.smi-spec.io created
configmap/linkerd-config created
deployment.apps/linkerd-controller created
service/linkerd-controller-api created
service/linkerd-destination created
deployment.apps/linkerd-destination created
service/linkerd-proxy-injector created
deployment.apps/linkerd-proxy-injector created
# Verify the installation
# linkerd check
# Check Linkerd components
# kubectl get pods -n linkerd
NAME READY STATUS RESTARTS AGE
linkerd-controller-1234567890-abcde 3/3 Running 0 10m
linkerd-destination-1234567890-abcde 3/3 Running 0 10m
linkerd-identity-1234567890-abcde 2/2 Running 0 10m
linkerd-proxy-injector-1234567890-abcde 2/2 Running 0 10m
# Check the Linkerd version
# linkerd version
Client version: stable-2.14.0
Server version: stable-2.14.0
4.2 Installing Linkerd Viz
# linkerd viz install | kubectl apply -f -
# Check Viz components
# kubectl get pods -n linkerd-viz
NAME READY STATUS RESTARTS AGE
linkerd-viz-1234567890-abcde 3/3 Running 0 5m
linkerd-prometheus-1234567890-abcde 2/2 Running 0 5m
linkerd-grafana-1234567890-abcde 2/2 Running 0 5m
linkerd-web-1234567890-abcde 2/2 Running 0 5m
# Access the Viz dashboard
# linkerd viz dashboard
4.3 Enabling Sidecar Injection
# kubectl annotate namespace default linkerd.io/inject=enabled
# Verify the injection configuration
# kubectl get namespace default -o yaml | grep linkerd.io/inject
linkerd.io/inject: enabled
# Deploy the sample application
# kubectl apply -f https://raw.githubusercontent.com/linkerd/linkerd2/main/examples/emojivoto/emojivoto.yaml
# Check Pod status
# kubectl get pods
NAME READY STATUS RESTARTS AGE
emoji-1234567890-abcde 2/2 Running 0 5m
vote-bot-1234567890-abcde 2/2 Running 0 5m
voting-1234567890-abcde 2/2 Running 0 5m
web-1234567890-abcde 2/2 Running 0 5m
5. Linkerd Configuration Tuning
To improve Linkerd's performance and stability, some configuration tuning is needed.
5.1 Resource Configuration
# vi linkerd-resources.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  identity:
    replicas: 3
  controller:
    replicas: 3
    resources:
      requests:
        cpu: 1
        memory: 1Gi
      limits:
        cpu: 2
        memory: 2Gi
  proxy:
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi
# Apply the configuration
# linkerd install -f linkerd-resources.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get pods -n linkerd
5.2 Network Configuration
# vi linkerd-network.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  proxy:
    logLevel: info
    inboundPort: 4143
    outboundPort: 4140
    portScheme: default
# Apply the configuration
# linkerd install -f linkerd-network.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get cm linkerd-config -n linkerd -o yaml
5.3 Security Configuration
# vi linkerd-security.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  identity:
    issuer:
      scheme: kubernetes.io/tls
  policy:
    enabled: true
# Apply the configuration
# linkerd install -f linkerd-security.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get cm linkerd-config -n linkerd -o yaml
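6. Linkerd Service Mesh Management
This section covers basic management operations for the Linkerd service mesh.
6.1 Service Mesh Status Management
# linkerd check
# View Linkerd components
# kubectl get pods -n linkerd
# View Linkerd services
# kubectl get services -n linkerd
# View Linkerd configuration
# kubectl get cm -n linkerd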
6.2 Traffic Management
# vi service-profile.yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: emojivoto.emoji.svc.cluster.local
  namespace: default
spec:
  routes:
  - name: get-emojis
    condition:
      method: GET
      pathRegex: /emojis
    isRetryable: true
# Apply the service profile
# kubectl apply -f service-profile.yaml
# View service profiles
# kubectl get serviceprofiles
# Create a traffic split
# vi traffic-split.yaml
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: voting-split
  namespace: default
spec:
  service: voting-svc
  backends:
  - service: voting-v1
    weight: 50
  - service: voting-v2
    weight: 50
# Apply the traffic split
# kubectl apply -f traffic-split.yaml
# View traffic splits
# kubectl get trafficsplits
6.3 Service Mesh Monitoring
# linkerd viz stat deploy
# View service-to-service communication
# linkerd viz edges deploy
# View Pod status
# linkerd viz stat pod
# Access the Viz dashboard
# linkerd viz dashboard
7. Linkerd Security Configuration
Linkerd provides several security features, including mTLS, authorization policies, and security contexts.
7.1 mTLS Configuration
# linkerd viz authz
# Configure the mTLS policy
# vi mtls-policy.yaml
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: emoji-server
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: emoji
  port: 8080
  proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: emoji-authz
  namespace: default
spec:
  server:
    name: emoji-server
  client:
    # Only the meshed (mTLS-authenticated) web ServiceAccount may connect
    meshTLS:
      serviceAccounts:
      - name: web
        namespace: default
# Apply the mTLS policy
# kubectl apply -f mtls-policy.yaml
# Verify the mTLS configuration
# kubectl get servers
# kubectl get serverauthorizations
7.2 Authorization Policy
# vi authorization-policy.yaml
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: default-authz
  namespace: default
spec:
  server:
    name: default-server
  client:
    # "*" admits every client that presents a mesh (mTLS) identity
    meshTLS:
      identities:
      - "*"
# Apply the authorization policy
# kubectl apply -f authorization-policy.yaml
# Verify the authorization policy
# kubectl get serverauthorizations
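An added example, not part of the original tutorial: a read-only audit that flags overly broad rules such as the `*` wildcard rule in 7.2. It assumes the policies exist as Linkerd ServerAuthorization resources (policy.linkerd.io/v1beta1) exported with `kubectl get serverauthorizations -A -o json`; the sample objects, the `probe-allow` and `legacy-open` names, and the severity labels are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get serverauthorizations -A -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "emoji-authz"},
     "spec": {"server": {"name": "emoji-server"},
              "client": {"meshTLS": {"serviceAccounts": [{"name": "web"}]}}}},
    {"metadata": {"namespace": "default", "name": "default-authz"},
     "spec": {"server": {"name": "default-server"},
              "client": {"meshTLS": {"identities": ["*"]}}}},
    {"metadata": {"namespace": "default", "name": "probe-allow"},
     "spec": {"server": {"name": "emoji-server"},
              "client": {"unauthenticated": True,
                         "networks": [{"cidr": "10.0.0.0/8"}]}}},
    {"metadata": {"namespace": "default", "name": "legacy-open"},
     "spec": {"server": {"name": "legacy-server"},
              "client": {"unauthenticated": True}}},
]})

ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # assumed severity scale


def audit(doc):
    """Return sorted (severity, 'namespace/name', reason) for each broad rule."""
    findings = []
    for item in json.loads(doc).get("items", []):
        meta = item.get("metadata", {})
        ref = "{}/{}".format(meta.get("namespace", "?"), meta.get("name", "?"))
        client = (item.get("spec") or {}).get("client") or {}
        mesh = client.get("meshTLS") or {}
        cidrs = [n.get("cidr", "?") for n in client.get("networks") or []]
        if client.get("unauthenticated") and cidrs:
            findings.append(("MEDIUM", ref, "no mTLS required from " + ", ".join(cidrs)))
        elif client.get("unauthenticated"):
            findings.append(("HIGH", ref, "no mTLS required, no network restriction"))
        if mesh.get("unauthenticatedTLS"):
            findings.append(("HIGH", ref, "TLS accepted without a mesh identity"))
        for ident in mesh.get("identities") or []:
            if ident == "*":
                findings.append(("MEDIUM", ref, "every meshed identity is allowed"))
            elif ident.startswith("*."):
                findings.append(("LOW", ref, "identity suffix wildcard " + ident))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


if __name__ == "__main__":
    # Real use: export the JSON to a file and pass its path as the first argument.
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for severity, ref, reason in audit(doc):
        print(f"{severity:6} {ref}: {reason}")
```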
7.3 Security Context
# vi linkerd-security-context.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  proxy:
    securityContext:
      runAsUser: 2102
      runAsGroup: 2102
      runAsNonRoot: true
# Apply the configuration
# linkerd install -f linkerd-security-context.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get pods -n linkerd
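8. Linkerd Observability
Linkerd provides full observability features, including monitoring, logging, and tracing.
8.1 Monitoring Configuration
# linkerd viz install | kubectl apply -f -
# View monitoring components
# kubectl get pods -n linkerd-viz
# Access the Viz dashboard
# linkerd viz dashboard
# View service mesh status
# linkerd viz stat deploy
# View service-to-service communication
# linkerd viz edges deploy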
8.2 Logging Configuration
# vi linkerd-logging.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  proxy:
    logLevel: info
# Apply the configuration
# linkerd install -f linkerd-logging.yaml | kubectl apply -f -
# View logs
# kubectl logs -n linkerd linkerd-controller-1234567890-abcde
8.3 Tracing Configuration
# linkerd jaeger install | kubectl apply -f -
# View Jaeger components
# kubectl get pods -n linkerd-jaeger
# Access Jaeger
# linkerd jaeger dashboard
# Configure the tracing sampling rate
# vi linkerd-tracing.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  tracing:
    enabled: true
    sampling: 1.0
# Apply the configuration
# linkerd install -f linkerd-tracing.yaml | kubectl apply -f -
# Verify the tracing configuration
# kubectl get cm linkerd-config -n linkerd -o yaml
9. Linkerd Performance Tuning
In production, Linkerd needs performance tuning to improve the efficiency of the service mesh.
9.1 Resource Configuration Tuning
# vi linkerd-performance.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  controller:
    replicas: 3
    resources:
      requests:
        cpu: 2
        memory: 2Gi
      limits:
        cpu: 4
        memory: 4Gi
  proxy:
    resources:
      requests:
        cpu: 200m
        memory: 256Mi
      limits:
        cpu: 1000m
        memory: 1Gi
# Apply the configuration
# linkerd install -f linkerd-performance.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get pods -n linkerd
9.2 Network Tuning
# vi linkerd-network-performance.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  proxy:
    inboundPort: 4143
    outboundPort: 4140
    portScheme: default
    logLevel: warn
# Apply the configuration
# linkerd install -f linkerd-network-performance.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get cm linkerd-config -n linkerd -o yaml
9.3 Proxy Tuning
# vi linkerd-proxy.yaml
apiVersion: install.linkerd.io/v1beta1
kind: LinkerdInstall
metadata:
  name: linkerd
  namespace: linkerd
spec:
  proxy:
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi
    logLevel: warn
# Apply the configuration
# linkerd install -f linkerd-proxy.yaml | kubectl apply -f -
# Verify the configuration
# kubectl get cm linkerd-config -n linkerd -o yaml
10. Linkerd Upgrade and Migration
This section covers version upgrades and data migration for Linkerd.
10.1 Upgrading Linkerd
# kubectl get cm -n linkerd -o yaml > /backup/linkerd-config-$(date +%Y%m%d).yaml
# Upgrade Linkerd
# linkerd upgrade | kubectl apply -f -
# Verify the upgrade
# linkerd version
Client version: stable-2.14.1
Server version: stable-2.14.1
# Check Linkerd components
# kubectl get pods -n linkerd
10.2 Migrating Linkerd Configuration
# kubectl get all -n linkerd -o yaml > /backup/linkerd-all-$(date +%Y%m%d).yaml
# Import the configuration on the new cluster
# kubectl apply -f /backup/linkerd-all-20240405.yaml
# Verify the configuration
# kubectl get pods -n linkerd
11. Linkerd Backup and Restore
This section covers backup and restore methods for Linkerd.
11.1 Linkerd Backup
# kubectl get cm -n linkerd -o yaml > /backup/linkerd-config-$(date +%Y%m%d).yaml
# kubectl get secrets -n linkerd -o yaml > /backup/linkerd-secrets-$(date +%Y%m%d).yaml
# kubectl get services -n linkerd -o yaml > /backup/linkerd-services-$(date +%Y%m%d).yaml
# Back up Linkerd resources
# kubectl get all -n linkerd -o yaml > /backup/linkerd-all-$(date +%Y%m%d).yaml
# Verify the backup
# ls -la /backup/
11.2 Linkerd Restore
# kubectl delete namespace linkerd
# Restore the Linkerd configuration
# kubectl apply -f /backup/linkerd-all-20240405.yaml
# Verify the restore
# kubectl get pods -n linkerd
# linkerd version
11.3 Linkerd Monitoring Script
# vi /data/linkerd/scripts/linkerd_monitor.sh
#!/bin/bash
# Linkerd health check: logs to LOG_FILE and mails ALERT_EMAIL on failure
LOG_FILE="/var/log/linkerd_monitor.log"
ALERT_EMAIL="admin@fgedu.net.cn"
check_linkerd_status() {
    echo "$(date): Checking linkerd status..." >> "$LOG_FILE"
    # --no-headers keeps the column header row out of the counts
    pods=$(kubectl get pods -n linkerd --no-headers | wc -l)
    running_pods=$(kubectl get pods -n linkerd --no-headers | grep Running | wc -l)
    echo "$(date): Total pods: $pods, Running pods: $running_pods" >> "$LOG_FILE"
    if [ "$pods" -ne "$running_pods" ]; then
        echo "$(date): Not all linkerd pods are running" >> "$LOG_FILE"
        echo "Not all linkerd pods are running: $running_pods/$pods" | mail -s "Linkerd Alert" "$ALERT_EMAIL"
    fi
}
check_service_mesh() {
    echo "$(date): Checking service mesh..." >> "$LOG_FILE"
    # The services header has no STATUS column, so drop it with --no-headers
    services=$(kubectl get services --no-headers | wc -l)
    echo "$(date): Total services: $services" >> "$LOG_FILE"
    if [ "$services" -eq 0 ]; then
        echo "$(date): No services found" >> "$LOG_FILE"
        echo "No services found in service mesh" | mail -s "Linkerd Alert" "$ALERT_EMAIL"
    fi
}
check_viz() {
    echo "$(date): Checking viz..." >> "$LOG_FILE"
    viz_pods=$(kubectl get pods -n linkerd-viz --no-headers 2>/dev/null | wc -l)
    echo "$(date): Total viz pods: $viz_pods" >> "$LOG_FILE"
    if [ "$viz_pods" -eq 0 ]; then
        echo "$(date): No viz pods found" >> "$LOG_FILE"
        echo "No viz pods found in service mesh" | mail -s "Linkerd Alert" "$ALERT_EMAIL"
    fi
}
main() {
    check_linkerd_status
    check_service_mesh
    check_viz
}
main
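# Make the script executable
# chmod +x /data/linkerd/scripts/linkerd_monitor.sh
# Add a cron job
# crontab -e
*/15 * * * * /data/linkerd/scripts/linkerd_monitor.sh
With the steps above, Linkerd installation and configuration, performance tuning, upgrade and migration, and backup and restore are all complete. As a lightweight service mesh platform, Linkerd manages and controls service-to-service communication efficiently and is an ideal choice for microservice architectures.
This article was compiled and published by 风哥教程 for learning and testing purposes only. When reposting, cite the source: http://www.fgedu.net.cn/10327.html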
