内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
本文档介绍Kubernetes服务网格Istio实战案例。
风哥提示:
Part01-Istio安装部署
1.1 安装Istio
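# Pin the release instead of taking whatever istio.io/downloadIstio resolves to today,
# so the bundle matches the 1.20 sample manifests used later on this page.
# NOTE(security): `curl | sh` executes an unverified remote script as root. For anything
# beyond a lab, download istio-1.20.0-linux-amd64.tar.gz together with its .sha256 from the
# GitHub release page, run `sha256sum -c` on it, and unpack it yourself.
[root@k8s-master ~]# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.20.0 TARGET_ARCH=x86_64 sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4700  100  4700    0     0   5000      0 --:--:-- --:--:-- --:--:--  5000
Downloading istio-1.20.0 from https://github.com/istio/istio/releases/download/1.20.0/istio-1.20.0-linux-amd64.tar.gz ...
istio-1.20.0/linux-amd64/LICENSE
istio-1.20.0/linux-amd64/README.md
...
Downloaded istio-1.20.0.
[root@k8s-master ~]# cd istio-1.20.0
[root@k8s-master istio-1.20.0]# export PATH=$PWD/bin:$PATH
# Install Istio. `demo` is an evaluation profile (both gateways, 100% trace sampling,
# minimal resource requests) and is not a production baseline; start from `default` and
# add only the gateways you need. `istioctl x precheck` is a cheap sanity check to run first.
[root@k8s-master istio-1.20.0]# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
# Verify the control plane and gateways came up (`istioctl verify-install` gives a
# resource-by-resource check if anything looks off).
[root@k8s-master ~]# kubectl get pods -n istio-system
NAME                                READY   STATUS    RESTARTS   AGE
istio-egressgateway-abc12-xyz789    1/1     Running   0          2m
istio-ingressgateway-abc12-xyz789   1/1     Running   0          2m
istiod-abc12-xyz789                 1/1     Running   0          2m
# Enable automatic sidecar injection for the namespace (assumes fgedu-prod already exists).
# Injection happens at pod creation: pods already running here will not get a sidecar
# until restarted, and the STRICT mTLS policy applied later on this page will cut them off.
[root@k8s-master ~]# kubectl label namespace fgedu-prod istio-injection=enabled
namespace/fgedu-prod labeled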
Part02-流量管理
2.1 配置VirtualService
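# Two versions of the workload plus one Service that fronts both. The Service port is
# named `http` so Istio treats the traffic as HTTP without relying on protocol sniffing;
# the L7 AuthorizationPolicy (paths/methods) later on this page depends on that.
# Images are referenced by mutable tag; pin by digest (`nginx@sha256:...`) for anything
# beyond a lab so a canary compares two known artifacts.
[root@k8s-master ~]# cat > fgedu-istio-app.yaml << 'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fgedu-app-v1
  namespace: fgedu-prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: fgedu-app
      version: v1
  template:
    metadata:
      labels:
        app: fgedu-app
        version: v1
    spec:
      containers:
        - name: app
          image: nginx:1.25
          ports:
            - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fgedu-app-v2
  namespace: fgedu-prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fgedu-app
      version: v2
  template:
    metadata:
      labels:
        app: fgedu-app
        version: v2
    spec:
      containers:
        - name: app
          image: nginx:1.26
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: fgedu-app
  namespace: fgedu-prod
spec:
  ports:
    # Named port: explicit HTTP protocol selection for the sidecars.
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: fgedu-app
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-istio-app.yaml
deployment.apps/fgedu-app-v1 created
deployment.apps/fgedu-app-v2 created
service/fgedu-app created
# DestinationRule: define the v1/v2 subsets by the `version` label.
[root@k8s-master ~]# cat > fgedu-destination-rule.yaml << 'EOF'
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: fgedu-app
  namespace: fgedu-prod
spec:
  host: fgedu-app
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-destination-rule.yaml
destinationrule.networking.istio.io/fgedu-app created
# Canary: 90% of in-mesh traffic to v1, 10% to v2. No `gateways:` is listed, so this
# VirtualService applies to sidecar (mesh-internal) traffic only, not to the ingress gateway.
[root@k8s-master ~]# cat > fgedu-virtual-service.yaml << 'EOF'
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fgedu-app
  namespace: fgedu-prod
spec:
  hosts:
    - fgedu-app
  http:
    - route:
        - destination:
            host: fgedu-app
            subset: v1
          weight: 90
        - destination:
            host: fgedu-app
            subset: v2
          weight: 10
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-virtual-service.yaml
virtualservice.networking.istio.io/fgedu-app created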
Part03-可观测性
3.1 配置监控
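# Observability addons. These are the *sample* manifests that ship with the release: as
# shipped they carry no authentication (anonymous Kiali/Grafana access) and are not meant
# for production. Do not expose them through a Gateway or LoadBalancer; reach them through
# `istioctl dashboard` (a localhost port-forward) or put your own auth in front.
# Apply the copies from the downloaded, version-matched bundle instead of fetching the
# moving `release-1.20` branch over the network at apply time.
[root@k8s-master ~]# kubectl apply -f istio-1.20.0/samples/addons/kiali.yaml
deployment.apps/kiali created
service/kiali created
configmap/kiali created
# Prometheus
[root@k8s-master ~]# kubectl apply -f istio-1.20.0/samples/addons/prometheus.yaml
deployment.apps/prometheus created
service/prometheus created
configmap/prometheus created
# Grafana
[root@k8s-master ~]# kubectl apply -f istio-1.20.0/samples/addons/grafana.yaml
deployment.apps/grafana created
service/grafana created
configmap/istio-grafana-dashboards created
# Jaeger
[root@k8s-master ~]# kubectl apply -f istio-1.20.0/samples/addons/jaeger.yaml
deployment.apps/jaeger created
service/jaeger created
# Check that the addons joined the control-plane namespace.
[root@k8s-master ~]# kubectl get pods -n istio-system
NAME                                READY   STATUS    RESTARTS   AGE
grafana-abc12-xyz789                1/1     Running   0          2m
istio-egressgateway-abc12-xyz789    1/1     Running   0          10m
istio-ingressgateway-abc12-xyz789   1/1     Running   0          10m
istiod-abc12-xyz789                 1/1     Running   0          10m
jaeger-abc12-xyz789                 1/1     Running   0          1m
kiali-abc12-xyz789                  1/1     Running   0          3m
prometheus-abc12-xyz789             1/1     Running   0          2m
# Open the Kiali dashboard via a local port-forward (bound to localhost only).
[root@k8s-master ~]# istioctl dashboard kiali
http://localhost:20001/kiali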
Part04-安全策略
4.1 配置mTLS
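# Namespace-wide STRICT mTLS: every sidecar in fgedu-prod rejects plaintext. Pods without a
# sidecar (created before the injection label) can no longer be reached. A mesh-wide
# default (same spec, name `default`, in istio-system) is the usual baseline; this
# namespace policy then only narrows it.
[root@k8s-master ~]# cat > fgedu-peer-authentication.yaml << 'EOF'
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: fgedu-prod
spec:
  mtls:
    mode: STRICT
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-peer-authentication.yaml
peerauthentication.security.istio.io/default created
# Authorization. `deny-all` (an ALLOW policy with no rules) makes denial the default for
# every workload in the namespace, so a workload that matches no policy is not left open.
# The fgedu-app policy then allows exactly one caller: the ingress gateway's identity,
# GET/POST on /api/*. Everything else - including in-mesh callers, and requests to `/`,
# which is what the nginx image on this page actually serves - is denied. Nothing on this
# page binds fgedu-app to the ingress gateway (no Gateway resource, no `gateways:` on the
# VirtualService), so adjust principals/paths to the real callers before relying on this.
[root@k8s-master ~]# cat > fgedu-auth-policy.yaml << 'EOF'
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: fgedu-prod
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: fgedu-app-policy
  namespace: fgedu-prod
spec:
  selector:
    matchLabels:
      app: fgedu-app
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-auth-policy.yaml
authorizationpolicy.security.istio.io/deny-all created
authorizationpolicy.security.istio.io/fgedu-app-policy created
# Rate limiting via EnvoyFilter (served only as networking.istio.io/v1alpha3). This wires
# the filter into the inbound HTTP chain, before the router as in the Istio rate-limit
# task; it still needs (a) a rate limit service reachable as the `rate_limit_service`
# cluster, which is not defined on this page, and (b) `rate_limits` actions on the route
# to build descriptors - without both, no request is ever limited.
# `failure_mode_deny: true` fails closed when the RLS is unreachable; Envoy's default is
# to fail open, which silently removes the limit exactly when it is under pressure.
[root@k8s-master ~]# cat > fgedu-rate-limit.yaml << 'EOF'
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: fgedu-ratelimit
  namespace: fgedu-prod
spec:
  workloadSelector:
    labels:
      app: fgedu-app
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            domain: fgedu-ratelimit
            failure_mode_deny: true
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_service
              transport_api_version: V3
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-rate-limit.yaml
envoyfilter.networking.istio.io/fgedu-ratelimit created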
- 使用自动注入简化Sidecar管理
- 配置流量管理实现灰度发布
- 启用mTLS增强服务安全
- 配置可观测性组件监控服务
- 使用授权策略控制服务访问
