Kubernetes Tutorial FG075: Configuring and Using the Kubernetes Service Mesh (Istio)
Summary
This article covers how to configure and use a service mesh (Istio) in Kubernetes. Following the service mesh material in the official Kubernetes documentation and combining it with hands-on production scenarios, the Feng Ge tutorial walks through installing and configuring Istio and applying best practices.
Outline
Part 01: Core Concepts and Theory
1.1 Service Mesh Overview
A service mesh is a dedicated infrastructure layer for managing service-to-service communication. It provides:
- Traffic management: control the traffic and API calls between services
- Service discovery: discover services automatically and manage service registration
- Load balancing: distribute traffic across multiple instances of a service
- Circuit breaking: stop sending requests to a service automatically when it becomes unavailable
- Retries: retry requests automatically when they fail
- Timeout management: set request timeouts
- Secure communication: provide TLS encryption between services
- Monitoring and tracing: monitor service performance and trace request paths
1.2 Istio Architecture
The Istio architecture consists of:
- Data plane:
  - Envoy: a lightweight proxy deployed as a sidecar
  - Handles service-to-service communication, traffic management, security, and more
- Control plane:
  - Istiod: configuration management, service discovery, certificate management, and more
  - Pilot: traffic management and service discovery
  - Galley: configuration validation
  - Citadel: security and certificate management
  (Since Istio 1.5, Pilot, Galley and Citadel run as components inside the single Istiod binary rather than as separate deployments.)
Part 02: Production Planning and Recommendations
2.1 Service Mesh Deployment Strategy
- Deployment modes:
  - Sidecar mode: deploy an Envoy proxy in every Pod
  - Gateway mode: deploy a Gateway at the cluster boundary
- Deployment scope:
  - Cluster-wide: enable the mesh for every service
  - Selective: enable the mesh only for specific services
- Performance considerations:
  - Resource usage: each sidecar consumes roughly 10-20m CPU and 100-200MB of memory
  - Network latency: the proxy adds roughly 1-5ms of latency
2.2 Istio Configuration Recommendations
- Resources:
  - Set reasonable resource requests and limits for Istiod
  - Set reasonable resource requests and limits for the Envoy sidecars
- Networking:
  - Make sure the cluster network allows Pod-to-Pod communication
  - Configure appropriate network policies
- Security:
  - Enable mTLS encryption
  - Configure appropriate authorization policies
Part 03: Production Implementation Plan
3.1 Installing Istio
Install Istio as follows.
Download Istio
# Download Istio
[root@fgedu-master ~]# curl -L https://istio.io/downloadIstio | sh -
Downloading istio-1.16.0 from https://github.com/istio/istio/releases/download/1.16.0/istio-1.16.0-linux-amd64.tar.gz ...
Istio 1.16.0 Download Complete!
Istio has been successfully downloaded into the istio-1.16.0 folder on your system.
Next steps:
- Add the istioctl client to your path with: export PATH=$PATH:$(pwd)/istio-1.16.0/bin
- For more information, visit https://istio.io/docs/setup/install/
Install Istio
# Enter the Istio directory
[root@fgedu-master ~]# cd istio-1.16.0
# Add istioctl to PATH
[root@fgedu-master istio-1.16.0]# export PATH=$PATH:$(pwd)/bin
# Install Istio with the default profile
[root@fgedu-master istio-1.16.0]# istioctl install --set profile=default -y
Detected that your cluster does not support third party JWT authentication.
Falling back to less secure first party JWT.
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Note: the two warning lines mean the API server is not issuing projected (third-party) service account tokens, so Istio falls back to the long-lived first-party tokens stored in secrets, which carry no expiry or audience binding. For production clusters, enable service account token projection on kube-apiserver (the --service-account-signing-key-file, --service-account-issuer and --api-audiences flags) before installing, so that the warning does not appear.
Verify the installation
# List the Istio components
[root@fgedu-master ~]# kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-6f8598c89b-2k8x9 1/1 Running 0 5m
istio-ingressgateway-78d6878595-5k9x8 1/1 Running 0 5m
istiod-7f9f85b84d-9k8x9 1/1 Running 0 5m
3.2 Configuring the Service Mesh
Configure the mesh as follows.
Enable automatic sidecar injection
# Enable automatic injection for the namespace
[root@fgedu-master ~]# kubectl label namespace default istio-injection=enabled
namespace/default labeled
Deploy the application
# Deploy the Bookinfo sample application shipped with the Istio release
[root@fgedu-master ~]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
Check the Pod status
# Check the Pod status (READY 2/2 shows that the Envoy sidecar was injected next to the application container)
[root@fgedu-master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-558b8b4b76-2k8x9 2/2 Running 0 10m
productpage-v1-668bc79964-5k9x8 2/2 Running 0 10m
ratings-v1-7c5c9f596c-9k8x9 2/2 Running 0 10m
reviews-v1-6b8b945955-2k8x9 2/2 Running 0 10m
reviews-v2-558b8b4b76-5k9x8 2/2 Running 0 10m
reviews-v3-7c5c9f596c-2k8x9 2/2 Running 0 10m
3.3 Traffic Management
Configure traffic management as follows.
Create a VirtualService
# Create a VirtualService that splits reviews traffic 50/50 between subsets v1 and v2
[root@fgedu-master ~]# cat > virtualservice.yaml << EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 50
    - destination:
        host: reviews
        subset: v2
      weight: 50
EOF
# Apply the VirtualService
[root@fgedu-master ~]# kubectl apply -f virtualservice.yaml
Create a DestinationRule
# Create a DestinationRule that defines the subsets by the version label of the Pods
[root@fgedu-master ~]# cat > destinationrule.yaml << EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
EOF
# Apply the DestinationRule
[root@fgedu-master ~]# kubectl apply -f destinationrule.yaml
Test the traffic split
# Send ten requests and print which reviewer answered each one
[root@fgedu-master ~]# for i in {1..10}; do curl -s http://productpage.fgedu.net.cn/reviews | grep -o "Reviewer[0-9]" | head -1; done
Reviewer1
Reviewer2
Reviewer1
Reviewer2
Reviewer1
Reviewer2
Reviewer1
Reviewer2
Reviewer1
Reviewer2
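A traffic split only works when the VirtualService weights add up and every subset it names is defined by a DestinationRule for the same host; the following checker, an added example that is not part of the tutorial, runs those two checks over the JSON that `kubectl get virtualservices,destinationrules -A -o json` returns (the sample objects are constructed inline, hosts are compared as written, and the second VirtualService is deliberately broken in the way the canary configuration in 4.2 would be if its DestinationRule were missing).

```python
import json

# Constructed sample in the shape of `kubectl get virtualservices,destinationrules -A -o json`.
# It mirrors the reviews objects above and adds a deliberately broken canary VirtualService
# (weights 90+20, subset v2 referenced but never defined) of the kind Section 5.2 lists.
SAMPLE = json.loads("""
{"items": [
 {"kind": "VirtualService", "metadata": {"name": "reviews", "namespace": "default"},
  "spec": {"hosts": ["reviews"], "http": [{"route": [
    {"destination": {"host": "reviews", "subset": "v1"}, "weight": 50},
    {"destination": {"host": "reviews", "subset": "v2"}, "weight": 50}]}]}},
 {"kind": "DestinationRule", "metadata": {"name": "reviews", "namespace": "default"},
  "spec": {"host": "reviews", "subsets": [{"name": "v1"}, {"name": "v2"}, {"name": "v3"}]}},
 {"kind": "VirtualService", "metadata": {"name": "user-service", "namespace": "fgedu-microservices"},
  "spec": {"hosts": ["user-service"], "http": [{"route": [
    {"destination": {"host": "user-service", "subset": "v1"}, "weight": 90},
    {"destination": {"host": "user-service", "subset": "v2"}, "weight": 20}]}]}},
 {"kind": "DestinationRule", "metadata": {"name": "user-service", "namespace": "fgedu-microservices"},
  "spec": {"host": "user-service", "subsets": [{"name": "v1"}]}}
]}
""")

def defined_subsets(items):
    """Map (namespace, host) -> subset names declared by DestinationRules."""
    subsets = {}
    for obj in items:
        if obj["kind"] == "DestinationRule":
            key = (obj["metadata"]["namespace"], obj["spec"]["host"])
            subsets.setdefault(key, set()).update(s["name"] for s in obj["spec"].get("subsets", []))
    return subsets

def check_routing(items):
    """Return one problem string per VirtualService route defect that breaks a canary split:
    weights not summing to 100, or a destination subset that no DestinationRule for that
    host in the same namespace defines (traffic for that subset cannot be routed)."""
    subsets, problems = defined_subsets(items), []
    for obj in items:
        if obj["kind"] != "VirtualService":
            continue
        ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        for i, rule in enumerate(obj["spec"].get("http", [])):
            routes = rule.get("route", [])
            # A route with a single destination may omit weight; Istio treats it as 100.
            total = sum(r.get("weight", 100 if len(routes) == 1 else 0) for r in routes)
            if total != 100:
                problems.append(f"{ns}/{name} http[{i}]: weights sum to {total}, not 100")
            for r in routes:
                host, subset = r["destination"]["host"], r["destination"].get("subset")
                if subset and subset not in subsets.get((ns, host), set()):
                    problems.append(f"{ns}/{name} http[{i}]: subset '{subset}' of host '{host}' "
                                    "is not defined by any DestinationRule")
    return problems
```

Run it against the live cluster by piping the kubectl output into `json.load` in place of the constructed sample; an empty result means the routing objects are consistent.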
Part 04: Production Cases and Hands-on Walkthrough
4.1 Enterprise Service Mesh Deployment
An enterprise needs to deploy a service mesh to manage service-to-service communication in its microservice architecture.
Case background
- Number of microservices: 10
- Cluster size: 5 nodes
- Business requirements:
  - Traffic management: canary (gray) releases
  - Secure communication: TLS encryption between services
  - Monitoring and tracing: monitor service performance and trace request paths
  - Fault handling: circuit breaking and retries
Deployment plan
# 1. Install Istio
# Download Istio
curl -L https://istio.io/downloadIstio | sh -
# Enter the Istio directory
cd istio-1.16.0
# Add istioctl to PATH
export PATH=$PATH:$(pwd)/bin
# Install Istio
istioctl install --set profile=default -y
# 2. Configure the service mesh
# Enable automatic injection for the namespace (create the namespace first if it does not exist yet)
kubectl create namespace fgedu-production
kubectl label namespace fgedu-production istio-injection=enabled
# 3. Deploy the applications
# Deploy the user service
cat > user-service.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-service
  namespace: fgedu-production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: user-service
  template:
    metadata:
      labels:
        app: user-service
        version: v1
    spec:
      containers:
      - name: user-service
        image: fgedu/user-service:v1.0
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: user-service
  namespace: fgedu-production
spec:
  selector:
    app: user-service
  ports:
  - port: 80
    targetPort: 8080
  type: ClusterIP
EOF
kubectl apply -f user-service.yaml
# Deploy the order service
cat > order-service.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: order-service
  namespace: fgedu-production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: order-service
  template:
    metadata:
      labels:
        app: order-service
        version: v1
    spec:
      containers:
      - name: order-service
        image: fgedu/order-service:v1.0
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: order-service
  namespace: fgedu-production
spec:
  selector:
    app: order-service
  ports:
  - port: 80
    targetPort: 8080
  type: ClusterIP
EOF
kubectl apply -f order-service.yaml
# 4. Configure traffic management
# Create a VirtualService (all traffic to v1 until the canary starts)
cat > virtualservice.yaml << EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: user-service
  namespace: fgedu-production
spec:
  hosts:
  - user-service
  http:
  - route:
    - destination:
        host: user-service
        subset: v1
      weight: 100
EOF
kubectl apply -f virtualservice.yaml
# Create a DestinationRule defining the v1 and v2 subsets
cat > destinationrule.yaml << EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: user-service
  namespace: fgedu-production
spec:
  host: user-service
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
EOF
kubectl apply -f destinationrule.yaml
# 5. Configure security
# Enable mTLS: STRICT mode makes every sidecar in the namespace reject plaintext connections
cat > peerauthentication.yaml << EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: fgedu-production
spec:
  mtls:
    mode: STRICT
EOF
kubectl apply -f peerauthentication.yaml
# 6. Configure monitoring
# Deploy Prometheus and Grafana from the addon manifests shipped in the Istio release directory
# (the addonComponents options of istioctl install were removed in Istio 1.8, so they are not available on 1.16)
kubectl apply -f samples/addons/prometheus.yaml
kubectl apply -f samples/addons/grafana.yaml
# 7. Verify the deployment
kubectl get pods -n fgedu-production
kubectl get services -n fgedu-production
kubectl get virtualservices -n fgedu-production
kubectl get destinationrules -n fgedu-production
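Step 5 applies STRICT mTLS to one namespace, but the mode a workload actually gets depends on the whole PeerAuthentication hierarchy (workload selector policy, then the selector-less namespace policy, then the mesh-wide policy in the root namespace, then Istio's built-in PERMISSIVE). The resolver below is an added example, not tutorial code, that works this out from the JSON of `kubectl get peerauthentication -A -o json` and lists the namespaces that still accept plaintext; the sample objects are constructed inline and the root namespace is assumed to be Istio's default, istio-system.

```python
import json

# Constructed sample in the shape of `kubectl get peerauthentication -A -o json`: the mesh-wide
# default from the root namespace, the STRICT namespace policy from step 5 above, a namespace
# that was left PERMISSIVE, and a workload-scoped exception. Not taken from the tutorial.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "default", "namespace": "istio-system"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"name": "default", "namespace": "fgedu-production"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"metadata": {"name": "default", "namespace": "fgedu-microservices"},
  "spec": {"mtls": {"mode": "PERMISSIVE"}}},
 {"metadata": {"name": "legacy-only", "namespace": "fgedu-production"},
  "spec": {"selector": {"matchLabels": {"app": "legacy"}}, "mtls": {"mode": "DISABLE"}}}
]}
""")

ROOT_NAMESPACE = "istio-system"  # assumed mesh root namespace (Istio's default)

def effective_modes(items, namespaces):
    """Resolve the namespace-wide mTLS mode for each namespace the way Istio does:
    a selector-less policy in the namespace wins, otherwise the selector-less policy in the
    root namespace (mesh-wide), otherwise the built-in PERMISSIVE. Policies with a workload
    selector are returned separately since they override the namespace mode for matched pods."""
    ns_mode, mesh_mode, workload_policies = {}, "PERMISSIVE", []
    for pa in items:
        ns, name, spec = pa["metadata"]["namespace"], pa["metadata"]["name"], pa["spec"]
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if spec.get("selector"):
            workload_policies.append((ns, name, mode))
        elif mode == "UNSET":
            continue  # UNSET inherits from the parent level, so it defines nothing
        elif ns == ROOT_NAMESPACE:
            mesh_mode = mode
        else:
            ns_mode[ns] = mode
    return {ns: ns_mode.get(ns, mesh_mode) for ns in namespaces}, workload_policies

def non_strict_namespaces(items, namespaces):
    """Namespaces whose effective mode still accepts plaintext (anything but STRICT)."""
    modes, _ = effective_modes(items, namespaces)
    return sorted(ns for ns, mode in modes.items() if mode != "STRICT")
```

Feed it the list of injection-enabled namespaces from `kubectl get namespaces -l istio-injection=enabled`; any namespace it returns, and any workload policy in DISABLE or PERMISSIVE mode, is a gap in the "TLS between services" requirement.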
4.2 Service Mesh in Practice for a Microservice Architecture
An enterprise running a microservice architecture needs a service mesh to manage service-to-service communication.
Case background
- Number of microservices: 5
- Technology stack: Spring Boot
- Business requirements:
  - Canary release: shift traffic to the new version gradually
  - Service protection: circuit breaking and rate limiting
  - Observability: monitor service performance and trace request paths
Deployment plan
# 1. Install Istio
[root@fgedu-master ~]# istioctl install --set profile=default -y
# 2. Enable automatic injection for the namespace (create the namespace first if it does not exist yet)
[root@fgedu-master ~]# kubectl create namespace fgedu-microservices
[root@fgedu-master ~]# kubectl label namespace fgedu-microservices istio-injection=enabled
# 3. Deploy the microservices
[root@fgedu-master ~]# cat > microservices.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-service
  namespace: fgedu-microservices
spec:
  replicas: 3
  selector:
    matchLabels:
      app: user-service
  template:
    metadata:
      labels:
        app: user-service
        version: v1
    spec:
      containers:
      - name: user-service
        image: fgedu/user-service:v1.0
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: user-service
  namespace: fgedu-microservices
spec:
  selector:
    app: user-service
  ports:
  - port: 80
    targetPort: 8080
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: order-service
  namespace: fgedu-microservices
spec:
  replicas: 3
  selector:
    matchLabels:
      app: order-service
  template:
    metadata:
      labels:
        app: order-service
        version: v1
    spec:
      containers:
      - name: order-service
        image: fgedu/order-service:v1.0
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: order-service
  namespace: fgedu-microservices
spec:
  selector:
    app: order-service
  ports:
  - port: 80
    targetPort: 8080
  type: ClusterIP
EOF
# Apply the microservice manifests
[root@fgedu-master ~]# kubectl apply -f microservices.yaml
# 4. Configure the canary release (90% of traffic to v1, 10% to v2)
# Note: the subsets v1 and v2 referenced here must also be defined by a DestinationRule for
# user-service in fgedu-microservices (like the user-service rule in 4.1); otherwise the v2 share has no target.
[root@fgedu-master ~]# cat > virtualservice-gray.yaml << EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: user-service
  namespace: fgedu-microservices
spec:
  hosts:
  - user-service
  http:
  - route:
    - destination:
        host: user-service
        subset: v1
      weight: 90
    - destination:
        host: user-service
        subset: v2
      weight: 10
EOF
# Apply the VirtualService
[root@fgedu-master ~]# kubectl apply -f virtualservice-gray.yaml
# 5. Configure circuit breaking
# connectionPool caps the load one client may place on order-service; outlierDetection ejects an
# instance for 30s after 5 consecutive 5xx responses within a 5s scan interval
[root@fgedu-master ~]# cat > destinationrule-circuit.yaml << EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: order-service
  namespace: fgedu-microservices
spec:
  host: order-service
  subsets:
  - name: v1
    labels:
      version: v1
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 5s
      baseEjectionTime: 30s
EOF
# Apply the DestinationRule
[root@fgedu-master ~]# kubectl apply -f destinationrule-circuit.yaml
# 6. Verify the deployment
[root@fgedu-master ~]# kubectl get pods -n fgedu-microservices
[root@fgedu-master ~]# kubectl get services -n fgedu-microservices
[root@fgedu-master ~]# kubectl get virtualservices -n fgedu-microservices
[root@fgedu-master ~]# kubectl get destinationrules -n fgedu-microservices
Part 05: Feng Ge's Experience and Takeaways
5.1 Istio Best Practices
- Start small: deploy Istio in a test environment or a small slice of production first
- Size resources properly: set reasonable resource requests and limits for the Istio components and the Envoy sidecars
- Use automatic injection: enable it per namespace to simplify deployment
- Configure traffic management: use VirtualService and DestinationRule objects to manage traffic
- Enable the security features: turn on mTLS encryption and authorization policies
- Monitor and trace: deploy Prometheus and Grafana to watch service performance
- Handle faults: configure circuit breaking, retries and timeouts
- Canary releases: use Istio to roll out new versions gradually
- Update regularly: keep Istio current to pick up new features and security patches
- Document everything: keep a detailed record of the Istio configuration and how it is used
5.2 Common Problems and Solutions
Problem | Cause | Solution
Service communication fails | Blocked by a network policy | Configure an appropriate network policy
Performance degrades | Envoy has too few resources | Raise the Envoy resource limits
Automatic injection fails | Wrong namespace label | Check the namespace label
Configuration conflict | Conflicting VirtualService definitions | Review the VirtualService configuration
Security policy error | mTLS configured incorrectly | Check the mTLS configuration
Monitoring data missing | Prometheus misconfigured | Check the Prometheus configuration
Canary release fails | Wrong weight configuration | Check the route weights
Circuit breaker trips | Connection pool sized incorrectly | Adjust the connection pool settings
This article was compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
