
Getting started example

This topic describes how to quickly deploy an application in Ambient Mesh mode and then protect it with L4 and L7 authorization policies and L7 routing rules.

Prerequisites

  • A Kubernetes cluster that meets the following conditions has been created. For more information, see Limits.

    • Network plug-in: starting with ASM 1.21, both the Terway and Flannel network plug-ins are supported, and kube-proxy may run in either iptables or IPVS mode. The IPvlan mode of Terway and NetworkPolicy are also supported.

    • Operating system: Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 are supported.

    • To use Ambient Mesh mode in an ACK Serverless cluster, an edge cluster, or a registered cluster, submit a ticket to obtain technical support.

  • An ASM instance with Ambient Mesh mode enabled has been created.

    In the Data plane mode section of the Create Service Mesh page, select Enable Ambient Mesh mode and configure the remaining settings as needed. For details, see Create an ASM instance.

  • The ACK cluster has been added to the ASM instance. For details, see Add a cluster to an ASM instance.

  • An ingress gateway has been created. For details, see Create an ingress gateway.

  • The istioctl debugging tool for your operating system and platform has been downloaded. For details, see Istio.

Important

In this topic you may need to switch the Kubernetes context repeatedly between the data-plane cluster and the control-plane (ASM instance) kubeconfig. To avoid applying a resource to the wrong cluster, confirm the current context every time you switch. You can use kubectx to simplify switching; see kubectx. Alternatively, enable Access Istio resources through the data-plane cluster's Kubernetes API and operate the control plane directly through the data-plane cluster's API server.
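The context confusion that the note above warns about is easy to guard against in a script. The following helper is an added example, not part of the ASM documentation or product: it refuses to apply a manifest unless the active context is the one expected for that manifest, and pins the context on the kubectl command itself. The context names "ack-data" (data-plane ACK cluster) and "asm-control" (ASM control plane) are assumptions; substitute the names from your own kubeconfig.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation or the ASM product:
# a guard that refuses to run kubectl against the wrong cluster.
# The context names "ack-data" (data-plane ACK cluster) and "asm-control"
# (ASM control plane) are assumptions; use the names in your own kubeconfig.

# check_context <expected> [<actual>]
# Returns 0 when the active kubectl context equals <expected>, 1 otherwise.
# <actual> is normally read from kubectl; it can be passed explicitly so the
# check can be exercised without a cluster.
check_context() {
  expected="$1"
  actual="${2:-$(kubectl config current-context 2>/dev/null)}"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "refusing to continue: current context is '$actual', expected '$expected'" >&2
  return 1
}

# apply_in_context <context> <manifest>
# Applies a manifest only after the context check passes, and pins the
# context on the kubectl command itself so that a `kubectl config use-context`
# run in another shell in the meantime cannot redirect the apply.
apply_in_context() {
  check_context "$1" || return 1
  kubectl --context "$1" apply -f "$2"
}

# Intended use for the steps in this topic (requires cluster access, so it is
# not executed here):
#   apply_in_context ack-data    bookinfo.yaml           # sample app: data plane
#   apply_in_context asm-control bookinfo-gateway.yaml   # Gateway/VirtualService: control plane
#   apply_in_context asm-control productpage-viewer.yaml # AuthorizationPolicy: control plane
```

Passing `--context` explicitly on every command is the stronger habit; the interactive check exists for the commands in this topic that rely on the active context.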

Step 1: Deploy the sample application

This topic uses bookinfo as the sample application. For more information, see Deploy an application in a cluster added to an ASM instance.

Deploy the sample application in the ACK cluster

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the target instance. In the left-side navigation pane, choose Mesh Instance > Global Namespace.

  3. On the Global Namespace page, in the Data plane mode column, click Switch to Ambient Mesh mode for the default namespace, then click OK in the confirmation dialog.

  4. Deploy the Bookinfo application.

    1. Create a file named bookinfo.yaml with the following content.


      apiVersion: v1
      kind: Service
      metadata:
        name: details
        labels:
          app: details
          service: details
      spec:
        ports:
        - port: 9080
          name: http
        selector:
          app: details
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: bookinfo-details
        labels:
          account: details
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: details-v1
        labels:
          app: details
          version: v1
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: details
            version: v1
        template:
          metadata:
            labels:
              app: details
              version: v1
          spec:
            serviceAccountName: bookinfo-details
            containers:
            - name: details
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/examples-bookinfo-details-v1:1.19.1
              imagePullPolicy: IfNotPresent
              ports:
              - containerPort: 9080
      ---
      ##################################################################################################
      # Ratings service
      ##################################################################################################
      apiVersion: v1
      kind: Service
      metadata:
        name: ratings
        labels:
          app: ratings
          service: ratings
      spec:
        ports:
        - port: 9080
          name: http
        selector:
          app: ratings
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: bookinfo-ratings
        labels:
          account: ratings
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: ratings-v1
        labels:
          app: ratings
          version: v1
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: ratings
            version: v1
        template:
          metadata:
            labels:
              app: ratings
              version: v1
          spec:
            serviceAccountName: bookinfo-ratings
            containers:
            - name: ratings
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/examples-bookinfo-ratings-v1:1.19.1
              imagePullPolicy: IfNotPresent
              ports:
              - containerPort: 9080
      ---
      ##################################################################################################
      # Reviews service
      ##################################################################################################
      apiVersion: v1
      kind: Service
      metadata:
        name: reviews
        labels:
          app: reviews
          service: reviews
      spec:
        ports:
        - port: 9080
          name: http
        selector:
          app: reviews
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: bookinfo-reviews
        labels:
          account: reviews
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: reviews-v1
        labels:
          app: reviews
          version: v1
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: reviews
            version: v1
        template:
          metadata:
            labels:
              app: reviews
              version: v1
          spec:
            serviceAccountName: bookinfo-reviews
            containers:
            - name: reviews
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/examples-bookinfo-reviews-v1:1.19.1
              imagePullPolicy: IfNotPresent
              env:
              - name: LOG_DIR
                value: "/tmp/logs"
              ports:
              - containerPort: 9080
              volumeMounts:
              - name: tmp
                mountPath: /tmp
              - name: wlp-output
                mountPath: /opt/ibm/wlp/output
            volumes:
            - name: wlp-output
              emptyDir: {}
            - name: tmp
              emptyDir: {}
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: reviews-v2
        labels:
          app: reviews
          version: v2
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: reviews
            version: v2
        template:
          metadata:
            labels:
              app: reviews
              version: v2
          spec:
            serviceAccountName: bookinfo-reviews
            containers:
            - name: reviews
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/examples-bookinfo-reviews-v2:1.19.1
              imagePullPolicy: IfNotPresent
              env:
              - name: LOG_DIR
                value: "/tmp/logs"
              ports:
              - containerPort: 9080
              volumeMounts:
              - name: tmp
                mountPath: /tmp
              - name: wlp-output
                mountPath: /opt/ibm/wlp/output
            volumes:
            - name: wlp-output
              emptyDir: {}
            - name: tmp
              emptyDir: {}
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: reviews-v3
        labels:
          app: reviews
          version: v3
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: reviews
            version: v3
        template:
          metadata:
            labels:
              app: reviews
              version: v3
          spec:
            serviceAccountName: bookinfo-reviews
            containers:
            - name: reviews
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/examples-bookinfo-reviews-v3:1.19.1
              imagePullPolicy: IfNotPresent
              env:
              - name: LOG_DIR
                value: "/tmp/logs"
              ports:
              - containerPort: 9080
              volumeMounts:
              - name: tmp
                mountPath: /tmp
              - name: wlp-output
                mountPath: /opt/ibm/wlp/output
            volumes:
            - name: wlp-output
              emptyDir: {}
            - name: tmp
              emptyDir: {}
      ---
      ##################################################################################################
      # Productpage services
      ##################################################################################################
      apiVersion: v1
      kind: Service
      metadata:
        name: productpage
        labels:
          app: productpage
          service: productpage
      spec:
        ports:
        - port: 9080
          name: http
        selector:
          app: productpage
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: bookinfo-productpage
        labels:
          account: productpage
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: productpage-v1
        labels:
          app: productpage
          version: v1
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: productpage
            version: v1
        template:
          metadata:
            annotations:
              prometheus.io/scrape: "true"
              prometheus.io/port: "9080"
              prometheus.io/path: "/metrics"
            labels:
              app: productpage
              version: v1
          spec:
            serviceAccountName: bookinfo-productpage
            containers:
            - name: productpage
              image: registry-cn-hangzhou.ack.aliyuncs.com/acs/examples-bookinfo-productpage-v1:1.19.1
              imagePullPolicy: IfNotPresent
              ports:
              - containerPort: 9080
              volumeMounts:
              - name: tmp
                mountPath: /tmp
            volumes:
            - name: tmp
              emptyDir: {}
      ---
    2. Run the following command in the data-plane cluster to deploy the sample application in the default namespace.

      kubectl apply -f bookinfo.yaml
  5. Deploy the sleep application. It acts as an authorized client in the authorization steps below.

    1. Create a file named sleep.yaml with the following content.


      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: sleep
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: sleep
        labels:
          app: sleep
          service: sleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: sleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: sleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: sleep
        template:
          metadata:
            labels:
              app: sleep
          spec:
            terminationGracePeriodSeconds: 0
            serviceAccountName: sleep
            containers:
            - name: sleep
              image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/curl:asm-sleep
              command: ["/bin/sleep", "infinity"]
              imagePullPolicy: IfNotPresent
              volumeMounts:
              - mountPath: /etc/sleep/tls
                name: secret-volume
            volumes:
            - name: secret-volume
              secret:
                secretName: sleep-secret
                optional: true
      ---

    2. Run the following command in the data-plane cluster to deploy the sleep application in the default namespace.

      kubectl apply -f sleep.yaml
  6. Deploy the notsleep application. It uses a different service account and acts as the unauthorized client in the authorization steps below; its anti-affinity rule prefers a node other than the one running productpage so that the traffic crosses nodes.

    1. Create a file named notsleep.yaml with the following content.


      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: notsleep
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: notsleep
        labels:
          app: notsleep
          service: notsleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: notsleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: notsleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: notsleep
        template:
          metadata:
            labels:
              app: notsleep
          spec:
            affinity:
              podAntiAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  podAffinityTerm:
                    labelSelector:
                      matchExpressions:
                      - key: app
                        operator: In
                        values:
                        - productpage
                    topologyKey: kubernetes.io/hostname 
            terminationGracePeriodSeconds: 0
            serviceAccountName: notsleep
            containers:
            - name: notsleep
              image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/curl:asm-sleep
              command: ["/bin/sleep", "3650d"]
              imagePullPolicy: IfNotPresent
              volumeMounts:
              - mountPath: /etc/sleep/tls
                name: secret-volume
            volumes:
            - name: secret-volume
              secret:
                secretName: notsleep-secret
                optional: true
      ---
      
    2. Run the following command in the data-plane cluster to deploy the notsleep application in the default namespace.

      kubectl apply -f notsleep.yaml

Deploy mesh resources in the ASM instance

  1. Create a file named bookinfo-gateway.yaml with the following content.

    The file creates a Gateway object (the gateway rule) and a VirtualService object. The Gateway binds to the ingress gateway with the istio: ingressgateway label and listens on HTTP port 80 for any host; the VirtualService exposes only the listed productpage paths through it.


    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: bookinfo
    spec:
      hosts:
      - "*"
      gateways:
      - bookinfo-gateway
      http:
      - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
        route:
        - destination:
            host: productpage
            port:
              number: 9080
    
  2. In the kubeconfig context of the ASM instance, run the following command to deploy the mesh resources.

    kubectl apply -f bookinfo-gateway.yaml

Verify basic functionality

  1. Run the following commands to set the environment variables for the ingress gateway. GATEWAY_SERVICE_ACCOUNT is the identity the gateway presents inside the mesh; it is the principal that the authorization policies below allow.

    export GATEWAY_HOST=istio-ingressgateway.istio-system
    export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/istio-ingressgateway
  2. Test whether the bookinfo application works both through the gateway and by direct service access.

    1. Run the following command from the sleep pod through the gateway:

      kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    2. Run the following command from the sleep pod directly against the productpage service:

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    3. Run the following command from the notsleep pod directly against the productpage service:

      kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>

      These results show that, before any authorization policy is applied, the bookinfo application is reachable both through the gateway and directly, from either client.

Step 2: Enable authorization policies

After the application is added to Ambient Mesh, you can use L4 authorization policies to protect access to it, for example by controlling access to a service based on the identity of the client workload. These policies are enforced by the per-node ztunnel proxy, which works at L4: it can match on the source identity, namespace, IP address and port, but not on HTTP attributes such as the method or path. Rules on HTTP attributes require a waypoint proxy, which is covered in the L7 section below.

L4 authorization policy

  1. Create a file named productpage-viewer.yaml with the following content.

    The file defines an authorization policy that explicitly allows the sleep application and the ingress gateway service account to call the productpage service. Because the action is ALLOW, any source that matches no rule, such as notsleep, is denied.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
     name: productpage-viewer
     namespace: default
    spec:
     selector:
       matchLabels:
         app: productpage
     action: ALLOW
     rules:
     - from:
       - source:
           principals:
           - cluster.local/ns/default/sa/sleep
           - cluster.local/ns/istio-system/sa/istio-ingressgateway
  2. In the kubeconfig context of the ASM instance, run the following command to deploy the authorization policy.

    kubectl apply -f productpage-viewer.yaml
  3. Verify that the authorization policy takes effect.

    1. Run the following command from the sleep pod through the gateway:

      kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    2. Run the following command from the sleep pod directly against the productpage service:

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>
    3. Run the following command from the notsleep pod directly against the productpage service:

      kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      command terminated with exit code 56

      curl exit code 56 means that curl failed while receiving data: ztunnel closed the connection from notsleep at L4 before any HTTP response was produced, so an L4 denial shows up as a transport error rather than as an HTTP status code. Together, these results show that the authorization policy takes effect.

L7 authorization policy

Using the Kubernetes Gateway API, you can deploy a waypoint proxy for the bookinfo-productpage service account. The waypoint serves the productpage service, and all traffic to productpage is routed through this L7 proxy, which makes HTTP-level policy possible.

  1. Run the following command to deploy a waypoint proxy for the bookinfo-productpage service account.

    istioctl x waypoint apply --service-account bookinfo-productpage
  2. Run the following command to check the status of the productpage waypoint proxy.

    kubectl get gtw bookinfo-productpage -o yaml


    apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    metadata:
      annotations:
        gateway.istio.io/controller-version: "5"
        istio.io/for-service-account: bookinfo-productpage
      creationTimestamp: "2023-08-10T08:35:51Z"
      generation: 1
      name: bookinfo-productpage
      namespace: default
      resourceVersion: "7828921"
      uid: c085b788-a8fa-4a2c-8376-18d08689****
    spec:
      gatewayClassName: istio-waypoint
      listeners:
      - allowedRoutes:
          namespaces:
            from: Same
        name: mesh
        port: 15008
        protocol: HBONE
    status:
      conditions:
      - lastTransitionTime: "2023-08-10T08:35:51Z"
        message: Handled by Istio controller
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
  3. Modify the AuthorizationPolicy.

    1. Change productpage-viewer.yaml to the following content. The selector now targets the waypoint proxy (label istio.io/gateway-name: bookinfo-productpage) instead of the productpage pods, so the policy is enforced by the waypoint and can match HTTP attributes: the sleep and gateway service accounts may access the productpage service with GET only, and every other method and every other source is denied.

      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
       name: productpage-viewer
       namespace: default
      spec:
       selector:
         matchLabels:
           istio.io/gateway-name: bookinfo-productpage
       action: ALLOW
       rules:
       - from:
         - source:
             principals:
             - cluster.local/ns/default/sa/sleep
             - cluster.local/ns/istio-system/sa/istio-ingressgateway
         to:
         - operation:
             methods: ["GET"]
    2. In the kubeconfig context of the ASM instance, run the following command to redeploy the AuthorizationPolicy.

      kubectl apply -f productpage-viewer.yaml
  4. Verify that the authorization policy takes effect.

    1. Run the following command from the sleep pod, sending a DELETE request through the gateway:

      kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" -X DELETE

      Expected output:

      RBAC: access denied
    2. Run the following command from the notsleep pod directly against the productpage service:

      kubectl exec deploy/notsleep -- curl -s http://productpage:9080/

      Expected output:

      RBAC: access denied
    3. Run the following command from the sleep pod directly against the productpage service:

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"

      Expected output:

      <title>Simple Bookstore App</title>

      These results show that the authorization policy takes effect. Unlike the L4 case, a denial at the waypoint is an HTTP response (the body "RBAC: access denied" returned with status 403), because the waypoint terminates the request before deciding.
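The L4 and L7 verification steps above distinguish three outcomes only by eye: a page title, a curl transport error, or an "RBAC: access denied" body. The following script is an added example, not part of the ASM documentation or product, that classifies each probe mechanically and turns both verification steps into pass/fail checks. The expected strings and the curl exit code come from the steps above; the helper names, the use of curl's -w to capture the HTTP status, and the 403 status for the waypoint denial (Envoy's RBAC filter response) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation: tell the outcomes of the
# authorization checks in this topic apart mechanically instead of reading
# curl output by eye. The classification relies on:
#   - allowed:       HTTP 200 and the bookinfo title in the body
#   - denied at L4:  ztunnel closes the TCP connection before any HTTP
#                    response, so curl exits 56 (failure receiving data)
#   - denied at L7:  the waypoint answers HTTP 403 with "RBAC: access denied"
# Strings and exit code are taken from the steps above; everything else is
# an assumption of this example.

# classify <curl_exit_code> <http_status> <body>
# Prints ALLOWED, DENIED_L4, DENIED_L7 or UNEXPECTED; returns 0 only for ALLOWED.
classify() {
  code="$1"
  status="$2"
  body="$3"
  if [ "$code" -ne 0 ]; then
    if [ "$code" -eq 56 ]; then
      echo DENIED_L4
    else
      echo UNEXPECTED
    fi
    return 1
  fi
  case "$status" in
    200)
      case "$body" in
        *"<title>Simple Bookstore App</title>"*) echo ALLOWED; return 0 ;;
      esac ;;
    403)
      case "$body" in
        *"RBAC: access denied"*) echo DENIED_L7; return 1 ;;
      esac ;;
  esac
  echo UNEXPECTED
  return 1
}

# probe <deployment> <url> [extra curl args...]
# Runs curl in the named client pod (needs cluster access). The HTTP status is
# written by -w on a final line of its own so it can be split from the body;
# kubectl exec propagates curl's exit code.
probe() {
  deploy="$1"
  url="$2"
  shift 2
  out=$(kubectl exec "deploy/$deploy" -- curl -s -o - -w '\n%{http_code}' "$url" "$@")
  code=$?
  status=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  classify "$code" "$status" "$body"
}

# The checks from the L4 and L7 steps above, as assertions. Not run here;
# call run_l4_checks after the first policy and run_l7_checks after the
# waypoint policy, from a shell whose context is the data-plane cluster.
run_l4_checks() {
  GATEWAY_HOST="${GATEWAY_HOST:-istio-ingressgateway.istio-system}"
  [ "$(probe sleep "http://$GATEWAY_HOST/productpage")" = ALLOWED ] || return 1
  [ "$(probe sleep http://productpage:9080/)" = ALLOWED ] || return 1
  [ "$(probe notsleep http://productpage:9080/)" = DENIED_L4 ] || return 1
  echo "L4 policy checks passed"
}

run_l7_checks() {
  GATEWAY_HOST="${GATEWAY_HOST:-istio-ingressgateway.istio-system}"
  [ "$(probe sleep "http://$GATEWAY_HOST/productpage" -X DELETE)" = DENIED_L7 ] || return 1
  [ "$(probe notsleep http://productpage:9080/)" = DENIED_L7 ] || return 1
  [ "$(probe sleep http://productpage:9080/)" = ALLOWED ] || return 1
  echo "L7 policy checks passed"
}
```

A result of UNEXPECTED (for example a connection-refused exit code, or a 200 without the title) is worth investigating rather than treating as a pass: it usually means the request never reached the enforcement point you think it did.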

Step 3: Define L7 routing rules

  1. Run the following command to deploy a waypoint proxy for the reviews service, so that all traffic to the reviews service is routed by the waypoint proxy.

    istioctl x waypoint apply --service-account bookinfo-reviews
  2. Create a file named reviews.yaml with the following content.

    The file defines the v1, v2 and v3 subsets of reviews in a DestinationRule and a VirtualService that sends 90% of requests to reviews-v1 and 10% to reviews-v2; reviews-v3 is given no weight and should receive no traffic.


    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: reviews
    spec:
      host: reviews
      trafficPolicy:
        loadBalancer:
          simple: RANDOM
      subsets:
      - name: v1
        labels:
          version: v1
      - name: v2
        labels:
          version: v2
      - name: v3
        labels:
          version: v3
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
        - reviews
      http:
      - route:
        - destination:
            host: reviews
            subset: v1
          weight: 90
        - destination:
            host: reviews
            subset: v2
          weight: 10
    
  3. As with the other mesh resources, run the following command in the kubeconfig context of the ASM instance to deploy the DestinationRule and VirtualService.

    kubectl apply -f reviews.yaml
  4. Run the following command to verify that roughly 10% of 100 requests reach reviews-v2.

    kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://$GATEWAY_HOST/productpage | grep reviews-v.-; done"

    Expected output (the first lines are shown):
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v2-5d99885bc9-qb5cv</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>
            <u>reviews-v1-5896f547f5-48zcn</u>

    The output shows that the L7 routing rule takes effect: requests are split between reviews-v1 and reviews-v2, and none reach reviews-v3.

Step 4: Clean up resources

Run the following commands to delete the resources created in this topic. These commands remove only the two waypoint proxies and the authorization policy; the sample applications deployed in Step 1 and the Gateway, VirtualService and DestinationRule objects remain and must be deleted separately if they are no longer needed.

istioctl x waypoint delete --service-account bookinfo-productpage
istioctl x waypoint delete --service-account bookinfo-reviews
kubectl delete authorizationpolicy productpage-viewer
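The verification loop above leaves it to the reader to count lines. The following script is an added example, not part of the ASM documentation or product, that turns the same loop into a pass/fail check: it counts which reviews version served each request, fails if any request reached reviews-v3 (which the VirtualService gives no weight), and fails if the reviews-v2 share drifts from the expected 10% by more than a tolerance. The helper names and the tolerance value are assumptions; with only 100 samples, a few percentage points of drift are normal.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation: turn the 100-request
# loop above into a pass/fail check of the 90/10 split. The tolerance value
# is an assumption; with 100 samples a few points of drift are normal.

# split_counts
# Reads the "<u>reviews-vN-...</u>" lines produced by the verification loop on
# stdin and prints "v1 v2 v3" counts on one line.
split_counts() {
  awk '/reviews-v1-/ { v1++ } /reviews-v2-/ { v2++ } /reviews-v3-/ { v3++ }
       END { printf "%d %d %d\n", v1, v2, v3 }'
}

# check_split <v1> <v2> <v3> <expected_v2_percent> <tolerance_points>
# Returns 0 when no request reached v3 and the v2 share is within tolerance.
check_split() {
  v1="$1"; v2="$2"; v3="$3"; want="$4"; tol="$5"
  total=$((v1 + v2 + v3))
  if [ "$total" -eq 0 ]; then
    echo "no reviews lines captured" >&2
    return 1
  fi
  if [ "$v3" -ne 0 ]; then
    echo "routing leak: $v3 of $total requests reached reviews-v3" >&2
    return 1
  fi
  pct=$((100 * v2 / total))
  lo=$((want - tol))
  hi=$((want + tol))
  if [ "$pct" -lt "$lo" ] || [ "$pct" -gt "$hi" ]; then
    echo "reviews-v2 share ${pct}% outside ${lo}-${hi}% (v1=$v1 v2=$v2)" >&2
    return 1
  fi
  echo "reviews-v2 share ${pct}% (v1=$v1 v2=$v2 v3=$v3)"
}

# run_split_check: the full check against the cluster (needs cluster access,
# not executed here). Same loop as the verification step above.
run_split_check() {
  GATEWAY_HOST="${GATEWAY_HOST:-istio-ingressgateway.istio-system}"
  counts=$(kubectl exec deploy/sleep -- sh -c \
    "for i in \$(seq 1 100); do curl -s http://$GATEWAY_HOST/productpage | grep reviews-v.-; done" \
    | split_counts)
  # counts is intentionally unquoted: it expands to the three positional arguments
  check_split $counts 10 8
}
```

The v3 check is the one that matters for correctness: a single request served by reviews-v3 means the subset routing is not being applied, for example because the waypoint for bookinfo-reviews is not in place, even if the v1/v2 proportion happens to look right.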