Istio is an open source service mesh that provides traffic management, observability, security and policy capabilities. Using Istio together with Kubernetes helps you manage and control containerized applications and improve their performance, security and reliability. This topic uses the Bookinfo application as an example to describe how to use Istio when a self-managed Kubernetes cluster connects to ECI through VNode.
Background
Istio is an open source service mesh platform that manages traffic between microservices and handles network communication and security concerns. Istio integrates with Kubernetes to provide standard, secure traffic management and to simplify deployment and O&M.
Bookinfo is a sample application that mimics a catalog entry of an online bookstore: it shows information about a book, including a description, details (ISBN, number of pages, and so on) and a few reviews. Bookinfo is a heterogeneous application made up of four microservices written in different languages, which makes it suitable for demonstrating many Istio features. The four microservices are:
Productpage: a Python service that calls the Details and Reviews services to render the page. Productpage also provides login and logout.
Details: a Ruby service that holds the book information.
Reviews: a Java service that holds the book reviews. Reviews comes in three versions:
v1 does not call the Ratings service.
v2 calls the Ratings service and shows the rating as 1 to 5 black stars.
v3 calls the Ratings service and shows the rating as 1 to 5 red stars.
Ratings: a Node.js service that holds the ranking information derived from the book reviews.
For more information, see Istio Bookinfo.
Prerequisites
This topic applies to self-managed Kubernetes clusters. Make sure your cluster meets the following requirements:
VNode is deployed in the self-managed Kubernetes cluster.
If the Kubernetes cluster runs in an on-premises IDC, make sure network connectivity between the IDC and Alibaba Cloud has been established.
If the Kubernetes cluster runs on ECS and uses Flannel as its network plugin, make sure CCM is deployed in the cluster so that Pods on ECI and on standard nodes can communicate. For details, see Deploy CCM.
Preparations
Install Istio. For details, see Istio Getting Started.
Create a namespace and add the label.
kubectl create namespace istio-test
kubectl label namespace istio-test istio-injection=enabled
Procedure
Deploy the Bookinfo application
Save the following content as bookinfo.yaml.
Note: The YAML example below adds a nodeSelector so that the Pods are scheduled to VNode; you can also achieve this with an eci-profile. For more information, see Schedule Pods to VNode and Use eci-profile to schedule Pods to VNode.
# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

##################################################################################################
# This file defines the services, service accounts, and deployments for the Bookinfo sample.
#
# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
#
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
#
# Alternatively, you can deploy any resource separately:
#
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
##################################################################################################

##################################################################################################
# Details service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: details
  labels:
    app: details
    service: details
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: details
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-details
  labels:
    account: details
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: details-v1
  labels:
    app: details
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: details
      version: v1
  template:
    metadata:
      labels:
        app: details
        version: v1
    spec:
      nodeSelector:  # specific nodeSelector that pins the Pod to VNode
        k8s.aliyun.com/vnode: "true"
      tolerations:   # specific tolerations for the VNode taint
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-details
      containers:
      - name: details
        image: docker.io/istio/examples-bookinfo-details-v1:1.16.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        securityContext:
          runAsUser: 1000
---
##################################################################################################
# Ratings service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: ratings
  labels:
    app: ratings
    service: ratings
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: ratings
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-ratings
  labels:
    account: ratings
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratings-v1
  labels:
    app: ratings
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratings
      version: v1
  template:
    metadata:
      labels:
        app: ratings
        version: v1
    spec:
      nodeSelector:  # specific nodeSelector that pins the Pod to VNode
        k8s.aliyun.com/vnode: "true"
      tolerations:   # specific tolerations for the VNode taint
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-ratings
      containers:
      - name: ratings
        image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        securityContext:
          runAsUser: 1000
---
##################################################################################################
# Reviews service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: reviews
  labels:
    app: reviews
    service: reviews
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: reviews
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-reviews
  labels:
    account: reviews
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v1
  labels:
    app: reviews
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v1
  template:
    metadata:
      labels:
        app: reviews
        version: v1
    spec:
      nodeSelector:  # specific nodeSelector that pins the Pod to VNode
        k8s.aliyun.com/vnode: "true"
      tolerations:   # specific tolerations for the VNode taint
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-reviews
      containers:
      - name: reviews
        image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.4
        imagePullPolicy: IfNotPresent
        env:
        - name: LOG_DIR
          value: "/tmp/logs"
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: wlp-output
          mountPath: /opt/ibm/wlp/output
        securityContext:
          runAsUser: 1000
      volumes:
      - name: wlp-output
        emptyDir: {}
      - name: tmp
        emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v2
  labels:
    app: reviews
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v2
  template:
    metadata:
      labels:
        app: reviews
        version: v2
    spec:
      nodeSelector:  # specific nodeSelector that pins the Pod to VNode
        k8s.aliyun.com/vnode: "true"
      tolerations:   # specific tolerations for the VNode taint
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-reviews
      containers:
      - name: reviews
        image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.4
        imagePullPolicy: IfNotPresent
        env:
        - name: LOG_DIR
          value: "/tmp/logs"
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: wlp-output
          mountPath: /opt/ibm/wlp/output
        securityContext:
          runAsUser: 1000
      volumes:
      - name: wlp-output
        emptyDir: {}
      - name: tmp
        emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v3
  labels:
    app: reviews
    version: v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v3
  template:
    metadata:
      labels:
        app: reviews
        version: v3
    spec:
      nodeSelector:  # specific nodeSelector that pins the Pod to VNode
        k8s.aliyun.com/vnode: "true"
      tolerations:   # specific tolerations for the VNode taint
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-reviews
      containers:
      - name: reviews
        image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.4
        imagePullPolicy: IfNotPresent
        env:
        - name: LOG_DIR
          value: "/tmp/logs"
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: wlp-output
          mountPath: /opt/ibm/wlp/output
        securityContext:
          runAsUser: 1000
      volumes:
      - name: wlp-output
        emptyDir: {}
      - name: tmp
        emptyDir: {}
---
##################################################################################################
# Productpage services
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
    service: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-productpage
  labels:
    account: productpage
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: productpage-v1
  labels:
    app: productpage
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: productpage
      version: v1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      nodeSelector:  # specific nodeSelector that pins the Pod to VNode
        k8s.aliyun.com/vnode: "true"
      tolerations:   # specific tolerations for the VNode taint
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-productpage
      containers:
      - name: productpage
        image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        securityContext:
          runAsUser: 1000
      volumes:
      - name: tmp
        emptyDir: {}
---
Deploy Bookinfo.
kubectl -n istio-test apply -f bookinfo.yaml
Expected output:
Check that Bookinfo is running.
kubectl -n istio-test get pods -o wide
Expected output:
Check the Services.
kubectl -n istio-test get services
Expected output:
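Beyond confirming that the Pods are Running, it is worth checking that each Bookinfo Pod actually received the istio-proxy sidecar and still carries the VNode nodeSelector: a Pod created before the namespace was labelled, or one whose nodeSelector was dropped, runs outside the mesh or on an ordinary node without any error being reported. The audit script below is an added example and is not part of this document or of Istio. It reads the JSON that kubectl -n istio-test get pods -o json produces; the sample document embedded in it is constructed by hand with placeholder Pod and node names, and audit_pods and all_pods_ok are hypothetical helper names.

```python
import json
import sys

VNODE_LABEL = "k8s.aliyun.com/vnode"  # label used by the page's nodeSelector and toleration
SIDECAR = "istio-proxy"               # container name that Istio's injector adds

# Constructed sample in the shape of `kubectl -n istio-test get pods -o json`.
# Pod and node names are placeholders. The second Pod was deliberately written
# without a sidecar and without the nodeSelector to show what the audit reports.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "details-v1-placeholder",
                         "labels": {"app": "details", "version": "v1"}},
            "spec": {
                "nodeName": "vnode-placeholder",
                "nodeSelector": {VNODE_LABEL: "true"},
                "containers": [{"name": "details"}, {"name": SIDECAR}],
            },
            "status": {
                "phase": "Running",
                "containerStatuses": [{"name": "details", "ready": True},
                                      {"name": SIDECAR, "ready": True}],
            },
        },
        {
            "metadata": {"name": "ratings-v1-placeholder",
                         "labels": {"app": "ratings", "version": "v1"}},
            "spec": {
                "nodeName": "ecs-worker-placeholder",
                "containers": [{"name": "ratings"}],
            },
            "status": {
                "phase": "Pending",
                "containerStatuses": [{"name": "ratings", "ready": False}],
            },
        },
    ]
})


def audit_pod(item: dict) -> list:
    """Return the list of problems found for one Pod object (an empty list means OK)."""
    spec = item.get("spec", {})
    status = item.get("status", {})
    problems = []

    containers = {c["name"] for c in spec.get("containers", [])}
    if SIDECAR not in containers:
        problems.append("no istio-proxy sidecar: Pod is outside the mesh "
                        "(namespace not labelled istio-injection=enabled, or Pod predates the label)")

    if spec.get("nodeSelector", {}).get(VNODE_LABEL) != "true":
        problems.append(f"nodeSelector {VNODE_LABEL}=true missing: Pod may land on a regular node")

    if status.get("phase") != "Running":
        problems.append(f"phase is {status.get('phase', 'unknown')}, not Running")

    not_ready = [cs["name"] for cs in status.get("containerStatuses", [])
                 if not cs.get("ready", False)]
    if not_ready:
        problems.append("containers not ready: " + ", ".join(sorted(not_ready)))

    return problems


def audit_pods(pods_json: str) -> dict:
    """Map each Pod name in a `kubectl get pods -o json` document to its list of problems."""
    doc = json.loads(pods_json)
    return {item["metadata"]["name"]: audit_pod(item) for item in doc.get("items", [])}


def all_pods_ok(report: dict) -> bool:
    """True when no Pod in the report has any problem."""
    return all(not problems for problems in report.values())


if __name__ == "__main__":
    # Usage: kubectl -n istio-test get pods -o json | python audit_bookinfo_pods.py
    # Without piped input the constructed sample above is audited instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    result = audit_pods(raw)
    for pod, problems in result.items():
        print(f"{pod}: {'OK' if not problems else '; '.join(problems)}")
    sys.exit(0 if all_pods_ok(result) else 1)
```

The exit status makes the script usable as a gate in a deployment pipeline: a non-zero exit means at least one Pod is either outside the mesh, not pinned to VNode, or not healthy.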
Deploy the Gateway
Save the following content as bookinfo-gateway.yaml.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
Deploy the Gateway.
kubectl -n istio-test apply -f bookinfo-gateway.yaml
Expected output:
Check the Gateway.
kubectl -n istio-test get gateway
Expected output:
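The VirtualService deployed above works as an allowlist: only requests whose path matches one of its five URI rules are forwarded to productpage, and the ingress gateway answers everything else with a 404. The script below is an added example, not part of this document or of Istio. It reproduces the two match operators the VirtualService uses (exact and prefix, OR-ed across the entries of one match list) over the rules copied from bookinfo-gateway.yaml, so that the exposed surface can be reviewed offline before the Gateway goes live. route_for and exposed_surface are hypothetical helper names. The example assumes that prefix is a plain string prefix, which is how the underlying Envoy prefix route match behaves, so /static also matches /static-other; if your Istio release enforces a path-segment boundary for prefix matches, adjust uri_matches accordingly.

```python
from typing import Optional

# Match rules copied from the VirtualService in bookinfo-gateway.yaml on this page.
BOOKINFO_URI_MATCHES = [
    {"exact": "/productpage"},
    {"prefix": "/static"},
    {"exact": "/login"},
    {"exact": "/logout"},
    {"prefix": "/api/v1/products"},
]
DESTINATION = "productpage:9080"   # the route's destination host and port


def uri_matches(rule: dict, path: str) -> bool:
    """Apply one Istio StringMatch (exact or prefix) to a request path."""
    if "exact" in rule:
        return path == rule["exact"]
    if "prefix" in rule:
        # Assumption: plain string prefix, as the Envoy `prefix` route match does.
        # Under that rule "/static" also matches "/static-other".
        return path.startswith(rule["prefix"])
    # regex matches exist in Istio but are not used by the page's VirtualService
    raise ValueError(f"unsupported match rule: {rule!r}")


def route_for(request_uri: str, rules=BOOKINFO_URI_MATCHES) -> Optional[str]:
    """Return the destination for a request, or None when no route matches
    (the ingress gateway then answers 404)."""
    path = request_uri.split("?", 1)[0]   # the query string is not part of the URI match
    # Entries of one `match` list are OR-ed: any single matching entry selects the route.
    if any(uri_matches(rule, path) for rule in rules):
        return DESTINATION
    return None


def exposed_surface(candidate_paths) -> dict:
    """Map each candidate path to its destination or None, for a quick allowlist review."""
    return {p: route_for(p) for p in candidate_paths}


if __name__ == "__main__":
    # Constructed list of paths a reviewer might probe against the allowlist.
    candidates = ["/productpage", "/productpage/", "/static/bootstrap/css/bootstrap.min.css",
                  "/static-other", "/login?next=/productpage", "/api/v1/products/0/reviews",
                  "/api/v2/products", "/", "/admin"]
    for path, dest in exposed_surface(candidates).items():
        print(f"{path:45} -> {dest or '404 (no route)'}")
```

Note that exact matches are literal: /productpage/ with a trailing slash is not forwarded, while anything under the two prefix rules is, which is the usual reason to prefer exact matches for endpoints that must stay tightly scoped.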
Verify the Bookinfo service
Determine the Host address of the Istio Gateway.
Choose the Istio Ingress Service according to your cluster setup. This topic uses the LoadBalancer type:
kubectl -n istio-system get service istio-ingressgateway
Expected output:
From the returned information, the Host address of istio-ingressgateway (in IP:Port format) is 10.96.XX.XX:80.
Create a test Pod to verify the service.
Save the following content as test-pod.yaml.
apiVersion: v1
kind: Pod
metadata:
  name: centos
spec:
  nodeSelector:
    k8s.aliyun.com/vnode: "true"
  tolerations:
  - key: k8s.aliyun.com/vnode
    operator: "Equal"
    value: "true"
    effect: "NoSchedule"
  containers:
  - name: eip
    image: registry-vpc.cn-shanghai.aliyuncs.com/eci_open/centos:7
    command:
    - bash
    - -c
    - sleep inf
Deploy the Pod.
kubectl apply -f test-pod.yaml
Log in to the test Pod and run the following command to verify the service.
kubectl exec -it centos -- bash
curl -s http://10.96.XX.XX:80/productpage | grep -o "<title>.*</title>"
Here, 10.96.XX.XX:80 is the Host address obtained in step 1. If the command returns <title>Simple BookStore App</title>, Istio is running successfully on VNode. Example: