How to run Istio using Kubernetes in production. Part 1

What is Istio? It is the so-called Service mesh, a technology that adds a layer of abstraction on top of the network. We intercept all or part of the traffic in the cluster and perform a certain set of operations on it. Which ones? For example, we do smart routing, or implement the circuit breaker approach; we can arrange a "canary deployment", partially switching traffic to a new version of a service; or we can restrict external interactions and control all trips from the cluster to the external network. It is possible to set policy rules that control trips between different microservices. Finally, we can obtain the whole map of network interactions and make the unified collection of metrics completely transparent to applications.

You can read about how it works in the official documentation. Istio is a really powerful tool that solves many tasks and problems. In this article I want to answer the main questions that usually arise when starting to work with Istio. This will help you get to grips with it faster.


How it works

Istio consists of two main zones: the control plane and the data plane. The control plane contains the main components that ensure the correct operation of the rest. In the current version (1.0) the control plane has three main components: Pilot, Mixer and Citadel. We will not consider Citadel; it is needed to generate the certificates that provide mutual TLS between services. Let's take a closer look at the design and purpose of Pilot and Mixer.


Pilot is the main control component that distributes all the information about what we have in the cluster: the services, their endpoints and the routing rules (for example, the rules for a canary deployment or the circuit breaker rules).

Mixer is an optional control plane component that provides the ability to collect metrics, logs and any other information about network interactions. It also checks compliance with Policy rules and enforces rate limits.

The data plane is implemented with sidecar proxy containers. By default the powerful envoy proxy server is used. It can be replaced with another implementation, for example nginx (nginmesh).

For Istio to work completely transparently to applications, there is an automatic injection mechanism. The current implementation is designed for Kubernetes versions 1.9+ (mutating admission webhook). For Kubernetes versions 1.7 and 1.8 the Initializer can be used.

Sidecar containers connect to Pilot over the GRPC protocol, which makes it possible to optimize the model of pushing the changes that happen in the cluster. GRPC has been used in Envoy since version 1.6; in Istio it has been used since version 0.8 and is provided by pilot-agent, a golang wrapper over envoy that sets the startup parameters.

Pilot and Mixer are completely stateless components; all state is kept in memory. Their configuration is set in the form of Kubernetes Custom Resources, which are stored in etcd.
Istio-agent obtains the Pilot address and opens a GRPC stream to it.

As I said, Istio implements all of its functionality completely transparently to applications. Let's see how. The algorithm is as follows:

  1. We deploy a new version of the service.
  2. Depending on the sidecar injection approach, the istio-init container and the istio-agent container (envoy) are added at the stage when the configuration is applied, or they can be inserted manually into the Pod description of the Kubernetes entity.
  3. The istio-init container is a script that applies iptables rules to the pod. There are two options for configuring how traffic is wrapped into the istio-agent container: iptables redirect rules, or TPROXY. At the time of writing, the default approach is redirect rules. Istio-init lets you configure which traffic should be intercepted and sent to istio-agent. For example, to intercept all inbound and outbound traffic you set the -i and -b parameters to *. You can specify particular ports to intercept. To keep a specific subnet from being intercepted, you can specify it with the -x flag.
  4. After the init container has run, the main containers are launched, including pilot-agent (envoy). It connects over GRPC to the already deployed pilot and receives information about all existing services and routing policies in the cluster. Based on the data received, it configures clusters and points them directly at the endpoints of our applications in the Kubernetes cluster. One important point should be noted: envoy dynamically configures the listeners (IP, port pairs) on which it starts listening. Therefore, when requests enter the pod and are redirected to the sidecar by the iptables redirect rules, envoy can already process these connections successfully and understands where the traffic should be proxied next. Also at this stage information is sent to Mixer, which we will look at later, and tracing spans are sent.

As a result, we get a whole network of envoy proxy servers that we can configure from a single point (Pilot). All inbound and outbound requests go through envoy. Moreover, only TCP traffic is intercepted. This means that a Kubernetes service IP is resolved through kube-dns over UDP without any changes. Then, after resolution, the outgoing request is intercepted and processed by envoy, which decides which endpoint the request should be sent to (or not sent, in the case of access policies or the circuit breaker algorithm).

We have dealt with Pilot; now we need to understand how Mixer works and why it is needed. You can read the official documentation on it here.

Mixer in its current form consists of two components: istio-telemetry and istio-policy (before version 0.8 this was a single istio-mixer component). Both are mixers, each responsible for its own task. Istio-telemetry receives information over GRPC from the sidecars' Report requests about who goes where and with which parameters. Istio-policy accepts Check requests to verify that the Policy rules are satisfied. Policy checks are, of course, not performed for every request but are cached on the client (in the sidecar) for a certain time. Report calls are sent as batched requests. We will see how to configure this and exactly which parameters need to be sent a little later.

Mixer is designed to be a highly available component that provides uninterrupted collection and processing of telemetry data. The system works as a multi-level buffer. Initially the data is buffered on the sidecar side in the containers, then on the mixer side, and then it is sent to the so-called mixer backends. As a result, if any component of the system fails, the buffer grows and is flushed after the system recovers. Mixer backends are the endpoints to which telemetry data is sent: statsd, newrelic and so on. You can write your own backend; it is quite simple, and we will see how.


By the way, the scheme for working with istio-telemetry is as follows.

  1. Service 1 sends a request to service 2.
  2. On leaving service 1, the request is wrapped in service 1's own sidecar.
  3. The sidecar envoy observes the request to service 2 and prepares the necessary information.
  4. It then sends this to istio-telemetry using a Report request.
  5. Istio-telemetry decides whether this Report should be sent to the backends, to which ones, and which data should be sent.
  6. Istio-telemetry sends the Report data to the backend if necessary.

Now let's see how to deploy Istio in the system with only the main components (pilot and the envoy sidecar).

First, let's look at the main configuration (mesh) that Pilot reads:

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    service: istio
data:
  mesh: |-

    # for now we do not enable sending of tracing information (pilot will configure the envoys so that nothing is sent)
    enableTracing: false

    # for now we do not specify the mixer endpoints, so that the sidecar containers do not send information there
    #mixerCheckServer: istio-policy.istio-system:15004
    #mixerReportServer: istio-telemetry.istio-system:15004

    # the interval at which envoy re-polls Pilot (this is for the old version of envoy proxy)
    rdsRefreshDelay: 5s

    # default configuration for the envoy sidecar
    defaultConfig:
      # same as rdsRefreshDelay
      discoveryRefreshDelay: 5s

      # leave the defaults (path to the envoy configuration and binary)
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"

      # default name of the running sidecar container (used, for example, in service names when sending tracing spans)
      serviceCluster: istio-proxy

      # how long envoy waits before it forcibly closes all established connections
      drainDuration: 45s
      parentShutdownDuration: 1m0s

      # REDIRECT iptables rules are used by default. This can be changed to TPROXY.
      #interceptionMode: REDIRECT

      # port on which the admin panel of each sidecar container (envoy) is started
      proxyAdminPort: 15000

      # address to which traces are sent over the zipkin protocol (we disabled sending above, so this field is not used for now)
      zipkinAddress: tracing-collector.tracing:9411

      # statsd address for sending the envoy containers' metrics (disabled)
      # statsdUdpAddress: aggregator:8126

      # disable Mutual TLS support
      controlPlaneAuthPolicy: NONE

      # address on which istio-pilot listens in order to deliver service discovery information to all sidecar containers
      discoveryAddress: istio-pilot.istio-system:15007
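
Several values in this mesh block are deliberately relaxed for a first deployment (control-plane authentication off, Mixer endpoints commented out, tracing disabled), and it is easy to carry them into production unnoticed. The following script is an added example, not code from the article or from the Istio project: it reads a mesh block like the one above and lists the settings a defender should revisit. MESH_SAMPLE is constructed from the ConfigMap above, and the parser handles only the simple key/value subset of YAML that this block uses, so it runs without third-party libraries.

```python
"""Audit the security-relevant settings of an Istio mesh config (data.mesh).

Added example, not from the article or the Istio project. Only the simple
`key: value` / nested-map subset of YAML used by the mesh block is parsed.
"""

# Constructed from the article's ConfigMap; comments are stripped by the parser.
MESH_SAMPLE = """\
enableTracing: false
#mixerCheckServer: istio-policy.istio-system:15004
#mixerReportServer: istio-telemetry.istio-system:15004
rdsRefreshDelay: 5s
defaultConfig:
  discoveryRefreshDelay: 5s
  configPath: "/etc/istio/proxy"
  binaryPath: "/usr/local/bin/envoy"
  serviceCluster: istio-proxy
  drainDuration: 45s
  parentShutdownDuration: 1m0s
  #interceptionMode: REDIRECT
  proxyAdminPort: 15000
  zipkinAddress: tracing-collector.tracing:9411
  # statsdUdpAddress: aggregator:8126
  controlPlaneAuthPolicy: NONE
  discoveryAddress: istio-pilot.istio-system:15007
"""


def _scalar(value):
    """Convert a YAML scalar: true/false -> bool, digits -> int, else unquoted str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.isdigit():
        return int(value)
    return value.strip('"').strip("'")


def parse_simple_yaml(text):
    """Parse indented `key: value` lines into nested dicts (comments ignored)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # a commented-out key is absent
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # "defaultConfig:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = _scalar(value.strip())
    return root


def audit_mesh_config(mesh):
    """Return findings (strings) about relaxed settings; empty means none."""
    findings = []
    dc = mesh.get("defaultConfig", {})
    if dc.get("controlPlaneAuthPolicy", "NONE") == "NONE":
        findings.append("controlPlaneAuthPolicy is NONE: sidecar-to-Pilot traffic "
                        "is not mutually authenticated")
    if "mixerCheckServer" not in mesh:
        findings.append("mixerCheckServer unset: no policy (Check) enforcement by Mixer")
    if "mixerReportServer" not in mesh:
        findings.append("mixerReportServer unset: no telemetry (Report) is collected")
    if not mesh.get("enableTracing", False):
        findings.append("enableTracing is false: no traces for incident investigation")
    if "proxyAdminPort" in dc:
        findings.append(f"proxyAdminPort {dc['proxyAdminPort']}: confirm the envoy admin "
                        "API is reachable only from inside the pod")
    return findings


if __name__ == "__main__":
    for finding in audit_mesh_config(parse_simple_yaml(MESH_SAMPLE)):
        print("-", finding)
```

Run it against a different mesh block by replacing MESH_SAMPLE with the contents of data.mesh; the same audit passes once controlPlaneAuthPolicy is switched to MUTUAL_TLS and the Mixer endpoints are uncommented.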

We will place all the main control components in the istio-system namespace in Kubernetes.

At a minimum, we only need to deploy Pilot. For this we will use this configuration.

And we will configure the sidecar injection into the containers manually.

Init container:

initContainers:
 - name: istio-init
   args:
   - -p
   - "15001"
   - -u
   - "1337"
   - -m
   - REDIRECT
   - -i
   - '*'
   - -b
   - '*'
   - -d
   - ""
   image: istio/proxy_init:1.0.0
   imagePullPolicy: IfNotPresent
   resources:
     limits:
       memory: 128Mi
   securityContext:
     capabilities:
       add:
       - NET_ADMIN

And the sidecar (the pilot-agent arguments are one shell command, so the lines are joined with backslash continuations):

containers:
  - name: istio-proxy
    args:
      - "bash"
      - "-c"
      - |
        exec /usr/local/bin/pilot-agent proxy sidecar \
          --configPath /etc/istio/proxy \
          --binaryPath /usr/local/bin/envoy \
          --serviceCluster service-name \
          --drainDuration 45s \
          --parentShutdownDuration 1m0s \
          --discoveryAddress istio-pilot.istio-system:15007 \
          --discoveryRefreshDelay 1s \
          --connectTimeout 10s \
          --proxyAdminPort "15000" \
          --controlPlaneAuthPolicy NONE
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: ISTIO_META_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: ISTIO_META_INTERCEPTION_MODE
      value: REDIRECT
    image: istio/proxyv2:1.0.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        memory: 2048Mi
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      runAsUser: 1337
    volumeMounts:
    - mountPath: /etc/istio/proxy
      name: istio-envoy
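
The two container snippets only work together if their values agree: the uid passed to istio-init as -u must be the sidecar's runAsUser, otherwise the proxy's own outbound connections would be redirected back into the proxy by the OUTPUT rule, and NET_ADMIN is needed only while istio-init installs the rules, not by the long-running sidecar. The following script is an added example, not the article's or Istio's own code, covering step 3 of the algorithm above and the two manifests. It parses the istio-init flags, renders the iptables NAT rules those flags imply (an approximation of what the istio/proxy_init script installs for REDIRECT mode, returned as strings and never executed), and cross-checks the init container against the sidecar's securityContext. INIT_CONTAINER and SIDECAR_CONTAINER are constructed from the manifests above.

```python
"""Dry-run model of sidecar injection (step 3 above) and a pod-spec check.

Added example, not code from the article or the Istio project. The iptables
rules rendered here approximate what the istio/proxy_init script installs for
REDIRECT mode; they are returned as strings and never executed.
"""

# Constructed from the article's initContainers and sidecar snippets.
INIT_CONTAINER = {
    "name": "istio-init",
    "args": ["-p", "15001", "-u", "1337", "-m", "REDIRECT",
             "-i", "*", "-b", "*", "-d", ""],
    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
}
SIDECAR_CONTAINER = {
    "name": "istio-proxy",
    "securityContext": {"privileged": False,
                        "readOnlyRootFilesystem": True,
                        "runAsUser": 1337},
}

LIST_FLAGS = ("-i", "-x", "-b", "-d")  # CIDR/port lists; "*" means everything


def parse_init_args(args):
    """Turn the istio-init flag list into a dict of scalar and list options."""
    opts = {"-p": None, "-u": None, "-m": "REDIRECT"}
    opts.update({f: [] for f in LIST_FLAGS})
    for flag, value in zip(args[0::2], args[1::2]):
        if flag in ("-p", "-u", "-m"):
            opts[flag] = value
        elif flag in LIST_FLAGS:
            opts[flag] = ["*"] if value == "*" else [v for v in value.split(",") if v]
        else:
            raise ValueError(f"unknown istio-init flag {flag}")
    return opts


def render_iptables_plan(opts):
    """Return the NAT rules the flags imply, in the order they would be applied."""
    if opts["-m"] != "REDIRECT":
        raise NotImplementedError("only REDIRECT mode is modelled here")
    port, uid = opts["-p"], opts["-u"]
    nat = "iptables -t nat"
    rules = [f"{nat} -N ISTIO_REDIRECT",
             f"{nat} -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port {port}"]
    if opts["-b"]:  # inbound: -b selects ports to intercept, -d ports to skip
        rules += [f"{nat} -N ISTIO_INBOUND",
                  f"{nat} -A PREROUTING -p tcp -j ISTIO_INBOUND"]
        rules += [f"{nat} -A ISTIO_INBOUND -p tcp --dport {p} -j RETURN" for p in opts["-d"]]
        if opts["-b"] == ["*"]:
            rules.append(f"{nat} -A ISTIO_INBOUND -p tcp -j ISTIO_REDIRECT")
        else:
            rules += [f"{nat} -A ISTIO_INBOUND -p tcp --dport {p} -j ISTIO_REDIRECT"
                      for p in opts["-b"]]
    # outbound: skip the proxy's own uid (no redirect loop), loopback and -x CIDRs
    rules += [f"{nat} -N ISTIO_OUTPUT",
              f"{nat} -A OUTPUT -p tcp -j ISTIO_OUTPUT",
              f"{nat} -A ISTIO_OUTPUT -m owner --uid-owner {uid} -j RETURN",
              f"{nat} -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN"]
    rules += [f"{nat} -A ISTIO_OUTPUT -d {c} -j RETURN" for c in opts["-x"]]
    if opts["-i"] == ["*"]:
        rules.append(f"{nat} -A ISTIO_OUTPUT -j ISTIO_REDIRECT")
    else:
        rules += [f"{nat} -A ISTIO_OUTPUT -d {c} -j ISTIO_REDIRECT" for c in opts["-i"]]
    return rules


def check_pod_consistency(init, sidecar):
    """Findings about how the two containers fit together; an empty list is good."""
    opts = parse_init_args(init["args"])
    sc = sidecar.get("securityContext", {})
    init_caps = init.get("securityContext", {}).get("capabilities", {}).get("add", [])
    findings = []
    if str(sc.get("runAsUser")) != opts["-u"]:
        findings.append("sidecar runAsUser differs from istio-init -u: the proxy's own "
                        "egress would be redirected back into the proxy")
    if sc.get("privileged"):
        findings.append("sidecar runs privileged; only istio-init needs NET_ADMIN")
    if "NET_ADMIN" in sc.get("capabilities", {}).get("add", []):
        findings.append("sidecar holds NET_ADMIN and could rewrite the interception rules")
    if "NET_ADMIN" not in init_caps:
        findings.append("istio-init lacks NET_ADMIN, so the iptables setup will fail")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("sidecar root filesystem is writable")
    return findings


if __name__ == "__main__":
    for rule in render_iptables_plan(parse_init_args(INIT_CONTAINER["args"])):
        print(rule)
    print("findings:", check_pod_consistency(INIT_CONTAINER, SIDECAR_CONTAINER))
```

The order of the ISTIO_OUTPUT rules is the point to read carefully: the uid-owner RETURN comes before the catch-all REDIRECT, which is exactly why the -u value and runAsUser must match. Adding -x with a CIDR, or -d with a port, produces the corresponding RETURN rules ahead of the redirect, which is how the article's "do not intercept this subnet" case is expressed.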

For everything to start successfully, you need to create a ServiceAccount, ClusterRole, ClusterRoleBinding and the CRDs for Pilot; their descriptions can be found here.

As a result, the service into which we inject a sidecar with envoy should start successfully, receive all discovery information from pilot and process requests.

It is important to understand that all control plane components are stateless applications and can be scaled horizontally without problems. All data is stored in etcd in the form of custom descriptions of Kubernetes resources.

Istio also (still experimentally) has the ability to run outside the cluster and the ability to watch and serve service discovery across several Kubernetes clusters. You can read more about this here.

For a multi-cluster installation, consider the following restrictions:

  1. The Pod CIDR and Service CIDR must be unique across all clusters and must not overlap.
  2. All Pod CIDRs must be reachable from any Pod CIDR of any cluster.
  3. All Kubernetes API servers must be accessible to each other.

This is the basic information to help you get started with Istio. However, there are still many pitfalls. For example, the specifics of routing external traffic (outside the cluster), approaches to debugging sidecars, profiling, setting up a mixer and writing a custom mixer backend, and setting up the tracing mechanism and how it works using envoy.
We will consider all of this in the following publications. Ask your questions and I will try to cover them.

Source: www.hab.com
