How to run Istio using Kubernetes in production. Part 1

What is Istio? It is what is called a service mesh, a technology that adds an abstraction layer on top of the network. We intercept all or part of the traffic in the cluster and perform a certain set of operations on it. Which ones? For example, we do smart routing, or we apply the circuit breaker approach, we can arrange a "canary deployment", gradually shifting part of the traffic to a new version of the service, or we can restrict external interactions and control all trips from the cluster to the external network. It is possible to set policy rules to control trips between different microservices. Finally, we can obtain the entire map of network interactions and make the unified collection of metrics transparent to applications.

You can read about the service mesh concept in the official documentation. Istio is a very powerful tool that allows you to solve many tasks and problems. In this article, I want to answer the main questions that usually arise when starting with Istio. This will help you deal with it faster.


Architecture

Istio consists of two main zones: the control plane and the data plane. The control plane contains the main components that ensure the correct operation of the rest. In the current version (1.0) the control plane has three main components: Pilot, Mixer, Citadel. We will not consider Citadel, which is needed to generate certificates to ensure mutual TLS between services. Let's take a closer look at the structure and purpose of Pilot and Mixer.


Pilot is the main control component that distributes all the information about what we have in the cluster: services, their endpoints and routing rules (for example, rules for canary deployment or circuit breaker rules).

Mixer is an optional control plane component that provides the ability to collect metrics, logs, and any information about network interaction. It also monitors compliance with Policy rules and with rate limits.

The data plane is implemented using sidecar proxy containers. By default, the powerful envoy proxy is used. It can be replaced by another implementation, such as nginx (nginmesh).

For Istio to work completely transparently to applications, there is an automatic injection system. The current implementation is suitable for Kubernetes 1.9+ versions (mutating admission webhook). For Kubernetes versions 1.7 and 1.8 it is possible to use the Initializer.

Sidecar containers are connected to Pilot using the GRPC protocol, which allows you to optimize the push model of changes occurring in the cluster. GRPC has been used in Envoy since version 1.6, in Istio it has been used since version 0.8 together with pilot-agent, a golang wrapper over envoy that configures its launch options.

Pilot and Mixer are completely stateless components; all state is kept in memory. Their configuration is set in the form of Kubernetes Custom Resources, which are stored in etcd.
Istio-agent gets the Pilot address and opens a GRPC stream to it.

As I said, Istio implements all functionality completely transparently to applications. Let's see how. The algorithm is as follows:

  1. Deploy a new version of the service.
  2. Depending on the sidecar container injection approach, the istio-init container and the istio-agent container (envoy) are added at the stage of applying the configuration, or they can already be inserted manually into the Kubernetes Pod entity description.
  3. The istio-init container is a script that applies iptables rules to the pod. There are two options for configuring the traffic to be wrapped into the istio-agent container: iptables redirect rules, or TPROXY. At the time of writing, the default approach is redirect rules. In istio-init, it is possible to configure which traffic should be intercepted and sent to istio-agent. For example, to intercept all incoming and all outgoing traffic, you need to set the parameters -i and -b to the value *. You can specify specific ports to intercept. In order not to intercept a certain subnet, you can specify it using the -x flag.
  4. After the init containers have run, the main ones are started, including pilot-agent (envoy). It connects to the already deployed Pilot via GRPC and receives information about all existing services and routing policies in the cluster. According to the received data, it configures clusters and points them directly at the endpoints of our applications in the Kubernetes cluster. It is also necessary to note an important point: envoy dynamically configures listeners (IP, port pairs) which it starts listening on. Therefore, when requests enter the pod and are redirected using the redirect iptables rules into the sidecar, envoy can already successfully process these connections and understand where to proxy the traffic further. Also at this stage, information is sent to Mixer, which we will look at later, and tracing spans are sent.
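As an added illustration (not code from the article or from Istio), the following POSIX shell function models the nat-table rules that the redirect mode described above installs for the init container arguments used later in this article (-p 15001, -u 1337, -b '*', -i '*'); the real istio-iptables script handles more cases, and the function only prints the commands rather than applying them, so they can be reviewed before being run in a pod's network namespace. The excluded range in the usage call is a constructed example of -x.

```shell
#!/bin/sh
# Added, simplified model of the redirect-mode rules installed by istio-init; it prints
# the commands and does not apply them. $1 proxy port (-p), $2 proxy uid (-u),
# $3 inbound ports (-b: '*' = all, '' = none, else space-separated),
# $4 outbound ranges (-i: '*' = all, else space-separated CIDRs), $5 CIDRs to exclude (-x).
istio_init_rules() {
  port=$1; uid=$2; inbound=$3; outbound=$4; exclude=$5
  # Chain that hands TCP traffic to the sidecar listening on the proxy port.
  echo "iptables -t nat -N ISTIO_REDIRECT"
  echo "iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port $port"
  # Inbound: traffic arriving at the pod goes through envoy.
  if [ "$inbound" = '*' ]; then
    echo "iptables -t nat -A PREROUTING -p tcp -j ISTIO_REDIRECT"
  else
    for p in $inbound; do
      echo "iptables -t nat -A PREROUTING -p tcp --dport $p -j ISTIO_REDIRECT"
    done
  fi
  # Outbound: locally generated TCP traffic is examined in ISTIO_OUTPUT.
  echo "iptables -t nat -N ISTIO_OUTPUT"
  echo "iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT"
  # Loop prevention: packets sent by envoy's own uid leave the pod untouched,
  # otherwise the proxy's upstream connections would be redirected back to itself.
  echo "iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner $uid -j RETURN"
  # Localhost traffic stays local.
  echo "iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN"
  # Subnets excluded with -x are returned before the catch-all redirect.
  for cidr in $exclude; do
    echo "iptables -t nat -A ISTIO_OUTPUT -d $cidr -j RETURN"
  done
  # Finally, the outbound ranges selected with -i are redirected.
  if [ "$outbound" = '*' ]; then
    echo "iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT"
  else
    for cidr in $outbound; do
      echo "iptables -t nat -A ISTIO_OUTPUT -d $cidr -j ISTIO_REDIRECT"
    done
  fi
}

# The init container arguments from this article, plus a constructed -x exclusion.
istio_init_rules 15001 1337 '*' '*' '10.96.0.0/12'
```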

As a result, we get a whole network of envoy proxy servers that we can configure from one point (Pilot). All incoming and outgoing requests go through envoy. Moreover, only TCP traffic is intercepted. This means that the Kubernetes service IP is still resolved via kube-dns over UDP without change. Then, after resolution, the outgoing request is intercepted and processed by envoy, which itself decides which endpoint the request should be sent to (or not sent at all, in the case of access policies or the circuit breaker algorithm).

We have covered Pilot; now we need to understand how Mixer works and why it is needed. You can read its official documentation here.

Mixer in its current form consists of two components: istio-telemetry and istio-policy (before version 0.8 it was a single istio-mixer component). Both of them are mixers, each responsible for its own task. Istio-telemetry receives information about who goes where and with what parameters from the sidecar containers as Report requests via GRPC. Istio-policy accepts Check requests to verify that Policy rules are satisfied. Policy checks, of course, are not performed for every request, but are cached on the client (in the sidecar) for a certain time. Report requests are sent in batches. We will see how to configure this and which parameters should be sent a little later.

Mixer should be a highly available component that ensures uninterrupted collection and processing of telemetry data. The system as a whole turns out to be a multi-level buffer. Initially, data is buffered on the sidecar container side, then on the mixer side, and then sent to the so-called mixer backends. As a result, if any of the system components fails, the buffer grows and is flushed after the system is restored. Mixer backends are endpoints for sending telemetry data: statsd, newrelic, etc. You can write your own backend, it's quite simple, and we'll see how to do it.


To summarize, the scheme for working with istio-telemetry is as follows.

  1. Service 1 sends a request to service 2.
  2. When leaving service 1, the request is wrapped into its sidecar.
  3. The sidecar envoy monitors how the request goes to service 2 and prepares the necessary information.
  4. It then sends it to istio-telemetry using a Report request.
  5. Istio-telemetry decides whether this Report should be sent to the backends, to which ones and what data should be sent.
  6. Istio-telemetry sends the Report data to the backend if needed.

Now let's see how to deploy Istio in a system consisting of only the main components (Pilot and the sidecar envoy).

First, let's look at the main configuration (mesh) that Pilot reads:

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    service: istio
data:
  mesh: |-

    # for now we do not enable sending of tracing information (pilot will configure the envoys so that nothing is sent)
    enableTracing: false

    # for now we do not specify mixer endpoints, so that sidecar containers do not send information there
    #mixerCheckServer: istio-policy.istio-system:15004
    #mixerReportServer: istio-telemetry.istio-system:15004

    # set the interval with which envoy will re-query Pilot (this is for the old version of envoy proxy)
    rdsRefreshDelay: 5s

    # default configuration for the envoy sidecar
    defaultConfig:
      # same as rdsRefreshDelay
      discoveryRefreshDelay: 5s

      # leave as default (path to the envoy configuration and binary)
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"

      # default name of the running sidecar container (used, for example, in service names when sending tracing spans)
      serviceCluster: istio-proxy

      # time envoy will wait before forcibly closing all established connections
      drainDuration: 45s
      parentShutdownDuration: 1m0s

      # by default REDIRECT iptables rules are used. Can be changed to TPROXY.
      #interceptionMode: REDIRECT

      # port on which the admin panel of each sidecar container (envoy) will be started
      proxyAdminPort: 15000

      # address to which traces will be sent via the zipkin protocol (we disabled sending at the beginning, so this field will not be used for now)
      zipkinAddress: tracing-collector.tracing:9411

      # statsd address for sending metrics of the envoy containers (disabled)
      # statsdUdpAddress: aggregator:8126

      # disable Mutual TLS support
      controlPlaneAuthPolicy: NONE

      # address on which istio-pilot will listen in order to report service discovery information to all sidecar containers
      discoveryAddress: istio-pilot.istio-system:15007

All main control components (the control plane) will be located in the istio-system namespace in Kubernetes.

At a minimum, we only need to deploy Pilot. For this we use a configuration of this kind.

And we will configure the injection of the sidecar container manually.

Init container:

initContainers:
 - name: istio-init
   args:
   - -p
   - "15001"
   - -u
   - "1337"
   - -m
   - REDIRECT
   - -i
   - '*'
   - -b
   - '*'
   - -d
   - ""
   image: istio/proxy_init:1.0.0
   imagePullPolicy: IfNotPresent
   resources:
     limits:
       memory: 128Mi
   securityContext:
     capabilities:
       add:
       - NET_ADMIN

And the sidecar:

- name: istio-proxy
  args:
    - "bash"
    - "-c"
    - |
      exec /usr/local/bin/pilot-agent proxy sidecar \
      --configPath \
      /etc/istio/proxy \
      --binaryPath \
      /usr/local/bin/envoy \
      --serviceCluster \
      service-name \
      --drainDuration \
      45s \
      --parentShutdownDuration \
      1m0s \
      --discoveryAddress \
      istio-pilot.istio-system:15007 \
      --discoveryRefreshDelay \
      1s \
      --connectTimeout \
      10s \
      --proxyAdminPort \
      "15000" \
      --controlPlaneAuthPolicy \
      NONE
  env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: POD_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: INSTANCE_IP
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
  - name: ISTIO_META_POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: ISTIO_META_INTERCEPTION_MODE
    value: REDIRECT
  image: istio/proxyv2:1.0.0
  imagePullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      memory: 2048Mi
  securityContext:
    privileged: false
    readOnlyRootFilesystem: true
    runAsUser: 1337
  volumeMounts:
  - mountPath: /etc/istio/proxy
    name: istio-envoy

For everything to start successfully, you need to create a ServiceAccount, ClusterRole, ClusterRoleBinding and the CRDs for Pilot; their descriptions can be found here.

As a result, the service into which we inject the envoy sidecar should start successfully, receive all discovery data from Pilot and process requests.

It is important to understand that all control plane components are stateless and can be scaled horizontally without problems. All data is stored in etcd in the form of custom Kubernetes resource descriptions.

Also, Istio (still experimentally) is able to run outside the cluster and to watch and exchange service discovery between several Kubernetes clusters. You can read more about this here.

For a multi-cluster installation, be aware of the following limitations:

  1. The Pod CIDR and Service CIDR must be unique across all clusters and must not overlap.
  2. All Pod CIDRs must be reachable from any Pod CIDR across the clusters.
  3. All Kubernetes API servers must be reachable from each other.
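An added check, not from the article, for the first limitation: a POSIX shell routine that computes whether any of the pod and service CIDRs of several clusters overlap (IPv4 only). The cluster ranges in the usage call are constructed sample values.

```shell
#!/bin/sh
# Added check (not from the article) for the multi-cluster rule that pod and service
# CIDRs must not overlap between clusters. POSIX sh arithmetic only, IPv4 only.

# Dotted-quad address to a 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "network mask" (as integers) for a CIDR such as 10.0.0.0/16.
cidr_range() {
  len=${1#*/}
  mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
  echo "$(( $(ip2int "${1%/*}") & mask )) $mask"
}

# True (exit 0) when two CIDRs share addresses: compared under the shorter prefix,
# the larger block contains the other's network address.
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")   # net_a mask_a net_b mask_b
  if [ "$2" -le "$4" ]; then m=$2; else m=$4; fi
  [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# Check every pair in a list of CIDRs (pod and service ranges of all clusters);
# print each overlapping pair and return 1 if any was found.
check_cidrs() {
  rc=0
  while [ $# -gt 1 ]; do
    a=$1; shift
    for b in "$@"; do
      if cidrs_overlap "$a" "$b"; then echo "OVERLAP $a $b"; rc=1; fi
    done
  done
  return $rc
}

# Constructed sample: cluster-1 pods 10.0.0.0/16, services 10.1.0.0/16;
# cluster-2 pods 10.0.128.0/17 (inside cluster-1's pod range), services 10.2.0.0/16.
check_cidrs 10.0.0.0/16 10.1.0.0/16 10.0.128.0/17 10.2.0.0/16 || echo "fix the CIDRs before joining the clusters"
```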

This is initial information to help you get started with Istio. However, there are still many pitfalls. For example, the specifics of routing external traffic (outside the cluster), approaches to debugging sidecars, profiling, setting up Mixer and writing a custom Mixer backend, setting up the tracing mechanism and how it works with envoy.
We will look at all of this in the following publications. Ask your questions, and I will try to cover them.

Source: www.habr.com
