You can read about how to work with it here.
How it works
Istio has two main planes: the control plane and the data plane. The control plane contains the core components that ensure the correct operation of the rest. In the current version (1.0) the control plane has three main components: Pilot, Mixer, Citadel. We will not consider Citadel; it is needed to generate certificates for mutual TLS between services. Let us look in more detail at the structure and purpose of Pilot and Mixer.
Pilot is the main control component that distributes all the information about what we have in the cluster: services, their endpoints and routing rules (for example, rules for a canary deployment or circuit breaker rules).
Mixer is an optional control plane component that provides the ability to collect metrics, logs and any other information about network interactions. It also monitors compliance with Policy rules and with rate limits.
The data plane is implemented with sidecar proxy containers. Envoy is used by default.
For Istio to work transparently for applications, there is an automatic injection mechanism. The latest implementation is suitable for Kubernetes 1.9+ (mutating admission webhook). For Kubernetes 1.7 and 1.8 it is possible to use Initializer.
Sidecar containers connect to Pilot using the GRPC protocol, which makes it possible to optimise the push model for changes happening in the cluster. GRPC has been used in Envoy since version 1.6; in Istio it has been used since version 0.8 and takes the form of pilot-agent, a golang wrapper over envoy that configures its launch options.
Pilot and Mixer are completely stateless components; all state is kept in memory. Their configuration is defined as Kubernetes Custom Resources, which are stored in etcd.
Istio-agent obtains the address of Pilot and opens a GRPC stream to it.
As I said, Istio implements all its functionality completely transparently for applications. Let us see how. The algorithm is as follows:
- A new version of the service is deployed.
- Depending on the sidecar container injection approach, an istio-init container and an istio-agent (envoy) container are added at the stage of applying the configuration, or are already inserted manually into the Kubernetes Pod entity description.
- The istio-init container is a script that applies iptables rules to the pod. There are two options for configuring the traffic to be wrapped into the istio-agent container: using iptables redirect rules, or TPROXY. At the time of writing, the default approach is redirect rules. In istio-init it is possible to configure which traffic should be intercepted and sent to istio-agent. For example, to intercept all inbound and all outbound traffic, you need to set the parameters -i and -b to the value *. You can specify particular ports to intercept. To avoid intercepting a particular subnet, you can specify it using the -x flag.
- After the init containers have run, the main containers are started, including pilot-agent (envoy). It connects to the already deployed Pilot over GRPC and receives information about all existing services and routing policies in the cluster. Based on the data received, it configures clusters and points them directly at the endpoints of our applications in the Kubernetes cluster. An important point should also be noted: envoy configures listeners (IP, port pairs) on which it starts listening. Therefore, when requests enter the pod and are redirected by the redirect iptables rules to the sidecar, envoy can already process this connection successfully and understand where to proxy the traffic further. Also at this stage, information is sent to Mixer, which we will look at later, and tracing spans are sent.
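To make the istio-init parameters above concrete, here is an added example (not the istio/proxy_init script itself, and not code from the original post) that models what the -p/-u/-i/-b/-x/-d arguments turn into in REDIRECT mode. It returns the iptables commands as strings instead of executing them, so it runs anywhere without NET_ADMIN. The chain names ISTIO_REDIRECT, ISTIO_INBOUND and ISTIO_OUTPUT are the ones Istio uses; the exact rule order and the handling of pod-local loopback traffic in the real script differ, and the values -p 15001 and -u 1337 are the ones that appear in the init container manifest later on this page.

```python
"""Simplified model of the iptables rules that istio-init applies inside a pod.

Added illustration, not the istio/proxy_init script: it reproduces the meaning
of the -p/-u/-i/-b/-x/-d parameters for REDIRECT mode and returns the iptables
commands as strings instead of executing them.  Chain names follow Istio's;
rule order and loopback handling are simplified.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class InitArgs:
    proxy_port: int = 15001          # -p: port envoy listens on for redirected traffic
    proxy_uid: int = 1337            # -u: uid the sidecar runs as (must match runAsUser)
    outbound_ip_ranges: str = "*"    # -i: "*" = redirect to every destination, or CIDR list
    inbound_ports: str = "*"         # -b: "*" = every inbound TCP port, port list, or "" = none
    exclude_inbound_ports: str = ""  # -d: inbound ports that are never intercepted
    exclude_ip_ranges: str = ""      # -x: destination CIDRs that are never intercepted


def _csv(value: str) -> List[str]:
    """Split a comma-separated argument value, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def generate_rules(a: InitArgs) -> List[str]:
    """Return the nat-table rules in the order they would be applied."""
    nat = "iptables -t nat"
    rules = [
        # Shared target: rewrite the destination port of TCP traffic to envoy's port.
        f"{nat} -N ISTIO_REDIRECT",
        f"{nat} -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port {a.proxy_port}",
        f"{nat} -N ISTIO_INBOUND",
        f"{nat} -N ISTIO_OUTPUT",
    ]

    # Inbound traffic enters through PREROUTING; an empty -b disables inbound interception.
    if a.inbound_ports:
        rules.append(f"{nat} -A PREROUTING -p tcp -j ISTIO_INBOUND")
        for port in _csv(a.exclude_inbound_ports):
            rules.append(f"{nat} -A ISTIO_INBOUND -p tcp --dport {port} -j RETURN")
        if a.inbound_ports == "*":
            rules.append(f"{nat} -A ISTIO_INBOUND -p tcp -j ISTIO_REDIRECT")
        else:
            for port in _csv(a.inbound_ports):
                rules.append(f"{nat} -A ISTIO_INBOUND -p tcp --dport {port} -j ISTIO_REDIRECT")

    # Outbound traffic from processes in the pod passes through OUTPUT.
    rules.append(f"{nat} -A OUTPUT -p tcp -j ISTIO_OUTPUT")
    # Envoy's own sockets must bypass the redirect, otherwise the upstream
    # connections it opens would be looped straight back into envoy.
    rules.append(f"{nat} -A ISTIO_OUTPUT -m owner --uid-owner {a.proxy_uid} -j RETURN")
    rules.append(f"{nat} -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN")
    # -x exclusions are evaluated before any redirect rule.
    for cidr in _csv(a.exclude_ip_ranges):
        rules.append(f"{nat} -A ISTIO_OUTPUT -d {cidr} -j RETURN")
    if a.outbound_ip_ranges == "*":
        rules.append(f"{nat} -A ISTIO_OUTPUT -j ISTIO_REDIRECT")
    else:
        for cidr in _csv(a.outbound_ip_ranges):
            rules.append(f"{nat} -A ISTIO_OUTPUT -d {cidr} -j ISTIO_REDIRECT")
    return rules


def sidecar_uid_matches(a: InitArgs, run_as_user: int) -> bool:
    """Consistency check between istio-init's -u and the sidecar's securityContext.runAsUser.

    If they differ, the uid-owner RETURN rule never matches envoy's own traffic
    and every upstream connection envoy opens is redirected back to itself.
    """
    return a.proxy_uid == run_as_user


if __name__ == "__main__":
    for rule in generate_rules(InitArgs(exclude_ip_ranges="10.0.0.0/8")):
        print(rule)
```

The two things worth checking against a real manifest are visible in the output: the uid-owner RETURN rule must precede every redirect (and its uid must equal the sidecar's runAsUser), and any -x exclusion must also sit before the final ISTIO_REDIRECT jump, otherwise it has no effect.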
As a result, we get a whole network of envoy proxy servers that we can configure from a single point (Pilot). All incoming and outgoing requests pass through envoy. Moreover, only TCP traffic is intercepted. This means that the Kubernetes service IP is resolved through kube-dns over UDP without any changes. Then, after resolution, the outgoing request is intercepted and processed by envoy, which decides which endpoint the request should be sent to (or not sent at all, in the case of access policies or the circuit breaker algorithm).
We have figured out Pilot; now we need to understand how Mixer works and why it is needed. You can read the official documentation on it here.
Mixer in its current form consists of two components: istio-telemetry and istio-policy (before version 0.8 it was a single istio-mixer component). Both are mixers, each responsible for its own task. Istio-telemetry receives information about who goes where and with what parameters from the sidecar containers via Report calls over GRPC. Istio-policy accepts Check requests to verify that Policy rules are satisfied. Policy checks, of course, are not performed for every request but are cached on the client (in the sidecar) for some time. Report data is sent as batch requests. We will see how to configure this and which parameters should be sent a little later.
Mixer is supposed to be a highly available component that ensures uninterrupted collection and processing of telemetry data. The system as a whole works as a multi-level buffer. Initially the data is buffered on the sidecar container side, then on the mixer side, and then sent to so-called mixer backends. As a result, if any component of the system fails, the buffer grows and is flushed once the system is restored. Mixer backends are the endpoints that telemetry data is sent to: statsd, newrelic, etc. You can write your own backend; it is quite simple, and we will see how it is done.
To summarise, the scheme of working with istio-telemetry looks like this.
- Service 1 sends a request to service 2.
- On leaving service 1, the request is wrapped in its sidecar.
- The sidecar envoy observes how the request goes to service 2 and prepares the necessary information.
- It then sends it to istio-telemetry using a Report request.
- Istio-telemetry decides whether this Report should be sent to the backends, to which ones, and which data should be sent.
- Istio-telemetry sends the Report data to the backend when required.
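The Report path summarised above, and the multi-level buffering described a little earlier, as an added example that is not part of the original post and not Istio code: the sidecar batches Report data, istio-telemetry decides which backend receives which report, and each level keeps buffering while the next one is unavailable, flushing once it recovers. The class names, the routing rules and the two sample backends ("statsd" and an error sink) are invented for the illustration; a real mixer routes with Rule/Handler resources rather than Python callables.

```python
"""Model of the Report path: sidecar -> istio-telemetry -> mixer backends.

Added illustration, not Istio code.  It reproduces the behaviour described
in the text: Report data batched on the sidecar, routed and buffered again in
istio-telemetry, held back while a backend is down and flushed on recovery.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Report:
    """One observed request: who called whom and with what result."""
    source: str
    destination: str
    status: int


class Backend:
    """Stands in for a mixer backend (statsd, a log sink, ...); can be taken offline."""

    def __init__(self) -> None:
        self.available = True
        self.received: List[Report] = []

    def send(self, batch: List[Report]) -> None:
        if not self.available:
            raise ConnectionError("backend unavailable")
        self.received.extend(batch)


class Telemetry:
    """istio-telemetry side: routes reports to backends and buffers per backend."""

    def __init__(self, backends: Dict[str, Backend],
                 rules: Dict[str, Callable[[Report], bool]]) -> None:
        self.backends = backends
        self.rules = rules  # which reports each backend should receive (invented rule form)
        self.pending: Dict[str, List[Report]] = {name: [] for name in backends}

    def report(self, batch: List[Report]) -> None:
        """Handle one Report call from a sidecar: route, then try to deliver."""
        for item in batch:
            for name, wanted in self.rules.items():
                if wanted(item):
                    self.pending[name].append(item)
        self.flush()

    def flush(self) -> None:
        """Deliver every pending queue; keep a queue intact if its backend is down."""
        for name, queue in self.pending.items():
            if not queue:
                continue
            try:
                self.backends[name].send(list(queue))
            except ConnectionError:
                continue  # the buffer grows until the backend is back
            queue.clear()

    def buffered(self, name: str) -> int:
        """Number of reports still waiting for the named backend."""
        return len(self.pending[name])


class Sidecar:
    """Envoy side: first buffer level, sends Reports in batches."""

    def __init__(self, telemetry: Telemetry, batch_size: int = 3) -> None:
        self.telemetry = telemetry
        self.batch_size = batch_size
        self.buffer: List[Report] = []

    def observe(self, source: str, destination: str, status: int) -> None:
        """Called for every request that passed through the proxy."""
        self.buffer.append(Report(source, destination, status))
        if len(self.buffer) >= self.batch_size:
            self.flush()

    def flush(self) -> None:
        """Send the accumulated batch as one Report call."""
        if self.buffer:
            self.telemetry.report(self.buffer)
            self.buffer = []


if __name__ == "__main__":
    statsd, errors = Backend(), Backend()
    tel = Telemetry({"statsd": statsd, "errors": errors},
                    {"statsd": lambda r: True, "errors": lambda r: r.status >= 500})
    sc = Sidecar(tel)
    for status in (200, 200, 503):
        sc.observe("service-1", "service-2", status)
    print(len(statsd.received), len(errors.received))  # prints: 3 1
```

Taking a backend offline (`statsd.available = False`) and continuing to send requests shows the property the text describes: nothing is lost on the sidecar or telemetry side, `buffered("statsd")` grows, and a later `flush()` after the backend returns delivers the whole backlog.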
Now let us see how to deploy Istio into a system, including only the core components (Pilot and the envoy sidecar).
First, let us look at the main configuration (mesh) that Pilot reads:
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    service: istio
data:
  mesh: |-
    # for now we do not enable sending of tracing information (pilot will configure the envoys so that nothing is sent)
    enableTracing: false
    # for now we do not specify the mixer endpoints, so that sidecar containers do not send information there
    #mixerCheckServer: istio-policy.istio-system:15004
    #mixerReportServer: istio-telemetry.istio-system:15004
    # the interval at which envoy re-queries Pilot (this is for the old version of envoy proxy)
    rdsRefreshDelay: 5s
    # default configuration for the envoy sidecar
    defaultConfig:
      # same as rdsRefreshDelay
      discoveryRefreshDelay: 5s
      # leave the defaults (path to the envoy configuration and binary)
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # default name of the running sidecar container (used, for example, in service names when sending tracing spans)
      serviceCluster: istio-proxy
      # how long envoy waits before it forcibly closes all established connections
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      # REDIRECT iptables rules are used by default. Can be changed to TPROXY.
      #interceptionMode: REDIRECT
      # port on which the admin panel of each sidecar container (envoy) is started
      proxyAdminPort: 15000
      # address to which traces are sent over the zipkin protocol (we disabled sending itself above, so this field is not used for now)
      zipkinAddress: tracing-collector.tracing:9411
      # statsd address for sending envoy container metrics (disabled)
      # statsdUdpAddress: aggregator:8126
      # disable Mutual TLS support
      controlPlaneAuthPolicy: NONE
      # address on which istio-pilot listens in order to report service discovery information to all sidecar containers
      discoveryAddress: istio-pilot.istio-system:15007
All the main control plane components will be placed in the istio-system namespace in Kubernetes.
At minimum, we only need to deploy Pilot. For this we use such a configuration.
And we will configure sidecar container injection manually.
Init container:
initContainers:
- name: istio-init
  args:
  - -p
  - "15001"
  - -u
  - "1337"
  - -m
  - REDIRECT
  - -i
  - '*'
  - -b
  - '*'
  - -d
  - ""
  image: istio/proxy_init:1.0.0
  imagePullPolicy: IfNotPresent
  resources:
    limits:
      memory: 128Mi
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
And the sidecar:
- name: istio-proxy
  args:
  - "bash"
  - "-c"
  - |
    exec /usr/local/bin/pilot-agent proxy sidecar \
    --configPath \
    /etc/istio/proxy \
    --binaryPath \
    /usr/local/bin/envoy \
    --serviceCluster \
    service-name \
    --drainDuration \
    45s \
    --parentShutdownDuration \
    1m0s \
    --discoveryAddress \
    istio-pilot.istio-system:15007 \
    --discoveryRefreshDelay \
    1s \
    --connectTimeout \
    10s \
    --proxyAdminPort \
    "15000" \
    --controlPlaneAuthPolicy \
    NONE
  env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: POD_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: INSTANCE_IP
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
  - name: ISTIO_META_POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: ISTIO_META_INTERCEPTION_MODE
    value: REDIRECT
  image: istio/proxyv2:1.0.0
  imagePullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      memory: 2048Mi
  securityContext:
    privileged: false
    readOnlyRootFilesystem: true
    runAsUser: 1337
  volumeMounts:
  - mountPath: /etc/istio/proxy
    name: istio-envoy
For everything to start successfully, you need to create a ServiceAccount, ClusterRole, ClusterRoleBinding and the CRDs for Pilot, whose descriptions can be found here.
As a result, the service into which we inject the sidecar with envoy should start successfully, receive all discovery data from Pilot and process requests.
It is important to understand that all control plane components are stateless applications and can be scaled horizontally without problems. All data is stored in etcd in the form of custom descriptions of Kubernetes resources.
In addition, Istio (still experimentally) can run outside the cluster and can watch and perform service discovery across several Kubernetes clusters. You can read more about this here.
For a multi-cluster installation, note the following limitations:
- The Pod CIDR and Service CIDR must be unique across all clusters and must not overlap.
- All Pod CIDRs must be reachable from any Pod CIDR between the clusters.
- All Kubernetes API servers must be reachable from each other.
This is the initial information to help you get started with Istio. However, there are still many pitfalls. For example, the specifics of routing external traffic (outside the cluster), approaches to debugging sidecars, profiling, setting up mixer and writing a custom mixer backend, and setting up the tracing mechanism and how it works with envoy.
We will cover all of this in the following publications. Ask your questions and I will try to cover them.
Source: www.habr.com