How we use Istio with Kubernetes in production. Part 1

What is Istio? It is a so-called service mesh, a technology that adds an abstraction layer on top of the network. We intercept all or part of the traffic in the cluster and perform a certain set of operations on it. Which ones? For example, we can do smart routing, implement the circuit breaker pattern, organize a "canary deployment" by switching part of the traffic to a new version of a service, or restrict external interactions and control every trip from the cluster to the external network. It is possible to set policy rules that govern the traffic between different microservices. Finally, we can obtain the whole map of network interactions and make the unified collection of metrics completely transparent to applications.

You can read about the mechanics of its operation in the official documentation. Istio is a really powerful tool that lets you solve a great many tasks and problems. In this article I would like to answer the main questions that usually come up when getting started with Istio. This should help you get to grips with it faster.

How it works

Istio consists of two main areas: the control plane and the data plane. The control plane contains the main components that ensure the correct operation of everything else. In the current version (1.0) the control plane has three main components: Pilot, Mixer and Citadel. We will not consider Citadel; it is needed to generate the certificates that provide mutual TLS between services. Let us take a closer look at the design and purpose of Pilot and Mixer.

Pilot is the main control component. It distributes all the information about what we have in the cluster: services, their endpoints and routing rules (for example, canary deployment rules or circuit breaker rules).

Mixer is an optional control plane component that provides the ability to collect metrics, logs and any other information about network interactions. It also monitors compliance with policy rules and with rate limits.

The data plane is implemented with sidecar proxy containers. By default the powerful Envoy proxy is used. It can be replaced by another implementation, for example nginx (nginmesh).

So that Istio works completely transparently to applications, there is an automatic injection mechanism. The latest implementation is suitable for Kubernetes 1.9+ (mutating admission webhook). For Kubernetes 1.7 and 1.8 it is possible to use the Initializer.

Sidecar containers connect to Pilot over the gRPC protocol, which makes it possible to optimize the push model for changes happening in the cluster. gRPC has been used in Envoy since version 1.6; in Istio it has been used since version 0.8, and it is the pilot-agent, a golang wrapper around envoy that prepares its launch options, that talks it.

Pilot and Mixer are completely stateless components; all state is kept in memory. Their configuration is expressed as Kubernetes Custom Resources, which are stored in etcd.
The istio-agent obtains the address of Pilot and opens a gRPC stream to it.

As I said, Istio implements all its functionality completely transparently to applications. Let us see how. The algorithm is as follows:

  1. We deploy a new version of the service.
  2. Depending on the sidecar injection approach, the istio-init container and the istio-agent container (envoy) are either added at the moment the configuration is applied, or they can already have been inserted manually into the description of the Kubernetes Pod entity.
  3. The istio-init container is a script that applies iptables rules inside the pod. There are two options for configuring how traffic is wrapped into the istio-agent container: iptables REDIRECT rules or TPROXY. At the time of writing, the default approach uses REDIRECT rules. In istio-init it is possible to configure which traffic should be intercepted and sent to istio-agent. For example, to intercept all inbound and all outbound traffic, you need to set the -i and -b parameters to the value *. You can specify particular ports to intercept. To exclude a certain subnet from interception, you can specify it with the -x flag.
  4. After the init containers have run, the main containers start, including the pilot-agent (envoy). It connects over gRPC to the already deployed Pilot and receives information about all the services and routing policies that exist in the cluster. Based on the received data, it configures its clusters and points them directly at the endpoints of our applications in the Kubernetes cluster. An important point needs to be noted here: envoy dynamically configures the listeners (IP, port pairs) on which it starts to listen. Therefore, when requests enter the pod and are redirected by the iptables REDIRECT rules to the sidecar, envoy is already able to handle these connections successfully and understands where to proxy the traffic next. Also at this stage, information is sent to Mixer, which we will look at later, and tracing spans are sent.

As a result, we get a whole network of envoy proxy servers that we can configure from a single point (Pilot). All inbound and outbound requests pass through envoy. Note that only TCP traffic is intercepted. This means that the IP of a Kubernetes service is resolved through kube-dns over UDP unchanged. Then, after resolution, the outbound request is intercepted and handled by envoy, which decides which endpoint the request should be sent to (or not sent at all, in the case of access policies or the circuit breaker algorithm).

We have dealt with Pilot; now we need to understand how Mixer works and why it is needed. You can read its official documentation here.

Mixer in its current form consists of two components: istio-telemetry and istio-policy (before version 0.8 it was a single istio-mixer component). Both of them are mixers, each responsible for its own task. istio-telemetry receives information about who calls whom and with which parameters from the sidecar containers via Report requests over gRPC. istio-policy accepts Check requests to verify that the policy rules are satisfied. Policy checks are, of course, not performed for every request; their results are cached on the client side (in the sidecar) for a certain time. Report calls are sent as batched requests. We will see how to configure this and which parameters should be sent a little later.

Mixer is supposed to be a highly available component that ensures uninterrupted collection and processing of telemetry data. The resulting system is a multi-level buffer. First the data is buffered on the sidecar side of the containers, then on the mixer side, and then it is sent to the so-called mixer backends. As a result, if any component of the system fails, the buffer grows and is flushed after the system recovers. Mixer backends are the endpoints to which telemetry data is sent: statsd, newrelic and so on. You can write your own backend; it is quite simple, and we will see how to do it.

To summarize, the scheme of working with istio-telemetry looks like this.

  1. Service 1 sends a request to service 2.
  2. On leaving service 1, the request is wrapped into its sidecar.
  3. The sidecar envoy watches how the request goes to service 2 and prepares the necessary information.
  4. It then sends that information to istio-telemetry in a Report request.
  5. istio-telemetry decides whether this Report should be sent on to a backend, to which one, and which data should be sent.
  6. istio-telemetry sends the Report data to the backend if needed.
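As an added illustration, not code from the article or from Istio itself, here is a small Python model of the multi-level buffering described above: a sidecar batches Report records, the mixer queues batches until the backend accepts them, and an outage of the backend only makes the queue grow until it is flushed on recovery. Class names, batch sizes and the bounded queue are assumptions made for this illustration; a real mixer backend speaks the adapter API, which is not modelled here.

```python
"""Toy model of sidecar -> mixer -> backend telemetry buffering (added example,
not Istio code).  Names and sizes are assumptions for the illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Report:
    source: str
    destination: str
    status: int


class FlakyBackend:
    """Constructed backend that can be switched off to simulate an outage."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, batch):
        if not self.up:
            raise ConnectionError("backend unavailable")
        self.received.extend(batch)


class Mixer:
    """Second buffering level: keeps batches until the backend accepts them.
    The queue is bounded so that a long outage cannot exhaust memory; the
    oldest batches are dropped first and counted."""

    def __init__(self, backend, max_queued=10_000):
        self.backend = backend
        self.queue = deque()
        self.max_queued = max_queued
        self.dropped = 0

    def buffered(self):
        return sum(len(b) for b in self.queue)

    def report(self, batch):
        self.queue.append(list(batch))
        while self.buffered() > self.max_queued:
            self.dropped += len(self.queue.popleft())
        self.flush()

    def flush(self):
        """Deliver queued batches in order; stop at the first failure and keep the rest."""
        while self.queue:
            try:
                self.backend.send(self.queue[0])
            except ConnectionError:
                return False  # batch stays queued; retried on the next flush
            self.queue.popleft()
        return True


class Sidecar:
    """First buffering level: batches Reports before calling the mixer."""

    def __init__(self, mixer, batch_size=3):
        self.mixer = mixer
        self.batch_size = batch_size
        self.pending = []

    def observe(self, src, dst, status):
        self.pending.append(Report(src, dst, status))
        if len(self.pending) >= self.batch_size:
            self.flush()

    def flush(self):
        if self.pending:
            self.mixer.report(self.pending)
            self.pending = []


def simulate_outage():
    """Backend goes down mid-stream; returns (queued during outage, queued after recovery, delivered)."""
    backend = FlakyBackend()
    mixer = Mixer(backend)
    sidecar = Sidecar(mixer)
    for _ in range(3):
        sidecar.observe("svc1", "svc2", 200)  # one full batch, delivered immediately
    backend.up = False
    for _ in range(6):
        sidecar.observe("svc1", "svc2", 503)  # two batches pile up in the mixer
    queued_during_outage = mixer.buffered()
    backend.up = True
    mixer.flush()  # recovery: everything that was held is delivered
    return queued_during_outage, mixer.buffered(), len(backend.received)


def simulate_overflow():
    """Backend stays down and the bounded mixer queue drops its oldest batch."""
    backend = FlakyBackend()
    backend.up = False
    mixer = Mixer(backend, max_queued=4)
    mixer.report([Report("a", "b", 200) for _ in range(3)])
    mixer.report([Report("a", "b", 200) for _ in range(3)])
    return mixer.buffered(), mixer.dropped


if __name__ == "__main__":
    print("outage:", simulate_outage())
    print("overflow:", simulate_overflow())
```

The two scenarios show the property the article relies on: during an outage nothing reaches the backend but nothing is lost either, and once the backend is back a single flush drains the queue. The bound on the mixer queue is the part a real deployment has to size deliberately, since an unbounded buffer turns a backend outage into a memory problem in the mixer.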

Now let us see how to deploy Istio on a system using only the main components (Pilot and the sidecar envoy).

First, let us look at the main configuration (mesh) that Pilot reads:

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    service: istio
data:
  mesh: |-

    # for now we do not enable sending of tracing information (pilot will configure the envoys so that nothing is sent)
    enableTracing: false

    # for now we do not specify the mixer endpoints, so that the sidecar containers do not send information there
    #mixerCheckServer: istio-policy.istio-system:15004
    #mixerReportServer: istio-telemetry.istio-system:15004

    # the interval at which envoy polls Pilot (this is for the old version of the envoy proxy)
    rdsRefreshDelay: 5s

    # default configuration for the envoy sidecar
    defaultConfig:
      # same meaning as rdsRefreshDelay
      discoveryRefreshDelay: 5s

      # leave at the defaults (path to the envoy configuration and binary)
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"

      # default name of the running sidecar container (used, for example, in service names when sending tracing spans)
      serviceCluster: istio-proxy

      # how long envoy waits before it forcibly closes all established connections
      drainDuration: 45s
      parentShutdownDuration: 1m0s

      # REDIRECT iptables rules are used by default. Can be changed to TPROXY.
      #interceptionMode: REDIRECT

      # port on which the admin panel of every sidecar container (envoy) is started
      proxyAdminPort: 15000

      # address to which traces are sent using the zipkin protocol (we disabled sending above, so this field is not used for now)
      zipkinAddress: tracing-collector.tracing:9411

      # statsd address for sending envoy container metrics (disabled)
      # statsdUdpAddress: aggregator:8126

      # disable Mutual TLS support
      controlPlaneAuthPolicy: NONE

      # address on which istio-pilot listens in order to deliver service discovery information to all sidecar containers
      discoveryAddress: istio-pilot.istio-system:15007

All the main control components (the control plane) live in the istio-system namespace in Kubernetes.

At a minimum we only need to deploy Pilot. For that we use the configuration above.

And we configure the sidecar container injection manually.

The init container:

initContainers:
- name: istio-init
  args:
  - -p
  - "15001"
  - -u
  - "1337"
  - -m
  - REDIRECT
  - -i
  - '*'
  - -b
  - '*'
  - -d
  - ""
  image: istio/proxy_init:1.0.0
  imagePullPolicy: IfNotPresent
  resources:
    limits:
      memory: 128Mi
  securityContext:
    capabilities:
      add:
      - NET_ADMIN

And the sidecar:

containers:
- name: istio-proxy
  args:
    - "bash"
    - "-c"
    - |
      exec /usr/local/bin/pilot-agent proxy sidecar \
      --configPath \
      /etc/istio/proxy \
      --binaryPath \
      /usr/local/bin/envoy \
      --serviceCluster \
      service-name \
      --drainDuration \
      45s \
      --parentShutdownDuration \
      1m0s \
      --discoveryAddress \
      istio-pilot.istio-system:15007 \
      --discoveryRefreshDelay \
      1s \
      --connectTimeout \
      10s \
      --proxyAdminPort \
      "15000" \
      --controlPlaneAuthPolicy \
      NONE
  env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: POD_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: INSTANCE_IP
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
  - name: ISTIO_META_POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: ISTIO_META_INTERCEPTION_MODE
    value: REDIRECT
  image: istio/proxyv2:1.0.0
  imagePullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      memory: 2048Mi
  securityContext:
    privileged: false
    readOnlyRootFilesystem: true
    runAsUser: 1337
  volumeMounts:
  - mountPath: /etc/istio/proxy
    name: istio-envoy
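Manual injection means nothing checks that the two containers agree with each other, so here is an added consistency check, not code from the article or from Istio, written in Python. The pod spec below is a constructed dict carrying the same values as the istio-init and istio-proxy containers above; the checks encode the relationships the text relies on: the uid passed to istio-init with -u is the uid whose traffic is excluded from redirection, so it must be the uid the proxy runs as, the interception mode given to istio-init must match the mode announced to pilot-agent, the init container needs NET_ADMIN to program iptables, and the proxy, which handles all of the pod's traffic, should stay unprivileged with a read-only root filesystem. The function names are assumptions for this example.

```python
"""Consistency check for manually injected Istio sidecar manifests (added
example, not Istio code).  POD_SPEC is constructed from the manifests in the
article; check_sidecar_injection() returns a list of problems found."""

POD_SPEC = {  # constructed from the article's istio-init / istio-proxy manifests
    "initContainers": [{
        "name": "istio-init",
        "args": ["-p", "15001", "-u", "1337", "-m", "REDIRECT",
                 "-i", "*", "-b", "*", "-d", ""],
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }],
    "containers": [{
        "name": "istio-proxy",
        "env": [{"name": "ISTIO_META_INTERCEPTION_MODE", "value": "REDIRECT"}],
        "securityContext": {"privileged": False,
                            "readOnlyRootFilesystem": True,
                            "runAsUser": 1337},
    }],
}


def parse_init_args(args):
    """Turn istio-init's flag list into a dict: ['-p', '15001', ...] -> {'-p': '15001', ...}."""
    return {args[i]: args[i + 1] for i in range(0, len(args) - 1, 2)}


def find_container(spec, key, name):
    for container in spec.get(key, []):
        if container.get("name") == name:
            return container
    return None


def check_sidecar_injection(spec):
    """Return a list of problems; an empty list means init and proxy agree."""
    problems = []
    init = find_container(spec, "initContainers", "istio-init")
    proxy = find_container(spec, "containers", "istio-proxy")
    if init is None or proxy is None:
        return ["istio-init or istio-proxy container missing"]

    flags = parse_init_args(init.get("args", []))
    proxy_sc = proxy.get("securityContext", {})
    env = {e["name"]: e.get("value") for e in proxy.get("env", [])}

    # 1. the uid excluded from redirection must be the proxy's own uid; otherwise
    #    envoy's outbound connections would be redirected back into envoy
    if str(proxy_sc.get("runAsUser")) != flags.get("-u"):
        problems.append("istio-init -u does not match istio-proxy runAsUser")

    # 2. the interception mode programmed into iptables must be the one the proxy expects
    if flags.get("-m") != env.get("ISTIO_META_INTERCEPTION_MODE"):
        problems.append("istio-init -m does not match ISTIO_META_INTERCEPTION_MODE")

    # 3. iptables rules cannot be installed without NET_ADMIN
    caps = init.get("securityContext", {}).get("capabilities", {}).get("add", [])
    if "NET_ADMIN" not in caps:
        problems.append("istio-init lacks the NET_ADMIN capability")

    # 4. the proxy sees every connection of the pod; keep it unprivileged and read-only
    if proxy_sc.get("privileged") or not proxy_sc.get("readOnlyRootFilesystem"):
        problems.append("istio-proxy should run unprivileged with a read-only root filesystem")

    # 5. the inbound redirect port must be a valid port number
    port = flags.get("-p")
    if not (port and port.isdigit() and 0 < int(port) < 65536):
        problems.append("istio-init -p is not a valid port")

    return problems


if __name__ == "__main__":
    for problem in check_sidecar_injection(POD_SPEC) or ["ok: init and proxy agree"]:
        print(problem)
```

Running the checker over the article's values reports no problems; changing the proxy's runAsUser or switching istio-init to TPROXY without updating ISTIO_META_INTERCEPTION_MODE makes the corresponding item appear, which is exactly the class of mistake manual injection invites.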

For everything to start successfully, you need to create a ServiceAccount, a ClusterRole, a ClusterRoleBinding and the CRDs for Pilot; their descriptions can be found here.

As a result, the service into which we inject the sidecar with envoy should start successfully, receive all the discovery data from Pilot and process requests.

It is important to understand that all control plane components are stateless applications and can be scaled horizontally without any problems. All data is stored in etcd in the form of Kubernetes custom resource descriptions.

Istio also has the (still experimental) ability to run outside the cluster, and the ability to observe and probe service discovery across several Kubernetes clusters. You can read more about this here.

For a multi-cluster installation, keep the following limitations in mind:

  1. The Pod CIDR and the Service CIDR must be unique across all clusters and must not overlap.
  2. Every Pod CIDR must be reachable from every other Pod CIDR across the clusters.
  3. All Kubernetes API servers must be reachable from one another.

This is the introductory information to help you get started with Istio. However, there are still many pitfalls: for example, the specifics of routing external traffic (outside the cluster), approaches to debugging the sidecars, profiling, configuring the mixer and writing a custom mixer backend, and setting up the tracing mechanism and how it works with envoy.
We will cover all of this in the following publications. Ask your questions, and I will try to cover them.

Source: www.habr.com