Istio的流量管理示例一:VirtualService和流量负载均衡。
介绍
更多示例,建议参考:https://istio.io/latest/docs/examples/
示例文件
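# Deployment "site1": one busybox pod that serves a static page with busybox
# httpd on port 8080. Nesting restored; the flattened listing does not parse.
# NOTE(review): no securityContext is set, so the container keeps the image's
# default user (presumably root for stock busybox; confirm). Acceptable for a
# throwaway demo, tighten before reusing this manifest elsewhere.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: site1
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: site1
      server: httpd
  template:
    metadata:
      name: site1
      labels:
        app: site1      # matched by the selector of Service "site1"
        server: httpd   # shared with site2; matched by Service "site-svc"
    spec:
      containers:
        - name: site1
          # NOTE(review): no tag means ":latest", a mutable reference; with
          # IfNotPresent each node runs whatever busybox it already has cached.
          # Pin a tag or digest (busybox@sha256:<DIGEST>) for reproducible pods.
          image: busybox
          imagePullPolicy: IfNotPresent
          # Writes the landing page, then runs httpd in the foreground (-f)
          # on port 8080 with /var/www as the document root.
          command: ["/bin/sh", "-c", "echo 'welcome to site1' > /var/www/index.html; httpd -f -p 8080 -h /var/www"]
          ports:
            - name: http
              containerPort: 8080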
---
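# Service "site1": exposes only the site1 pods on TCP 8080. It is one of the
# two route destinations of VirtualService "site-svc-vs".
apiVersion: v1
kind: Service
metadata:
  name: site1
  # Pinned to match Deployment "site1", which sets namespace: default; without
  # it the Service follows the kubectl context and may miss the pods.
  namespace: default
spec:
  selector:
    app: site1
  ports:
    # Istio can take the protocol from the port name; "http" marks this as HTTP.
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP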
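---
# Deployment "site2": same shape as site1 with a different landing page.
# The leading "---" keeps this document separate when the manifests are
# concatenated as they are on this page; nesting restored so the YAML parses.
# NOTE(review): no securityContext is set, so the container keeps the image's
# default user (presumably root for stock busybox; confirm). Acceptable for a
# throwaway demo, tighten before reusing this manifest elsewhere.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: site2
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: site2
      server: httpd
  template:
    metadata:
      name: site2
      labels:
        app: site2      # matched by the selector of Service "site2"
        server: httpd   # shared with site1; matched by Service "site-svc"
    spec:
      containers:
        - name: site2
          # NOTE(review): no tag means ":latest", a mutable reference; with
          # IfNotPresent each node runs whatever busybox it already has cached.
          # Pin a tag or digest (busybox@sha256:<DIGEST>) for reproducible pods.
          image: busybox
          imagePullPolicy: IfNotPresent
          # Writes the landing page, then runs httpd in the foreground (-f)
          # on port 8080 with /var/www as the document root.
          command: ["/bin/sh", "-c", "echo 'welcome to site2' > /var/www/index.html; httpd -f -p 8080 -h /var/www"]
          ports:
            - name: http
              containerPort: 8080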
---
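# Service "site2": exposes only the site2 pods on TCP 8080. It is one of the
# two route destinations of VirtualService "site-svc-vs".
apiVersion: v1
kind: Service
metadata:
  name: site2
  # Pinned to match Deployment "site2", which sets namespace: default; without
  # it the Service follows the kubectl context and may miss the pods.
  namespace: default
spec:
  selector:
    app: site2
  ports:
    # Istio can take the protocol from the port name; "http" marks this as HTTP.
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP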
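---
# Service "site-svc": the shared front door. Its selector (server: httpd)
# matches the pods of both site1 and site2, so plain Kubernetes load balancing
# spreads requests over both; the page observes about 1:1 from clients that
# have no sidecar.
# The leading "---" keeps this document separate when manifests are
# concatenated as they are on this page.
apiVersion: v1
kind: Service
metadata:
  name: site-svc
  # Pinned so the short names used by the VirtualService and the client
  # ("site-svc", "site1", "site2") resolve in the same namespace as the pods.
  namespace: default
spec:
  selector:
    server: httpd
  ports:
    # Istio can take the protocol from the port name; "http" marks this as HTTP.
    - name: http
      port: 8080
      targetPort: 8080
      protocol: TCP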
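---
# VirtualService "site-svc-vs": splits HTTP traffic addressed to "site-svc"
# 80/20 between Services site1 and site2.
# No "gateways" field is set, so the rule applies to sidecars inside the mesh.
# NOTE(review): the split is applied by the calling pod's Envoy sidecar. A
# caller without a sidecar bypasses it and gets the plain Service behaviour.
# This is a routing rule, not an access control; restricting who may reach
# site1/site2 needs PeerAuthentication / AuthorizationPolicy.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: site-svc-vs
  # Short host names below are resolved relative to this namespace.
  namespace: default
spec:
  hosts:
    - site-svc
    # - site-svc.default.svc.cluster.local
  http:
    - route:
        # Weights are percentages and must add up to 100.
        - destination:
            host: site1
          weight: 80
        - destination:
            host: site2
          weight: 20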
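---
# Pod "client": a busybox shell used to send test requests to site-svc.
# It sleeps for one hour and then exits; restartPolicy Never means it is not
# restarted, so re-create it for longer sessions.
# The leading "---" keeps this document separate when manifests are
# concatenated as they are on this page.
apiVersion: v1
kind: Pod
metadata:
  name: client
  # Same namespace as site-svc so the short name "site-svc" resolves.
  namespace: default
spec:
  restartPolicy: Never
  containers:
    - name: busybox
      # NOTE(review): ":latest" is a mutable tag; pin a tag or digest
      # (busybox@sha256:<DIGEST>) if the test client must be reproducible.
      image: busybox:latest
      command:
        - sh
        - "-c"
        - |
          sleep 3600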
创建资源
$ kubectl apply -f .
root@k8s-master:~# kubectl get pod
NAME READY STATUS RESTARTS AGE
site1-6cf9555564-8clq9 1/1 Running 0 29m
site2-67fb54d5c4-c52d4 1/1 Running 0 29m
root@k8s-master:~# kubectl get all
NAME READY STATUS RESTARTS AGE
pod/site1-6cf9555564-8clq9 1/1 Running 0 29m
pod/site2-67fb54d5c4-c52d4 1/1 Running 0 29m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 32m
service/site-svc ClusterIP 10.101.55.234 <none> 8080/TCP 28m
service/site1 ClusterIP 10.106.196.9 <none> 8080/TCP 29m
service/site2 ClusterIP 10.106.198.229 <none> 8080/TCP 29m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/site1 1/1 1 1 29m
deployment.apps/site2 1/1 1 1 29m
NAME DESIRED CURRENT READY AGE
replicaset.apps/site1-6cf9555564 1 1 1 29m
replicaset.apps/site2-67fb54d5c4 1 1 1 29m
root@k8s-master:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 33m
site-svc ClusterIP 10.101.55.234 <none> 8080/TCP 29m
site1 ClusterIP 10.106.196.9 <none> 8080/TCP 30m
site2 ClusterIP 10.106.198.229 <none> 8080/TCP 30m
root@k8s-master:~#kubectl get virtualservices.networking.istio.io
NAME GATEWAYS HOSTS AGE
site-svc-vs ["site-svc"] 23m
示例
示例一:原生svc负载
在 master 节点上直接访问前,需先参考《kube-dns/CoreDNS 实现介绍》配置 master 主机,使其能够解析 site-svc 等 Service 名称。
root@k8s-master:~# curl site-svc:8080
welcome to site1
root@k8s-master:~# curl site-svc:8080
welcome to site2
root@k8s-master:~# curl site-svc:8080
welcome to site1
root@k8s-master:~# curl site-svc:8080
welcome to site2
root@k8s-master:~# kubectl exec -it client -- sh
/ # wget -q -O - http://site-svc:8080
welcome to site1
/ # wget -q -O - http://site-svc:8080
welcome to site2
/ # wget -q -O - http://site-svc:8080
welcome to site1
/ # wget -q -O - http://site-svc:8080
welcome to site2
示例二:istio注入
root@k8s-master:~# istioctl kube-inject -f site1-demo.yaml | kubectl apply -f -
deployment.apps/site1 configured
service/site1 unchanged
root@k8s-master:~# istioctl kube-inject -f site2-demo.yaml | kubectl apply -f -
deployment.apps/site2 configured
service/site2 unchanged
# 注入后,每个 Pod 内的容器数变为 2(业务容器 + istio-proxy sidecar),READY 显示为 2/2
root@k8s-master:~# kubectl get all
NAME READY STATUS RESTARTS AGE
pod/site1-5b7488d74f-2h5k7 2/2 Running 0 118s
pod/site2-855557f957-xb5kn 2/2 Running 0 111s
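- 在 master 节点上访问,或在未注入 istio 的容器内访问 site-svc,流量比约为 1:1:这类请求不经过 Envoy sidecar,由 Kubernetes Service 原生负载均衡处理,VirtualService 不生效。
- 对 client 注入 istio 后,在该容器内访问,流量比为 4:1。
- 也就是说,必须在已注入 istio 的容器内(通过 dns 或 ip)访问 VirtualService 所对应的服务,流量才会按 80:20 分配,因为路由规则是由调用方的 sidecar 执行的。因此 VirtualService 只是路由规则,不是访问控制:未注入 sidecar 的客户端仍可绕过它直接访问 site1/site2;如需限制访问来源,应另行配置 PeerAuthentication(STRICT mTLS)和 AuthorizationPolicy。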
root@k8s-master:~# kubectl delete -f site-client-demo.yaml
pod "client" deleted
root@k8s-master:~# istioctl kube-inject -f site-client-demo.yaml | kubectl apply -f -
pod/client created
# 流量负载均衡 site1 : site2 = 4:1
root@k8s-master:~# kubectl exec -it client -c busybox -- sh
/ # wget -q -O - http://site-svc:8080
welcome to site1
/ # wget -q -O - http://site-svc:8080
welcome to site2
/ # wget -q -O - http://site-svc:8080
welcome to site1
/ # wget -q -O - http://site-svc:8080
welcome to site1
/ # wget -q -O - http://site-svc:8080
welcome to site1
/ # wget -q -O - http://site-svc:8080
istioctl 问题排查命令
查看 Envoy 代理配置的命令:
$ istioctl proxy-config -h
...
Available Commands:
all Retrieves all configuration for the Envoy in the specified pod
bootstrap Retrieves bootstrap configuration for the Envoy in the specified pod
cluster Retrieves cluster configuration for the Envoy in the specified pod
endpoint Retrieves endpoint configuration for the Envoy in the specified pod
listener Retrieves listener configuration for the Envoy in the specified pod
log (experimental) Retrieves logging levels of the Envoy in the specified pod
rootca-compare Compare ROOTCA values for the two given pods
route Retrieves route configuration for the Envoy in the specified pod
secret Retrieves secret configuration for the Envoy in the specified pod
...
查看代理 all 情况
root@k8s-master:~# istioctl proxy-config all site1-5b7488d74f-2h5k7
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
8080 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
istio-egressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 31400 - outbound EDS
istiod.istio-system.svc.cluster.local 443 - outbound EDS
istiod.istio-system.svc.cluster.local 15010 - outbound EDS
istiod.istio-system.svc.cluster.local 15012 - outbound EDS
istiod.istio-system.svc.cluster.local 15014 - outbound EDS
kube-dns.kube-system.svc.cluster.local 53 - outbound EDS
kube-dns.kube-system.svc.cluster.local 9153 - outbound EDS
kubernetes.default.svc.cluster.local 443 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
site-svc.default.svc.cluster.local 8080 - outbound EDS
site1.default.svc.cluster.local 8080 - outbound EDS
site2.default.svc.cluster.local 8080 - outbound EDS
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
ADDRESS PORT MATCH DESTINATION
10.96.0.10 53 ALL Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0 80 Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0 80 ALL PassthroughCluster
10.100.182.135 443 ALL Cluster: outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.102.235.99 443 ALL Cluster: outbound|443||istiod.istio-system.svc.cluster.local
10.96.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
10.96.242.187 443 ALL Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 8080 Trans: raw_buffer; App: http/1.1,h2c Route: 8080
0.0.0.0 8080 ALL PassthroughCluster
10.96.0.10 9153 Trans: raw_buffer; App: http/1.1,h2c Route: kube-dns.kube-system.svc.cluster.local:9153
10.96.0.10 9153 ALL Cluster: outbound|9153||kube-dns.kube-system.svc.cluster.local
0.0.0.0 15001 ALL PassthroughCluster
0.0.0.0 15001 Addr: *:15001 Non-HTTP/Non-TCP
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: istio,istio-peer-exchange,istio-http/1.0,istio-http/1.1,istio-h2; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15010 Trans: raw_buffer; App: http/1.1,h2c Route: 15010
0.0.0.0 15010 ALL PassthroughCluster
10.102.235.99 15012 ALL Cluster: outbound|15012||istiod.istio-system.svc.cluster.local
0.0.0.0 15014 Trans: raw_buffer; App: http/1.1,h2c Route: 15014
0.0.0.0 15014 ALL PassthroughCluster
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
10.96.242.187 15021 Trans: raw_buffer; App: http/1.1,h2c Route: istio-ingressgateway.istio-system.svc.cluster.local:15021
10.96.242.187 15021 ALL Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
10.96.242.187 15443 ALL Cluster: outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
10.96.242.187 31400 ALL Cluster: outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
NAME DOMAINS MATCH VIRTUAL SERVICE
istio-ingressgateway.istio-system.svc.cluster.local:15021 * /*
kube-dns.kube-system.svc.cluster.local:9153 * /*
80 istio-egressgateway.istio-system, 10.100.182.135 /*
80 istio-ingressgateway.istio-system, 10.96.242.187 /*
80 site-svc.default.svc.cluster.local /* site-svc-vs.default
80 site-svc.default.svc.cluster.local /* site-svc-vs.default
8080 site-svc, site-svc.default + 1 more... /* site-svc-vs.default
8080 site-svc, site-svc.default + 1 more... /* site-svc-vs.default
8080 site1, site1.default + 1 more... /*
8080 site2, site2.default + 1 more... /*
15010 istiod.istio-system, 10.102.235.99 /*
15014 istiod.istio-system, 10.102.235.99 /*
* /healthz/ready*
* /stats/prometheus*
inbound|8080|| * /*
InboundPassthroughClusterIpv4 * /*
InboundPassthroughClusterIpv4 * /*
inbound|8080|| * /*
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
default Cert Chain ACTIVE true 119661736294589550220989303307172196074 2022-08-31T12:06:36Z 2022-08-30T12:04:36Z
ROOTCA CA ACTIVE true 47445528768940905709323606554333382647 2032-08-27T11:28:06Z 2022-08-30T11:28:06Z
查看 endpoint 情况
istioctl proxy-config endpoint <pod-name>
root@k8s-master:~# istioctl proxy-config endpoint site1-5b7488d74f-2h5k7
ENDPOINT STATUS OUTLIER CHECK CLUSTER
10.244.0.4:53 HEALTHY OK outbound|53||kube-dns.kube-system.svc.cluster.local
10.244.0.4:9153 HEALTHY OK outbound|9153||kube-dns.kube-system.svc.cluster.local
10.244.0.5:53 HEALTHY OK outbound|53||kube-dns.kube-system.svc.cluster.local
10.244.0.5:9153 HEALTHY OK outbound|9153||kube-dns.kube-system.svc.cluster.local
10.244.1.12:8080 HEALTHY OK outbound|80||istio-egressgateway.istio-system.svc.cluster.local
10.244.1.12:8443 HEALTHY OK outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.244.1.13:8080 HEALTHY OK outbound|80||istio-ingressgateway.istio-system.svc.cluster.local
10.244.1.13:8443 HEALTHY OK outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
10.244.1.13:15021 HEALTHY OK outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
10.244.1.13:15443 HEALTHY OK outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
10.244.1.13:31400 HEALTHY OK outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
10.244.1.15:8080 HEALTHY OK outbound|8080||site-svc.default.svc.cluster.local
10.244.1.15:8080 HEALTHY OK outbound|8080||site1.default.svc.cluster.local
10.244.2.13:15010 HEALTHY OK outbound|15010||istiod.istio-system.svc.cluster.local
10.244.2.13:15012 HEALTHY OK outbound|15012||istiod.istio-system.svc.cluster.local
10.244.2.13:15014 HEALTHY OK outbound|15014||istiod.istio-system.svc.cluster.local
10.244.2.13:15017 HEALTHY OK outbound|443||istiod.istio-system.svc.cluster.local
10.244.2.15:8080 HEALTHY OK outbound|8080||site-svc.default.svc.cluster.local
10.244.2.15:8080 HEALTHY OK outbound|8080||site2.default.svc.cluster.local
127.0.0.1:15000 HEALTHY OK prometheus_stats
127.0.0.1:15020 HEALTHY OK agent
172.20.0.241:6443 HEALTHY OK outbound|443||kubernetes.default.svc.cluster.local
unix://./etc/istio/proxy/XDS HEALTHY OK xds-grpc
unix://./var/run/secrets/workload-spiffe-uds/socket HEALTHY OK sds-grpc
查看 cluster 情况
istioctl proxy-config cluster <pod-name>
root@k8s-master:~# istioctl proxy-config cluster site1-5b7488d74f-2h5k7
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
8080 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
istio-egressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 31400 - outbound EDS
istiod.istio-system.svc.cluster.local 443 - outbound EDS
istiod.istio-system.svc.cluster.local 15010 - outbound EDS
istiod.istio-system.svc.cluster.local 15012 - outbound EDS
istiod.istio-system.svc.cluster.local 15014 - outbound EDS
kube-dns.kube-system.svc.cluster.local 53 - outbound EDS
kube-dns.kube-system.svc.cluster.local 9153 - outbound EDS
kubernetes.default.svc.cluster.local 443 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
site-svc.default.svc.cluster.local 8080 - outbound EDS
site1.default.svc.cluster.local 8080 - outbound EDS
site2.default.svc.cluster.local 8080 - outbound EDS
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
查看 route 情况
root@k8s-master:~# istioctl proxy-config route site1-5b7488d74f-2h5k7
NAME DOMAINS MATCH VIRTUAL SERVICE
istio-ingressgateway.istio-system.svc.cluster.local:15021 * /*
kube-dns.kube-system.svc.cluster.local:9153 * /*
80 istio-egressgateway.istio-system, 10.100.182.135 /*
80 istio-ingressgateway.istio-system, 10.96.242.187 /*
80 site-svc.default.svc.cluster.local /* site-svc-vs.default
80 site-svc.default.svc.cluster.local /* site-svc-vs.default
8080 site-svc, site-svc.default + 1 more... /* site-svc-vs.default
8080 site-svc, site-svc.default + 1 more... /* site-svc-vs.default
8080 site1, site1.default + 1 more... /*
8080 site2, site2.default + 1 more... /*
15010 istiod.istio-system, 10.102.235.99 /*
15014 istiod.istio-system, 10.102.235.99 /*
* /healthz/ready*
* /stats/prometheus*
inbound|8080|| * /*
InboundPassthroughClusterIpv4 * /*
InboundPassthroughClusterIpv4 * /*
inbound|8080|| * /*