前文提到Istio的两个调优手段:
1.使用Istio命名空间隔离
2.在单独命名空间创建ingressgateway
本篇我们看一下如何实施。
一、使用Istio命名空间隔离(istio1.1的新功能)
环境中有三个项目:istio-system 运行Istio的相关容器,如下图所示。myproject 和tutorial 分别运行两套微服务。
[root@master ~]# oc get project
NAME DISPLAY NAME STATUS
myproject Active
istio-system Active
tutorial Active
myproject运行的微服务是三层微服务。
[root@master ~]# oc get pods -n myproject
NAME READY STATUS RESTARTS AGE
productpage-v1-68f9bc6f97-lzrlk 2/2 Running 18 52d
ratings-v1-78cbc4df5-tfvtq 2/2 Running 16 52d
reviews-v1-778cf955bb-6l4ss 2/2 Running 20 52d
reviews-v2-d4c99fdc8-pwnrz 2/2 Running 22 52d
reviews-v3-78cbff4cfd-rm9mm 2/2 Running 18 52d
通过OCP路由访问效果如下:
tutorial项目运行bookinfo三层微服务
[root@master ~]# oc get pods -n tutorial
NAME READY STATUS RESTARTS AGE
customer-775cf66774-6zdvt 2/2 Running 76 27d
preference-v1-667895c986-g7lng 2/2 Running 45 27d
recommendation-v1-58fcd486f6-zfljg 2/2 Running 19 27d
通过路由访问如下:
默认情况下,tutorial和myproject之间的sidecar是可以互相通讯的。
[root@master ~]# oc project
Using project "tutorial" on server "https://master.example.com:8443".
[root@master ~]# oc get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
customer ClusterIP 172.30.27.184 <none> 8080/TCP 51d
preference ClusterIP 172.30.98.89 <none> 8080/TCP 51d
recommendation ClusterIP 172.30.113.197 <none> 8080/TCP 51d
在myproject的一个pod的sidecar中对tutorial微服务发curl请求,可以成功:
为两个命名空间分别创建Sidecar资源,启用命名空间隔离:sidecar的egress范围仅限本命名空间以及istio-system中的telemetry/policy服务
[root@master ~]# cat sidecar-myproject.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar-scope
namespace: myproject
spec:
egress:
- hosts:
- "./*"
- "istio-system/istio-telemetry.istio-system.svc.cluster.local"
- "istio-system/istio-policy.istio-system.svc.cluster.local"
---
[root@master ~]# cat sidecar-tutorial.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: tutorial
spec:
egress:
- hosts:
- "./*"
- "istio-system/istio-telemetry.istio-system.svc.cluster.local"
- "istio-system/istio-policy.istio-system.svc.cluster.local"
---
[root@master ~]# oc apply -f sidecar-myproject.yaml
sidecar.networking.istio.io/default-sidecar-scope created
[root@master ~]# oc apply -f sidecar-tutorial.yaml
sidecar.networking.istio.io/default created
再次发起curl请求,失败,说明sidecar隔离生效。需要注意,Sidecar资源限制的是Pilot下发给代理的egress主机范围(代理"看不到"其他命名空间的服务),它不是授权策略;若需要严格的访问控制,仍应配合Istio的授权机制。
与istio-system sidecar之间的通讯是正常的:
[root@master ~]# oc get svc |grep -i istio-telemetry
istio-telemetry ClusterIP 172.30.233.126 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 65d
二、实现ingressgateway隔离
默认情况下,myproject使用的ingressgateway是istio-system中的全局ingressgateway,通过该ingressgateway在router上的路由对外暴露。接下来,我们在myproject中定义一个自定义的ingressgateway。
[root@master ~]# cat 2.yaml
---
# Source: istio/charts/gateways/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: customgateway-service-account
namespace: myproject
labels:
app: customgateway
---
---
# Source: istio/charts/gateways/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: gateways
name: customgateway-myproject # myproject should be replaced by the actual namespace
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
---
# Source: istio/charts/gateways/templates/clusterrolebindings.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: customgateway-myproject # myproject should be replaced by the actual namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: customgateway-myproject # myproject should be replaced by the actual namespace
subjects:
- kind: ServiceAccount
name: customgateway-service-account
namespace: myproject
---
---
# Source: istio/charts/gateways/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: customgateway
namespace: myproject
annotations:
labels:
istio: customgateway
spec:
type: LoadBalancer
selector:
istio: customgateway
ports:
-
name: http
port: 80
targetPort: 80
-
name: https
port: 443
targetPort: 443
---
---
# Source: istio/charts/gateways/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: customgateway
namespace: myproject
labels:
istio: customgateway
spec:
replicas: 1
template:
metadata:
labels:
istio: customgateway
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: customgateway-service-account
containers:
- name: istio-proxy
image: "registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.3"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- customgateway
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot.istio-system:8080
resources:
requests:
cpu: 10m
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: customgateway-certs
mountPath: "/etc/istio/customgateway-certs"
readOnly: true
- name: customgateway-ca-certs
mountPath: "/etc/istio/customgateway-ca-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.customgateway-service-account
optional: true
- name: customgateway-certs
secret:
secretName: "istio-customgateway-certs"
optional: true
- name: customgateway-ca-certs
secret:
secretName: "istio-customgateway-ca-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
---
# Source: istio/charts/gateways/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: customgateway
namespace: myproject
spec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: customgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
---
[root@master ~]# cat 3.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: customgateway # select the custom gateway deployed in myproject, not the default istio-system ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080
使用 oc apply -f 应用上述配置,生成新的ingressgateway。注意:2.yaml中的ClusterRole授予了gateway服务账号集群范围的get/watch/list/update权限,且代理以--controlPlaneAuthPolicy NONE启动(与控制平面之间不启用认证),生产环境应按实际需要收紧这些设置。
[root@master ~]# oc apply -f 2.yaml
[root@master ~]# oc apply -f 3.yaml
手工在router上创建路由:
通过浏览器访问新创建的路由,成功,实现了ingressgateway的隔离。