From 0be58e79c8e73c628e3ca1a874df7f84a63c6ca5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=A4=E7=81=AB=E8=99=AB?= Date: Tue, 15 Feb 2022 16:59:50 +0800 Subject: [PATCH 1/2] update sidecar.MD --- module12/istio/4.sidecar/sidecar.MD | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/module12/istio/4.sidecar/sidecar.MD b/module12/istio/4.sidecar/sidecar.MD index 4c1e033..1a06ee0 100644 --- a/module12/istio/4.sidecar/sidecar.MD +++ b/module12/istio/4.sidecar/sidecar.MD @@ -5,6 +5,15 @@ kubectl create ns sidecar kubectl label ns sidecar istio-injection=enabled kubectl apply -f nginx.yaml -n sidecar kubectl apply -f toolbox.yaml -n sidecar + +# 查看webhook +[root@master1 sidecar]# k get mutatingwebhookconfigurations +NAME WEBHOOKS AGE +istio-revision-tag-default 4 90m +istio-sidecar-injector 4 92m +[root@master1 sidecar]# +[root@master1 sidecar]# k get mutatingwebhookconfigurations istio-sidecar-injector -oyaml + ``` ### Check clusters From 896e619268d0d80d60d9581589bcecc1b0470c56 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E8=90=A4=E7=81=AB=E8=99=AB?= Date: Sun, 20 Feb 2022 16:42:56 +0800 Subject: [PATCH 2/2] update v1 --- .../local-gitlab/gitlab-pipeline-new.yaml | 0 module12/istio/1.http-gw/httpserver.MD | 62 ++++++++++++++ module12/istio/2.l7/readme.MD | 2 +- module12/istio/4.sidecar/sidecar.MD | 82 +++++++++++++++++++ module12/istio/4.sidecar/toolbox.yaml | 2 +- module12/istio/5.canary/canary-svc.yaml | 12 +++ .../5.canary/{canary.yaml => canary-v1.yaml} | 13 --- module12/istio/5.canary/canary-v2.yaml | 2 +- module12/istio/5.canary/destination.yaml | 19 +++++ module12/istio/5.canary/istio-specs-v2.yaml | 27 ++++++ module12/istio/5.canary/istio-specs.yaml | 26 +----- module12/istio/5.canary/readme.MD | 5 +- module12/istio/5.canary/toolbox.yaml | 2 +- module12/istio/installation/istio-install.MD | 34 ++++++++ 14 files changed, 247 insertions(+), 41 deletions(-) create mode 100644 module10/tekton/local-gitlab/gitlab-pipeline-new.yaml create mode 100644 module12/istio/5.canary/canary-svc.yaml rename module12/istio/5.canary/{canary.yaml => canary-v1.yaml} (73%) create mode 100644 module12/istio/5.canary/destination.yaml create mode 100644 module12/istio/5.canary/istio-specs-v2.yaml diff --git a/module10/tekton/local-gitlab/gitlab-pipeline-new.yaml b/module10/tekton/local-gitlab/gitlab-pipeline-new.yaml new file mode 100644 index 0000000..e69de29 diff --git a/module12/istio/1.http-gw/httpserver.MD b/module12/istio/1.http-gw/httpserver.MD index a977e6b..02e9390 100644 --- a/module12/istio/1.http-gw/httpserver.MD +++ b/module12/istio/1.http-gw/httpserver.MD 
@@ -1,3 +1,65 @@ + + +### 描述 + +> 本模块的实例是将服务暴露到ingess-gateway 网关服务,对外提供服务 + +### **核心对象:Gateway** + +> 类型是Gateway (作用对象是:istio-ingressgateway,本质还是envoy) +> 作用的对象的标签是 selector: istio: ingressgateway ; +> 监听80端口(svc port) ,协议是http/tcp ,匹配的域名是simple.cncamp.io (访问时需要加头信息: -H"Host: simple.cncamp.io") + +```yaml +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: simple +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - simple.cncamp.io + port: + name: http-simple + number: 80 + protocol: HTTP +``` + +> gateway 与svc 关联 +> svc 定义gateway 相关信息: gateways: - simple +```yaml +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: simple +spec: + gateways: + - simple + hosts: + - simple.cncamp.io + http: + - match: + - port: 80 + route: + - destination: + host: simple.simple.svc.cluster.local + port: + number: 80 +``` + + + + + +### **核心对象:VirtualService** + +> 高级的svc ,再svc 至上定义各种规则和策略 +> +> 是istio 各种功能实现的最核心的对象 + + ### Deploy simple ```sh diff --git a/module12/istio/2.l7/readme.MD b/module12/istio/2.l7/readme.MD index 6d7828b..a55cacb 100644 --- a/module12/istio/2.l7/readme.MD +++ b/module12/istio/2.l7/readme.MD @@ -3,4 +3,4 @@ kubectl apply -f nginx.yaml -n simple kubectl apply -f istio-specs.yaml -n simple curl -H "Host: simple.cncamp.io" $INGRESS_IP/simple/hello curl -H "Host: simple.cncamp.io" $INGRESS_IP/nginx -``` +``` \ No newline at end of file diff --git a/module12/istio/4.sidecar/sidecar.MD b/module12/istio/4.sidecar/sidecar.MD index 1a06ee0..0aec8a5 100644 --- a/module12/istio/4.sidecar/sidecar.MD +++ b/module12/istio/4.sidecar/sidecar.MD 
@@ -5,7 +5,18 @@ kubectl create ns sidecar kubectl label ns sidecar istio-injection=enabled kubectl apply -f nginx.yaml -n sidecar kubectl apply -f toolbox.yaml -n sidecar +``` + +### 排查命令 +```sh +istioctl pc listener -n sidecar toolbox-666487ff7f-qc2gb --port 15006 +istioctl pc route -n sidecar toolbox-666487ff7f-qc2gb --name="inbound|80||" -ojson +istioctl pc cluster -n sidecar toolbox-666487ff7f-qc2gb +istioctl pc endpoint -n sidecar toolbox-666487ff7f-qc2gb +``` +#### 验证 +```sh # 查看webhook [root@master1 sidecar]# k get mutatingwebhookconfigurations NAME WEBHOOKS AGE 
@@ -14,6 +25,77 @@ istio-sidecar-injector 4 92m [root@master1 sidecar]# [root@master1 sidecar]# k get mutatingwebhookconfigurations istio-sidecar-injector -oyaml + +# 检查服务访问是否正常:从toolbox 访问nginx +kubectl exec -ti -n sidecar toolbox-666487ff7f-qc2gb bash +[root@toolbox-666487ff7f-qc2gb /]# curl nginx + + +# 从客户端toolbox梳理流量出去到nginx +[root@master1 sidecar]# docker ps |grep tool +cc659edfb835 5bd54fe7908d "/usr/local/bin/pilo…" 6 minutes ago Up 6 minutes k8s_istio-proxy_toolbox-666487ff7f-qc2gb_sidecar_260c9f68-2971-4cb1-b2ab-18ae373bf9a0_0 +8e7b639357c5 centos "tail -f /dev/null" 6 minutes ago Up 6 minutes k8s_toolbox_toolbox-666487ff7f-qc2gb_sidecar_260c9f68-2971-4cb1-b2ab-18ae373bf9a0_0 +4b624eeaa894 k8s.gcr.io/pause:3.2 "/pause" 7 minutes ago Up 7 minutes k8s_POD_toolbox-666487ff7f-qc2gb_sidecar_260c9f68-2971-4cb1-b2ab-18ae373bf9a0_0 + +[root@master1 sidecar]# docker inspect 8e7b639357c5 |grep -i pid + "Pid": 15697, + "PidMode": "", + "PidsLimit": null, +[root@master1 sidecar]# nsenter -t 15697 -n iptables-save +# Generated by iptables-save v1.4.21 on Tue Feb 15 17:32:16 2022 +*raw +:PREROUTING ACCEPT [2199:411868] +:OUTPUT ACCEPT [1771:218842] +COMMIT +# Completed on Tue Feb 15 17:32:16 2022 +# Generated by iptables-save v1.4.21 on Tue Feb 15 17:32:16 2022 +*mangle +:PREROUTING ACCEPT [2199:411868] +:INPUT ACCEPT [2199:411868] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [1771:218842] +:POSTROUTING ACCEPT [1771:218842] +COMMIT +# Completed on Tue Feb 15 17:32:16 2022 +# Generated by iptables-save v1.4.21 on Tue Feb 15 17:32:16 2022 +*filter +:INPUT ACCEPT [2199:411868] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [1771:218842] +COMMIT +# Completed on Tue Feb 15 17:32:16 2022 +# Generated by iptables-save v1.4.21 on Tue Feb 15 17:32:16 2022 +*nat +:PREROUTING ACCEPT [206:12360] +:INPUT ACCEPT [206:12360] +:OUTPUT ACCEPT [42:3545] +:POSTROUTING ACCEPT [43:3605] +:ISTIO_INBOUND - [0:0] +:ISTIO_IN_REDIRECT - [0:0] +:ISTIO_OUTPUT - [0:0] +:ISTIO_REDIRECT - [0:0] +-A PREROUTING -p 
tcp -j ISTIO_INBOUND +# -A OUTPUT -p tcp -j ISTIO_OUTPUT +-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN +-A ISTIO_INBOUND -p tcp -m tcp --dport 22 -j RETURN +-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN +-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN +-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN +-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT +-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006 +-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN +-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT +-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN +-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN +-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT +-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN +-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN +-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN +-A ISTIO_OUTPUT -j ISTIO_REDIRECT +# -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001 +COMMIT +# Completed on Tue Feb 15 17:32:16 2022 + ``` ### Check clusters diff --git a/module12/istio/4.sidecar/toolbox.yaml b/module12/istio/4.sidecar/toolbox.yaml index 9381c6a..0eae821 100644 --- a/module12/istio/4.sidecar/toolbox.yaml +++ b/module12/istio/4.sidecar/toolbox.yaml @@ -19,4 +19,4 @@ spec: command: - tail - -f - - /dev/null \ No newline at end of file + - /dev/null diff --git a/module12/istio/5.canary/canary-svc.yaml b/module12/istio/5.canary/canary-svc.yaml new file mode 100644 index 0000000..e8febd5 --- /dev/null +++ b/module12/istio/5.canary/canary-svc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: canary +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: canary 
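Review bot: The new Service in canary-svc.yaml carries no `metadata.namespace`, and the readme hunk later in this patch applies it with `kubectl apply -f canary-svc.yaml` and no `-n canary`, unlike every other manifest in that section, so the Service would be created in whatever namespace the kubeconfig defaults to and its `selector: app: canary` would match no pods there. The same applies to destination.yaml, whose `kubectl apply -f destination.yaml` line in the readme also lacks `-n canary`; a DestinationRule's short `host: canary` resolves relative to the rule's own namespace, so in the wrong namespace the `subset: v1`/`v2` references in the VirtualService would presumably stay unresolved. Either pin the namespace in both manifests, `namespace: canary` under `metadata:`, or add `-n canary` to the two readme commands, so the objects land where the VirtualService and Deployments are.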
diff --git a/module12/istio/5.canary/canary.yaml b/module12/istio/5.canary/canary-v1.yaml similarity index 73% rename from module12/istio/5.canary/canary.yaml rename to module12/istio/5.canary/canary-v1.yaml index aa0150f..c78ab9c 100644 --- a/module12/istio/5.canary/canary.yaml +++ b/module12/istio/5.canary/canary-v1.yaml @@ -22,16 +22,3 @@ spec: image: cncamp/httpserver:v1.0-metrics ports: - containerPort: 80 ---- -apiVersion: v1 -kind: Service -metadata: - name: canary -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - selector: - app: canary \ No newline at end of file diff --git a/module12/istio/5.canary/canary-v2.yaml b/module12/istio/5.canary/canary-v2.yaml index 443fd9d..32179b1 100644 --- a/module12/istio/5.canary/canary-v2.yaml +++ b/module12/istio/5.canary/canary-v2.yaml @@ -21,4 +21,4 @@ spec: imagePullPolicy: Always image: cncamp/httpserver:v2.0-metrics ports: - - containerPort: 80 \ No newline at end of file + - containerPort: 80 diff --git a/module12/istio/5.canary/destination.yaml b/module12/istio/5.canary/destination.yaml new file mode 100644 index 0000000..0240718 --- /dev/null +++ b/module12/istio/5.canary/destination.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: canary +spec: + host: canary + trafficPolicy: + loadBalancer: + simple: RANDOM + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + trafficPolicy: + loadBalancer: + simple: ROUND_ROBIN diff --git a/module12/istio/5.canary/istio-specs-v2.yaml b/module12/istio/5.canary/istio-specs-v2.yaml new file mode 100644 index 0000000..ce41074 --- /dev/null +++ b/module12/istio/5.canary/istio-specs-v2.yaml 
@@ -0,0 +1,27 @@ +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: canary +spec: + hosts: + - canary + http: + - match: + - uri: + exact: "/etc" + rewrite: + uri: "/" + route: + - destination: + host: canary + subset: v2 + + - match: + - uri: + exact: "*" + rewrite: + uri: "/" + route: + - destination: + host: canary + subset: v1 diff --git a/module12/istio/5.canary/istio-specs.yaml b/module12/istio/5.canary/istio-specs.yaml index 23edefa..3d2bac0 100644 --- a/module12/istio/5.canary/istio-specs.yaml +++ b/module12/istio/5.canary/istio-specs.yaml @@ -15,26 +15,6 @@ spec: host: canary subset: v2 - route: - - destination: - host: canary - subset: v1 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: canary -spec: - host: canary - trafficPolicy: - loadBalancer: - simple: RANDOM - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 - trafficPolicy: - loadBalancer: - simple: ROUND_ROBIN \ No newline at end of file + - destination: + host: canary + subset: v1 diff --git a/module12/istio/5.canary/readme.MD b/module12/istio/5.canary/readme.MD index 215e4c9..ae4c517 100644 --- a/module12/istio/5.canary/readme.MD +++ b/module12/istio/5.canary/readme.MD @@ -3,8 +3,9 @@ ```sh kubectl create ns canary kubectl label ns canary istio-injection=enabled -kubectl apply -f canary.yaml -n canary +kubectl apply -f canary-v1.yaml -n canary kubectl apply -f toolbox.yaml -n canary +kubectl apply -f canary-svc.yaml ``` ### Access canary in toolbox @@ -22,6 +23,7 @@ kubectl apply -f canary-v2.yaml -n canary ### Update istio specs ```sh +kubectl apply -f destination.yaml k apply -f istio-specs.yaml -n canary ``` @@ -31,4 +33,5 @@ k apply -f istio-specs.yaml -n canary ```sh curl canary/hello -H "user: jesse" +curl canary/hello -H "user: jesse1" ``` diff --git a/module12/istio/5.canary/toolbox.yaml b/module12/istio/5.canary/toolbox.yaml index 9381c6a..0eae821 100644 
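Review bot: The second http entry in istio-specs-v2.yaml uses `exact: "*"` as its match, but `exact` is a literal string comparison, so it only matches a request whose path is exactly `*`; an ordinary request such as `/hello` matches neither the `/etc` rule nor this one and the VirtualService would answer 404 rather than falling through to v1. If the intent is a default route, drop the `match:` and `rewrite:` blocks from that entry and keep a bare `- route:` pointing at `subset: v1` (an entry with no match clause matches everything, and the rewrite would otherwise collapse every path to `/`); if a prefix catch-all is wanted instead, `prefix: "/"` is the StringMatch form for that. The first rule's `exact: "/etc"` rewritten to `/` looks like a placeholder path as well, worth a comment saying which request the v2 canary is meant to receive.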
--- a/module12/istio/5.canary/toolbox.yaml +++ b/module12/istio/5.canary/toolbox.yaml @@ -19,4 +19,4 @@ spec: command: - tail - -f - - /dev/null \ No newline at end of file + - /dev/null diff --git a/module12/istio/installation/istio-install.MD b/module12/istio/installation/istio-install.MD index 74ef946..dbe8392 100644 --- a/module12/istio/installation/istio-install.MD +++ b/module12/istio/installation/istio-install.MD @@ -1,5 +1,31 @@ ### Install istio + +## istio 安装 + +### Istio 主要提供了以下三种安装方式,用户可以根据自己的实际需要进行选择。 + +- 1.使用 Istioctl 安装:istioctl 是支持多种自定义选项的的命令行工具,用户可以灵活配置,实现 Istio 组件的定制化安装。Istio 官方推荐使用该方式进行安装部署,可用于生产环境。 +- 2.使用 Helm 自定义安装:这种安装方式使用 Helm charts 定义 Istio 的安装选项,目前该安装方式已被弃用。 +- 3.安装独立的 Operator:该方式使用独立的 Istio operator 来安装 istio,以声明式的方式管理安装配置,目前仍处于实验阶段,不推荐在生产环境使用 + + + +#### stioctl 安装 + +1、使用 demo 配置文件进行安装 +Istio 官方提供了针对不同场景的配置文件,这些内置的配置文件提供了对 Istio 控制平面和数据平面的定制内容。 用户可以根据实际场景选择特定的配置文件,然后结合自定义选项完成定制化安装。当前提供以下几种内置配置文件包括: + +- default: 根据默认的安装选项启用组件,建议用于生产环境的部署。 +- demo: 用于展示 Istio 的基本功能,支持运行 Bookinfo 应用程序和相关任务。 +- minimal:使用 Istio 的流量管理功能所需的最少组件。 +- remote:用于配置多集群服务网格场景下的远程集群。 +- empty:不部署任何组件,可用于自定义配置的基础文件。 +- preview:包含实验性功能,用于探索 Istio 新功能,但无法保证稳定性。 + +在选定上述配置文件之后,可以在安装 Istio 时在命令行添加一个或多个 --set = 选项,完成 Istio 安装插件的其他选项配置。 + + ```sh curl -L https://istio.io/downloadIstio | sh - cd istio-1.12.0 @@ -7,6 +33,14 @@ cp bin/istioctl /usr/local/bin istioctl install --set profile=demo -y ``` + + +### 查看自动创建sidecar 的webhook 以及启用ns 的自动注入功能 +``` +k get mutatingwebhookconfigurations istio-sidecar-injector -oyaml + +kubectl label ns securesvc istio-injection=enabled +``` ### Istio monitoring - Grafana dashboard `7639`