rootless模式下测试istio Ambient功能
前置需求
rootless k8s测试环境搭建:https://blog.csdn.net/longtds/article/details/142916697
istio Ambient
istio安装
通过加速下载istio release包,解压并安装为ambient模式
wget https://mirror.ghproxy.com/https://github.com/istio/istio/releases/download/1.23.2/istio-1.23.2-linux-amd64.tar.gz
tar xf istio-1.23.2-linux-amd64.tar.gz
cd istio-1.23.2
bin/istioctl install --set profile=ambient --skip-confirmation
istio 插件安装
istio插件提供了多种可观测系统方案,这里仅仅使用最基础核心的部分
- prometheus用于收集各种指标和遥测数据
- grafana用于将prometheus中数据可视化
- kiali用于服务网格可视化
# 部署插件
cd samples/addons/
kubectl apply -f prometheus.yaml -f kiali.yaml -f grafana.yaml
# 查看istio-system pod运行情况
longtds@ubuntu:~$ kubectl get po -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-f459cd95-hm6cn 1/1 Running 0 36m
istio-cni-node-287rv 1/1 Running 0 49m
istio-cni-node-frwsn 1/1 Running 0 49m
istio-cni-node-mp5wc 1/1 Running 0 49m
istiod-6499566979-9zfcx 1/1 Running 0 49m
kiali-5bc5879b57-sfsk4 1/1 Running 0 36m
prometheus-84676b8788-qlsbr 2/2 Running 0 36m
ztunnel-2g5wn 1/1 Running 0 48m
ztunnel-lvvm7 1/1 Running 0 48m
ztunnel-m9jpw 1/1 Running 0 48m
# 验证istio安装
longtds@ubuntu:~$ istioctl verify-install
1 Istio control planes detected, checking --revision "default" only
✔ Deployment: istiod.istio-system checked successfully
✔ DaemonSet: istio-cni-node.istio-system checked successfully
✔ DaemonSet: ztunnel.istio-system checked successfully
✔ Service: istiod.istio-system checked successfully
✔ ConfigMap: istio.istio-system checked successfully
✔ ConfigMap: istio-cni-config.istio-system checked successfully
✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully
✔ Pod: istiod-6499566979-9zfcx.istio-system checked successfully
✔ ServiceAccount: istio-cni.istio-system checked successfully
✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully
✔ ServiceAccount: istiod.istio-system checked successfully
✔ ServiceAccount: ztunnel.istio-system checked successfully
✔ RoleBinding: istiod.istio-system checked successfully
✔ Role: istiod.istio-system checked successfully
✔ PodDisruptionBudget: istiod.istio-system checked successfully
✔ HorizontalPodAutoscaler: istiod.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-revision-tag-default.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istiod-default-validator.istio-system checked successfully
✔ ClusterRole: istio-cni.istio-system checked successfully
✔ ClusterRole: istio-cni-ambient.istio-system checked successfully
✔ ClusterRole: istio-cni-repair-role.istio-system checked successfully
✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-cni.istio-system checked successfully
✔ ClusterRoleBinding: istio-cni-ambient.istio-system checked successfully
✔ ClusterRoleBinding: istio-cni-repair-rolebinding.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully
Checked 14 custom resource definitions
Checked 1 Istio Deployments
Checked 2 Istio Daemonsets
✔ Istio is installed and verified successfully
Gateway API CRD安装
istio兼容Gateway API标准,我们后面会通过Gateway API进行服务配置
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
测试应用
bookinfo说明(AI生成):
Istio 的 Bookinfo 示例应用是一个用于演示 Istio 多种特性的微服务应用。该应用由四个独立的微服务组成,这些微服务共同模拟了一个在线书店的页面,显示书籍的详细信息和用户评论。Bookinfo 应用的微服务包括:
- productpage:这个微服务调用 details 和 reviews 微服务来生成页面内容。
- details:提供书籍的详细信息。
- reviews:提供书籍相关的评论。这个微服务还有三个不同的版本(v1、v2、v3),用于演示服务的多个版本之间的流量路由。
- v1:不调用 ratings 服务。
- v2:调用 ratings 服务,并显示黑色星形评分。
- v3:调用 ratings 服务,并显示红色星形评分。
- ratings:提供书籍评分信息。
先标记default命名空间受istio ambient管理
kubectl label namespace default istio.io/dataplane-mode=ambient
安装bookinfo
cd istio-1.23.2/samples/
kubectl apply -f bookinfo/platform/kube/bookinfo.yaml
kubectl apply -f bookinfo/platform/kube/bookinfo-versions.yaml
kubectl apply -f bookinfo/gateway-api/bookinfo-gateway.yaml
查看book服务
longtds@ubuntu:~$ kubectl get pod
NAME READY STATUS RESTARTS AGE
bookinfo-gateway-istio-799d769db8-txgxn 1/1 Running 0 105m
details-v1-7d775cb4f6-9gsfn 1/1 Running 0 105m
productpage-v1-7c4b6b857-jrflm 1/1 Running 0 105m
ratings-v1-5b896f8544-r2njv 1/1 Running 0 105m
reviews-v1-746f96c9d4-t7746 1/1 Running 0 105m
reviews-v2-97bdf5876-zz5pk 1/1 Running 0 105m
reviews-v3-77d9db6844-zdzvj 1/1 Running 0 105m
longtds@ubuntu:~$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
bookinfo-gateway-istio ClusterIP 10.96.103.133 <none> 15021/TCP,80/TCP 104m
details ClusterIP 10.96.253.66 <none> 9080/TCP 104m
details-v1 ClusterIP 10.96.166.107 <none> 9080/TCP 104m
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 121m
productpage ClusterIP 10.96.161.150 <none> 9080/TCP 104m
productpage-v1 ClusterIP 10.96.102.109 <none> 9080/TCP 104m
ratings ClusterIP 10.96.237.229 <none> 9080/TCP 104m
ratings-v1 ClusterIP 10.96.110.23 <none> 9080/TCP 104m
reviews ClusterIP 10.96.41.171 <none> 9080/TCP 104m
reviews-v1 ClusterIP 10.96.91.54 <none> 9080/TCP 104m
reviews-v2 ClusterIP 10.96.167.90 <none> 9080/TCP 104m
reviews-v3 ClusterIP 10.96.202.181 <none> 9080/TCP 104m
设置bookinfo-gateway服务类型为NodePort
longtds@ubuntu:~$ kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=NodePort --namespace=default
gateway.gateway.networking.k8s.io/bookinfo-gateway annotated
# 修改nodeport为kind预分配的端口
longtds@ubuntu:~$ kubectl edit svc bookinfo-gateway-istio
service/bookinfo-gateway-istio edited
longtds@ubuntu:~$ kubectl get svc bookinfo-gateway-istio
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
bookinfo-gateway-istio NodePort 10.96.160.96 <none> 15021:30440/TCP,80:30081/TCP 2m49s
访问服务
通过浏览器访问bookinfo,多刷新几次发现可以切换不同的review版本
查看服务网格
先配置istio-system下kiali服务类型为NodePort,并使用kind预分配端口,然后通过浏览器访问:
longtds@ubuntu:~$ kubectl edit svc -n istio-system kiali
service/kiali edited
longtds@ubuntu:~$ kubectl get svc -n istio-system kiali
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kiali NodePort 10.96.212.195 <none> 20001:30082/TCP,9090:30204/TCP 119m
通过脚本模拟请求,并观察kiali中的链路传输情况:
for i in $(seq 1 100); do curl -s http://192.168.121.136:30081/productpage;sleep 1; done
至此完成基本测试,仅仅算是测试环境的初步搭建。对于istio的各种功能将逐步进行测试。
总结
rootless模式下的kind k8s兼容istio ambient模式应用的链路观测。