Istio 1.5 installation: a significant improvement compared to the previous version

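What is Istio?

Istio is an open-source service mesh for connecting, managing, and securing microservices. The term service mesh describes the network of microservices that make up an application and the interactions between them. As a service mesh grows in size and complexity, it becomes harder to understand and manage. Its functions include service discovery, load balancing, failure recovery, metrics, and monitoring, as well as more complex operational work such as A/B testing, canary releases, rate limiting, access control, and end-to-end authentication. Istio addresses the challenges that developers and operators face when moving from deploying single applications to a distributed microservice architecture. As a leader among microservice meshes, Istio provides insight into and operational control over the mesh, and offers a complete solution to satisfy the diverse requirements of microservice applications. At a high level, Istio helps reduce the complexity of these deployments and eases the pressure on development teams. It is a completely open-source service mesh that layers transparently onto existing distributed applications. It is also a platform, with APIs that can integrate with any logging, telemetry, or policy system. Istio's diverse feature set lets you run a distributed microservice architecture successfully and efficiently, and provides a uniform way to secure, connect, and monitor microservices. Istio currently supports service deployment only on Kubernetes, but future versions will support other environments.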

One, major updates in Istio 1.5 compared to the previous version

Introducing istiod

By "embracing the monolith", Istio consolidated the control plane into a single new binary, istiod. This greatly simplifies installing, running, and upgrading Istio, and having fewer components makes debugging and understanding easier for operators. For mesh users, istiod changes nothing about their experience: all APIs and runtime features are consistent with the previous components.

The new extensibility model

Istio has always been the most extensible service mesh: Mixer plug-ins allow custom policy and telemetry, and Envoy extensions allow customization of the data plane. In Istio 1.5, we released a new model that uses WebAssembly (Wasm) to unify Istio's extensibility model with Envoy's. Wasm lets developers safely distribute and execute code in the Envoy proxy in order to integrate with policy systems, routing control, and telemetry systems, and even to transform the body of a message. It is more flexible and efficient, and you no longer need to run a separate Mixer component (which also simplifies deployment).

Simpler

Installing Istio with the istioctl command line is now in beta and suitable for most users; managing the installation through the Istio Operator is still in alpha. istioctl itself has dozens of improvements: new items it can analyze, better validation rules, and better integration with CI systems. It is now an essential tool for understanding the state of a running Istio system and for ensuring that configuration changes are safe. We made many enhancements to Istio security, making it easier to use by launching automatic mTLS as beta, so configuring mTLS is now very simple. With the authorization policy launched as beta in Istio 1.4, we removed indirection and consolidated it into a single CRD, so access control is also simplified.

Better observability

Telemetry v2 now reports metrics for raw TCP connections (in addition to HTTP), and support for gRPC workloads is enhanced by adding response status codes to telemetry and logs. Telemetry v2 is now the default. The new telemetry system cuts latency in half: 90th percentile latency is reduced from 3.3 msec to 7 msec. Moreover, removing Mixer reduces total CPU consumption by 50% (0.55 vCPU, 1000 requests/second).

Two, core components of the Istio control plane

1. Pilot

Pilot provides service discovery for the Envoy sidecars, traffic management capabilities for intelligent routing (for example, A/B testing and canary releases), and resiliency features (timeouts, retries, circuit breakers, and so on). Pilot converts the high-level routing rules that control traffic behavior into environment-specific configuration and propagates it to the sidecars at runtime. Pilot abstracts platform-specific service discovery mechanisms and synthesizes them into a standard format that any sidecar conforming to the Envoy API can use.

2. Galley

Galley is Istio's configuration validation, ingestion, processing, and distribution component. To better decouple responsibilities, it was upgraded after Istio 1.1 from a component responsible only for configuration validation into the control plane's configuration management center, which can connect to different registries to provide configuration input for the service mesh. It is responsible for isolating the remaining Istio components from the details of obtaining user configuration from the underlying platform (e.g. Kubernetes).

3. Injector

Responsible for the initialization work of the data plane in a Kubernetes system. Automatic sidecar injection, one of Istio's core features, depends on this component.

4. Mixer

The Istio component responsible for policy control and telemetry collection. Internally it consists of two sub-components, Telemetry and Policy. Telemetry collects monitoring data and aggregates it for the various monitoring back ends it connects to, while Policy performs policy checks, such as authentication, on requests as services call each other.

5. Citadel

Responsible for security-related functions in the service mesh, providing users with authentication and authorization, credential management, RBAC, and other related services and capabilities. The responsibilities of the control plane components are clearly defined, and the design took the decoupling of component responsibilities, extensibility, security, and so on into account from the beginning, so the architecture looks very clear and elegant.

Three, Istio diagram

[Figure: Istio diagram (image not preserved)]

Four, why did Istio return to a monolith?

To reduce operations and maintenance costs and to simplify maintenance for developers. Before the change, Istio's functions were organized as shown in the following table:

[Table image not preserved]

After consolidation into a monolith, the functions are organized as shown in the following table:

[Table image not preserved]

Comparing the two, you can see that istiod folds all the other original components into Pilot. The new Pilot after this restructuring, namely istiod, shoulders more responsibilities than Pilot did, and being a single binary makes it easier to deploy.

Five, prerequisites for installing Istio

Before formally installing Istio, check the following prerequisites.

1. Before installing Istio, you need a Kubernetes cluster

Istio 1.5 has been tested with Kubernetes versions 1.14, 1.15, and 1.16.

If you do not have a Kubernetes cluster, you can install one by following this link:

http://mp.weixin.qq.com/s?__biz=MzU0NjEwMTg4Mg==&mid=2247483938&idx=1&sn=ee88518233ef902651e39b9e6a322c9d&chksm=fb638d37cc1404214209da89028b11cffe35a4d062dfaff51d7b66148c0aed140f14f4851471&token=65296373&lang=zh_CN#rd

2. Check the Pod and Service requirements

These are the official prerequisites. You only need to understand them here; you do not need to do anything. To be part of the Istio service mesh, Pods and Services in the Kubernetes cluster must meet the following requirements:

Named service ports:

Service ports must be named. The port name key/value pair must use the following format: name: <protocol>[-<suffix>].

Service association:

Every Pod must belong to at least one Kubernetes Service, whether or not the Pod exposes a port. If a Pod belongs to multiple Kubernetes Services, those Services cannot use the same port number for different protocols (for example, HTTP and TCP).

Deployments with app and version labels:

We recommend adding app and version labels to Deployments. Adding these labels to the deployment specification of Pods deployed with a Kubernetes Deployment adds contextual information to the metrics and telemetry that Istio collects.

app label: each deployment specification should have a distinct app label, and its value should be meaningful. The app label is used to add contextual information in distributed tracing.

version label: this label indicates the version of the application corresponding to the particular deployment.

Application UID:

Make sure that your Pods do not run applications as a user whose user ID (UID) is 1337.

NET_ADMIN capability:

If your cluster enforces Pod security policies, Pods must be allowed the NET_ADMIN capability. If you use the Istio CNI plug-in, this is not required.
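
The requirements above can be checked mechanically before workloads join the mesh. The following is an added example, not code from the original article or from the Istio project: it validates parsed manifests against the port-naming, Service-membership, label, and UID 1337 rules. The protocol list is an assumption taken from Istio's documentation of that period, and the `reviews` manifests and all function names are constructed for illustration.

```python
# Assumption: protocol prefixes as listed in Istio's docs of that period.
PROTOCOLS = {"grpc", "grpc-web", "http", "http2", "https", "mongo",
             "mysql", "redis", "tcp", "tls", "udp"}
SIDECAR_UID = 1337  # UID that applications must not run as

def port_name_ok(name):
    """True if name has the form <protocol>[-<suffix>] with a known protocol."""
    name = name or ""
    return any(name == p or (name.startswith(p + "-") and len(name) > len(p) + 1)
               for p in PROTOCOLS)

def selects(svc, labels):
    """True if the Service selector is non-empty and matches the Pod labels."""
    sel = svc["spec"].get("selector") or {}
    return bool(sel) and all(labels.get(k) == v for k, v in sel.items())

def check(deployment, services):
    """Return findings for one Deployment, given the Services in its namespace."""
    name = deployment["metadata"]["name"]
    tmpl = deployment["spec"]["template"]
    labels = tmpl["metadata"].get("labels", {})
    findings = [f"{name}: missing recommended label '{k}'"
                for k in ("app", "version") if k not in labels]
    owners = [s for s in services if selects(s, labels)]
    if not owners:
        findings.append(f"{name}: Pod belongs to no Service")
    for svc in owners:
        for port in svc["spec"].get("ports", []):
            if not port_name_ok(port.get("name")):
                findings.append(f"{svc['metadata']['name']}: port {port['port']} "
                                "is not named <protocol>[-<suffix>]")
    pod_uid = tmpl["spec"].get("securityContext", {}).get("runAsUser")
    for c in tmpl["spec"]["containers"]:
        # A container-level runAsUser overrides the Pod-level value.
        if c.get("securityContext", {}).get("runAsUser", pod_uid) == SIDECAR_UID:
            findings.append(f"{name}: container '{c['name']}' runs as UID 1337")
    return findings

# Constructed sample input (not from the original article).
SERVICES = [{"metadata": {"name": "reviews"},
             "spec": {"selector": {"app": "reviews"},
                      "ports": [{"name": "http-web", "port": 9080},
                                {"name": "metrics", "port": 9090}]}}]
DEPLOYMENT = {"metadata": {"name": "reviews-v1"}, "spec": {"template": {
    "metadata": {"labels": {"app": "reviews"}},
    "spec": {"securityContext": {"runAsUser": 1337},
             "containers": [{"name": "reviews"}]}}}}
if __name__ == "__main__":
    print("\n".join(check(DEPLOYMENT, SERVICES)))
```

The check only sees an explicit runAsUser; an image whose default user is 1337 has to be caught by inspecting the image itself.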

Six, download Istio 1.5 (run on the master node of the k8s cluster)

1. Download Istio

The download includes the installation files, samples, and the istioctl command-line tool. Visit the Istio release page to download the installation file for your operating system. On macOS or Linux, you can also download the latest version of Istio with the following command:

curl -L https://istio.io/downloadIstio | sh -

2. Switch to the directory of the Istio package

cd istio-1.5.1

3. The installation directory contains the following:

The install/kubernetes directory contains the YAML installation files for Kubernetes.

The samples/ directory contains sample applications.

The bin/ directory contains the istioctl client binary. istioctl is used to manually inject the Envoy sidecar proxy.

4. Add the istioctl client to the PATH environment variable. On macOS or Linux, do this as follows:

export PATH=$PWD/bin:$PATH

Seven, install Istio (run on the master node of the k8s cluster)

If you cannot reach Docker Hub, you can manually upload the images to each Kubernetes node, or push them to a private Harbor registry, and load them with docker load:

docker load -i istio_pilot_1_5_1.tar.gz

docker load -i istio_proxyv2_1_5_1.tar.gz

This extracts the images.

The images are available on Baidu Netdisk at the following link:

Link: https://pan.baidu.com/s/1U9osuypeUx6ILjYs3K-04g

Extraction code: a3sm

1. Install Istio with istioctl. This is the officially recommended method and can be used for production installations.

cd /root/istio-1.5.1

Install Istio with the default configuration profile, which is the simplest way to install:

istioctl manifest apply

Check whether the installation succeeded:

kubectl get pods -n istio-system

Output like the following indicates that Istio was installed successfully:

[Screenshot of the command output not preserved]


Origin blog.51cto.com/12974849/2483218