Preparation
Install Istio
Install the Istio base components
Verify that the installation succeeded
Enable automatic sidecar injection for the istio namespace
Internal access
1. Create two Deployments that serve c1 and c2 respectively
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-v1
  namespace: istio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: istio
      version: v1
  template:
    metadata:
      labels:
        app: istio
        version: v1
    spec:
      containers:
      - name: c1
        ports:
        - containerPort: 80
        image: 192.168.85.128/nb/nginx:latest
        command: ["/bin/sh", "-c", "echo 'c1' > /usr/share/nginx/html/index.html && nginx -g 'daemon off;'"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apps-v2
  namespace: istio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: istio
      version: v2
  template:
    metadata:
      labels:
        app: istio
        version: v2
    spec:
      containers:
      - name: c2
        ports:
        - containerPort: 80
        image: 192.168.85.128/nb/nginx:latest
        command: ["/bin/sh", "-c", "echo 'c2' > /usr/share/nginx/html/index.html && nginx -g 'daemon off;'"]
```
2. Define a Service that load-balances across both Deployments
```yaml
apiVersion: v1
kind: Service
metadata:
  name: apps-svc-all
  namespace: istio
spec:
  selector:
    app: istio
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
```
3. Define the groups (subsets)
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: rule
  namespace: istio
spec:
  host: apps-svc-all
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```
4. Assign weights to the two instances
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs
  namespace: istio
spec:
  hosts:
  - apps-svc-all
  http:
  - route:
    - destination:
        host: apps-svc-all
        subset: v1
      weight: 90
    - destination:
        host: apps-svc-all
        subset: v2
      weight: 10
```
5. Test
6. Split traffic by request header: requests carrying istio all go to v1
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs2
  namespace: istio
spec:
  hosts:
  - apps-svc-all
  http:
  - match:
    - headers:
        username:
          exact: istio
    route:
    - destination:
        host: apps-svc-all
        subset: v1
  - route:
    - destination:
        host: apps-svc-all
        subset: v2
```
External access
Access through the gateway
```bash
kubectl -n istio-system get svc --show-labels | grep ingress
istio-ingressgateway   NodePort   10.107.199.69   <none>   15021:31838/TCP,80:32590/TCP,443:32047/TCP,31400:30896/TCP,15443:31643/TCP   12d   istio=ingressgateway
```

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "tian.com"
```
VirtualService (vs)
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs
  namespace: istio
spec:
  hosts:
  - "tian.com"
  gateways:
  - my-gateway
  http:
  - route:
    - destination:
        host: apps-svc-all
        subset: v1
      weight: 90
    - destination:
        host: apps-svc-all
        subset: v2
      weight: 10
```
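In Istio, VirtualService.spec.hosts refers to the Host header (that is, the domain name) of the incoming HTTP request.
- If you write "*", in theory it matches every Host, but on the Ingress Gateway it usually does not match arbitrary Hosts, because Envoy is fairly strict.
DestinationRule (dr)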
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: rule
  namespace: istio
spec:
  host: apps-svc-all
  trafficPolicy:
    tls:
      mode: DISABLE   # no TLS to this host: client sidecars send plaintext
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```
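The `tls.mode: DISABLE` setting in the DestinationRule above makes client sidecars, including the ingress gateway, send plaintext to `apps-svc-all`. As an added example (not from the original page), here is the same DestinationRule using Istio mutual TLS, paired with a namespace-wide PeerAuthentication. It assumes both Deployments have sidecars injected, and the PeerAuthentication name `default` is chosen for this example.

```yaml
# Namespace-wide policy: sidecars in "istio" accept only mutual TLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default          # name chosen for this example
  namespace: istio
spec:
  mtls:
    mode: STRICT         # without a policy Istio is PERMISSIVE and also accepts plaintext
---
# Same DestinationRule as on the page, with TLS enabled instead of DISABLE.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: rule
  namespace: istio
spec:
  host: apps-svc-all
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # mesh-issued certificates; the page's value was DISABLE
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

With STRICT in place, keeping `mode: DISABLE` would make requests through the gateway fail, because the workload sidecars reject plaintext connections.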
Test
```
istio-ingressgateway   NodePort   10.107.199.69   <none>   15021:31838/TCP,80:32590/TCP,443:32047/TCP,31400:30896/TCP,15443:31643/TCP   12d
c1 - v1
c1 - v2
```
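Expose the Kiali dashboard externally
Check the kiali Service: its type is ClusterIP, so it exposes no port externally and cannot be reached from outside. Change the type to NodePort: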
```
kiali   NodePort   10.99.64.99   <none>   20001:30021/TCP,9090:30830/TCP
```
Then browse to ip:30021.