# Service Mesh: A Practical Guide to Istio and Envoy
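Hi everyone, I'm Ouyang Rui (Rich Own). Today I want to talk about an important topic: the service mesh. As a full-stack developer, I see the service mesh becoming core infrastructure for microservice architectures. Here I'll share my hands-on experience with Istio and Envoy.

## Service Mesh Overview

### What Is a Service Mesh

A service mesh:

- is an infrastructure layer dedicated to handling service-to-service communication
- provides traffic management, security, monitoring, and similar capabilities
- is inserted transparently into the application

### Core Components

| Component | Description |
| --- | --- |
| Envoy | Data plane proxy |
| Istio | Control plane |
| Pilot | Traffic management |
| Mixer | Policy enforcement |
| Citadel | Identity authentication |

## Getting Started with Istio

### Installing Istio

```bash
# Download Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH

# Install Istio into Kubernetes
istioctl install --set profile=demo -y

# Enable automatic sidecar injection for the namespace
kubectl label namespace default istio-injection=enabled
```

### Deploying a Sample Application

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: my-app
  ports:
  - port: 80
    targetPort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: my-app:latest
        ports:
        - containerPort: 3000
```

## Traffic Management

### Virtual Service

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    # 90% of traffic goes to subset v1
    - destination:
        host: my-service
        subset: v1
      weight: 90
    # 10% of traffic goes to subset v2
    - destination:
        host: my-service
        subset: v2
      weight: 10
```

### Destination Rule

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-service
spec:
  host: my-service
  subsets:
  # Each subset selects pods by their "version" label
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

### Fault Injection

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
    # Delay 50% of requests by a fixed 5 seconds
    fault:
      delay:
        percentage:
          value: 50
        fixedDelay: 5s
```

## Security

### mTLS Configuration

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    # STRICT: workloads accept only mutual-TLS traffic
    mode: STRICT
```

### Authorization Policy

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service
spec:
  # The selector must match the pod labels of the workload to protect
  # (the Deployment above labels its pods app: my-app)
  selector:
    matchLabels:
      app: my-service
  # No action is given, so this is an ALLOW policy
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/my-client"]
    to:
    - operation:
        methods: ["GET"]
```

## Monitoring

### Prometheus Integration

```yaml
# istio-prometheus configuration
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  labels:
    app: prometheus
spec:
  ports:
  - port: 9090
  selector:
    app: prometheus
```

### Grafana Dashboards

```bash
# Access Grafana
kubectl port-forward svc/grafana 3000:3000

# View the Istio dashboard at:
# http://localhost:3000/d/istio-mesh/istio-mesh-dashboard
```

## Hands-On Example

### Blue-Green Deployment

```bash
# Deploy version v1
kubectl apply -f deployment-v1.yaml

# Deploy version v2
kubectl apply -f deployment-v2.yaml
```

```yaml
# Configure the virtual service: all traffic to v1
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: v1
```

```yaml
# Switch to v2
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: v2
```

## Summary

The service mesh is important infrastructure for microservice architectures. With Istio and Envoy you can implement sophisticated traffic management, security, and monitoring.

My bearded dragon, Hash, has its own take on the service mesh: it always finds the most efficient path to catch crickets. Maybe that is nature's version of traffic management.

If you have any questions about service meshes, feel free to leave a comment.

I'm Ouyang Rui. The geek's road never ends.

Tech stack: Istio · Envoy · Service Mesh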
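For the authorization policy in the security section, here is an added example (not part of the original post, and not Istio's own code): a simplified Python model of how an ALLOW `AuthorizationPolicy` is evaluated, covering only the workload selector, source principals and methods that the policy uses. The `OTHER` identity and the sample requests are constructed, and DENY/CUSTOM policies and `when` conditions are left out.

```python
# Simplified model of Istio ALLOW-policy evaluation (assumption: only the
# selector, principals and methods fields are modelled, as used on this page).

POLICY = {
    "selector": {"app": "my-service"},
    "rules": [{
        "principals": ["cluster.local/ns/default/sa/my-client"],
        "methods": ["GET"],
    }],
}

def selects(policy, pod_labels):
    """A policy applies to a workload only if every selector label is on the pod."""
    return all(pod_labels.get(k) == v for k, v in policy["selector"].items())

def rule_matches(rule, principal, method):
    """Source and operation must both match; principal is None without mTLS."""
    return principal in rule["principals"] and method in rule["methods"]

def allowed(policies, pod_labels, principal, method):
    """No ALLOW policy selects the workload -> allowed; otherwise a rule must match."""
    applicable = [p for p in policies if selects(p, pod_labels)]
    if not applicable:
        return True
    return any(rule_matches(r, principal, method)
               for p in applicable for r in p["rules"])

CLIENT = "cluster.local/ns/default/sa/my-client"
OTHER = "cluster.local/ns/default/sa/other"  # constructed identity
# Constructed requests: (peer principal, HTTP method); None = no mTLS identity
REQUESTS = [(CLIENT, "GET"), (CLIENT, "POST"), (OTHER, "GET"), (None, "GET")]

def decisions(pod_labels):
    """Allow/deny decision for each sample request against a pod with these labels."""
    return [allowed([POLICY], pod_labels, who, m) for who, m in REQUESTS]

if __name__ == "__main__":
    for labels in ({"app": "my-service"}, {"app": "my-app"}):
        print(labels, decisions(labels))
```

The second case is the one to verify in a real cluster: pods labelled `app: my-app`, as in the sample Deployment, are not selected by a policy whose selector is `app: my-service`, so every sample request is allowed.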