Shulou(Shulou.com)05/31 Report--

This article mainly introduces what Istio is, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

Istio is a micro-service Service Mesh framework jointly opened by Google, IBM and Lyft, which aims to solve the problems of discovery, connection, management, monitoring and security of a large number of micro-services.

The main features of Istio include:

Automatic load balancing of HTTP, gRPC and TCP network traffic

Rich routing rules and fine-grained network traffic behavior control

Traffic encryption, inter-service authentication, and strong identity declaration

Full scope (Fleet-wide) policy enforcement

Depth telemetry and reporting

Principle

Istio can be logically divided into data plane and control plane:

The data plane is mainly composed of a series of intelligent agents (Envoy) to manage the network communication between micro-services.

The control plane is responsible for managing and configuring these intelligent agents and dynamically enforcing policies.

The Istio architecture can be shown in the following figure

It is mainly composed of the following components

Envoy:Lyft 's open source high-performance proxy bus supports dynamic service discovery, load balancing, TLS termination, HTTP/2 and gPRC proxies, health check, performance measurement and other functions. Envoy is deployed as sidecar in the Pod of the associated service.

Mixer: responsible for access control, policy enforcement, and collection of telemetry data from the Envoy agent. Mixer supports a flexible plug-in model for easy extension

Pilot: the interface between the user and Istio, verifies the configuration and routing policy provided by the user, and sends it to the Istio component to manage the life cycle of the Envoy sample.

Istio-Auth: provides authentication mechanism between services and end users

Installation environment

CentOS 7.2

Docker 17.04.0-ce

Kubernetes 1.6.2

Istio 0.1.6

Installation

1. Download the installation package

Download address: https://github.com/istio/istio/releases

Download the latest installation package for the Linux version

Wget https://github.com/istio/istio/releases/download/0.1.6/istio-0.1.6-linux.tar.gz

two。 Decompression

After decompression, the directory structure is as follows:

[root@cz_fbsdb500_06 istio] # tree istio-0.1.6istio-0.1.6 ├── bin │ └── istioctl ├── CONTRIBUTING.md ├── install │ ├── kubernetes │ │ ├── addons │ ├── grafana.yaml │ ├── prometheus.yaml │ ├── servicegraph.yaml │ └── Zipkin.yaml │ │ ├── istio-auth-with-cluster-ca.yaml │ │ ├── istio-auth.yaml │ │ ├── istio-rbac-alpha.yaml │ │ ├── istio-rbac-beta.yaml │ │ ├── istio.yaml │ │ ├── README.md │ templates istio-auth │ │ ├── istio-cluster-ca.yaml │ ├── istio-egress-auth.yaml │ ├── istio-ingress-auth.yaml │ └── istio-namespace-ca.yaml │ │ ├── istio-egress.yaml │ istio-ingress.yaml ├── istio-mixer.yaml │ │ └── istio-pilot.yaml │ └── README.md ├── istio.VERSION ├── LICENSE ├── README.md └── samples ├── apps │ ├── bookinfo │ │ ├── bookinfo-ingress.yaml │ │ ├── bookinfo-v1.yaml bookinfo.yaml │ ├── cleanup.sh │ │ ├── destination-ratings-test-delay.yaml │ │ ├── loadbalancing-policy-reviews.yaml │ │ ├── mixer-rule-additional-telemetry.yaml │ │ ├── mixer-rule-empty-rule.yaml │ │ ├── mixer-rule-ratings-denial.yaml │ │ mixer- Rule-ratings-ratelimit.yaml │ │ ├── README.md │ │ ├── route-rule-all-v1.yaml │ │ ├── route-rule-delay.yaml │ │ ├── route-rule-reviews-50-v3.yaml │ │ ├── route-rule-reviews-test-v2.yaml │ │ ├── route-rule-reviews- V2-v3.yaml │ │ └── route-rule-reviews-v3.yaml │ ├── httpbin │ │ ├── httpbin.yaml │ │ └── README.md │ └── sleep │ ├── README.md │ └── sleep.yaml └── README.md11 directories 46 files

3. Install istioctl

Copy. / bin/istioctl to your $PATH directory.

4. Check RBAC

Because the version of kuberentes we installed is 1.6.2 that supports RBAC by default, this step can be skipped. If you are using other versions of kubernetes, please refer to the official documentation.

Execute the following command, and the correct output looks like this:

$kubectl api-versions | grep rbacrbac.authorization.k8s.io/v1alpha1rbac.authorization.k8s.io/v1beta1

5. Create a role binding

Kubectl create-f install/kubernetes/istio-rbac-beta.yamlclusterrole "istio-manager" createdclusterrole "istio-ca" createdclusterrole "istio-sidecar" createdclusterrolebinding "istio-manager-admin-role-binding" createdclusterrolebinding "istio-ca-role-binding" createdclusterrolebinding "istio-ingress-admin-role-binding" createdclusterrolebinding "istio-sidecar-role-binding" created

Note: there is a RoleBinding error in this file in the installation package of the official website, which should be a cluster-level clusterrolebinding, while the code in release is just a normal rolebinding. Check out the Issue Istio manager cannot list of create k8s TPR when RBAC enabled # 327.

6. Install istio core components

The images used are:

Docker.io/istio/mixer:0.1.6docker.io/istio/pilot:0.1.6docker.io/istio/proxy_debug:0.1.6

We do not enable Istio Auth for the time being.

Note: remove the type: LoadBalancer from all the yaml files used in this article, use the default ClusterIP, and then configure Traefik ingress to access it outside the cluster. Please refer to installing Traefik ingress.

Bashkubectl apply-f install/kubernetes/istio.yaml

7. Install the monitoring plug-in

The images used are:

Docker.io/istio/grafana:0.1.6quay.io/coreos/prometheus:v1.1.1gcr.io/istio-testing/servicegraph:latestdocker.io/openzipkin/zipkin:latest

Install the plug-in

Bashkubectl apply-f install/kubernetes/addons/prometheus.yamlkubectl apply-f install/kubernetes/addons/grafana.yamlkubectl apply-f install/kubernetes/addons/servicegraph.yamlkubectl apply-f install/kubernetes/addons/zipkin.yaml

Add the configuration of the above services in traefik ingress, as well as the configuration of istio-ingress.

Yaml- host: grafana.istio.io http: paths:-path: / backend: serviceName: grafana servicePort: 3000-host: servicegraph.istio.io http: paths:-path: / backend: serviceName: servicegraph servicePort: 8088-host: prometheus.istio.io http: paths:-path: / backend: serviceName: prometheus servicePort: 9090-host : zipkin.istio.io http: paths:-path: / backend: serviceName: zipkin servicePort: 9411-host: ingress.istio.io http: paths:-path: / backend: serviceName: istio-ingress servicePort: 80 Test

We use the test application bookinfoMicro service provided by Istio for testing. The application architecture is as follows:

Deploy the application

Kubectl create-f

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.