How to get Istio up and running

by Chris Cooney

And the crazy stuff you can do once it is.

The moment you get Istio working on your cluster, it feels like you’ve taken quite a serious leap forward. The level of monitoring, security, and functionality you immediately gain is light years ahead of the competition. A few months ago, we took the plunge and installed Istio onto our Kubernetes cluster and… hot damn. We’ll begin at the beginning, with installation and the pitfalls we found, then an overview of the tools we’ve found most useful.

Getting the motor running.

The easiest and most efficient way to install Istio is using the Helm chart. You get a production ready installation out of the box. You have a few options but Istio provides a convenient download command so you can pull down a versioned bundle of the Istio Helm chart. The following will get you version 1.0.6 of the Istio package.

curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.0.6 sh -

Within this downloaded bundle is a convenient little Helm chart, located in install/kubernetes/helm/istio. Once you’re in this directory, it’s a simple helm installation. We prefer to use helm upgrade --install rather than a straight-up install so that the same command can be automated:

helm upgrade istio . -f values.yaml \
  --namespace istio-system \
  --install

This will use the default values.yaml file that is provided in the folder. You can alter this file to switch on or off different features.

A note on uninstalling Istio

Common sense would dictate that a helm delete --purge istio would remove all of the Istio resources, but it doesn’t remove the CustomResourceDefinition types. We had to dig around and delete the CRDs manually. We ended up scripting this. Just something to keep in mind.
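One way to script that cleanup, as an added example rather than the script the author's team wrote: the function names and the sample CRD list are assumptions, and the delete step only runs when asked for explicitly.

```shell
#!/bin/sh
# Added example (not from the original article): find the Istio CRDs that
# survive `helm delete --purge istio` and remove them on request.

# Filter `kubectl get crd -o name` output (stdin) down to Istio's CRDs.
# The match is anchored to the end of the name, so a CRD from another
# project is never selected just because "istio.io" appears inside it.
filter_istio_crds() {
    grep -E '\.istio\.io$' || true   # no match is not an error
}

# Dry run by default: print the leftovers. Pass --delete to remove them.
# Deleting a CRD also deletes every custom resource of that type.
cleanup_istio_crds() {
    crds=$(kubectl get crd -o name | filter_istio_crds)
    if [ -z "$crds" ]; then
        echo "no Istio CRDs left"
        return 0
    fi
    if [ "${1:-}" = "--delete" ]; then
        printf '%s\n' "$crds" | xargs kubectl delete
    else
        printf '%s\n' "$crds"
    fi
}

# Constructed sample of `kubectl get crd -o name` output for an offline check.
sample_crd_names() {
    cat <<'EOF'
customresourcedefinition.apiextensions.k8s.io/virtualservices.networking.istio.io
customresourcedefinition.apiextensions.k8s.io/destinationrules.networking.istio.io
customresourcedefinition.apiextensions.k8s.io/policies.authentication.istio.io
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io
customresourcedefinition.apiextensions.k8s.io/widgets.istio.io.example.com
EOF
}

# Offline demonstration: prints only the three Istio entries from the sample.
sample_crd_names | filter_istio_crds
```

Run `cleanup_istio_crds` on its own first and review the list; `cleanup_istio_crds --delete` then removes exactly those entries.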

Once it was installed, we configured some endpoints and started reviewing what our new cluster could do. Oh boy, we were not disappointed.

Configuring Istio

The last thing to do is to label a namespace to indicate that Istio can perform automatic sidecar injection. This is the simplest way to use Istio. The label is simple. An example namespace YAML you could use is the following:

apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  labels:
    istio-injection: enabled

Any applications that are deployed into this namespace will get an envoy proxy. This proxy will analyze your network traffic and publish to the Istio Prometheus server, where downstream systems can make use of it.

How do I know if I have an Envoy Proxy?

Simple, run kubectl get pods within your desired namespace. You’ll see something like this:

my-application-pod   2/2     Running   0          2d

Assuming you’re only deploying one container per pod, a second container will now appear. This second container is your envoy proxy. If it’s there and it’s ready, you’re good to go.
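The READY count only proves a sidecar when each pod has exactly one container of its own. The following added example (not from the original article; function names and sample data are assumptions) goes beyond that case and lists every pod that has no container named istio-proxy, the name Istio gives the injected Envoy container.

```shell
#!/bin/sh
# Added example (not from the original article): list pods that are running
# without the injected Envoy sidecar, regardless of how many containers they have.

# Print "<pod><TAB><container names>" for every pod in the given namespace.
list_pod_containers() {
    kubectl get pods -n "$1" -o \
        jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Read that format on stdin and print the pods with no container whose name
# is exactly "istio-proxy". Similar-looking names do not count as a sidecar.
pods_without_sidecar() {
    awk -F '\t' '{
        found = 0
        n = split($2, names, " ")
        for (i = 1; i <= n; i++)
            if (names[i] == "istio-proxy") found = 1
        if (!found) print $1
    }'
}

# Constructed sample in the same format, for an offline check. The second pod
# would show 2/2 in `kubectl get pods` and still has no sidecar.
sample_pod_containers() {
    printf 'my-application-pod\tmy-application istio-proxy\n'
    printf 'legacy-batch-job\tworker log-shipper\n'
    printf 'lookalike-pod\tapp istio-proxy-debug\n'
}

# Offline demonstration: prints legacy-batch-job and lookalike-pod.
sample_pod_containers | pods_without_sidecar
```

Against a cluster, `list_pod_containers my-namespace | pods_without_sidecar` gives the pods whose traffic is not passing through the mesh.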

Kiali

I’m coming right out of the gate with my favorite. Kiali provides live network diagramming and HTTP statistics for your applications. It’s a real crowd pleaser and it gives you an excellent “at a glance” dashboard.

Look at the right-hand side of that image. On top of the high level of visibility, you get detail. You could stick the network overview on a TV screen. When one of those lines goes red, you can dig into the HTTP details under the hood.

Quirks of Kiali

You might see traffic coming from “unknown” in Kiali, like this:

This is actually the Kubernetes health check. It’s nothing to be concerned about. You can hide this by doing one of a few things:

  • Adjust your healthcheck to use a local exec on the docker container, rather than an HTTP based check. This is a bit hacky.

  • Use a different port than your main application port for your health check. This is the direction we’ve gone with, which also opens another door for (more on this later)

Istio is working on this and there is a fix in the brand new v1.1 release.

Grafana

Istio will populate a Grafana instance immediately for you. This Grafana instance is absolutely packed with useful application metrics, driven by the data published out of each application’s envoy proxy.

As soon as you deploy a new application with an envoy proxy, you get metrics that typically take teams weeks to put together:

It’s important to recognize, I didn’t configure any of this. Istio is involved enough in your system to pull all of this out for you. And to top it off, this is one of many dashboards. There are tons of them, more than I think I’ll ever use. In the case of monitoring, more is more. I’d rather have too much detail and tone it down, than no visibility at all.

Prometheus

This is the engine behind everything that’s going on. Prometheus is scraping and aggregating vast sums of data and presenting it in a convenient way. I haven’t had to spend a huge amount of time playing with it, to tell you the truth. The Istio services provide some incredibly useful, out of the box functionality. Prometheus can be used to write your own graphs or scrape custom metrics from your applications.

Off the back of this data, you can trigger alerts using Alert Manager, creating a highly sophisticated monitoring and alerting platform for your applications.

The control you gain

On top of all of this, Istio has some baked-in utilities that really push the limit. You’ll be able to trigger faults, cause outages, blackhole traffic and much more. I’ve detailed a few of the cool features that I’ve had a chance to play with, but there are far more.

Fault Injection

With Istio, you can inject failures. For example, the following YAML will cause 100% of requests to return an HTTP status code of 500. Useful for when you’re simulating a third party outage.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - fault:
      abort:
        httpStatus: 500
        percent: 100
    match:
    - headers:
        end-user:
          exact: json
    route:
    - destination:
        host: ratings
        subset: v

The documentation is pretty good and you can dive into all sorts of this functionality. What I’m doing here is simply showing you the surface.

Resilience policies as standard

How often have you written logic to implement retries? Front-loading all of this in a product makes it difficult to focus on the specific business value. Istio makes this simpler. For example, by baking retries in:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - route:
    - destination:
        host: ratings
        subset: v1
    retries:
      attempts: 3
      perTryTimeout: 2s

This will ensure that requests made by your service are retried three times, with a timeout of two seconds in each. No more pollution of your application code — load that into the service mesh and keep your services simple.

Mutual TLS

Service to service encryption can be tough. Ensuring certificates don’t expire is a serious operation… but not with Istio. Istio uses the certificate manager pod to ensure that your applications have their very own, shiny certificate.

Then, with the correct DestinationRule, you can mandate that your applications will only allow TLS encrypted traffic. This ensures that all inter-cluster communication is locked down. The application doesn’t have a clue. It issues the request in HTTP and the Envoy proxy sidecar will transparently upgrade it to Mutual TLS. The following destination rule will ensure that all requests to v1 of the productpage service must be encrypted using mutual TLS.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
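In Istio 1.0 a DestinationRule configures what the client-side sidecars send; whether the receiving sidecar refuses plaintext is set by a separate authentication Policy. The following added example (not from the original article; the function name, policy name and namespace are assumptions) renders both halves for one service so they stay in step, with PERMISSIVE available for a gradual rollout.

```shell
#!/bin/sh
# Added example (not from the original article): render the server-side
# authentication Policy together with the client-side DestinationRule.

# render_mtls <service> <namespace> [STRICT|PERMISSIVE]
# STRICT: the server sidecar accepts only mutual TLS.
# PERMISSIVE: it accepts mutual TLS and plaintext (useful while migrating).
render_mtls() {
    svc=${1:-}; ns=${2:-}; mode=${3:-STRICT}
    if [ -z "$svc" ] || [ -z "$ns" ]; then
        echo "usage: render_mtls <service> <namespace> [STRICT|PERMISSIVE]" >&2
        return 2
    fi
    case "$mode" in
        STRICT|PERMISSIVE) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    cat <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ${svc}-mtls
  namespace: ${ns}
spec:
  targets:
  - name: ${svc}
  peers:
  - mtls:
      mode: ${mode}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ${svc}
  namespace: ${ns}
spec:
  host: ${svc}
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
}

# Offline demonstration: print the manifests for productpage in "default".
# With cluster access: render_mtls productpage default | kubectl apply -f -
render_mtls productpage default
```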

There’s no such thing as a free lunch

As with everything, there are some dangers and tradeoffs. Istio is brilliant, I’m thoroughly impressed. It’s easy to go off the rails and find yourself with a service mash, rather than a service mesh.

Messy integration layers

Anyone who has worked in a sufficiently large organization will have seen this. “Integration layers” that are originally designed to link two applications together. Then they get a little extra logic, a few files here and there, some routing rules sprinkled over the top and all of a sudden, they’re a nest of complexity.

Be careful with Istio in this regard. It is tremendously powerful but requires careful thought. Some features are cool but you might not actually need them. And sometimes, dare I say it, a little repetition in microservices is more desirable than a service mesh with more logic in it than your actual applications.

Complexity

Kubernetes offers a lot to learn. The learning curve is quite kind, especially when compared to the alternatives, but the domain is broad. When you introduce Istio, you also introduce a series of new, more complex concepts. VirtualService and Gateway are types of Custom Resource Definition that you will need to become comfortable with.

This is a trade-off. Look at your cluster or your team and decide. Is our monitoring doing the job perfectly? Are our applications resilient? Do the engineers complain about the repetition of logic? Make sure you’re getting something in return for this complexity and this trade is a no-brainer. Just don’t sleepwalk into a nightmare.

It’s changing… fast

Istio has recently announced that it is production ready and with its 1.1 release, addressed a lot of the existing concerns. That said, this is a new product. If you’re the type of organization that struggles to keep up, the pace that Istio is moving at might be a detriment to you. Falling behind might be catastrophic, especially if security vulnerabilities and bugs turn up.

Once again, this is a burden you need to reason about. Do you have the capability to keep up? If not, could you? And even if you could, is it worth it? Do you really need this extra operational overhead?

That’s all folks

I’ve given the highlights of my experience with Istio. I’ve personally used all the functionality in this article and it has been outstanding. We’ve seen the odd quirk or two but nothing that has given us much pause for thought. All in all, provided you have a situation that needs it, Istio takes your cluster to the next level.

I’m talking about Istio, Kubernetes, and DevOps regularly, on my Twitter account.

Translated from: https://www.freecodecamp.org/news/how-to-get-istio-up-and-running-1935dc7cfb90/
