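Today we look at another Istio traffic-management CRD: DestinationRule. As the name suggests, it is a destination rule. If a VirtualService is understood as the routing of traffic, then a DestinationRule describes where the traffic goes after it has been routed.
Introduction
First, the official documentation: https://istio.io/latest/zh/docs/reference/config/networking/destination-rule/
Example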
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: bookinfo-ratings
spec:
  # Same meaning as the host field of destination in a VirtualService.
  host: ratings.prod.svc.cluster.local
  # Traffic policy: load balancing, connection pool policy, outlier detection, etc.
  trafficPolicy:
    # Load-balancing policy; supports random / weighted / least-request / hash-based load balancing, etc.
    loadBalancer:
      simple: LEAST_CONN
    # Connection pool policy
    connectionPool:
      # TCP connection pool settings
      tcp:
        maxConnections: 100
        connectTimeout: 30ms
        tcpKeepalive:
          time: 7200s
          interval: 75s
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
    # Outlier detection
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
    # TLS settings
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem
  # Set of service endpoints
  subsets:
  # The subset name can be used for traffic splitting in routing rules; it is what the subset field of a VirtualService refers to
  - name: testversion
    # Filter the service endpoints in the service registry by label
    labels:
      version: v3
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
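- Purpose: combined with a VirtualService, a DestinationRule lets us divide traffic into different subsets, so that traffic can be routed differently once conditions such as the user's identity or geographic location have been identified, or so that a canary (gray) release can be used during a version upgrade.
- VirtualService and DestinationRule objects can be used on their own or together. Functionally, one role of a VirtualService is to choose one of several backend Services to forward a request to, whereas a Service chooses one of several backend Pods to forward a request to. A DestinationRule divides the different backends of a single Service into subsets. VirtualService and DestinationRule are tied together through the subset.
Demo
We reuse the httpd and tomcat example from the previous VirtualService post. First create the corresponding Deployments.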
httpd
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd
  labels:
    server: httpd
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      server: httpd
      app: web
  template:
    metadata:
      labels:
        server: httpd
        app: web
    spec:
      containers:
      - name: busybox
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "echo 'this is httpd' > /var/www/index.html; httpd -f -p 8080 -h /var/www"]
tomcat
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
  labels:
    server: tomcat
    app: web
spec:
  replicas: 1
  selector:
    matchLabels:
      server: tomcat
      app: web
  template:
    metadata:
      labels:
        server: tomcat
        app: web
    spec:
      containers:
      - name: tomcat
        image: docker.io/kubeguide/tomcat-app:v1
        imagePullPolicy: IfNotPresent
Create the corresponding Service
apiVersion: v1
kind: Service
metadata:
  name: web-svc
spec:
  selector:
    app: web
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    protocol: TCP
Use a DestinationRule to split our traffic into versions by label. Suppose httpd is v1 of our service and tomcat is v2; a VirtualService then routes to the different versions.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: demo-des
spec:
  host: web-svc
  subsets:
  - name: v1
    labels:
      server: httpd
  - name: v2
    labels:
      server: tomcat
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: web-svc-vs3
spec:
  hosts:
  - web-svc
  http:
  - route:
    - destination:
        host: web-svc
        subset: v2
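The following is an added example, not part of the original post: it models how the Service selector and the DestinationRule subset labels together decide which pods a VirtualService destination reaches, and flags a subset name that no DestinationRule defines. The data is constructed from the manifests on this page; the function names are hypothetical, and everything is assumed to live in one namespace with short host names.

```python
# Constructed data mirroring the manifests on this page (not read from a cluster).
PODS = {
    "httpd": {"server": "httpd", "app": "web"},
    "tomcat": {"server": "tomcat", "app": "web"},
    "hexiaohong-client": {"app": "hexiaohong-client"},
}
SERVICES = {"web-svc": {"app": "web"}}  # Service name -> selector
# DestinationRule host -> subset name -> subset labels (demo-des)
DEST_RULES = {"web-svc": {"v1": {"server": "httpd"}, "v2": {"server": "tomcat"}}}
VS_ROUTES = [{"host": "web-svc", "subset": "v2"}]  # destinations in web-svc-vs3


def matches(labels, selector):
    """True when every selector key/value is present in the pod labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def resolve(route, pods=PODS, services=SERVICES, dest_rules=DEST_RULES):
    """Return sorted pod names a destination reaches; LookupError if undefined."""
    host, subset = route["host"], route.get("subset")
    if host not in services:
        raise LookupError(f"unknown host {host!r}")
    subset_labels = {}
    if subset is not None:
        subsets = dest_rules.get(host, {})
        if subset not in subsets:
            raise LookupError(f"subset {subset!r} not defined for host {host!r}")
        subset_labels = subsets[subset]  # narrows the Service's endpoints
    return sorted(
        name for name, labels in pods.items()
        if matches(labels, services[host]) and matches(labels, subset_labels)
    )


def lint(routes=VS_ROUTES):
    """Return problems: dangling subset references or subsets selecting no pods."""
    problems = []
    for r in routes:
        try:
            if not resolve(r):
                problems.append(f"{r['host']}/{r.get('subset')}: no matching pods")
        except LookupError as e:
            problems.append(str(e))
    return problems


if __name__ == "__main__":
    print(resolve(VS_ROUTES[0]), lint())
```

Without a subset the route reaches both pods behind web-svc, which is why the subset name in the VirtualService has to match one defined in the DestinationRule.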
Create a busybox client to test from
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hexiaohong-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hexiaohong-client
  template:
    metadata:
      labels:
        app: hexiaohong-client
    spec:
      containers:
      - name: busybox
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh", "-c", "sleep 3600"]
---
apiVersion: v1
kind: Service
metadata:
  name: hexiaohong-client-svc
spec:
  selector:
    app: hexiaohong-client
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    protocol: TCP
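View the VirtualService and DestinationRule
Exec into busybox and send a request
- Use kubectl edit virtualservices XXX to change the subset version to v2, then send a request from busybox; the traffic is now directed to v2/tomcat.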