rootless模式下测试istio Ambient功能

前置需求

rootless k8s测试环境搭建：https://blog.csdn.net/longtds/article/details/142916697

istio_Ambient_3">istio Ambient

istio_4">istio安装

通过加速下载istio release包，解压并安装为ambient模式

 wget https://mirror.ghproxy.com/https://github.com/istio/istio/releases/download/1.23.2/istio-1.23.2-linux-amd64.tar.gztar xf istio-1.23.2-linux-amd64.tar.gzcd istio-1.23.2bin/istioctl install --set profile=ambient --skip-confirmation

istio__12">istio 插件安装

istio插件提供了多种可观测系统方案，这里仅仅使用最基础核心的部分

prometheus用于收集各种指标和遥测数据
grafana用于将prometheus中数据可视化
kiali用于服务网格可视化

# 部署插件
cd samples/addons/
kubectl apply -f prometheus.yaml -f kiali.yaml -f grafana.yaml# 查看istio-system pod运行情况
longtds@ubuntu:~$ kubectl get po -n istio-system
NAME                          READY   STATUS    RESTARTS   AGE
grafana-f459cd95-hm6cn        1/1     Running   0          36m
istio-cni-node-287rv          1/1     Running   0          49m
istio-cni-node-frwsn          1/1     Running   0          49m
istio-cni-node-mp5wc          1/1     Running   0          49m
istiod-6499566979-9zfcx       1/1     Running   0          49m
kiali-5bc5879b57-sfsk4        1/1     Running   0          36m
prometheus-84676b8788-qlsbr   2/2     Running   0          36m
ztunnel-2g5wn                 1/1     Running   0          48m
ztunnel-lvvm7                 1/1     Running   0          48m
ztunnel-m9jpw                 1/1     Running   0          48m# 验证istio安装
longtds@ubuntu:~$ istioctl verify-install
1 Istio control planes detected, checking --revision "default" only
✔ Deployment: istiod.istio-system checked successfully
✔ DaemonSet: istio-cni-node.istio-system checked successfully
✔ DaemonSet: ztunnel.istio-system checked successfully
✔ Service: istiod.istio-system checked successfully
✔ ConfigMap: istio.istio-system checked successfully
✔ ConfigMap: istio-cni-config.istio-system checked successfully
✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully
✔ Pod: istiod-6499566979-9zfcx.istio-system checked successfully
✔ ServiceAccount: istio-cni.istio-system checked successfully
✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully
✔ ServiceAccount: istiod.istio-system checked successfully
✔ ServiceAccount: ztunnel.istio-system checked successfully
✔ RoleBinding: istiod.istio-system checked successfully
✔ Role: istiod.istio-system checked successfully
✔ PodDisruptionBudget: istiod.istio-system checked successfully
✔ HorizontalPodAutoscaler: istiod.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-revision-tag-default.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istiod-default-validator.istio-system checked successfully
✔ ClusterRole: istio-cni.istio-system checked successfully
✔ ClusterRole: istio-cni-ambient.istio-system checked successfully
✔ ClusterRole: istio-cni-repair-role.istio-system checked successfully
✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-cni.istio-system checked successfully
✔ ClusterRoleBinding: istio-cni-ambient.istio-system checked successfully
✔ ClusterRoleBinding: istio-cni-repair-rolebinding.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully
Checked 14 custom resource definitions
Checked 1 Istio Deployments
Checked 2 Istio Daemonsets
✔ Istio is installed and verified successfully

Gateway API CRD安装

istio兼容Gateway API标准，我们后面会通过Gateway API进行服务配置

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

测试应用

bookinfo说明（AI生成）：
Istio 的 Bookinfo 示例应用是一个用于演示 Istio 多种特性的微服务应用。该应用由四个独立的微服务组成，这些微服务共同模拟了一个在线书店的页面，显示书籍的详细信息和用户评论。Bookinfo 应用的微服务包括：

productpage：这个微服务调用 details 和 reviews 微服务来生成页面内容。
details：提供书籍的详细信息。
reviews：提供书籍相关的评论。这个微服务还有三个不同的版本（v1、v2、v3），用于演示服务的多个版本之间的流量路由。
- v1：不调用 ratings 服务。
- v2：调用 ratings 服务，并显示黑色星形评分。
- v3：调用 ratings 服务，并显示红色星形评分。
ratings：提供书籍评分信息。

先标记default命名空间受istio ambient管理

kubectl label namespace default istio.io/dataplane-mode=ambient

安装bookinfo

 cd istio-1.23.2/samples/kubectl apply -f bookinfo/platform/kube/bookinfo.yamlkubectl apply -f bookinfo/platform/kube/bookinfo-versions.yamlkubectl apply -f bookinfo/gateway-api/bookinfo-gateway.yaml

查看book服务

longtds@ubuntu:~$ kubectl get pod
NAME                                      READY   STATUS    RESTARTS   AGE
bookinfo-gateway-istio-799d769db8-txgxn   1/1     Running   0          105m
details-v1-7d775cb4f6-9gsfn               1/1     Running   0          105m
productpage-v1-7c4b6b857-jrflm            1/1     Running   0          105m
ratings-v1-5b896f8544-r2njv               1/1     Running   0          105m
reviews-v1-746f96c9d4-t7746               1/1     Running   0          105m
reviews-v2-97bdf5876-zz5pk                1/1     Running   0          105m
reviews-v3-77d9db6844-zdzvj               1/1     Running   0          105m
longtds@ubuntu:~$ kubectl get svc
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)            AGE
bookinfo-gateway-istio   ClusterIP   10.96.103.133   <none>        15021/TCP,80/TCP   104m
details                  ClusterIP   10.96.253.66    <none>        9080/TCP           104m
details-v1               ClusterIP   10.96.166.107   <none>        9080/TCP           104m
kubernetes               ClusterIP   10.96.0.1       <none>        443/TCP            121m
productpage              ClusterIP   10.96.161.150   <none>        9080/TCP           104m
productpage-v1           ClusterIP   10.96.102.109   <none>        9080/TCP           104m
ratings                  ClusterIP   10.96.237.229   <none>        9080/TCP           104m
ratings-v1               ClusterIP   10.96.110.23    <none>        9080/TCP           104m
reviews                  ClusterIP   10.96.41.171    <none>        9080/TCP           104m
reviews-v1               ClusterIP   10.96.91.54     <none>        9080/TCP           104m
reviews-v2               ClusterIP   10.96.167.90    <none>        9080/TCP           104m
reviews-v3               ClusterIP   10.96.202.181   <none>        9080/TCP           104m

设置bookinfo-gateway服务类型为NodePort

longtds@ubuntu:~$ kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=NodePort --namespace=default
gateway.gateway.networking.k8s.io/bookinfo-gateway annotated
# 修改nodeport为kind预分配的端口
longtds@ubuntu:~$ kubectl edit svc bookinfo-gateway-istio
service/bookinfo-gateway-istio edited
longtds@ubuntu:~$ kubectl get svc bookinfo-gateway-istio
NAME                     TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                        AGE
bookinfo-gateway-istio   NodePort   10.96.160.96   <none>        15021:30440/TCP,80:30081/TCP   2m49s

访问服务

通过浏览器访问bookinfo，多刷新几次发现可以切换不同的review版本
在这里插入图片描述

查看服务网格

先配置istio-system下kiali服务类型为NodePort，并使用kind预分配端口，然后通过浏览器访问：

longtds@ubuntu:~$ kubectl edit svc -n istio-system kiali
service/kiali edited
longtds@ubuntu:~$ kubectl get svc -n istio-system kiali
NAME    TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                          AGE
kiali   NodePort   10.96.212.195   <none>        20001:30082/TCP,9090:30204/TCP   119m

在这里插入图片描述
通过脚本模拟请求，并观察kiali中的链路传输情况：

for i in $(seq 1 100); do curl -s http://192.168.121.136:30081/productpage;sleep 1; done

在这里插入图片描述
至此完成基本测试，仅仅算是测试环境的初步搭建。对于istio的各种功能将逐步进行测试。

总结

rootless模式下的kind k8s兼容istio ambient模式应用的链路观测。