Advanced Istio practice on the OKD 3.11 platform

The YAML configuration files used below can be obtained from https://gitee.com/tanwubo/okd-istio-bookinfo

1. Deploy bookinfo

1.1 Deploy bookinfo

oc apply -n myproject -f 01-bookinfo.yaml 
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created

Verify (READY 2/2 shows that the Envoy sidecar was injected next to each application container; 1/1 would mean the pod is outside the mesh):

oc get pod -n myproject
NAME                              READY     STATUS    RESTARTS   AGE
details-v1-5766b9c448-jw7jc       2/2       Running   0          8m
productpage-v1-76c6bfddf4-xvcbr   2/2       Running   0          8m
ratings-v1-69f8d6ff48-rv8bq       2/2       Running   0          8m
reviews-v1-774cdc5cf7-m8zlx       2/2       Running   0          8m

1.2 Create the access entry point

oc apply -f 02-bookinfo-gateway.yaml 
route.route.openshift.io/bookinfo-route created
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
destinationrule.networking.istio.io/productpage created
destinationrule.networking.istio.io/reviews created
destinationrule.networking.istio.io/ratings created
destinationrule.networking.istio.io/details created
virtualservice.networking.istio.io/reviews created

Verify (the Route is created in istio-system, where the ingress gateway runs, not in myproject):

oc get route -n istio-system 
NAME                   HOST/PORT                                                       PATH      SERVICES               PORT      TERMINATION   WILDCARD
bookinfo-route         bookinfo.example.com                                                      istio-ingressgateway   http2                   None

Access the home page
First add a hosts entry on the machine you are browsing from (192.168.84.138 is the address of the OKD router in this environment):

192.168.84.138 bookinfo.example.com

Open http://bookinfo.example.com/productpage
[Image: bookinfo home page]
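As an added illustration (not the repository's 02-bookinfo-gateway.yaml, whose contents are not shown on this page), the three objects that form the entry point, written from the OpenShift Route and Istio networking APIs and based on the upstream Istio bookinfo gateway sample: the Route makes the OKD router forward bookinfo.example.com to the istio-ingressgateway Service in istio-system, the Gateway tells that ingress gateway which host and port to listen on, and the VirtualService limits which paths reach productpage. The host, namespaces and Service name are taken from the page; the path list mirrors the upstream sample, and pinning the Gateway host instead of the sample's "*" is this example's choice.

```yaml
# Added example: entry point for bookinfo on OKD 3.11 (not the page's own manifest).
# OpenShift Route: the router maps bookinfo.example.com to the Istio ingress gateway.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: bookinfo-route
  namespace: istio-system
spec:
  host: bookinfo.example.com
  to:
    kind: Service
    name: istio-ingressgateway
  port:
    targetPort: http2        # matches the PORT column in 'oc get route' above
---
# Istio Gateway: bind the ingress gateway to port 80 for this host only.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: myproject
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.example.com" # upstream sample uses "*"; pinning the host keeps other names unserved
---
# VirtualService: only the paths productpage needs are exposed; Envoy answers 404 for the rest.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
  namespace: myproject
spec:
  hosts:
  - "bookinfo.example.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
```

The Route listing above shows no TERMINATION, so the browser-to-router hop and the router-to-ingress-gateway hop are plain HTTP; the mTLS enabled in section 5 only protects hops between sidecars inside the mesh.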

2. A/B release

2.1 Release reviews v2

oc apply -n myproject -f 03-reviews-v2.yaml 
deployment.apps/reviews-v2 created

Verify

oc get pod -n myproject 
NAME                              READY     STATUS    RESTARTS   AGE
details-v1-5766b9c448-jw7jc       2/2       Running   0          16m
productpage-v1-76c6bfddf4-xvcbr   2/2       Running   0          16m
ratings-v1-69f8d6ff48-rv8bq       2/2       Running   0          16m
reviews-v1-774cdc5cf7-m8zlx       2/2       Running   0          16m
reviews-v2-687666b449-sl2hn       2/2       Running   0          35s

Access verification
After loading the page several times, check the traffic flow in Kiali.
[Image: Kiali traffic graph]

2.2 Switch traffic to reviews v2

oc apply -n myproject -f 04-virtual-service-all-reviews-v2.yaml 
destinationrule.networking.istio.io/reviews configured
virtualservice.networking.istio.io/reviews configured

Access verification
Again, after several requests, check the traffic flow in Kiali.
[Image: Kiali traffic graph]
The reviews panel on the right of the page also looks different from before.
[Image: reviews panel served by v2]
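The repository's 04-virtual-service-all-reviews-v2.yaml is not reproduced on this page; the following is an added example of the two objects such a cut-over needs, written from the Istio networking API rather than copied from the repository. The DestinationRule names the v1 and v2 subsets by pod label, and the VirtualService sends all reviews traffic to v2. The weight field is shown because the same VirtualService generalises to a canary split; the labels version: v1 and version: v2 are assumed to be set on the two Deployments.

```yaml
# Added example (not the page's manifest): subsets for reviews, then an all-to-v2 route.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: myproject
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1        # assumed pod label on reviews-v1
  - name: v2
    labels:
      version: v2        # assumed pod label on reviews-v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: myproject
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
      weight: 100
    # For a gradual cut-over, lower this weight and add a second destination
    # for subset v1 carrying the remainder; the weights must add up to 100.
```

Without a VirtualService the Kubernetes Service round-robins across every pod matching app: reviews regardless of version, so a freshly deployed v2 receives traffic the moment it is Ready; the DestinationRule/VirtualService pair is what makes the version that serves a request an explicit decision.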

3. Traffic management

The home page has a login button at the top right, and any username is accepted. Once logged in, productpage adds an end-user: <username> request header to its calls to reviews, so the following experiment routes traffic on the username carried in that header. Note that the login proves nothing about the user; the header is routing input, not an authenticated identity.
Apply the configuration

oc apply -n myproject -f 05-virtual-service-user01-to-v2.yaml 
virtualservice.networking.istio.io/reviews configured

Verify: load the page while not logged in, and again while logged in as user01
Not logged in: reviews v1 is served
Logged in as user01: reviews v2 is served
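An added example (not the repository's 05-virtual-service-user01-to-v2.yaml, which is not shown here) of the header-based rule described above, in the Istio networking API: a request whose end-user header is exactly user01 goes to the v2 subset, everything else falls through to v1. It assumes the reviews DestinationRule already defines subsets named v1 and v2.

```yaml
# Added example: route reviews by the end-user header that productpage forwards after login.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: myproject
spec:
  hosts:
  - reviews
  http:
  # Rules are evaluated in order; the first matching rule wins.
  - match:
    - headers:
        end-user:
          exact: user01    # prefix: and regex: are the other match forms
    route:
    - destination:
        host: reviews
        subset: v2
  # Default rule: no match clause, so every other request goes to v1.
  - route:
    - destination:
        host: reviews
        subset: v1
```

Treat this as routing, not authorisation: the login form accepts any name, productpage simply copies it into end-user, and any workload that can reach reviews can set the header itself. Section 5's RBAC, which matches on the service identity presented over mTLS rather than on a header, is the mechanism to use when the goal is to restrict who may call a service.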

4. Blacklist (deny rule)

4.1 Check and enable policy checks

Check whether the policy mechanism (Mixer policy checks) is enabled:

oc -n istio-system get ConfigMap istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: true

By default, as shown above, policy checks are disabled. Enable them by setting disablePolicyChecks to false in the mesh configuration, then re-run the command above to confirm the value changed; the deny rule in the next step is only consulted once the sidecars start sending check requests to Mixer.

4.2 Enable a blacklist for access to details

oc apply -n myproject -f 07-product-to-details-denier.yaml 
denier.config.istio.io/denycustomerhandler created
checknothing.config.istio.io/denycustomerrequests created
rule.config.istio.io/denycustomer created

Refresh the home page again: the details panel on the left can no longer be displayed.
[Image: home page with details panel blocked]
Clean up by deleting the same manifest that was applied above, so that all three resources are removed:
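An added example of a Mixer deny rule using the three resource kinds the page's output lists (denier, checknothing, rule); it is not the repository's 07-product-to-details-denier.yaml. The match expression, which blocks calls from pods labelled app: productpage to pods labelled app: details, is an assumption chosen to produce the effect shown above; status code 7 is gRPC PERMISSION_DENIED, which the caller's sidecar surfaces as HTTP 403.

```yaml
# Added example: Mixer policy that denies productpage -> details (not the page's manifest).
apiVersion: config.istio.io/v1alpha2
kind: denier
metadata:
  name: denycustomerhandler
  namespace: myproject
spec:
  status:
    code: 7                  # gRPC PERMISSION_DENIED, seen by the caller as HTTP 403
    message: Not allowed
---
# checknothing: an instance that carries no attributes; the rule's match does the work.
apiVersion: config.istio.io/v1alpha2
kind: checknothing
metadata:
  name: denycustomerrequests
  namespace: myproject
spec:
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: denycustomer
  namespace: myproject
spec:
  # Assumed match; Mixer evaluates it on the check call from the details sidecar.
  match: destination.labels["app"] == "details" && source.labels["app"] == "productpage"
  actions:
  - handler: denycustomerhandler.denier
    instances: [ denycustomerrequests.checknothing ]
```

Two checks worth doing before relying on a rule like this: confirm disablePolicyChecks is false in the mesh ConfigMap (section 4.1), and look at policyCheckFailOpen in the same ConfigMap, because with fail-open behaviour a Mixer outage silently stops the deny rule from being enforced.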

oc delete -n myproject -f 06-product-to-details-denier.yaml 
denier.config.istio.io "denycustomerhandler" deleted
checknothing.config.istio.io "denycustomerrequests" deleted
rule.config.istio.io "denycustomer" deleted

5. RBAC-based access control

5.1 Enable RBAC

oc apply -f 08-rbac-config-ON.yaml 
servicemeshpolicy.authentication.maistra.io/default created
destinationrule.networking.istio.io/default created
servicemeshrbacconfig.rbac.maistra.io/default created

5.2 Enable mTLS for bookinfo

oc apply -n myproject -f 08-destination-rule-all-mtls.yaml 
destinationrule.networking.istio.io/productpage configured
destinationrule.networking.istio.io/reviews configured
destinationrule.networking.istio.io/ratings configured
destinationrule.networking.istio.io/details configured

Verify: the home page now looks like this (RBAC mode ON denies every request until a role binding allows it)
[Image: access denied after enabling RBAC]
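An added example (not the repository's 08-*.yaml files) of the two settings behind steps 5.1 and 5.2: turning RBAC on mesh-wide and switching clients to mTLS, so that the callee's sidecar learns the caller's service-account identity from the client certificate. The Maistra kinds below mirror the upstream Istio MeshPolicy and ClusterRbacConfig; the API groups come from the resource names printed above, the version suffix v1 is assumed.

```yaml
# Added example: mesh-wide RBAC on, plus mTLS on both the server and the client side.
apiVersion: authentication.maistra.io/v1      # group from the page's output; version assumed
kind: ServiceMeshPolicy
metadata:
  name: default
  namespace: istio-system
spec:
  peers:
  - mtls: {}                 # server side: sidecars require mutual TLS from peers
---
apiVersion: rbac.maistra.io/v1                # group from the page's output; version assumed
kind: ServiceMeshRbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: 'ON'                 # quoted: bare ON is a YAML boolean. Default-deny until a binding allows a call
---
# Client side, one per bookinfo service (productpage, reviews, ratings, details):
# without ISTIO_MUTUAL the caller sends plaintext, the server-side policy rejects it,
# and no source principal exists for RBAC to match on.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: details
  namespace: myproject
spec:
  host: details
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Mode ON makes the whole mesh default-deny, which is why the home page is refused at this point. On a shared cluster the upstream ClusterRbacConfig offers ON_WITH_INCLUSION with a namespace list, which limits the lock-down to myproject instead of every namespace in the mesh; check whether the Maistra kind accepts the same field before using it.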

5.3 Grant access to productpage

oc apply -n myproject -f 09-product-policy.yaml 
servicerole.rbac.istio.io/productpage-viewer created
servicerolebinding.rbac.istio.io/bind-productpage-viewer created

Verify: the home page is displayed again, but the details and reviews panels are empty, because productpage itself is still not allowed to call them
[Image: home page after granting productpage access]

5.4 Grant access to details and reviews

oc apply -n myproject -f 10-details-reviews-policy.yaml 
servicerole.rbac.istio.io/details-reviews-viewer created
servicerolebinding.rbac.istio.io/bind-details-reviews created

Verify: load the home page again; details and reviews are displayed normally
[Image: home page after granting details and reviews access]
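An added example of the ServiceRole/ServiceRoleBinding pairs behind steps 5.3 and 5.4, following the Istio rbac.istio.io/v1alpha1 schema and the resource names from the page's output; it is not the repository's 09 and 10 manifests. The productpage role is bound to every caller (user: "*" also matches requests arriving unauthenticated through the ingress gateway), while the details/reviews role is bound to the SPIFFE principal of the productpage service account, so only productpage pods may call them. The service account name bookinfo-productpage comes from section 1.1.

```yaml
# Added example: who may call what, once RBAC mode ON has made everything default-deny.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: productpage-viewer
  namespace: myproject
spec:
  rules:
  - services: ["productpage.myproject.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-productpage-viewer
  namespace: myproject
spec:
  subjects:
  - user: "*"                # any caller, authenticated or not (browser traffic via the ingress gateway)
  roleRef:
    kind: ServiceRole
    name: productpage-viewer
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: myproject
spec:
  rules:
  - services: ["details.myproject.svc.cluster.local", "reviews.myproject.svc.cluster.local"]
    methods: ["GET"]
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-details-reviews
  namespace: myproject
spec:
  subjects:
  # Service-account identity as presented in the caller's mTLS certificate
  # (the SPIFFE ID without the spiffe:// scheme). Only verifiable because 5.2 enabled mTLS.
  - user: "cluster.local/ns/myproject/sa/bookinfo-productpage"
  roleRef:
    kind: ServiceRole
    name: details-reviews-viewer
```

Two caveats a practitioner will hit: the roles allow GET only, as in the upstream sample, so the login form (which posts to /login) stops working with RBAC on unless POST is added to productpage-viewer; and reviews v2 also calls ratings, which no role here permits, so a request routed to v2 would have its ratings call denied until a matching role bound to the bookinfo-reviews service account is added.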
