The YAML configuration files used here can be obtained from https://gitee.com/tanwubo/okd-istio-bookinfo
1. Deploy bookinfo
1.1 Deploy bookinfo
oc apply -n myproject -f 01-bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
Verify
oc get pod -n myproject
NAME READY STATUS RESTARTS AGE
details-v1-5766b9c448-jw7jc 2/2 Running 0 8m
productpage-v1-76c6bfddf4-xvcbr 2/2 Running 0 8m
ratings-v1-69f8d6ff48-rv8bq 2/2 Running 0 8m
reviews-v1-774cdc5cf7-m8zlx 2/2 Running 0 8m
1.2 Create the access entry point
oc apply -f 02-bookinfo-gateway.yaml
route.route.openshift.io/bookinfo-route created
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
destinationrule.networking.istio.io/productpage created
destinationrule.networking.istio.io/reviews created
destinationrule.networking.istio.io/ratings created
destinationrule.networking.istio.io/details created
virtualservice.networking.istio.io/reviews created
Verify
oc get route -n istio-system
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
bookinfo-route bookinfo.example.com istio-ingressgateway http2 None
Access the home page
First add a hosts entry on the machine you access from:
192.168.84.138 bookinfo.example.com
Open http://bookinfo.example.com/productpage
2. A/B release
2.1 Release reviews v2
oc apply -n myproject -f 03-reviews-v2.yaml
deployment.apps/reviews-v2 created
Verify
oc get pod -n myproject
NAME READY STATUS RESTARTS AGE
details-v1-5766b9c448-jw7jc 2/2 Running 0 16m
productpage-v1-76c6bfddf4-xvcbr 2/2 Running 0 16m
ratings-v1-69f8d6ff48-rv8bq 2/2 Running 0 16m
reviews-v1-774cdc5cf7-m8zlx 2/2 Running 0 16m
reviews-v2-687666b449-sl2hn 2/2 Running 0 35s
Verify by accessing the page
After visiting the page several times, check the traffic flow in Kiali
2.2 Switch all traffic to reviews v2
oc apply -n myproject -f 04-virtual-service-all-reviews-v2.yaml
destinationrule.networking.istio.io/reviews configured
virtualservice.networking.istio.io/reviews configured
Verify by accessing the page
Again, after visiting the page several times, check the traffic flow in Kiali
Of course, you can also see on the page itself that the reviews section on the right has changed from before
3. Traffic management
There is a Sign in button in the top-right corner of the home page, and any username is accepted. After signing in, requests to reviews carry an end-user: username
request header, so the following experiments use the username in that header for traffic management
Apply the configuration
oc apply -n myproject -f 05-virtual-service-user01-to-v2.yaml
virtualservice.networking.istio.io/reviews configured
Verify: access the page both while not signed in and while signed in as user01, and compare
4. Blacklist
4.1 Check and enable policy
Check whether the policy mechanism is enabled
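As an added example (not one of the repository's files), this is what a DestinationRule defining the v1 and v2 subsets and a VirtualService that sends requests carrying the end-user: user01 header to reviews v2, and everyone else to v1, look like. It assumes the reviews pods are labelled version: v1 / version: v2 and the Istio networking API version used at the time of this walkthrough:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1      # assumed pod label on reviews-v1
  - name: v2
    labels:
      version: v2      # assumed pod label on reviews-v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  # Evaluated first: a request whose end-user header is exactly user01
  # is routed to the v2 subset.
  - match:
    - headers:
        end-user:
          exact: user01
    route:
    - destination:
        host: reviews
        subset: v2
  # Catch-all: anonymous visitors and every other user stay on v1.
  - route:
    - destination:
        host: reviews
        subset: v1
```

Rules are evaluated in order, so the header match must precede the catch-all route. Note that end-user is an ordinary HTTP header that any client can set directly, so it is a routing key, not proof of identity; access control belongs in the RBAC section below.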
oc -n istio-system get ConfigMap istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: true
As shown above, it is disabled by default; now enable the policy mechanism by setting the disablePolicyChecks field to false
4.2 Enable the details access blacklist
oc apply -n myproject -f 07-product-to-details-denier.yaml
denier.config.istio.io/denycustomerhandler created
checknothing.config.istio.io/denycustomerrequests created
rule.config.istio.io/denycustomer created
Refresh the home page again and the details section on the left can no longer be displayed
Cleanup
oc delete -n myproject -f 06-product-to-details-denier.yaml
denier.config.istio.io "denycustomerhandler" deleted
checknothing.config.istio.io "denycustomerrequests" deleted
rule.config.istio.io "denycustomer" deleted
5. RBAC-based access control
5.1 Enable RBAC
oc apply -f 08-rbac-config-ON.yaml
servicemeshpolicy.authentication.maistra.io/default created
destinationrule.networking.istio.io/default created
servicemeshrbacconfig.rbac.maistra.io/default created
5.2 Enable mTLS for bookinfo
oc apply -n myproject -f 08-destination-rule-all-mtls.yaml
destinationrule.networking.istio.io/productpage configured
destinationrule.networking.istio.io/reviews configured
destinationrule.networking.istio.io/ratings configured
destinationrule.networking.istio.io/details configured
Verify: at this point accessing the home page gives the following
5.3 Grant access to productpage
oc apply -n myproject -f 09-product-policy.yaml
servicerole.rbac.istio.io/productpage-viewer created
servicerolebinding.rbac.istio.io/bind-productpage-viewer created
Verify: the home page is displayed again, but the details and reviews sections have no content
5.4 Grant access to details and reviews
oc apply -n myproject -f 10-details-reviews-policy.yaml
servicerole.rbac.istio.io/details-reviews-viewer created
servicerolebinding.rbac.istio.io/bind-details-reviews created
Verify: access the home page again; details and reviews are now displayed normally