The YAML configuration files used here can be obtained from https://gitee.com/tanwubo/okd-istio-bookinfo
1. Deploy bookinfo
1.1 Deploy bookinfo
oc apply -n myproject -f 01-bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
Verify
oc get pod -n myproject
NAME READY STATUS RESTARTS AGE
details-v1-5766b9c448-jw7jc 2/2 Running 0 8m
productpage-v1-76c6bfddf4-xvcbr 2/2 Running 0 8m
ratings-v1-69f8d6ff48-rv8bq 2/2 Running 0 8m
reviews-v1-774cdc5cf7-m8zlx 2/2 Running 0 8m
1.2 Create the access entry point
oc apply -f 02-bookinfo-gateway.yaml
route.route.openshift.io/bookinfo-route created
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
destinationrule.networking.istio.io/productpage created
destinationrule.networking.istio.io/reviews created
destinationrule.networking.istio.io/ratings created
destinationrule.networking.istio.io/details created
virtualservice.networking.istio.io/reviews created
Verify
oc get route -n istio-system
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
bookinfo-route bookinfo.example.com istio-ingressgateway http2 None
Access the home page
First add a hosts entry on the machine you will access it from:
192.168.84.138 bookinfo.example.com
Then open http://bookinfo.example.com/productpage
2. A/B release
2.1 Release reviews v2
oc apply -n myproject -f 03-reviews-v2.yaml
deployment.apps/reviews-v2 created
验证
oc get pod -n myproject
NAME READY STATUS RESTARTS AGE
details-v1-5766b9c448-jw7jc 2/2 Running 0 16m
productpage-v1-76c6bfddf4-xvcbr 2/2 Running 0 16m
ratings-v1-69f8d6ff48-rv8bq 2/2 Running 0 16m
reviews-v1-774cdc5cf7-m8zlx 2/2 Running 0 16m
reviews-v2-687666b449-sl2hn 2/2 Running 0 35s
Access verification
After accessing the page several more times, view the traffic flow in Kiali
2.2 Switch traffic to reviews v2
oc apply -n myproject -f 04-virtual-service-all-reviews-v2.yaml
destinationrule.networking.istio.io/reviews configured
virtualservice.networking.istio.io/reviews configured
Access verification
Likewise, after accessing the page several times, view the traffic flow in Kiali
Naturally, on the page itself you can also see that the reviews section on the right has changed from before
3. Traffic management
There is a login button in the top right corner of the home page; entering any username succeeds, but after login the requests to reviews carry an end-user:username request header, so the following experiments use the username in that request header for traffic management
Apply the configuration
oc apply -n myproject -f 05-virtual-service-user01-to-v2.yaml
virtualservice.networking.istio.io/reviews configured
Verify: access the page while not logged in and while logged in as user01, respectively
4. Blacklist
4.1 Check and enable policy
Check whether the policy mechanism is enabled
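The routing rule this step relies on, written out as an added example (it is not the 05-virtual-service-user01-to-v2.yaml file from the repository, and it assumes the reviews DestinationRule created earlier defines subsets named v1 and v2): requests whose end-user header is exactly user01 go to reviews v2, everything else goes to v1.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: myproject        # assumed: same namespace as the bookinfo deployment
spec:
  hosts:
  - reviews
  http:
  # First matching rule wins: the header set by productpage after login.
  - match:
    - headers:
        end-user:
          exact: user01
    route:
    - destination:
        host: reviews
        subset: v2            # assumed subset name from the reviews DestinationRule
  # Fallback for anonymous users and every other username.
  - route:
    - destination:
        host: reviews
        subset: v1
```

Because the end-user header is set by the calling service rather than verified by the mesh, this is a routing rule for testing a release, not an access control; the RBAC rules in section 5 are where authorization is enforced.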
oc -n istio-system get ConfigMap istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: true
As shown above, it is disabled by default; now enable the policy mechanism, that is, set the disablePolicyChecks field to false
4.2 Enable the details access blacklist
oc apply -n myproject -f 07-product-to-details-denier.yaml
denier.config.istio.io/denycustomerhandler created
checknothing.config.istio.io/denycustomerrequests created
rule.config.istio.io/denycustomer created
Refreshing the home page again, you will see that the details section on the left can no longer be displayed
Clean up
oc delete -n myproject -f 06-product-to-details-denier.yaml
denier.config.istio.io "denycustomerhandler" deleted
checknothing.config.istio.io "denycustomerrequests" deleted
rule.config.istio.io "denycustomer" deleted
5. RBAC-based access control
5.1 Enable RBAC
oc apply -f 08-rbac-config-ON.yaml
servicemeshpolicy.authentication.maistra.io/default created
destinationrule.networking.istio.io/default created
servicemeshrbacconfig.rbac.maistra.io/default created
5.2 Enable mTLS for bookinfo
oc apply -n myproject -f 08-destination-rule-all-mtls.yaml
destinationrule.networking.istio.io/productpage configured
destinationrule.networking.istio.io/reviews configured
destinationrule.networking.istio.io/ratings configured
destinationrule.networking.istio.io/details configured
Verify: accessing the home page at this point looks as follows
5.3 Grant access to productpage
oc apply -n myproject -f 09-product-policy.yaml
servicerole.rbac.istio.io/productpage-viewer created
servicerolebinding.rbac.istio.io/bind-productpage-viewer created
Verify: accessing the home page again, the page displays, but the details and reviews sections have no content
5.4 Grant access to details and reviews
oc apply -n myproject -f 10-details-reviews-policy.yaml
servicerole.rbac.istio.io/details-reviews-viewer created
servicerolebinding.rbac.istio.io/bind-details-reviews created
Verify: accessing the home page again, details and reviews display normally