引言
Service Mesh(服务网格)是处理微服务间通信的基础设施层,通过Sidecar代理实现流量管理、安全通信、可观测性等功能,将网络通信逻辑从业务代码中解耦。
本文将深入讲解Service Mesh的核心概念,并提供Istio和Envoy的实战配置。
Service Mesh架构原理
Sidecar模式
每个服务实例旁边部署一个代理(Sidecar),所有进出流量都经过Sidecar。
┌─────────────────────────────────────┐
│ Pod │
│ ┌──────────────┐ ┌──────────────┐│
│ │ Application │ │ Sidecar ││
│ │ Container │ │ Proxy ││
│ │ │ │ (Envoy) ││
│ │ 业务逻辑 │ │ 流量管理 ││
│ │ │ │ 安全策略 ││
│ │ │ │ 可观测性 ││
│ └──────────────┘ └──────────────┘│
│ ↕ ↕ │
│ ┌──────────────────────────────┐ │
│ │ Localhost Network │ │
│ └──────────────────────────────┘ │
└─────────────────────────────────────┘
数据平面与控制平面
- 数据平面:由Envoy Sidecar组成,负责实际的流量转发
- 控制平面:Istiod负责配置下发、服务发现、证书管理
Istio核心功能
流量管理
VirtualService:定义路由规则
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: order-service
spec:
hosts:
- order-service
http:
# 基于Header的路由
- match:
- headers:
x-canary:
exact: "true"
route:
- destination:
host: order-service
subset: canary
weight: 100
# 默认路由
- route:
- destination:
host: order-service
subset: stable
weight: 90
- destination:
host: order-service
subset: canary
weight: 10
DestinationRule:定义流量策略
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: order-service
spec:
host: order-service
trafficPolicy:
# 连接池配置
connectionPool:
tcp:
maxConnections: 1000
http:
h2UpgradePolicy: DEFAULT
http1MaxPendingRequests: 1000
http2MaxRequests: 1000
# 熔断配置
outlierDetection:
consecutiveErrors: 5
interval: 30s
baseEjectionTime: 30s
maxEjectionPercent: 50
# 负载均衡
loadBalancer:
simple: ROUND_ROBIN
# 子集定义(用于灰度发布)
subsets:
- name: stable
labels:
version: v1
- name: canary
labels:
version: v2
灰度发布示例
# 金丝雀发布:逐步切换流量
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: payment-service
spec:
hosts:
- payment-service
http:
- route:
# 阶段1:10%流量到新版本
- destination:
host: payment-service
subset: v1
weight: 90
- destination:
host: payment-service
subset: v2
weight: 10
# 阶段2:观察指标,逐步增加
# weight: 70 / 30
# weight: 50 / 50
# weight: 0 / 100
安全策略
mTLS(双向TLS)
# 启用严格mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
# 特定服务禁用mTLS(兼容遗留系统)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: legacy-service
spec:
selector:
matchLabels:
app: legacy-service
mtls:
mode: DISABLE
授权策略
# 只允许特定服务访问
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: order-service-policy
spec:
selector:
matchLabels:
app: order-service
action: ALLOW
rules:
- from:
- source:
principals:
- cluster.local/ns/production/sa/user-service
- cluster.local/ns/production/sa/product-service
to:
- operation:
methods: ["GET", "POST"]
paths: ["/api/v1/orders/*"]
# 允许管理员访问所有接口
- from:
- source:
requestPrincipals: ["*"]
when:
- key: request.headers[x-user-role]
values: ["admin"]
可观测性
分布式追踪
Istio自动注入追踪Header,配合Jaeger实现全链路追踪。
# Istio追踪配置
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
enableTracing: true
defaultConfig:
tracing:
sampling: 100.0 # 生产环境建议1%-10%
zipkin:
address: jaeger-collector.observability:9411
指标采集
# Prometheus指标采集配置
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: mesh-default
spec:
metrics:
- providers:
- name: prometheus
overrides:
- match:
metric: ALL_METRICS
tagOverrides:
# 添加自定义标签
user_id:
value: request.headers["x-user-id"]
tenant_id:
value: request.headers["x-tenant-id"]
访问日志
# 启用访问日志
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
name: access-logging
spec:
accessLogging:
- providers:
- name: envoy
disabled: false
Envoy高级配置
自定义过滤器
# Envoy Lua过滤器示例
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
-- 添加请求ID
local request_id = request_handle:headers():get("x-request-id")
if not request_id then
request_id = os.time() .. "-" .. math.random(1000000)
request_handle:headers():add("x-request-id", request_id)
end
-- 记录请求开始
request_handle:logInfo("Request started: " .. request_id)
end
function envoy_on_response(response_handle)
-- 添加响应头
response_handle:headers():add("x-powered-by", "envoy")
-- 记录响应状态
local status = response_handle:headers():get(":status")
response_handle:logInfo("Response status: " .. status)
end
重试策略
# 细粒度重试配置
route:
retry_policy:
num_retries: 3
retry_on: 5xx,reset,connect-failure,retriable-4xx
per_try_timeout: 2s
retry_back_off:
base_interval: 0.1s
max_interval: 1s
retriable_request_headers:
- name: ":method"
exact_match: "GET"
生产环境最佳实践
渐进式上线
# 阶段1:仅启用Sidecar注入,不改变流量
kubectl label namespace production istio-injection=enabled
# 阶段2:启用mTLS(宽松模式)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: PERMISSIVE
# 阶段3:逐步切换到严格模式
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: STRICT
性能优化
# Sidecar资源限制
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
spec:
outboundTrafficPolicy:
mode: ALLOW_ANY
egress:
- hosts:
- "./*"
---
# Pod资源配额
apiVersion: v1
kind: Pod
spec:
containers:
- name: istio-proxy
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
总结
Service Mesh通过Sidecar模式将网络通信逻辑从业务代码中解耦,提供了强大的流量管理、安全策略、可观测性能力:
- 流量管理:VirtualService和DestinationRule实现灰度发布、熔断、限流
- 安全策略:mTLS保障通信安全,AuthorizationPolicy实现细粒度访问控制
- 可观测性:自动集成分布式追踪、指标采集、访问日志
Service Mesh适合中大型微服务系统,对于小型系统可能过于复杂。
延伸阅读
继续阅读
探索更多技术文章
浏览归档,发现更多关于系统设计、工具链和工程实践的内容。