Istio Traffic Management: A Deep Dive

Core Traffic Management Resources

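VirtualService  → defines routing rules (how to route)
DestinationRule → defines destination policy (where to route, how to connect)
Gateway         → manages ingress/egress traffic
ServiceEntry    → registers external services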

Advanced Traffic Control

Header-Based Routing

yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app
spec:
  hosts:
  - my-app
  http:
  # Route beta testers to v2
  - match:
    - headers:
        x-user-group:
          exact: beta-testers
    route:
    - destination:
        host: my-app
        subset: v2

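  # Route requests carrying a specific cookie to v2
  # ("; ?" allows the space that browsers put after each ";" in the Cookie header)
  - match:
    - headers:
        cookie:
          regex: "^(.*?; ?)?(version=v2)(;.*)?$"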
    route:
    - destination:
        host: my-app
        subset: v2

  # Default route to v1
  - route:
    - destination:
        host: my-app
        subset: v1

Traffic Mirroring (Shadow Testing)

yaml
# Fragment: goes under spec: of the my-app VirtualService
http:
- route:
  - destination:
      host: my-app
      subset: v1
  mirror:
    host: my-app
    subset: v2
  mirrorPercentage:
    value: 100  # Mirror 100% of traffic to v2 (does not affect the response)

Circuit Breaker

yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-app
spec:
  host: my-app
  trafficPolicy:
    outlierDetection:
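      consecutive5xxErrors: 5      # eject after 5 consecutive 5xx errors
      interval: 30s                # detection interval
      baseEjectionTime: 30s        # minimum ejection duration
      maxEjectionPercent: 50       # eject at most 50% of instances
      minHealthPercent: 30         # outlier detection applies only while at least 30% of instances are healthy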

Rate Limiting (Local Rate Limiting)

yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit
spec:
  workloadSelector:
    labels:
      app: my-app
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/udpa.type.v1.TypedStruct
          type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
          value:
            stat_prefix: http_local_rate_limiter
            token_bucket:
              max_tokens: 1000
              tokens_per_fill: 1000
              fill_interval: 1s
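            filter_enabled:
              runtime_key: local_rate_limit_enabled
              default_value:
                numerator: 100
                denominator: HUNDRED
            # Without filter_enforced the filter only records stats and rejects nothing
            filter_enforced:
              runtime_key: local_rate_limit_enforced
              default_value:
                numerator: 100
                denominator: HUNDRED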

Egress Traffic Control

yaml
# Register the external service
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
  - api.external.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS

---
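# Control egress traffic
# Note: http rules apply only to ServiceEntry ports declared as HTTP/HTTP2/GRPC.
# On the HTTPS port above the sidecar passes TLS through, so this timeout and
# retry policy is not applied to that traffic.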
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-api
spec:
  hosts:
  - api.external.com
  http:
  - timeout: 10s
    retries:
      attempts: 3
    route:
    - destination:
        host: api.external.com
        port:
          number: 443
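
The `http` rules above are attached to a ServiceEntry port declared as HTTPS, which the sidecar forwards as opaque TLS. As an added example (not part of the original page), the variant below has the application send plain HTTP to port 80 and lets the sidecar originate TLS to port 443, so the timeout and retries take effect; the port 80 entry, `targetPort` and the DestinationRule are assumptions introduced here.

```yaml
# Added example, not from the original page: TLS origination for api.external.com.
# Assumption: the application calls http://api.external.com (port 80).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
  - api.external.com
  ports:
  - number: 80
    name: http
    protocol: HTTP        # plaintext inside the pod, so http rules can apply
    targetPort: 443       # sidecar connects to the upstream on 443
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-api
spec:
  host: api.external.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE      # sidecar originates TLS to the upstream
        sni: api.external.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-api
spec:
  hosts:
  - api.external.com
  http:
  - timeout: 10s
    retries:
      attempts: 3
    route:
    - destination:
        host: api.external.com
        port:
          number: 80
```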

Content on this site was compiled and written by 褚成志 and is provided for learning and reference only.