Istio

Overview

Istio is a full-featured, customisable, and extensible service mesh.

Architecture

Istio provides a data plane that is composed of Envoy-based sidecars. These intelligent proxies control all network traffic in and out of your meshed apps and workloads.

The control plane manages the configuration, policy, and telemetry via the following components:

  • Mixer - Enforces access control and usage policies. Collects telemetry from the proxies that is pushed into Prometheus.

  • Pilot - Provides service discovery and traffic management policy/configuration for the proxies.

  • Citadel - Provides identity and security capabilities that allow for mTLS between services.

  • Galley - Abstracts and provides configuration to components.

The following architecture diagram demonstrates how the various components within the data plane and control plane interact.

Overview of Istio components and architecture.
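As an added example (not part of the original page or of the Istio project's own documentation), the configuration below shows how the workload identity that Citadel issues is turned into an enforced policy: a mesh-wide PeerAuthentication that requires mTLS for every sidecar-to-sidecar connection, plus a narrower workload-level override for one legacy workload that has not been migrated yet. It assumes the security.istio.io/v1beta1 API (Istio 1.5 and later; on those versions Citadel's certificate-issuing role lives inside istiod) and that istio-system is the root namespace; the legacy namespace and app label are constructed for the example.

```yaml
# Added example: mesh-wide mTLS enforcement (assumes Istio 1.5+ security API).
# Placed in the root namespace (istio-system by default) with no selector, a
# PeerAuthentication applies to every workload in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    # STRICT: sidecars accept only mutually authenticated TLS; plaintext is refused.
    mode: STRICT
---
# Workload-scoped override (constructed namespace and label) for a service that
# still receives plaintext from non-mesh clients. The most specific policy wins,
# so only this workload falls back to PERMISSIVE while the rest of the mesh stays STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-permissive
  namespace: legacy
spec:
  selector:
    matchLabels:
      app: legacy-app
  mtls:
    # PERMISSIVE: accept both mTLS and plaintext; intended as a migration state only.
    mode: PERMISSIVE
```

Apply both manifests with `kubectl apply -f`. Treat the PERMISSIVE override as temporary: while it is in place, a plaintext caller reaching that workload is not authenticated by the sidecar, so remove the override once the remaining clients are inside the mesh.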

Selection criteria

It's important to understand and consider the following areas when evaluating Istio for your workloads:

Design goals

The following design goals guide the Istio project:

  • Maximize Transparency - Allow adoption with the minimum amount of work to get real value from the system.

  • Extensibility - Must be able to grow and adapt with changing needs.

  • Portability - Run easily in different kinds of environments - cloud, on-premises.

  • Policy Uniformity - Consistency in policy definition across a variety of resources.

Capabilities

Istio provides the following set of capabilities:

  • Mesh - gateways (multi-cluster), virtual machines (mesh expansion)

  • Traffic Management - routing, splitting, timeouts, circuit breakers, retries, ingress, egress

  • Policy - access control, rate limit, quota, custom policy adapters

  • Security - authentication (JWT), authorisation, encryption (mTLS), external CA (HashiCorp Vault)

  • Observability - golden metrics, mirror, tracing, custom adapters, Prometheus, Grafana
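The security and traffic-management capabilities listed above, as an added example that is not code from the original page or from the Istio project: a RequestAuthentication that validates end-user JWTs for one workload, an AuthorizationPolicy that turns that validation into a requirement, and a VirtualService/DestinationRule pair that applies weighted routing, a request timeout, retries, and outlier detection (Istio's circuit breaker). It assumes the security.istio.io/v1beta1 and networking.istio.io/v1beta1 APIs (Istio 1.5 and later); the httpbin service, the version labels, and the issuer and JWKS URLs are constructed placeholders.

```yaml
# Added example (assumes Istio 1.5+ APIs). Validate JWTs presented to the
# httpbin workload. Issuer and jwksUri are constructed placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.invalid/"
    jwksUri: "https://issuer.example.invalid/.well-known/jwks.json"
---
# A RequestAuthentication on its own only rejects requests carrying an INVALID
# token; requests with no token still pass. This ALLOW policy closes that gap:
# once an ALLOW policy exists for the workload, only requests that match one of
# its rules are admitted, and requestPrincipals is populated only from a
# successfully validated JWT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
---
# Traffic management for the same service: 90/10 split between two subsets,
# a per-request deadline, and bounded retries on transient failures.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin
  namespace: default
spec:
  hosts:
  - httpbin
  http:
  - route:
    - destination:
        host: httpbin
        subset: v1
      weight: 90
    - destination:
        host: httpbin
        subset: v2
      weight: 10
    timeout: 5s
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: 5xx,reset,connect-failure
---
# Subset definitions plus outlier detection: an endpoint returning five
# consecutive 5xx responses within a 10s window is ejected for 30s, with at
# most half of the endpoints ejected at once so the service never goes dark.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
  namespace: default
spec:
  host: httpbin
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
```

Two points worth checking after applying these: confirm that a request without an Authorization header to httpbin is rejected (that is the AuthorizationPolicy doing its job, not the RequestAuthentication), and keep `attempts` times `perTryTimeout` within the overall `timeout`, otherwise later retries are cut off by the deadline before they can complete.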

Scenarios

Istio is well suited to and suggested for the following scenarios:

  • Require extensibility and a rich set of capabilities

  • Mesh expansion to include VM-based workloads

  • Multi-cluster service mesh

Next steps

The following documentation describes how you can install Istio on Azure Kubernetes Service (AKS):

You can also further explore Istio concepts and additional deployment models: