采用 Istio 对 Kubernetes 托管的应用程序进行零检测应用程序监视 - 已弃用Zero instrumentation application monitoring for Kubernetes hosted applications with Istio - DEPRECATED

重要

此功能当前正被弃用,在 2020 年 8 月 1 日之后将不再受支持。This functionality is currently being deprecated and will no longer be supported after August 1st, 2020. 目前只能通过独立代理为 Java 启用无代码监视。Currently the codeless monitoring can only be enabled for Java through standalone agent. 对于其他语言,请使用 SDK 监视 AKS 上的应用:ASP.Net CoreASP.NetNode.jsJavaScriptPythonFor other languages, use the SDKs to monitor your apps on AKS: ASP.Net Core, ASP.Net, Node.js, JavaScript, and Python.

Azure Monitor 现在利用 Kubernetes 群集上的服务网格技术为任何由 Kubernetes 托管的应用提供现成的应用程序监视功能。Azure Monitor now leverages service mesh tech on your Kubernetes cluster to provide out of the box application monitoring for any Kubernetes hosted app. 使用默认的 Application Insight 功能,例如使用应用程序映射对依赖关系建模,使用实时指标流进行实时监视,使用默认仪表板指标资源管理器工作簿进行强大的可视化操作。With default Application Insight features like Application Map to model your dependencies, Live Metrics Stream for real-time monitoring, powerful visualizations with the default dashboard, Metric Explorer, and Workbooks. 此功能可帮助用户查明所选 Kubernetes 命名空间中所有 Kubernetes 工作负荷的性能瓶颈和故障热点。This feature will help users spot performance bottlenecks and failure hotspots across all of their Kubernetes workloads within a selected Kubernetes namespace. 利用包含 Istio 之类技术的现有服务网格投资,Azure Monitor 可以在不修改应用程序代码的情况下实现自动检测的应用监视。By capitalizing on your existing service mesh investments with technologies like Istio, Azure Monitor enables auto-instrumented app monitoring without any modification to your application's code.

备注

这是在 Kubernetes 上执行应用程序监视的多种方式之一。This is one of many ways to perform application monitoring on Kubernetes. 还可以使用 Application Insights SDK 来检测托管在 Kubernetes 中的任何应用,不需要使用服务网格。 You can also instrument any app hosted in Kubernetes by using the Application Insights SDK without the need for a service mesh. 若要在不使用 SDK 来检测应用程序的情况下监视 Kubernetes,可以使用以下方法。To monitor Kubernetes without instrumenting the application with an SDK you can use the below method.

先决条件Prerequisites

功能Capabilities

通过对 Kubernetes 托管的应用使用零检测应用程序监视,你将能够使用:By using zero instrumentation application monitoring for Kubernetes hosted apps, you will be able to use:

安装步骤Installation steps

若要启用此解决方案,请执行以下步骤:To enable the solution, we'll be performing the following steps:

  • 部署应用程序(如果尚未部署)。Deploy the application (if not already deployed).
  • 确保该应用程序是服务网格的一部分。Ensure the application is part of the service mesh.
  • 观察所收集的遥测数据。Observe collected telemetry.

配置你的应用以使用服务网格Configure your app to work with a service mesh

Istio 支持两种检测 Pod 的方法。Istio supports two ways of instrumenting a pod. 在大多数情况下,最简单的方法是使用 istio-injection 标签来标记包含你的应用程序的 Kubernetes 命名空间:In most cases, it's easiest to mark the Kubernetes namespace containing your application with the istio-injection label:

kubectl label namespace <my-app-namespace> istio-injection=enabled

备注

由于服务网格将数据从线路上剥离,因此我们无法拦截加密的流量。Since service mesh lifts data off the wire, we cannot intercept the encrypted traffic. 对于不离开群集的流量,请使用未加密的协议(例如 HTTP)。For traffic that doesn't leave the cluster, use an unencrypted protocol (for example, HTTP). 对于必须加密的外部流量,请考虑在入口控制器处设置 TLS 终止For external traffic that must be encrypted, consider setting up TLS termination at the ingress controller.

在服务网格外运行的应用程序不受影响。Applications running outside of the service mesh are not affected.

部署应用程序Deploy your application

  • 将应用程序部署到 my-app-namespace 命名空间。Deploy your application to my-app-namespace namespace. 如果应用程序已部署,并且你已经遵循了上面描述的自动跨斗注入方法,则需重新创建 Pod 以确保 Istio 注入其跨斗;或者启动滚动更新或删除各个 Pod 并等待它们重新创建。If the application is already deployed, and you have followed the automatic sidecar injection method described above, you need to recreate pods to ensure Istio injects its sidecar; either initiate a rolling update or delete individual pods and wait for them to be recreated.
  • 请确保应用程序符合 Istio 要求Ensure your application complies with Istio requirements.

为 Kubernetes 托管的应用部署零检测应用程序监视Deploy zero instrumentation application monitoring for Kubernetes hosted apps

  1. 下载并提取某个 Application Insights 适配器版本Download and extract an Application Insights adapter release.

  2. 导航到 release 文件夹中的 /src/kubernetes/。Navigate to /src/kubernetes/ inside the release folder.

  3. 编辑 application-insights-istio-mixer-adapter-deployment.yamlEdit application-insights-istio-mixer-adapter-deployment.yaml

    • 编辑 ISTIO_MIXER_PLUGIN_AI_INSTRUMENTATIONKEY 环境变量的值,使之包含 Azure 门户中 Application Insights 资源的检测密钥,这样就可以包含遥测数据。edit the value of ISTIO_MIXER_PLUGIN_AI_INSTRUMENTATIONKEY environment variable to contain the instrumentation key of the Application Insights resource in Azure portal to contain the telemetry.
    • 如果需要,请编辑 ISTIO_MIXER_PLUGIN_WATCHLIST_NAMESPACES 环境变量的值,使之包含你要为其启用监视功能的命名空间的逗号分隔列表。If necessary, edit the value of ISTIO_MIXER_PLUGIN_WATCHLIST_NAMESPACES environment variable to contain a comma-separated list of namespaces for which you would like to enable monitoring. 将其留空即可监视所有命名空间。Leave it blank to monitor all namespaces.
  4. 通过运行以下命令应用在 src/kubernetes/ 中找到的每个 YAML 文件(必须仍然在 /src/kubernetes/ 中 ):Apply every YAML file found under src/kubernetes/ by running the following (you must still be inside /src/kubernetes/):

    kubectl apply -f .
    

验证部署Verify deployment

  • 确保已部署 Application Insights 适配器:Ensure Application Insights adapter has been deployed:

    kubectl get pods -n istio-system -l "app=application-insights-istio-mixer-adapter"
    

备注

在某些情况下,需要进行微调优化。In some cases, fine-tuning tuning is required. 若要在收集中包括或排除对单个 Pod 的遥测,请在该 Pod 上使用 appinsights/monitoring.enabled 标签。To include or exclude telemetry for an individual pod from being collected, use appinsights/monitoring.enabled label on that pod. 这将优先于所有基于命名空间的配置。This will have priority over all namespace-based configuration. 将 appinsights/monitoring.enabled 设置为 true 即可包括该 Pod,设置为 false 即可排除它。Set appinsights/monitoring.enabled to true to include the pod, and to false to exclude it.

查看 Application Insights 遥测View Application Insights telemetry

  • 生成针对你的应用程序的示例请求,以确认监视功能是否正常运行。Generate a sample request against your application to confirm that monitoring is functioning properly.
  • 在 3-5 分钟内,你应该会开始看到遥测数据出现在 Azure 门户中。Within 3-5 minutes, you should start seeing telemetry appear in the Azure portal. 请确保在门户中查看 Application Insights 资源的“应用程序映射”部分。Be sure to check out the Application Map section of your Application Insights resource in the Portal.

疑难解答Troubleshooting

下面是遥测数据未按预期出现在 Azure 门户中时要使用的故障排除流。Below is the troubleshooting flow to use when telemetry doesn't appear in the Azure portal as expected.

  1. 确保应用程序有负荷,并以明文 HTTP 形式发送/接收请求。Ensure the application is under load and is sending/receiving requests in plain HTTP. 由于遥测数据会从线路剥离,因此不支持加密的流量。Since telemetry is lifted off the wire, encrypted traffic is not supported. 如果没有传入或传出请求,则不会有任何遥测数据。If there are no incoming or outgoing requests, there will be no telemetry either.

  2. 确保在 application-insights-istio-mixer-adapter-deployment.yaml 的环境变量 ISTIO_MIXER_PLUGIN_AI_INSTRUMENTATIONKEY 中提供正确的检测密钥。Ensure the correct instrumentation key is provided in the ISTIO_MIXER_PLUGIN_AI_INSTRUMENTATIONKEY environment variable in application-insights-istio-mixer-adapter-deployment.yaml. 检测密钥是在 Azure 门户中 Application Insights 资源的“概览”选项卡上找到的。The instrumentation key is found on the Overview tab of the Application Insights resource in the Azure portal.

  3. 确保在 application-insights-istio-mixer-adapter-deployment.yaml 的环境变量 ISTIO_MIXER_PLUGIN_WATCHLIST_NAMESPACES 中提供正确的 Kubernetes 命名空间。Ensure the correct Kubernetes namespace is provided in the ISTIO_MIXER_PLUGIN_WATCHLIST_NAMESPACES environment variable in application-insights-istio-mixer-adapter-deployment.yaml. 将其留空即可监视所有命名空间。Leave it blank to monitor all namespaces.

  4. 确保应用程序的 Pod 已由 Istio 通过跨斗注入。Ensure your application's pods have been sidecar-injected by Istio. 验证每个 Pod 上是否存在 Istio 的跨斗。Verify that Istio's sidecar exists on each pod.

    kubectl describe pod -n <my-app-namespace> <my-app-pod-name>
    

    验证是否有一个名为 istio-proxy 的容器正在 Pod 上运行。Verify that there is a container named istio-proxy running on the pod.

  5. 查看 Application Insights 适配器的跟踪。View the Application Insights adapter's traces.

    kubectl get pods -n istio-system -l "app=application-insights-istio-mixer-adapter"
    kubectl logs -n istio-system application-insights-istio-mixer-adapter-<fill in from previous command output>
    

    收到的遥测项的计数每分钟更新一次。The count of received telemetry items is updated once a minute. 如果此数目没有逐分钟变大,则表示 Istio 没有向适配器发送遥测数据。If it doesn't grow minute over minute - no telemetry is being sent to the adapter by Istio. 查看日志中是否存在任何错误。Look for any errors in the log.

  6. 如果已经确定没有为 Application Insight for Kubernetes 适配器提供遥测数据,请检查 Istio 的 Mixer 日志,了解它为何没有向适配器发送数据:If it has been established that Application Insight for Kubernetes adapter is not being fed telemetry, check Istio's Mixer logs to figure out why it's not sending data to the adapter:

    kubectl get pods -n istio-system -l "istio=mixer,app=telemetry"
    kubectl logs -n istio-system istio-telemetry-<fill in from previous command output> -c mixer
    

    查看是否存在任何错误,尤其是与 applicationinsightsadapter 适配器的通信有关的错误。Look for any errors, especially pertaining to communications with applicationinsightsadapter adapter.

常见问题解答FAQ

有关此项目的进度的最新信息,请访问 Istio Mixer 项目的 GitHub 的 Application Insights 适配器For the latest info for the progress on this project, visit the Application Insights adapter for Istio Mixer project's GitHub.

卸载Uninstall

若要卸载该产品,请针对 src/kubernetes/ 下的每个 YAML 文件运行以下命令:To uninstall the product, for every YAML file found under src/kubernetes/ run:

kubectl delete -f <filename.yaml>

后续步骤Next steps

若要详细了解 Azure Monitor 和容器如何一起工作,请访问用于容器的 Azure Monitor 概述To learn more about how Azure Monitor and containers work together visit Azure Monitor for containers overview