istio.io/archive/v1.20/zh/blog/2022/get-started-ambient/index.html

<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Istio Ambient Mesh 入门"><meta name=description content="Istio Ambient Mesh 入门分步指南。"><meta name=author content="Lin Sun (Solo.io), John Howard (Google)"><meta name=keywords content="microservices,services,mesh,ambient,demo,guide"><meta property="og:title" content="Istio Ambient Mesh 入门"><meta property="og:type" content="website"><meta property="og:description" content="Istio Ambient Mesh 入门分步指南。"><meta property="og:url" content="/v1.20/zh/blog/2022/get-started-ambient/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.20 / Istio Ambient Mesh 入门</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.20/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.20/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.20/feed.xml><link rel="shortcut icon" href=/v1.20/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.20/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.20/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.20/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.20/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.20/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.20/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.20/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.20/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.20/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.20/favicons/favicon.svg><link rel=icon type=image/png href=/v1.20/favicons/favicon.png><link rel=mask-icon href=/v1.20/favicons/safari-pinned-tab.svg color=#466BB0><link rel=manifest href=/v1.20/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.20/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link 
rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.20/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.20",docTitle="Istio Ambient Mesh 入门",iconFile="/v1.20//img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.20/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.20/zh/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 
01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 
23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.20/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Istio Ambient Mesh 入门</h1><p>Istio Ambient Mesh 入门分步指南。</p></div><p class=post-author>Sep 7, 2022 <span>| </span>By Lin Sun - Solo.io, John Howard - Google</p><div><p>Ambient Mesh 是 <a href=/v1.20/zh/blog/2022/introducing-ambient-mesh/>Istio 如今引入的全新数据平面模式</a>
跟随本入门指南,您可以体验 Ambient Mesh 如何简化您的应用上线,如何助力当前业务运营,如何减少服务网格基础设施的资源用量。</p><h2 id=install-istio-with-ambient-mode>以 Ambient 模式安装 Istio</h2><ol><li><a href=https://gcsweb.istio.io/gcs/istio-build/dev/0.0.0-ambient.191fe680b52c1754ee72a06b3e0d3f9d116f2e82>下载支持 Ambient Mesh 的 Istio 预览版</a>。注意:这是一个固定到特定提交的实验性开发构建(版本号 <code>0.0.0-ambient.&lt;commit&gt;</code>),并非正式发布版本,只应在试验集群中使用;若构建目录提供了校验和文件,请在解压前核对。本文后续的 <code>istioctl</code> 子命令、Gateway 注解和 <code>gatewayClassName</code> 取值均对应该预览版,在后来正式发布的 Ambient 实现中可能已有变化,请以您所用版本的文档为准。</li><li>检查<a href=https://github.com/istio/istio/tree/experimental-ambient#supported-environments>支持的环境</a>
我们推荐使用不低于 1.21 版本的 Kubernetes 集群,至少要有 2 个节点。
如果您还没有 Kubernetes 集群,您可以在本地安装(例如参照以下命令用 kind 安装)或在 Google 或 AWS 的云上部署一个 Kubernetes 集群:</li></ol><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kind create cluster --config=- &lt;&lt;EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: ambient
nodes:
- role: control-plane
- role: worker
- role: worker
EOF
</code></pre><p><code>ambient</code> 配置文件是为快速上手 Ambient Mesh 而设计的示例安装配置(它会一并安装 Ingress Gateway 等组件),并不代表经过加固的生产配置。
使用上述下载的 <code>istioctl</code>,用 <code>ambient</code> 配置文件将 Istio 安装到您的 Kubernetes 集群上:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl install --set profile=ambient
</code></pre><p>运行以上命令后,您将获得以下输出,表示这四个组件已成功安装!</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete
</code></pre><p>默认情况下,ambient 配置文件已启用了 Istio 核心功能、Istiod、Ingress Gateway、零信任隧道代理 (ztunnel) 和 CNI 插件。
Istio CNI 插件负责检测哪些应用 Pod 属于 Ambient Mesh 并配置 ztunnel 之间的流量重定向。
您将看到以下 Pod 用默认的 ambient 配置文件安装到了 istio-system 命名空间中:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
istio-cni-node-97p9l 1/1 Running 0 29s
istio-cni-node-rtnvr 1/1 Running 0 29s
istio-cni-node-vkqzv 1/1 Running 0 29s
istio-ingressgateway-5dc9759c74-xlp2j 1/1 Running 0 29s
istiod-64f6d7db7c-dq8lt 1/1 Running 0 47s
ztunnel-bq6w2 1/1 Running 0 47s
ztunnel-tcn4m 1/1 Running 0 47s
ztunnel-tm9zl 1/1 Running 0 47s
</code></pre><p>istio-cni 和 ztunnel 组件被部署为 <a href=https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/daemonset/>Kubernetes <code>DaemonSet</code></a> 运行在每个节点上。
每个 Istio CNI Pod 都会检查同一节点上并置的所有 Pod,以查看这些 Pod 是否属于 Ambient Mesh。
对于这些 Pod,CNI 插件将配置流量重定向,使得所有传入和传出 Pod 的流量均先重定向到并置的 ztunnel。
当新的 Pod 部署到此节点上或被移除时,CNI 插件会监控并更新重定向逻辑。从安全角度看,这意味着每个节点上的 ztunnel 是该节点上所有 Ambient Pod 共享的信任组件:它代表这些 Pod 建立 mTLS,并持有它们的工作负载证书(见下文的证书检查步骤),因此其自身的保护与节点级隔离同样重要;更深入的讨论请参阅<a href=/v1.20/zh/blog/2022/ambient-security/>Ambient Mesh 安全深入探讨</a>。</p><h2 id=deploy-your-applications>部署您的应用</h2><p>您将使用 <a href=/v1.20/zh/docs/examples/bookinfo/>bookinfo 应用</a>样例,此样例位于前面几步中下载的 Istio 包内。
在 ambient 模式中,将应用部署到 Kubernetes 集群的方式与没有 Istio 时的部署方式完全相同。
这意味着您可以在启用 Ambient Mesh 之前先让应用运行在 Kubernetes 中,然后将这些应用接入网格,不需要重启或重新配置这些应用。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
$ kubectl apply -f https://raw.githubusercontent.com/linsun/sample-apps/main/sleep/sleep.yaml
$ kubectl apply -f https://raw.githubusercontent.com/linsun/sample-apps/main/sleep/notsleep.yaml
</code></pre><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:28.22429906542056%><a data-skipendnotes=true href=/v1.20/zh/blog/2022/get-started-ambient/app-not-in-ambient.png title="采用纯文本流量未处于 Ambient Mesh 的应用"><img class=element-to-stretch src=/v1.20/zh/blog/2022/get-started-ambient/app-not-in-ambient.png alt="采用纯文本流量未处于 Ambient Mesh 的应用"></a></div><figcaption>采用纯文本流量未处于 Ambient Mesh 的应用</figcaption></figure><p>注:<code>sleep</code> 和 <code>notsleep</code> 是两个简单的应用,可用作 curl 客户端。它们的清单来自个人 GitHub 仓库的 <code>main</code> 分支(可变引用,内容可能随时变更);从供应链安全角度,请先下载并审阅清单内容或固定到具体提交,再 <code>kubectl apply</code> 到集群中。</p><p><code>productpage</code> 连接到 Istio Ingress Gateway,因此您可以从集群外部访问 bookinfo 应用:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
</code></pre><p>测试您的 bookinfo 应用,不管有没有网关该应用都必须能够工作。
注:您可以将以下 <code>istio-ingressgateway.istio-system</code> 替换为其负载均衡器 IP或 hostname</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec deploy/sleep -- curl -s http://istio-ingressgateway.istio-system/productpage | head -n1
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><h2 id=adding-your-application-to-the-ambient-mesh>添加您的应用到 Ambient Mesh</h2><p>您只需为命名空间添加标签就能让给定命名空间内的所有 Pod 成为 Ambient Mesh 的一部分:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl label namespace default istio.io/dataplane-mode=ambient
</code></pre><p>恭喜!您已成功将 default 命名空间中的所有 Pod 添加到 Ambient Mesh。
此处最大的优势是不需要重启,也不需要部署任何东西!</p><p>发送一些测试流量:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec deploy/sleep -- curl -s http://istio-ingressgateway.istio-system/productpage | head -n1
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><p>您在 Ambient Mesh 中的应用之间会使用 mTLS 通信。</p><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:46.748681898066785%><a data-skipendnotes=true href=/v1.20/zh/blog/2022/get-started-ambient/app-in-ambient-secure-overlay.png title="采用安全覆盖层从 sleep 到 `productpage` 以及从 `productpage` 到 reviews 的入站请求"><img class=element-to-stretch src=/v1.20/zh/blog/2022/get-started-ambient/app-in-ambient-secure-overlay.png alt="采用安全覆盖层从 sleep 到 `productpage` 以及从 `productpage` 到 reviews 的入站请求"></a></div><figcaption>采用安全覆盖层从 sleep 到 `productpage` 以及从 `productpage` 到 reviews 的入站请求</figcaption></figure><p>如果您对每个身份的 X.509 证书有所好奇,您可以运行以下命令了解该证书相关的更多信息:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl pc secret ds/ztunnel -n istio-system -o json | jq -r &#39;.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes&#39; | base64 --decode | openssl x509 -noout -text -in /dev/stdin
</code></pre><p>例如,下面的输出表明:该证书由本地集群 CA 签发(<code>Issuer: O=cluster.local</code>),有效期为 24 小时(对比 <code>Not Before</code> 与 <code>Not After</code>);工作负载身份并不在 <code>Subject</code> 中(它为空),而是编码在标记为 critical 的 Subject Alternative Name 扩展里的 SPIFFE URI <code>spiffe://cluster.local/ns/default/sa/sleep</code>,下文鉴权策略中的 <code>principals</code> 匹配的正是这个身份。</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>Certificate:
Data:
Version: 3 (0x2)
Serial Number: 307564724378612391645160879542592778778 (0xe762cfae32a3b8e3e50cb9abad32b21a)
Signature Algorithm: SHA256-RSA
Issuer: O=cluster.local
Validity
Not Before: Aug 29 21:00:14 2022 UTC
Not After : Aug 30 21:02:14 2022 UTC
Subject:
Subject Public Key Info:
Public Key Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
ac:db:1a:77:72:8a:99:28:4a:0c:7e:43:fa:ff:35:
75:aa:88:4b:80:4f:86:ca:69:59:1c:b5:16:7b:71:
dd:74:57:e2:bc:cf:ed:29:7d:7b:fa:a2:c9:06:e6:
d6:41:43:2a:3c:2c:18:8e:e8:17:f6:82:7a:64:5f:
c4:8a:a4:cd:f1:4a:9c:3f:e0:cc:c5:d5:79:49:37:
30:10:1b:97:94:2c:b7:1b:ed:a2:62:d9:3b:cd:3b:
12:c9:b2:6c:3c:2c:ac:54:5b:a7:79:97:fb:55:89:
ca:08:0e:2e:2a:b8:d2:e0:3b:df:b2:21:99:06:1b:
60:0d:e8:9d:91:dc:93:2f:7c:27:af:3e:fc:42:99:
69:03:9c:05:0b:c2:11:25:1f:71:f0:8a:b1:da:4a:
da:11:7c:b4:14:df:6e:75:38:55:29:53:63:f5:56:
15:d9:6f:e6:eb:be:61:e4:ce:4b:2a:f9:cb:a6:7f:
84:b7:4c:e4:39:c1:4b:1b:d4:4c:70:ac:98:95:fe:
3e:ea:5a:2c:6c:12:7d:4e:24:ab:dc:0e:8f:bc:88:
02:f2:66:c9:12:f0:f7:9e:23:c9:e2:4d:87:75:b8:
17:97:3c:96:83:84:3f:d1:02:6d:1c:17:1a:43:ce:
68:e2:f3:d7:dd:9e:a6:7d:d3:12:aa:f5:62:91:d9:
8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
Server Authentication, Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:93:49:C1:B8:AB:BF:0F:7D:44:69:5A:C3:2A:7A:3C:79:19:BE:6A:B7
X509v3 Subject Alternative Name: critical
URI:spiffe://cluster.local/ns/default/sa/sleep
</code></pre><p>注:如果您没有得到任何输出,这可能意味着 <code>ds/ztunnel</code> 已选择了一个未管理任何证书的节点。
您可以改为指定某个特定的 ztunnel Pod(例如 <code>istioctl pc secret ztunnel-tcn4m -n istio-system</code>),即与某个样例应用 Pod 位于同一节点、为其管理证书的那个 ztunnel。</p><h2 id=secure-application-access>加固应用访问安全</h2><p>当您将应用添加到 Ambient Mesh 后,就可以使用 L4 鉴权策略加固应用访问的安全。
这允许您根据客户端工作负载身份(即上文证书 SAN 中的 SPIFFE 身份)在连接层面控制对某个服务的访问,但它不提供按 <code>GET</code>、<code>POST</code> 等 HTTP 方法区分的 L7 级别控制,后者需要下一节部署的 waypoint proxy。</p><h3 id=l4-authorization-policies>L4 鉴权策略</h3><p>显式允许 <code>sleep</code> 服务账户和 <code>istio-ingressgateway</code> 服务账户来调用 <code>productpage</code> 服务(由于这是针对 <code>productpage</code> 的 <code>ALLOW</code> 策略,未被列出的身份——例如 <code>notsleep</code>——将被拒绝):</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;, &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;]
EOF
</code></pre><p>确认上述鉴权策略正在发挥作用:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s http://istio-ingressgateway.istio-system/productpage | head -n1
$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
$ # this should fail with an empty reply
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><h3 id=l7-authorization-policies>7 层鉴权策略</h3><p>使用 Kubernetes Gateway API,您可以为使用 <code>bookinfo-productpage</code> 服务账户的 <code>productpage</code> 服务部署一个 waypoint proxy。
任何流向 <code>productpage</code> 服务的流量都将由这个 7 层 (L7) 代理进行调解、策略实施和观测。请注意,该 waypoint 通过 <code>istio.io/service-account</code> 注解绑定到 <code>bookinfo-productpage</code> 服务账户(见下方的 Gateway 状态信息),代表该身份处理流量,因此应把它视为与 <code>productpage</code> 本身同等敏感的组件来保护。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: productpage
annotations:
istio.io/service-account: bookinfo-productpage
spec:
gatewayClassName: istio-mesh
EOF
</code></pre><p>请注意,对于本预览版中的 waypoint proxy,<code>gatewayClassName</code> 必须是 <code>istio-mesh</code>。</p><p>查看 <code>productpage</code> waypoint proxy 的状态;您应看到网关资源的详情以及状态为 <code>Ready</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get gateway productpage -o yaml
...
status:
conditions:
- lastTransitionTime: &#34;2022-09-06T20:24:41Z&#34;
message: Deployed waypoint proxy to &#34;default&#34; namespace for &#34;bookinfo-productpage&#34;
service account
observedGeneration: 1
reason: Ready
status: &#34;True&#34;
type: Ready
</code></pre><p>更新 <code>AuthorizationPolicy</code>,显式只允许 <code>sleep</code> 服务账户和 <code>istio-ingressgateway</code> 服务账户对 <code>productpage</code> 服务执行 <code>GET</code>,其他 HTTP 方法一律拒绝。<code>to.operation.methods</code> 这类规则属于 L7 属性,只有在流量经过 waypoint proxy 时才能被评估,因此前一步部署 waypoint 是前提:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;, &#34;cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account&#34;]
to:
- operation:
methods: [&#34;GET&#34;]
EOF
</code></pre><p>确认上述鉴权策略正在发挥作用:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ # this should fail with an RBAC error because it is not a GET operation
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ -X DELETE | head -n1
$ # this should fail with an RBAC error because the identity is not allowed
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | head -n1
$ # this should continue to work
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | head -n1
</code></pre><figure style=width:75%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:57.01298701298702%><a data-skipendnotes=true href=/v1.20/zh/blog/2022/get-started-ambient/app-in-ambient-l7.png title="Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay and L7 processing layers"><img class=element-to-stretch src=/v1.20/zh/blog/2022/get-started-ambient/app-in-ambient-l7.png alt="Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay and L7 processing layers"></a></div><figcaption>Inbound requests from sleep to `productpage` and from `productpage` to reviews with secure overlay and L7 processing layers</figcaption></figure><p>随着 <code>productpage</code> waypoint proxy 被部署,对于到 <code>productpage</code> 服务的所有请求,您也将自动获取 L7 指标:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec deploy/bookinfo-productpage-waypoint-proxy -- curl -s http://localhost:15020/stats/prometheus | grep istio_requests_total
</code></pre><p>您将看到该指标 <code>response_code=403</code> 以及一些指标 <code>response_code=200</code>,具体如下:</p><pre><code class=language-plain data-expandlinks=true data-repo=istio>istio_requests_total{
response_code=&#34;403&#34;,
source_workload=&#34;notsleep&#34;,
source_workload_namespace=&#34;default&#34;,
source_principal=&#34;spiffe://cluster.local/ns/default/sa/notsleep&#34;,
destination_workload=&#34;productpage-v1&#34;,
destination_principal=&#34;spiffe://cluster.local/ns/default/sa/bookinfo-productpage&#34;,
connection_security_policy=&#34;mutual_tls&#34;,
...
}
</code></pre><p>该指标记录了源工作负载(<code>notsleep</code>)通过双向 TLS 连接(<code>connection_security_policy="mutual_tls"</code>)调用目标工作负载(<code>productpage-v1</code>)时得到的 <code>403</code> 响应,并同时带有源和目标的 SPIFFE 主体——也就是说,即便连接已经通过 mTLS 认证,鉴权仍可基于身份独立拒绝请求,而被拒绝的调用方身份可以直接从指标中审计出来。</p><h2 id=control-traffic>控制流量</h2><p>使用 <code>bookinfo-reviews</code> 服务账户为 <code>reviews</code> 服务部署 waypoint proxy,因此流向 <code>reviews</code> 服务的所有流量都将由该 waypoint proxy 进行调解。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: reviews
annotations:
istio.io/service-account: bookinfo-reviews
spec:
gatewayClassName: istio-mesh
EOF
</code></pre><p>应用 <code>reviews</code> 虚拟服务以控制 90% 流量到 reviews v1,而 10% 流量到 reviews v2。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
$ kubectl apply -f samples/bookinfo/networking/destination-rule-reviews.yaml
</code></pre><p>确认 100 个请求中大致有 10% 流量流向 <code>reviews-v2</code></p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it deploy/sleep -- sh -c &#39;for i in $(seq 1 100); do curl -s http://istio-ingressgateway.istio-system/productpage | grep reviews-v.-; done&#39;
</code></pre><h2 id=wrapping-up>结尾语</h2><p>现有的 Istio 资源继续工作,与您是选择使用 Sidecar 还是 Ambient 数据平面模式无关。</p><p>观看一个短视频,看看 Lin Sun 如何在 5 分钟内完成 Istio Ambient Mesh 演示:</p><iframe width=560 height=315 src=https://www.youtube.com/embed/wTGF4S4ZmJ0 title="YouTube video player" frameborder=0 allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe><h2 id=what-is-next>下一步</h2><p>我们很高兴看到全新的 Istio Ambient 数据平面及其简单的 &ldquo;ambient&rdquo; 架构。
现在将您的应用接入具有 Ambient 模式的服务网格就像标记命名空间一样简单。
您的应用立即就能获得基于工作负载身份的 mTLS 加密、L4 鉴权以及 L4 可观测性等好处。
如果需要在 Ambient Mesh 中的应用之间控制访问、路由、增强弹性或获得 L7 指标,可以根据需要将 waypoint proxy 应用到您的应用。
我们推崇这种按需使用的方式,因为它不但能节省资源,还能免去持续升级大量代理所带来的运营成本!
诚挚邀请您试用全新的 Istio Ambient 数据平面架构,体验极简操作。
期待您在 Istio 社区<a href=https://slack.istio.io>提出反馈</a></p></div><nav class=pagenav><div class=left><a title="深入研究最近发布的 Istio 无边车数据平面 Ambient Mesh 的安全隐患。" href=/v1.20/zh/blog/2022/ambient-security/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.20/img/icons.svg#left-arrow"/></svg>Ambient Mesh 安全深入探讨</a></div><div class=right><a title="Istio 无 Sidecar 的全新数据平面模式。" href=/v1.20/zh/blog/2022/introducing-ambient-mesh/ class=next-link>Ambient Mesh 简介<svg class="icon right-arrow"><use xlink:href="/v1.20/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='Istio 的代码在 GitHub 上开发' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.20/img/icons.svg#github"/></svg>