Istio 策略管理

Mixer 为应用程序和基础架构后端之间提供了一个通用的策略控制层,负责先决条件检查(如认证授权)、配额管理并从 Envoy 代理中收集遥测数据等。

Mixer 支持灵活的插件模型(即 Adapters),支持 GCP、AWS、Prometheus、Heapster 等各种丰富功能的后端。

实现原理

本质上,Mixer 是一个 属性 处理机,进入 Mixer 的请求带有一系列的属性,Mixer 按照不同的处理阶段处理:

  • 通过全局 Adapters 为请求引入新的属性
  • 通过解析(Resolution)识别要用于处理请求的配置资源
  • 处理属性,生成 Adapter 参数
  • 分发请求到各个 Adapters 后端处理

Adapters 后端以 Mixer 配置 的方式注册到 Istio 中,参考 这里 查看示例配置。

流量限制示例

apiVersion: "config.istio.io/v1alpha2"
kind: memquota
metadata:
  name: handler
  namespace: istio-system
spec:
  quotas:
  - name: requestcount.quota.istio-system
    maxAmount: 5000
    validDuration: 1s
    # The first matching override is applied.
    # A requestcount instance is checked against override dimensions.
    overrides:
    # The following override applies to 'ratings' when
    # the source is 'reviews'.
    - dimensions:
        destination: ratings
        source: reviews
      maxAmount: 1
      validDuration: 1s
    # The following override applies to 'ratings' regardless
    # of the source.
    - dimensions:
        destination: ratings
      maxAmount: 100
      validDuration: 1s

---
apiVersion: "config.istio.io/v1alpha2"
kind: quota
metadata:
  name: requestcount
  namespace: istio-system
spec:
  dimensions:
    source: source.labels["app"] | source.service | "unknown"
    sourceVersion: source.labels["version"] | "unknown"
    destination: destination.labels["app"] | destination.service | "unknown"
    destinationVersion: destination.labels["version"] | "unknown"

---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: quota
  namespace: istio-system
spec:
  actions:
  - handler: handler.memquota
    instances:
    - requestcount.quota
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  creationTimestamp: null
  name: request-count
  namespace: istio-system
spec:
  rules:
  - quotas:
    - charge: 1
      quota: RequestCount
---
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  creationTimestamp: null
  name: request-count
  namespace: istio-system
spec:
  quotaSpecs:
  - name: request-count
    namespace: istio-system
  services:
  - name: ratings
  - name: reviews
  - name: details
  - name: productpage

参考文档

© Pengfei Ni all right reserved,powered by GitbookUpdated at 2018-06-22 07:00:40

results matching ""

    No results matching ""