Istio


Before utilizing Istio

After utilizing Istio

Proxy & Service mesh

Client ─── Service A ┬── Service B
                     └── Service C

Assume a system in which Service A calls either Service B or Service C, depending on the request the Client sends to Service A.

If Service B develops a problem and cannot respond to calls from Service A, a thread in Service A can end up waiting. If this keeps happening, the number of waiting threads grows; as a result Service A itself can stall, and the flows that go through Service C can be affected as well.

Client ─── Service A ┬── Circuit breaker B ─── Service B
                     └── Circuit breaker C ─── Service C

μ΄λŸ¬ν•œ 지연을 κ°μ§€ν•˜μ—¬ λ„€νŠΈμ›Œν¬λ₯Ό λŠμ–΄μ£ΌλŠ” μ„œν‚· 브레이컀(Circuit breaker)λ₯Ό μ„œλΉ„μŠ€λ“€ 사이에 μΆ”κ°€ν•˜λ©΄ λ¬Έμ œκ°€ λ°œμƒν–ˆμ„ λ•Œ, λ„€νŠΈμ›Œν¬κ°€ λŠκΈ°λ©΄μ„œ Service A의 λŒ€κΈ° 쀑인 μŠ€λ ˆλ“œκ°€ 톡신 μ—λŸ¬λ₯Ό κ°μ§€ν•˜κ²Œ 되고 그에 따라 μŠ€λ ˆλ“œλ₯Ό 정리할 수 μžˆμŠ΅λ‹ˆλ‹€. κ·Έλ ‡κ²Œ 되면 Service Cλ₯Ό μ΄μš©ν•˜λ˜ μ„œλΉ„μŠ€λŠ” λ¬Έμ œμ—†μ΄ 제곡될 수 μžˆμŠ΅λ‹ˆλ‹€.

Client ─── Service A ─── Proxy A ┬── Proxy B ─── Service B
                                 └── Proxy C ─── Service C

Beyond handling communication failures, there are other concerns such as controlling traffic flow and monitoring traffic flow. These can be addressed by connecting the services through proxies placed between them instead of connecting the services to each other directly.

Client ─── Service A ─── Proxy A ┬── Proxy B ─── Service B
                                 └── Proxy C ─── Service C
Client ─── Service D ─── Proxy D ┬── Proxy E ─── Service E
                                 └── Proxy F ─── Service F
...
Control Plane

While the system is small, the network can be configured by editing each proxy's settings by hand, but this becomes difficult as the system grows. Adding a Control Plane that manages all of the proxies (the Data Plane) at once solves this problem.

The dedicated infrastructure layer built in this way to manage service-to-service communication is called a service mesh.

Envoy

Envoy is an L7 proxy; Istio uses a modified version of Envoy.

A sidecar is a container added to a Pod to give it extra functionality. When a Pod is created, Istio adds Envoy to it as a sidecar according to the injection rules.

Injection rule examples

When a file configured as below is applied as a patch with Kustomize, a sidecar is injected into every Deployment that is configured along with it.

kubeflow/common/knative/knative-serving/base/patches/sidecar-injection.yaml
patches:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: '*'
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: 'true'

With the configuration below, no sidecar is injected into the Pods in that Namespace.

kubeflow/manifests/common/istio-1-9-0/istio-namespace/base/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
  labels:
    istio-operator-managed: Reconcile
    istio-injection: disabled
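A Pod without a sidecar sits outside the traffic control and monitoring the proxies provide, so it is worth listing which workloads the injection rules leave out. The following added Python example is not part of the original page or of Istio; it assumes a simplified rule (the Namespace must carry `istio-injection: enabled`, and a Pod template can opt out with `sidecar.istio.io/inject: 'false'`), which should be checked against the injector configuration of the Istio release in use. The function names, the `demo-*` workloads and the `kubeflow` namespace label are hypothetical.

```python
def injection_decision(ns_labels, pod_annotations):
    """Assumed default rule: the namespace must opt in, a pod may opt out."""
    ns_value = ns_labels.get("istio-injection", "<unset>")
    if ns_value != "enabled":
        return False, f"namespace label istio-injection={ns_value}"
    if str(pod_annotations.get("sidecar.istio.io/inject", "")).lower() == "false":
        return False, "pod annotation sidecar.istio.io/inject=false"
    return True, "injected"

def workloads_without_sidecar(namespaces, deployments):
    """List (namespace/name, reason) for Deployments whose Pods get no sidecar."""
    findings = []
    for d in deployments:
        meta = d["metadata"]
        ns = meta.get("namespace", "default")
        template_meta = d["spec"]["template"].get("metadata", {})
        injected, reason = injection_decision(
            namespaces.get(ns, {}), template_meta.get("annotations", {}))
        if not injected:
            findings.append((f"{ns}/{meta['name']}", reason))
    return findings

def deployment(ns, name, annotations=None):
    """Build a minimal Deployment manifest for the constructed sample below."""
    return {"kind": "Deployment", "metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"metadata": {"annotations": annotations or {}}}}}

# Constructed sample. The istio-system labels and the centraldashboard annotation
# are the values shown on this page; every other name, label and namespace
# placement (including centraldashboard living in "kubeflow") is hypothetical.
NAMESPACES = {
    "istio-system": {"istio-operator-managed": "Reconcile", "istio-injection": "disabled"},
    "kubeflow": {"istio-injection": "enabled"},
    "default": {},
}
DEPLOYMENTS = [
    deployment("kubeflow", "centraldashboard", {"sidecar.istio.io/inject": "false"}),
    deployment("kubeflow", "demo-api"),
    deployment("default", "demo-batch", {"sidecar.istio.io/inject": "true"}),
    deployment("istio-system", "demo-gateway"),
]

if __name__ == "__main__":
    for name, reason in workloads_without_sidecar(NAMESPACES, DEPLOYMENTS):
        print(f"{name}: no sidecar ({reason})")
```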

Gateway & VirtualService

kubeflow/manifests/common/istio-1-9-0/kubeflow-istio-resources/base/kf-istio-resources.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kubeflow-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - '*'

manifests/apps/centraldashboard/upstream/base/params.env
CD_CLUSTER_DOMAIN=cluster.local
CD_USERID_HEADER=kubeflow-userid
CD_USERID_PREFIX=
CD_REGISTRATION_FLOW=false

kubeflow/manifests/apps/centraldashboard/upstream/base/kustomization.yaml
# ...
configMapGenerator:
- envs:
  - params.env
  name: centraldashboard-parameters
generatorOptions:
  disableNameSuffixHash: true
vars:
- fieldref:
    fieldPath: metadata.namespace
  name: CD_NAMESPACE
  objref:
    apiVersion: v1
    kind: Service
    name: centraldashboard
- fieldref:
    fieldPath: data.CD_CLUSTER_DOMAIN
  name: CD_CLUSTER_DOMAIN
  objref:
    apiVersion: v1
    kind: ConfigMap
    name: centraldashboard-parameters
# ...

kubeflow/manifests/apps/centraldashboard/upstream/overlays/istio/params.yaml
varReference:
- path: spec/http/route/destination/host
  kind: VirtualService

kubeflow/manifests/apps/centraldashboard/upstream/overlays/istio/virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: centraldashboard
spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /
    rewrite:
      uri: /
    route:
    - destination:
        host: centraldashboard.$(CD_NAMESPACE).svc.$(CD_CLUSTER_DOMAIN)
        port:
          number: 80

kubeflow/manifests/apps/centraldashboard/upstream/base/service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8082
  selector:
    app: centraldashboard
  sessionAffinity: None
  type: ClusterIP

kubeflow/manifests/apps/centraldashboard/upstream/base/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: centraldashboard
  name: centraldashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: centraldashboard
  template:
    metadata:
      labels:
        app: centraldashboard
      annotations:
        sidecar.istio.io/inject: 'false'
    spec:
      containers:
      - name: centraldashboard
        image: public.ecr.aws/j1r0q0g6/notebooks/central-dashboard
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8082
          initialDelaySeconds: 30
          periodSeconds: 30
        ports:
        - containerPort: 8082
          protocol: TCP
        #...

Kiali

Reference
