Linkerd的部署与入门--service mesh初步体验

Linkerd2初探

部署环境

k8s环境:

KIND 模拟kubernetes 1.21.1

kubectl 1.21.1
操作系统:

Ubuntu 18.04.1
Linkerd:

2.12.0

以下步骤是按照官方的Geting Started文档来完成的。本文侧重怎样将linkerd部署、运行起来,并简单介绍了Linkerd在一个模拟应用中的使用,以及Linkerd可视化面板。

Linkerd简介

Linkerd是一种服务网格(service mesh)的实现。官方主页上介绍它是一种超轻量化,超便捷,超强的服务网格,它是CNCF孵化的开源项目,对于kubernetes来说是安全可靠,无需修改应用代码,为应用程序添加可观察性(observability)、安全性(security)和可靠性(reliability)功能。

Linkerd 是 Kubernetes 的一个完全开源的服务网格实现。它通过为你提供运行时调试、可观测性、可靠性和安全性,使运行服务更轻松、更安全,所有这些都不需要对你的代码进行任何更改。

Linkerd 通过在每个服务实例旁边安装一组超轻、透明的代理(sidecar)来工作。这些代理会自动处理进出服务的所有流量。由于它们是透明的,这些代理充当高度仪表化的进程外网络堆栈,向控制平面发送遥测数据并从控制平面接收控制信号。

安装Linkerd客户端

直接从官网下载安装

plain 复制代码
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

或者从github下载可执行文件

将安装包放到 /usr/local/bin下

plain 复制代码
chmod +x linkerd2-cli-stable-2.12.0-rc2-linux-arm64
cp linkerd2-cli-stable-2.12.0-rc2-linux-arm64 /usr/local/bin/linkerd

检查系统:

plain 复制代码
linkerd check --pre

在k8s上安装Linkerd控制平面(服务端)

plain 复制代码
linkerd install | kubectl apply -f -

但是实际安装时提示先要安装 CRDs

Linkerd CRDs must be installed first. Run linkerd install with the --crds flag.

plain 复制代码
linkerd install --crds | kubectl apply -f -

完成上面后,开始部署控制平面

plain 复制代码
linkerd install --ignore-cluster > linkerd-install.yaml
sudo kubectl apply -f linkerd-install.yaml  

或者直接

plain 复制代码
linkerd install | sudo kubectl apply -f -

安装过程会在k8s集群上完成一系列设置和部署,以下为安装过程的输出

plain 复制代码
namespace/linkerd created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-identity created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-identity created
serviceaccount/linkerd-identity created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-destination created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-destination created
serviceaccount/linkerd-destination created
secret/linkerd-sp-validator-k8s-tls created
validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-sp-validator-webhook-config created
secret/linkerd-policy-validator-k8s-tls created
validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-policy-validator-webhook-config created
clusterrole.rbac.authorization.k8s.io/linkerd-policy created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-destination-policy created
role.rbac.authorization.k8s.io/linkerd-heartbeat created
rolebinding.rbac.authorization.k8s.io/linkerd-heartbeat created
clusterrole.rbac.authorization.k8s.io/linkerd-heartbeat created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-heartbeat created
serviceaccount/linkerd-heartbeat created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector created
serviceaccount/linkerd-proxy-injector created
secret/linkerd-proxy-injector-k8s-tls created
mutatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-proxy-injector-webhook-config created
configmap/linkerd-config created
secret/linkerd-identity-issuer created
configmap/linkerd-identity-trust-roots created
service/linkerd-identity created
service/linkerd-identity-headless created
deployment.apps/linkerd-identity created
service/linkerd-dst created
service/linkerd-dst-headless created
service/linkerd-sp-validator created
service/linkerd-policy created
service/linkerd-policy-validator created
deployment.apps/linkerd-destination created
cronjob.batch/linkerd-heartbeat created
deployment.apps/linkerd-proxy-injector created
service/linkerd-proxy-injector created
secret/linkerd-config-overrides created

等待直到Pod启动成功(第一次需要下载镜像,时间跟网络环境有关)

检查Linkerd是否部署成功

plain 复制代码
linkerd check

部署成功会返回以下内容

plain 复制代码
Linkerd core checks
===================

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ control plane pods are ready
√ cluster networks contains all node podCIDRs
√ cluster networks contains all pods

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ proxy-init container runs as root user if docker container runtime is used

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-webhooks-and-apisvc-tls
-------------------------------
√ proxy-injector webhook has valid cert
√ proxy-injector cert is valid for at least 60 days
√ sp-validator webhook has valid cert
√ sp-validator cert is valid for at least 60 days
√ policy-validator webhook has valid cert
√ policy-validator cert is valid for at least 60 days

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ can retrieve the control plane version
√ control plane is up-to-date
√ control plane and cli versions match

linkerd-control-plane-proxy
---------------------------
√ control plane proxies are healthy
√ control plane proxies are up-to-date
√ control plane proxies and cli versions match

Status check results are √

实验:数据平面代理注入demo应用

使用官方的Emojivoto 应用来体验Linkerd,这个应用由三个服务(web、emoji、voting)组成,另外vote-bot模拟发起投票。开发者在这个应用中设置了异常,当给某个表情投票时会返回404页面。这是开发者故意设置的,用来在linkerd面板(linkerd viz)中观察这个失败的情况。

新建应用emoji用于实验

plain 复制代码
# http://run.linkerd.io/emojivoto.yml
kubectl apply -f emojivoto.yml
或者
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/emojivoto.yml  | kubectl apply -f -

暴露对外访问的端口

kubectl -n emojivoto port-forward svc/web-svc 8080:80

(注意:此时emoji应用每个pod的container数量都是1)

应用启动正常

将上面示例应用加入到service mesh中,向其添加Linkerd的数据平面代理(data plane proxies)

直接运行下面的命令

plain 复制代码
kubectl get -n emojivoto deploy -o yaml  | linkerd inject -   | kubectl apply -f -
plain 复制代码
# 也可以使用如下脚本注入
kubectl annotate ns emojivoto linkerd.io/inject=enabled
kubectl rollout restart deploy -n emojivoto

上面的命令检索在 emojivoto 命名空间中运行的所有deployments,通过 linkerd inject 运行清单,然后将其重新应用到集群。

linkerd inject 命令向 pod spec 添加注解(annotations),指示 Linkerd 将代理(proxy)作为容器添加("注入")到 pod spec 中。

然后通过管道传输到 kubectl apply,Kubernetes 将执行滚动部署(rolling deploy)并使用数据平面的代理更新每个 pod,所有这些都没有任何停机时间。

添加数据平面代理后,每个pod中容器数量从1个变成2个,比之前多了一个Linkerd的sidecar代理容器。

查看某个Pod其中的sidecar容器如下:

Pod增加了注解:linkerd.io/inject: enabled

This annotation triggers automatic proxy injection when the resources are created or updated.

NOTE: Adding the annotation to existing pods does not automatically mesh them. For existing pods, after adding the annotation you will also need to recreate or update the resource (e.g. by using kubectl rollout restart to perform a rolling update)to trigger proxy injection.

查看数据平面状态:

plain 复制代码
linkerd -n emojivoto check --proxy

安装viz插件(可视化面板)

安装viz插件,Linkerd-Viz插件包含Linkerd的可观察性和可视化组件,可以看到服务调用成功率, 每秒请求数等信息,还能在deployment页面中看到从源到目的的调用路径及情况。安装命令如下

plain 复制代码
linkerd viz install | kubectl apply -f -

直接把pod的端口暴露

plain 复制代码
kubectl -n linkerd-viz port-forward web-7cccdbd9b6-vmrbp  8084:8084

因为emoji应用中设置了调用投票服务会有失败的概率,所以可以看到有应用的SR(success rate)不到100%。

部署grafana

参考:hook-grafana-with-linkerd-viz-dashboard

如果linkerd viz已经部署,先停止

plain 复制代码
sudo linkerd viz uninstall | sudo kubectl delete -f -

使用helm部署grafana

plain 复制代码
helm repo add grafana https://grafana.github.io/helm-charts
helm install grafana -n grafana --create-namespace grafana/grafana \
  -f https://raw.githubusercontent.com/linkerd/linkerd2/main/grafana/values.yaml  -f

为grafana增加AuthorizationPolicy

plain 复制代码
sudo kubectl apply -f authzpolicy-grafana.yaml
yaml 复制代码
# authzpolicy-grafana.yaml
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-viz
  name: grafana
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
  requiredAuthenticationRefs:
    - kind: ServiceAccount
      name: grafana
      namespace: grafana

开启viz,部署时指定了grafana的端口(默认配置情况)

plain 复制代码
linkerd viz install --set grafana.url=grafana.grafana:3000   | kubectl apply -f -

可以从最右边的grafana图标打开grafana面板

其他

plain 复制代码
# viz卸载
linkerd viz uninstall
# 反注入
kubectl get deploy -o yaml -n emojivoto | linkerd uninject - |  kubectl apply -f -
# 卸载linkerd
sudo linkerd  uninstall | sudo kubectl delete -f -
相关推荐
微刻时光5 分钟前
Docker部署Nginx
运维·nginx·docker·容器·经验
@东辰19 分钟前
【golang-技巧】-自定义k8s-operator-by kubebuilder
开发语言·golang·kubernetes
小安运维日记21 分钟前
CKA认证 | Day3 K8s管理应用生命周期(上)
运维·云原生·容器·kubernetes·云计算·k8s
陈小肚28 分钟前
k8s 1.28.2 集群部署 docker registry 接入 MinIO 存储
docker·容器·kubernetes
A陈雷44 分钟前
springboot整合elasticsearch,并使用docker desktop运行elasticsearch镜像容器遇到的问题。
spring boot·elasticsearch·docker
小扳1 小时前
Docker 篇-Docker 详细安装、了解和使用 Docker 核心功能(数据卷、自定义镜像 Dockerfile、网络)
运维·spring boot·后端·mysql·spring cloud·docker·容器
politeboy2 小时前
关于k8s中镜像的服务端口被拒绝的问题
云原生·容器·kubernetes
weixin_438197382 小时前
K8S创建云主机配置docker仓库
linux·云原生·容器·eureka·kubernetes
皮锤打乌龟8 小时前
(干货)Jenkins使用kubernetes插件连接k8s的认证方式
运维·kubernetes·jenkins
南猿北者9 小时前
docker Network(网络)
网络·docker·容器