Istio Architecture
https://istio.io/latest/docs/ops/deployment/architecture/
An Istio service mesh is logically split into a data plane and a control plane.
- The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices. They also collect and report telemetry on all mesh traffic.
- The control plane manages and configures the proxies to route traffic.
The following diagram shows the different components that make up each plane:
1. Envoy
Istio uses an extended version of the Envoy proxy. Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh. Envoy proxies are the only Istio components that interact with data plane traffic.
Envoy proxies are deployed as sidecars to services, logically augmenting the services with Envoy’s many built-in features, for example:
- Dynamic service discovery
- Load balancing
- TLS termination
- HTTP/2 and gRPC proxies
- Circuit breakers
- Health checks
- Staged rollouts with %-based traffic split
- Fault injection
- Rich metrics
This sidecar deployment allows Istio to enforce policy decisions and extract rich telemetry which can be sent to monitoring systems to provide information about the behavior of the entire mesh.
The sidecar proxy model also allows you to add Istio capabilities to an existing deployment without requiring you to rearchitect or rewrite code.
Some of the Istio features and tasks enabled by Envoy proxies include:
- Traffic control features: enforce fine-grained traffic control with rich routing rules for HTTP, gRPC, WebSocket, and TCP traffic.
- Network resiliency features: set up retries, failovers, circuit breakers, and fault injection.
- Security and authentication features: enforce security policies and enforce access control and rate limiting defined through the configuration API.
- Pluggable extensions model based on WebAssembly that allows for custom policy enforcement and telemetry generation for mesh traffic.
2. Istiod
Istiod provides service discovery, configuration and certificate management.
Istiod converts high level routing rules that control traffic behavior into Envoy-specific configurations, and propagates them to the sidecars at runtime. Pilot abstracts platform-specific service discovery mechanisms and synthesizes them into a standard format that any sidecar conforming with the Envoy API can consume.
Istio can support discovery for multiple environments such as Kubernetes or VMs.
You can use Istio’s Traffic Management API to instruct Istiod to refine the Envoy configuration to exercise more granular control over the traffic in your service mesh.
Istiod security enables strong service-to-service and end-user authentication with built-in identity and credential management. You can use Istio to upgrade unencrypted traffic in the service mesh. Using Istio, operators can enforce policies based on service identity rather than on relatively unstable layer 3 or layer 4 network identifiers. Additionally, you can use Istio’s authorization feature to control who can access your services.
Istiod acts as a Certificate Authority (CA) and generates certificates to allow secure mTLS communication in the data plane.
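The two ideas above (upgrading plaintext traffic to Istiod-issued mTLS, then authorizing by service identity instead of IP addresses) together look like this in Istio's security API. This is an added example, not configuration from the Istio docs or the original post; the namespace `bookinfo`, the `app: reviews` label and the `productpage` service account are constructed placeholders.

```yaml
# Added example (constructed names). First resource: every sidecar in the
# namespace must present a client certificate issued by the Istiod CA, so
# plaintext connections into these workloads are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: bookinfo
spec:
  mtls:
    mode: STRICT          # PERMISSIVE would still accept plaintext during migration
---
# Second resource: applied by the "reviews" sidecars. The caller is identified
# by the SPIFFE principal carried in its mTLS certificate (cluster.local/ns/<ns>/sa/<sa>),
# not by a source IP or port, which is the layer 3/4 identity the text calls unstable.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-viewer
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/bookinfo/sa/productpage"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/reviews/*"]
```

Once any ALLOW policy selects a workload, requests that match none of its rules are denied, so a caller with a different service account, or one sending a POST, gets a 403 from the reviews sidecar even though it is inside the mesh.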
Tags: control, architecture, getting started, service, Envoy, Istio, traffic, Istiod. From: https://www.cnblogs.com/zuoyang/p/17133772.html