# Kubernetes Service Mesh and Network Policy Configuration: Building a Secure and Controllable Microservice Network

## 1. Service Mesh Overview

A service mesh is an infrastructure layer that manages communication between microservices, providing service discovery, load balancing, traffic control, security (authentication and encryption) and observability.

### 1.1 Service Mesh Architecture

```text
┌─────────────────────────────────────────────────────────────────┐
│                          Control plane                          │
│  ┌──────────┐  ┌─────────────┐  ┌──────────────┐  ┌──────────┐  │
│  │  Pilot   │  │   Citadel   │  │    Galley    │  │  Mixer   │  │
│  └────┬─────┘  └──────┬──────┘  └──────┬───────┘  └────┬─────┘  │
└───────┼───────────────┼───────────────┼────────────────┼────────┘
        │               │               │                │
        └───────────────┼───────────────┼────────────────┘
                        ▼               ▼
┌─────────────────────────────────────────────────────────────────┐
│                           Data plane                            │
│  ┌──────────┐       ┌──────────┐       ┌──────────┐             │
│  │  Envoy   │───────│  Envoy   │───────│  Envoy   │             │
│  │ Sidecar  │       │ Sidecar  │       │ Sidecar  │             │
│  └────┬─────┘       └────┬─────┘       └────┬─────┘             │
│       │                  │                  │                   │
│  ┌────▼─────┐       ┌────▼─────┐       ┌────▼─────┐             │
│  │ Service  │       │ Service  │       │ Service  │             │
│  │    A     │       │    B     │       │    C     │             │
│  └──────────┘       └──────────┘       └──────────┘             │
└─────────────────────────────────────────────────────────────────┘
```

### 1.2 Service Mesh Features

| Feature | Description |
|---------|-------------|
| Service discovery | Automatically discovers services within the cluster |
| Load balancing | Intelligent traffic distribution |
| Traffic control | Rate limiting, circuit breaking, retries |
| Security | mTLS-encrypted communication and identity authentication |
| Observability | Monitoring, tracing, logging |

## 2. Installing and Configuring Istio

### 2.1 Installing Istio

```bash
# Install Istio with the demo profile, then enable automatic sidecar injection
# for the default namespace
istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled
```

### 2.2 Istio Gateway Configuration

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - example.com
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: example-cert   # Kubernetes TLS secret holding the server certificate
      hosts:
        - example.com
```

### 2.3 Istio VirtualService Configuration

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
    - example.com
  gateways:
    - my-gateway
  http:
    - match:
        - uri:
            prefix: /api
      route:
        - destination:
            host: api-service
            port:
              number: 8080
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: frontend-service
            port:
              number: 80
```

## 3. Traffic Management Configuration

### 3.1 Canary Release

The VirtualService splits traffic by weight between two subsets; the DestinationRule defines those subsets by pod label.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: canary-release
spec:
  hosts:
    - my-app
  http:
    - route:
        - destination:
            host: my-app
            subset: stable
          weight: 90
        - destination:
            host: my-app
            subset: canary
          weight: 10
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-app-destination
spec:
  host: my-app
  subsets:
    - name: stable
      labels:
        version: v1
    - name: canary
      labels:
        version: v2
```

### 3.2 Routing Rules

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: routing-rules
spec:
  hosts:
    - my-service
  http:
    - match:
        - headers:
            user-agent:
              regex: .*Mobile.*
      route:
        - destination:
            host: my-service-mobile
    - match:
        - headers:
            user-agent:
              regex: .*Desktop.*
      route:
        - destination:
            host: my-service-desktop
```

### 3.3 Retry and Timeout Configuration

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: retry-config
spec:
  hosts:
    - my-service
  http:
    - route:
        - destination:
            host: my-service
      retries:
        attempts: 3
        perTryTimeout: 2s
        retryOn: 5xx,connect-failure,refused-stream
      timeout: 10s   # overall deadline for the request, across all retries
```

## 4. Network Policy Configuration

### 4.1 Basic Network Policy

The empty `podSelector` selects every pod in the namespace, and because no `ingress` or `egress` rules are listed, all ingress and egress traffic to those pods is denied. The policies that follow then add back only the traffic that is explicitly allowed.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

### 4.2 Allowing Specific Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

### 4.3 Restricting External Access

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-external
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: default
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432
```

Note that `namespaceSelector` and `podSelector` appear here as two separate items in the `from` list, so they are ORed: any pod in a namespace labelled `name: default` is admitted, and so is any `app: api` pod in the policy's own namespace. To require both conditions at once (only `app: api` pods in that namespace), place both selectors in a single list item.

## 5. mTLS Configuration

### 5.1 Enabling mTLS

With `STRICT` mode, sidecars in the `default` namespace accept only mutually authenticated TLS connections; plaintext traffic is rejected.

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
```

### 5.2 DestinationRule Configuration

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-service
spec:
  host: my-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

## 6. Service Mesh Best Practices

### 6.1 Monitoring Configuration

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-monitor
spec:
  selector:
    matchLabels:
      istio: pilot
  endpoints:
    - port: http-monitoring
```

### 6.2 Distributed Tracing

```yaml
apiVersion: jaegertracing.io/v1
kind: Jaeger
metadata:
  name: jaeger
spec:
  strategy: allInOne
  ingress:
    enabled: true
```

## 7. Summary

A service mesh provides:

- Traffic control: flexible routing and load-balancing policies
- Secure communication: mTLS encryption and identity authentication
- Observability: comprehensive monitoring and tracing
- Fault recovery: automatic retries and circuit breaking

Introducing a service mesh into a microservice architecture is recommended to improve the reliability and maintainability of the system.

## References

- Istio documentation
- Kubernetes Network Policy documentation
- Envoy documentation
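As an added worked example for the network policies in section 4 (not code from the original article), the following Python evaluator applies Kubernetes NetworkPolicy ingress semantics to the three policies above, transcribed as dicts, so you can check what `deny-all`, `allow-frontend-to-backend` and `restrict-external` actually admit before deploying them. The pods and namespace labels are constructed fixtures, and the evaluator assumes each namespace carries a manually applied `name=<namespace>` label, as policy 4.3 requires.

```python
# Added example (not from the original article): a minimal evaluator of Kubernetes
# NetworkPolicy ingress semantics, run over the three policies of sections 4.1-4.3
# transcribed as Python dicts. Pods and namespace labels are constructed fixtures.

def _matches(selector, labels):
    # matchLabels semantics; an empty selector ({}) selects everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_allows(peer, src, policy_ns):
    # One entry of a 'from' list: selectors in the SAME entry are ANDed (entries are ORed)
    if "namespaceSelector" in peer and not _matches(peer["namespaceSelector"], src["ns_labels"]):
        return False
    if "podSelector" in peer:
        # a podSelector with no namespaceSelector only covers the policy's own namespace
        if "namespaceSelector" not in peer and src["namespace"] != policy_ns:
            return False
        return _matches(peer["podSelector"], src["labels"])
    return True

def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    # Unselected pods are open; once selected, only traffic some rule admits gets through
    selecting = [p for p in policies if p.get("namespace", "default") == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers_ok = not rule.get("from") or any(
                _peer_allows(peer, src, p.get("namespace", "default")) for peer in rule["from"])
            ports_ok = not rule.get("ports") or any(
                pt["port"] == port and pt.get("protocol", "TCP") == protocol for pt in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False

def pod(name, namespace, labels):
    # constructed fixture; assumes a manually applied namespace label name=<namespace>
    return {"name": name, "namespace": namespace, "labels": labels, "ns_labels": {"name": namespace}}

POLICIES = [  # 4.1 deny-all, 4.2 allow-frontend-to-backend, 4.3 restrict-external (all in "default")
    {"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    {"spec": {"podSelector": {"matchLabels": {"app": "database"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "default"}}},
                                    {"podSelector": {"matchLabels": {"app": "api"}}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
]
```

Running `ingress_allowed(POLICIES, pod("frontend", "default", {"app": "frontend"}), pod("database", "default", {"app": "database"}), 5432)` returns `True`, which makes the OR semantics of the two `from` entries in 4.3 visible: the frontend pod is admitted to the database because it lives in the `default` namespace, not because it is an `app: api` pod.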