Using Istio

Deploying and maintaining applications in K8s is undeniably hard for any DevOps team. Services keep getting more convoluted, involving several external services, multiple versions, and several APIs. For these reasons, security, authentication, monitoring, and maintenance become difficult and time-consuming tasks.


Istio is gaining popularity among K8s practitioners and DevOps teams because it simplifies the connectivity between services. With a continuously growing community, it has become a tool you must consider for any production environment.


I have been working with Istio for a year and tested four versions in single and multi-cluster environments with different installation procedures. If you are considering using Istio in your K8s cluster(s), check out my six tips before you become Istio-ed.


1. Understand Istio and Its Components

At the time of writing, 1.7.2 is the latest version. Since 1.5, the control-plane components have been consolidated into a single istiod binary for the sake of simplification. You can expect new versions to be released on a regular basis. This means that Istio is very much "alive", but also that blog posts and answers written for older versions may no longer apply to the one you are installing.


Before you start designing any deployment, you must understand Istio's components and entities. I must insist on this. There are many CRDs you should get familiar with (Gateway, VirtualService, DestinationRule, ServiceEntry, PeerAuthentication, and AuthorizationPolicy, among others). Do not forget to understand its main concepts (Pilot, Citadel, Gateway, Mesh…); note that since 1.5 Pilot and Citadel live inside istiod, even though the old names still appear throughout the documentation.


I must confess I have not had great experiences with Istio's documentation. Actually, I could have saved a lot of time with more up-to-date documentation. I recommend taking a look at Istio discuss when something is not working. Normally, other users notice the same errors, and sharing experiences can be the best solution. Also, GitHub issues can be really helpful.


2. Define Your Installation Scenario

Istio is designed for both single and multi-cluster scenarios. First, you need to decide which one suits your case best. I recommend installing Istio in a development cluster for testing. This may sound naive, but Istio comes with a plethora of configuration parameters and you may need to tweak some of them. istioctl is the CLI client designed to facilitate interaction with the Istio components and, since 1.5, it is also the recommended installer (istioctl install). A web search will turn up several other ways to install Istio (Helm charts, the Istio Operator, raw manifests). Stick to istioctl, because it is the approach used in the documentation, which makes it much easier to follow the docs and to get help. Pin the istioctl binary to the control-plane version you intend to run; istioctl version reports both.

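Rather than passing a pile of --set flags from memory, keep the installation parameters in an IstioOperator manifest under version control and feed it to istioctl install -f. The following is an added example, not code from the original article or from the Istio project; the profile, the resource name, the LoadBalancer service type and the egress policy are assumptions chosen for illustration, while the field names are those of the install.istio.io/v1alpha1 API that istioctl 1.7 consumes.

```yaml
# Added example: an IstioOperator spec for a single-cluster install.
# Apply with:   istioctl install -f istio-control-plane.yaml
# Inspect first: istioctl profile dump default   (shows what the profile sets)
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane        # assumed name
spec:
  # Start from the "default" profile (istiod + ingress gateway). The "demo"
  # profile adds an egress gateway and 100% trace sampling, which is fine
  # for a development cluster but not for production.
  profile: default
  meshConfig:
    # Write Envoy access logs to stdout so that "kubectl logs -c istio-proxy"
    # shows every request while you are debugging.
    accessLogFile: /dev/stdout
    # REGISTRY_ONLY: sidecars may only reach hosts Istio knows about
    # (Services and ServiceEntries). The default, ALLOW_ANY, lets a
    # compromised pod open connections to any external address.
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer       # assumption: a cloud cluster with LB support
    egressGateways:
    - name: istio-egressgateway
      enabled: false               # enable only once you route egress on purpose
```

After the install, istioctl verify-install checks that the deployed resources match the manifest, and the same file is what you hand to istioctl install again (or to istioctl upgrade) when you change a parameter, so the cluster never drifts from what is in git.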

A basic installation of Istio in a single cluster should not be difficult. Things get more cumbersome with multiple clusters. Istio offers two multi-cluster modes, depending on whether the control plane is replicated in each cluster or shared. I will give a succinct explanation of both modes.


2.1. Multicluster with replicated control planes

In this model, Istio is installed in two (or more) completely isolated K8s clusters, each with its own control plane. This means that pod and service CIDRs can overlap. Istio entities have to be manually replicated among clusters, as they do not share a control plane. Services from cluster A are reachable from cluster B because they are declared in B as external services (ServiceEntry resources) whose endpoints point at cluster A's ingress gateway.


This approach has some drawbacks. Maintaining the consistency of services can be a problem: if a service is removed from a cluster, the entries describing it in the other clusters have to be updated, and this has to be done manually. However, this solution can be good enough for simple installations, or when you want to force explicit, manual configuration of certain clusters for security reasons, since every cross-cluster path is an entry somebody had to write.

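To make "declared as external services" concrete, here is an added example (not from the original article, and not the Istio project's own manifest) of the ServiceEntry that cluster B would need so that its workloads can call an httpbin service running in namespace bar of cluster A. It follows the shape of the replicated-control-planes setup in the Istio documentation: the entry resolves to cluster A's ingress gateway on port 15443, the gateway's mTLS passthrough port, and the .global suffix assumes the istiocoredns plugin from that setup is configured. The gateway address, the 240.0.0.x placeholder VIP and the namespace are assumptions.

```yaml
# Added example: applied in cluster B, describes httpbin living in cluster A.
# Every cross-cluster service needs one of these in every calling cluster,
# and nothing reconciles them: remove httpbin from A and this entry keeps
# sending traffic to a dead endpoint until you delete it by hand.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-bar
  namespace: default              # assumed namespace
spec:
  hosts:
  - httpbin.bar.global            # <service>.<namespace>.global naming from the docs
  location: MESH_INTERNAL         # treated as part of the mesh: mTLS and telemetry apply
  ports:
  - name: http1
    number: 8000                  # the port callers in cluster B use
    protocol: http
  resolution: DNS
  addresses:
  - 240.0.0.2                     # placeholder VIP, must be unique per remote service
  endpoints:
  - address: 203.0.113.10         # assumption: cluster A's ingress gateway address
    ports:
      http1: 15443                # SNI passthrough port on the remote gateway
```

Because each of these entries is hand-written, a removed or renamed service in cluster A shows up in cluster B only as connection errors; istioctl analyze will not notice, since from B's point of view the entry is perfectly valid.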

2.2. Multicluster with shared control planes

In this model, the control plane runs on a single cluster (the primary). The other clusters are remotes: their sidecars connect to the primary's control plane, and the primary is given credentials for each remote API server so that it can discover the services running there. All the clusters are considered part of the same mesh. As shown in the documentation, a service deployed on two different clusters gets transparent load balancing across both.


The installation in this mode requires more steps and can be a bit frightening at first. The final outcome looks more like a truly federated set of clusters, and the automatic load balancing of services across clusters can be a powerful solution in many scenarios. However, depending on a single control plane is a risk: if the primary cluster fails, existing sidecars keep running with the last configuration they received, but new pods cannot be configured or obtain certificates and certificate rotation stops, so plan the availability of the primary accordingly.


3. Ingresses vs. Gateways and Virtual Services

K8s requires the installation of an ingress controller such as ingress-nginx to satisfy Ingress resources. Istio can act as that controller too (it honours Ingress resources that carry the istio ingress class), although this is not recommended. Why? Because the Ingress API only describes host and path routing, so you lose most of what Istio offers: header-based matching, traffic splitting between versions, retries, timeouts and per-host TLS settings.


In Istio, ingresses are replaced by the combination of a Gateway and a VirtualService. For example, the following Gateway:


apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"

declares that we expect HTTP traffic on port 80 for the host httpbin.example.com. A Gateway does not open a port by itself: the selector binds it to the pods of the default Istio ingress gateway (istio-ingressgateway in istio-system), so the address that httpbin.example.com must resolve to is the external IP of the Service exposing that gateway.


The Gateway above is useless unless it goes with a corresponding VirtualService, which sets which K8s services are the endpoints. For example, we can route traffic reaching that gateway depending on HTTP headers:


apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway          # bind to the Gateway defined above
  http:
  - match:
    - headers:
        end-user:
          exact: jason       # requests carrying "end-user: jason" ...
    route:
    - destination:
        host: httpbin
        subset: v2           # ... go to subset v2
  - route:                   # everything else goes to v1
    - destination:
        host: httpbin
        subset: v1

Requests carrying the end-user header with the value jason are routed to subset v2 of the httpbin service; everything else goes to v1. Note that subsets are defined in a DestinationRule, not in the VirtualService; without one, the routes above point at subsets that do not exist and requests to them fail. This is a good solution for deploying several versions of the same service simultaneously.

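The VirtualService references subsets v1 and v2, but a subset only exists once a DestinationRule defines it. As an added example (not part of the original article, and not the Istio project's own sample), here is that DestinationRule together with the Service it applies to and one of the two Deployments it selects, so you can see that a subset is nothing more than a set of pod labels; the same app and version labels are the ones Kiali uses to draw its service graph. Image, ports, replica count and the default namespace are assumptions.

```yaml
# Added example: the pieces the httpbin VirtualService above depends on.
# Validate the whole set with:  istioctl analyze -n default
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
  namespace: default
spec:
  host: httpbin                    # the Service below (short name: same namespace)
  subsets:
  - name: v1
    labels:
      version: v1                  # pods carrying version=v1
  - name: v2
    labels:
      version: v2                  # pods carrying version=v2
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: default
spec:
  selector:
    app: httpbin                   # both versions sit behind one Service
  ports:
  - name: http                     # name must start with "http" so Istio
    port: 8000                     # treats the port as HTTP, not raw TCP
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-v2
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v2
  template:
    metadata:
      labels:
        app: httpbin               # app + version: required by the subsets
        version: v2                # above and by Kiali's graph
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin   # assumed image
        ports:
        - containerPort: 80
```

The httpbin-v1 Deployment is identical except for its name and the version label. The namespace must carry the istio-injection=enabled label (or the pod template must opt in), otherwise the pods get no sidecar and none of the routing above applies to traffic that reaches them directly.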

This can be a problem when migrating existing solutions to Istio. Deployments strongly coupled to other ingress controllers (for example through controller-specific annotations) can be really time-consuming to adapt to an Istio scenario. Check the feasibility or complexity of your ingresses, and how dependent they are on other ingress controllers, before moving to Istio.


4. Security

One of the main reasons to install Istio is to apply good security practices across all of your K8s deployments: every sidecar receives a workload identity (a SPIFFE certificate issued by istiod) and can speak mutual TLS with its peers. But, as usually happens, we are adding an extra layer of complexity in order to reduce the complexity of other tasks, and this may result in bigger problems. Be sure you understand which certificates, CAs, and root CAs you need for the security level your application requires. By default istiod signs workload certificates with a self-signed root CA generated at install time, which is fine for a development cluster but which you will want to replace with a key under your own control (the cacerts secret in istio-system) before production. Remember also that mutual TLS is PERMISSIVE by default, so plaintext connections are still accepted until you switch to STRICT. And be sure you manage your Let's Encrypt issuer, or whatever other solution you use, for the certificates served at the edge.

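The following manifests are an added example, not code from the original article or from the Istio project. They show the three places where the certificates discussed above actually appear: TLS termination at the ingress gateway with a certificate obtained through a cert-manager Let's Encrypt issuer, mesh-wide mutual TLS between sidecars, and a default-deny authorization policy so that the mTLS identities are actually used for something. The hostname, the Secret name and the ClusterIssuer name letsencrypt-prod are assumptions, and cert-manager is assumed to be installed.

```yaml
# Added example, part 1: the edge certificate. cert-manager writes a
# kubernetes.io/tls Secret into istio-system, where the ingress gateway runs;
# the Gateway's credentialName below must reference a Secret in that namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpbin-example-com
  namespace: istio-system
spec:
  secretName: httpbin-example-com-tls
  dnsNames:
  - httpbin.example.com
  issuerRef:
    name: letsencrypt-prod          # assumed ClusterIssuer name
    kind: ClusterIssuer
---
# Part 2: the Gateway from section 3, now terminating TLS and redirecting
# plain HTTP instead of serving it.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"
    tls:
      httpsRedirect: true           # 301 to https; no plaintext service
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "httpbin.example.com"
    tls:
      mode: SIMPLE                  # server-side TLS; MUTUAL would require client certs
      credentialName: httpbin-example-com-tls
---
# Part 3: mesh-wide mTLS. The installed default is PERMISSIVE, which still
# accepts plaintext from anything without a sidecar. A PeerAuthentication
# named "default" in the root namespace (istio-system) applies to the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Part 4: deny by default in the namespace (an empty spec matches nothing),
# then explicitly allow the ingress gateway's identity to reach httpbin.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-from-ingress
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals:                 # SPIFFE identity of the default ingress gateway
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
    to:
    - operation:
        methods: ["GET"]
```

Roll STRICT out one namespace at a time (the same PeerAuthentication with the target namespace instead of istio-system) before applying it mesh-wide: any workload without a sidecar, and any external client that reaches pods directly, stops being reachable the moment plaintext is refused. The principals in the allow rule are only trustworthy because the peer authentication enforces mTLS; with PERMISSIVE mode a plaintext caller simply has no identity.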

5. Monitoring

The more complex your interconnected components become, the more you need a single monitoring solution. Fortunately, Istio integrates with Kiali, which lets you monitor your deployments in an easy manner.


[Screenshot of the Kiali service graph. Source: https://istio.io/latest/docs/tasks/observability/kiali/]

Do not hesitate to install Kiali from the very beginning (in 1.7 it ships as an addon manifest under samples/addons in the Istio release). This may save you tons of time when searching for networking issues. Kiali flags potential configuration problems and shows metrics such as the traffic between services. Remember to include the app and version labels in your deployments' pod template metadata, as Kiali uses them to build its service graph.


6. Debugging

This is probably the hardest part. The more complex your services become, the higher the probability of running into misconfigurations or performance issues. Following some good practices can really help you find your problems:


  • Monitor your Istio system.
  • Think about what you need before you deploy it. How many services do you have? Do they require external access? What about the number of replicas?
  • Start with simple deployments and continue evolving them.
  • Do not go into production until you know what you are doing.
  • Use istioctl to observe your system configuration: istioctl analyze reports misconfigurations such as references to resources that do not exist, istioctl proxy-status shows which sidecars have received the latest configuration from istiod, and istioctl proxy-config dumps the listeners, routes, clusters and endpoints a given sidecar actually holds.
  • The community is there to help you.

Summary

If you have reached this point, it means you have a real interest in Istio. In the K8s ecosystem, Istio is one of the most promising projects. However, it still has a steep learning curve that may discourage practitioners from embracing this technology.


I hope you find these tips useful if you are considering installing it. If you are already an Istio user, I would love to hear your experiences.


Thanks for reading!


Translated from: https://medium.com/@juanmanuel.tirado/six-tips-before-you-start-using-istio-fb017ba9af58
