【08】DestinationRule 高级配置功能

6.2 loadbalancer

1. 定义demoapp v1.0和demoapp v1.1版本和subset的dr规则。参考weight中定义；

2. 定义loadbalance在DestinationRule上定义规则

   apiVersion: networking.istio.io/v1beta1
   kind: DestinationRule
   metadata:
     name: demoapp
   spec:
     host: demoapp
     trafficPolicy:
       loadBalancer:
         simple: LEAST_CONN
     subsets:
     - name: v10
       labels:
         version: v1.0
       trafficPolicy:
         loadBalancer:
           consistentHash:
             httpHeaderName: X-User
     - name: v11
       labels:
         version: v1.1
   

3. 测试

   • curl demoapp:8080 到达v10版本，负载均衡策略为LEAST_CONN

     

   • curl -H "X-Use: wanglei" demoapp:8080到达v11版本的负载均衡策略是一致性哈希

     

6.3 connectionPool

1. 定义demoapp v1.0和demoapp v1.1版本和subset的dr规则。参考weight中定义；

2. 定义连接池的相关参数的DestinationRule

   apiVersion: networking.istio.io/v1beta1
   kind: DestinationRule
   metadata:
     name: demoapp
   spec:
     host: demoapp
     trafficPolicy:
       loadBalancer:
         simple: LEAST_CONN
       connectionPool:
         tcp:
           maxConnections: 100
           connectTimeout: 30ms
           tcpKeepalive:
             time: 7200s
             interval: 75s
         http:
           http2MaxRequests: 1000
           maxRequestsPerConnection: 10
     subsets:
     - name: v10
       labels:
         version: v1.0
       trafficPolicy:
         loadBalancer:
           consistentHash:
             httpHeaderName: X-User
     - name: v11
       labels:
         version: v1.1
   

6.4 异常点检测

场景：符合一般意义的熔断模型。健康检查分为主动检查和被动检查。异常点检测是被动的健康检查。

常用的错误标识:

• consecutiveLocalOriginFailures
• consecutiveGatewayErrors: 只包含502，503，504的网关错误；0表示禁用；
• consecutive5xxErrors： 5xx错误连续出现的次数

1. 定义demoapp v1.0和demoapp v1.1版本和subset的dr规则。参考weight中定义；

2. 定义异常值检测的DestinationRule规则

   apiVersion: networking.istio.io/v1beta1
   kind: DestinationRule
   metadata:
     name: demoapp
   spec:
     host: demoapp
     trafficPolicy:
       loadBalancer:
         simple: RANDOM
       connectionPool:
         tcp:
           maxConnections: 100
           connectTimeout: 30ms
           tcpKeepalive:
             time: 7200s
             interval: 75s
         http:
           http2MaxRequests: 1000
           maxRequestsPerConnection: 10
       outlierDetection:                # 异常值检测配置
         maxEjectionPercent: 50         # 可被驱逐的最大比例，默认为10%
         consecutive5xxErrors: 5        # 被驱逐前5**连续错误的和
         interval: 10s                  # 驱逐的时间间隔，默认值为10s
         baseEjectionTime: 1m           # 基准驱逐时长，具体时长取决于退避算法
         minHealthPercent: 10           # 低于该比例时，Outlier Detection将被禁用
     subsets:
     - name: v10
       labels:
         version: v1.0
     - name: v11
       labels:
         version: v1.1
   

3. 定义demoapp访问的路由规则

   apiVersion: networking.istio.io/v1beta1
   kind: VirtualService
   metadata:
     name: demoapp
   spec:
     hosts:
     - demoapp
     http:
     - name: canary
       match:
       - uri:
           prefix: /canary
       rewrite:
         uri: /
       route:
       - destination:
           host: demoapp
           subset: v11
     - name: default
       route:
       - destination:
           host: demoapp
           subset: v10
   

4. 测试

   • 访问demoapp，流量到达v10版本，curl demoapp:8080/livez,

     

   • 查看demoapp的pod

     

   • 给其中一个pod注入故障，使的请求这个pod的时候，返回5**错误

     curl -X POST -d 'livez=FAIL' 172.16.196.169:8080/livez
     

     # curl -vv 172.16.196.169:8080/livez
     *   Trying 172.16.196.169:8080...
     * TCP_NODELAY set
     * Connected to 172.16.196.169 (172.16.196.169) port 8080 (#0)
     > GET /livez HTTP/1.1
     > Host: 172.16.196.169:8080
     > User-Agent: curl/7.68.0
     > Accept: */*
     > 
     * Mark bundle as not supporting multiuse
     < HTTP/1.1 506 Variant Also Negotiates
     < content-type: text/html; charset=utf-8
     < content-length: 4
     < server: istio-envoy
     < date: Thu, 24 Aug 2023 08:02:19 GMT
     < x-envoy-upstream-service-time: 0
     < x-envoy-decorator-operation: demoapp.default.svc.cluster.local:8080/*
     < 
     * Connection #0 to host 172.16.196.169 left intact
     

   • 此时在访问demoapp服务，会出现访问出错5次FAIL，就会把这个pod驱逐出去，然后驱逐10秒后，重新对该pod检测，如果还是连续5次error，再驱逐，这次驱逐时长就会很长。和我们定义的异常点检测相吻合。
     
     而且在sidercar上查看该endpoint已经是unhealth状态。