Istio
Service mesh platform. Comprehensive microservice management including API Gateway functionality. Integrates traffic management, security, and observability.
Overview
Istio is an open-source service mesh platform that manages, controls, and secures communication between microservices. As a comprehensive microservice management solution that includes API Gateway functionality, it provides traffic management, security, and observability in an integrated way.
Led by Google and developed in collaboration with IBM and Lyft, Istio uses Envoy Proxy as its data plane and has become the de facto standard in Kubernetes environments. It moved from a CNCF Incubating Project to a Graduated Project in 2022, and adoption in enterprise environments is accelerating.
Key characteristics
- Service mesh architecture: non-invasive traffic control through sidecar proxies
- Automatic mTLS: automatic encryption and identity management between services
- Integrated observability: metrics, logs, and distributed tracing in one place
- Advanced traffic management: canary deployments, A/B testing, fault injection
- Zero-trust security: fine-grained authentication and authorization controls
Main features
Traffic management
- Intelligent routing: advanced request routing and load balancing
- Traffic splitting: support for canary deployments and A/B testing
- Fault injection: failure testing and chaos engineering
- Timeouts and retries: automatic resilience features
- Circuit breakers: prevention of cascading failures
Security
- mTLS automation: mutual TLS authentication between services
- Authentication and authorization: JWT validation, RBAC, external authorization provider integration
- Security policies: fine-grained access control
- Certificate management: automatic certificate rotation and lifecycle management
Observability
- Metrics collection: detailed metrics through Prometheus integration
- Distributed tracing: end-to-end tracing through Jaeger and Zipkin integration
- Access logs: comprehensive request logging and access auditing
Installation and setup
Basic installation with istioctl
Installing the Istio CLI
# Download the latest Istio release
curl -L https://istio.io/downloadIstio | sh -
# Add istioctl to PATH
export PATH=$PWD/istio-1.24.0/bin:$PATH
# Verify the installation
istioctl version
# Pre-installation checks
istioctl x precheck
Installing Istio
# Install with the demo profile (for development and testing)
istioctl install --set profile=demo
# Production install: default profile with mesh-wide settings
# (enableAutoMtls and defaultConfig are meshConfig keys, not values.global keys)
istioctl install --set profile=default \
  --set values.pilot.traceSampling=1.0 \
  --set meshConfig.enableAutoMtls=true \
  --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE="true"
# Install from a custom IstioOperator spec
istioctl install -f - <<EOF
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
spec:
  meshConfig:
    enableAutoMtls: true
    trustDomain: cluster.local
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 1
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 200m
            memory: 256Mi
          limits:
            cpu: 500m
            memory: 512Mi
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            type: LoadBalancer
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 2000m
              memory: 1024Mi
EOF
Installation with Helm
# Add the Istio Helm repository
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
# Install the Istio base chart (CRDs and cluster roles)
helm install istio-base istio/base -n istio-system --create-namespace
# Install istiod
helm install istiod istio/istiod -n istio-system --wait
# Install the ingress gateway
helm install istio-ingressgateway istio/gateway -n istio-system
Ambient Mesh installation (new architecture)
# Install with the ambient profile
istioctl install --set profile=ambient
# Check the ztunnel DaemonSet
kubectl get daemonset/ztunnel -n istio-system
# Check the CNI plugin
kubectl get daemonset/istio-cni-node -n istio-system
Configuring automatic sidecar injection
# Enable automatic injection for a namespace
kubectl label namespace default istio-injection=enabled
# Enable injection for additional namespaces (for example, production)
kubectl label namespace production istio-injection=enabled
# Check injection status per namespace
kubectl get namespace -L istio-injection
Basic usage
Configuring Gateway and VirtualService
HTTP Gateway configuration
# http-gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "bookinfo.example.com"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # The Secret must live in the gateway pod's namespace (istio-system), not in default
        credentialName: bookinfo-secret
      hosts:
        - "bookinfo.example.com"
Routing with VirtualService
# virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
  namespace: default
spec:
  hosts:
    - "bookinfo.example.com"
  gateways:
    - bookinfo-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1/
      rewrite:
        uri: /
      route:
        - destination:
            host: productpage
            port:
              number: 9080
          weight: 90
        - destination:
            host: productpage-v2
            port:
              number: 9080
          weight: 10
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 2s
    - match:
        - uri:
            prefix: /static/
      route:
        - destination:
            host: productpage
            port:
              number: 9080
      headers:
        response:
          add:
            cache-control: "public, max-age=3600"
Load balancing with DestinationRule
# destinationrule.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
  namespace: default
spec:
  host: productpage
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 100
        maxRequestsPerConnection: 2
        maxRetries: 3
    # Ejection settings belong only here, not under connectionPool
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
Using the Kubernetes Gateway API
# kubernetes-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: default
spec:
  gatewayClassName: istio
  listeners:
    - name: http
      hostname: "bookinfo.example.com"
      port: 80
      protocol: HTTP
    - name: https
      hostname: "bookinfo.example.com"
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        # Resolved in the Gateway's own namespace (default) unless a ReferenceGrant allows another
        certificateRefs:
          - name: bookinfo-secret
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookinfo-route
  namespace: default
spec:
  parentRefs:
    - name: bookinfo-gateway
  hostnames:
    - "bookinfo.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1/
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /
      backendRefs:
        - name: productpage
          port: 9080
          weight: 90
        - name: productpage-v2
          port: 9080
          weight: 10
Configuration examples
Canary deployment
# canary-deployment.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-canary
  namespace: default
spec:
  hosts:
    - reviews
  http:
    # Header-based routing (beta users); the header is client-supplied, so this steers
    # traffic but does not restrict who can reach v3
    - match:
        - headers:
            x-user-type:
              exact: beta
      route:
        - destination:
            host: reviews
            subset: v3
    # Route 10% of the remaining users to v3
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: reviews
            subset: v2
          weight: 90
        - destination:
            host: reviews
            subset: v3
          weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  subsets:
    - name: v2
      labels:
        version: v2
    - name: v3
      labels:
        version: v3
A/B testing configuration
# ab-testing.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ab-testing
  namespace: default
spec:
  hosts:
    - productpage
  http:
    - match:
        - headers:
            experiment:
              exact: "new-ui"
      route:
        - destination:
            host: productpage
            subset: v2
      # Inject a 5s delay into 0.1% of the experiment traffic
      fault:
        delay:
          percentage:
            value: 0.1
          fixedDelay: 5s
    - route:
        - destination:
            host: productpage
            subset: v1
External service integration
# external-service.yaml
# Register the external host; port 80 is what the application calls, port 443 is what
# the sidecar connects to after originating TLS
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-payment-api
  namespace: default
spec:
  hosts:
    - payment.external.com
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
# HTTP rules only apply to plaintext ports, so match port 80 and send the request to 443
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-payment
  namespace: default
spec:
  hosts:
    - payment.external.com
  http:
    - match:
        - port: 80
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
      route:
        - destination:
            host: payment.external.com
            port:
              number: 443
---
# TLS origination on port 443 (applying SIMPLE to an already-TLS port would wrap TLS in TLS)
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-payment
  namespace: default
spec:
  host: payment.external.com
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE
          sni: payment.external.com
Authentication and security
Implementing JWT authentication
RequestAuthentication configuration
# jwt-auth.yaml
# A RequestAuthentication rejects invalid tokens but still admits requests that carry no token;
# the AuthorizationPolicy in the next section is what actually requires one
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
    - issuer: "https://auth.example.com"
      jwksUri: "https://auth.example.com/.well-known/jwks.json"
      audiences:
        - "api.example.com"
      forwardOriginalToken: true
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
      # Tokens passed as query parameters end up in access logs and proxy caches; prefer the header
      fromParams:
        - "token"
      outputClaimToHeaders:
        - header: "x-user-id"
          claim: "sub"
        - header: "x-user-email"
          claim: "email"
Applying an AuthorizationPolicy
# authorization-policy.yaml
# Once an ALLOW policy selects a workload, every request that matches none of its rules is denied
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-authz
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
    # Administrator role: full access (requestPrincipals are "<issuer>/<subject>")
    - from:
        - source:
            requestPrincipals: ["https://auth.example.com/admin"]
      to:
        - operation:
            methods: ["GET", "POST", "PUT", "DELETE"]
    # Regular users: read-only access
    - from:
        - source:
            requestPrincipals: ["https://auth.example.com/user"]
      to:
        - operation:
            methods: ["GET"]
      # A request header can be set by the caller; rely on it only if a trusted hop sets or strips it
      when:
        - key: request.headers[x-user-verified]
          values: ["true"]
    # Public API (no "from" clause, so unauthenticated callers match as well)
    - to:
        - operation:
            methods: ["GET"]
            paths: ["/health", "/version"]
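The policy above can be checked offline. The following is an added example (not Istio's code) that models the ALLOW semantics described here against the productpage-authz rules written as a Python dict; the request shape (request_principal, method, path, headers) is an assumption of this example.

```python
"""Evaluate the productpage-authz ALLOW rules from this page against sample requests.

Added example, not Istio's code. It models the documented ALLOW semantics: once an ALLOW
policy selects a workload, a request is admitted only if at least one rule matches, and a
rule matches only when all of its from, to and when clauses match. The request dict shape
(request_principal, method, path, headers) is an assumption of this example.
"""
from fnmatch import fnmatchcase

# productpage-authz from this page, constructed as a dict (the shape kubectl -o json returns)
PRODUCTPAGE_AUTHZ = {"rules": [
    {  # administrators: full access
        "from": [{"source": {"requestPrincipals": ["https://auth.example.com/admin"]}}],
        "to": [{"operation": {"methods": ["GET", "POST", "PUT", "DELETE"]}}]},
    {  # regular users: read-only, and only with the verified header
        "from": [{"source": {"requestPrincipals": ["https://auth.example.com/user"]}}],
        "to": [{"operation": {"methods": ["GET"]}}],
        "when": [{"key": "request.headers[x-user-verified]", "values": ["true"]}]},
    {  # public endpoints: no "from", so unauthenticated callers match as well
        "to": [{"operation": {"methods": ["GET"], "paths": ["/health", "/version"]}}]},
]}


def _match_list(value, patterns):
    """Istio list matching: an empty list means "any"; "*" wildcards are allowed."""
    if not patterns:
        return True
    return value is not None and any(fnmatchcase(value, p) for p in patterns)


def _condition_value(request, key):
    """Resolve a "when" key against the request (only the header form used on this page)."""
    prefix = "request.headers["
    if key.startswith(prefix) and key.endswith("]"):
        return request.get("headers", {}).get(key[len(prefix):-1].lower())
    return None


def rule_matches(rule, request):
    """A rule matches only when its from, to and when clauses all match."""
    from_ok = any(
        _match_list(request.get("request_principal"), f["source"].get("requestPrincipals", []))
        for f in rule.get("from", [{"source": {}}]))
    to_ok = any(
        _match_list(request["method"], t["operation"].get("methods", []))
        and _match_list(request["path"], t["operation"].get("paths", []))
        for t in rule.get("to", [{"operation": {}}]))
    when_ok = all(
        _condition_value(request, c["key"]) in c.get("values", []) for c in rule.get("when", []))
    return from_ok and to_ok and when_ok


def is_allowed(policy, request):
    """ALLOW policy: admitted only when some rule matches; everything else is denied."""
    return any(rule_matches(rule, request) for rule in policy["rules"])


def make_request(method, path, principal=None, **headers):
    """Build a constructed request; header names are normalised to lower case with dashes."""
    return {"method": method, "path": path, "request_principal": principal,
            "headers": {k.replace("_", "-").lower(): v for k, v in headers.items()}}
```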
mTLS configuration
PeerAuthentication configuration
# peer-authentication.yaml
# Mesh-wide policy (root namespace istio-system): only mTLS traffic is accepted
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Disable mTLS for a specific service (a workload-specific policy takes precedence over the mesh-wide one)
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: legacy-service
  namespace: default
spec:
  selector:
    matchLabels:
      app: legacy-service
  mtls:
    mode: DISABLE
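Which mode actually applies to a given workload follows from the policy precedence just described. The following is an added example (not Istio's code) that resolves the effective mode from the two PeerAuthentication objects above plus a constructed namespace-wide PERMISSIVE policy and a constructed portLevelMtls entry, and lists the workloads that still accept plaintext.

```python
"""Resolve the effective PeerAuthentication mTLS mode for a workload.

Added example, not Istio's code. It follows the precedence Istio documents for the policies
on this page: a workload-specific policy (selector) beats a namespace-wide one (no selector,
same namespace), which beats the mesh-wide one in the root namespace istio-system;
portLevelMtls overrides the workload policy for one port, and UNSET inherits from the parent.
The namespace-wide PERMISSIVE policy and the port-level entry are constructed additions.
"""

ROOT_NAMESPACE = "istio-system"

# PeerAuthentication objects in the shape kubectl -o json returns
PEER_AUTHENTICATIONS = [
    {"metadata": {"name": "default", "namespace": "istio-system"},          # from this page
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "default"},               # constructed
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "legacy-service", "namespace": "default"},        # from this page
     "spec": {"selector": {"matchLabels": {"app": "legacy-service"}},
              "mtls": {"mode": "DISABLE"},
              "portLevelMtls": {"8443": {"mode": "STRICT"}}}},              # port entry constructed
]


def _selector_matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _mode(spec):
    return (spec or {}).get("mtls", {}).get("mode", "UNSET")


def effective_mtls_mode(policies, namespace, labels, port=None):
    """Mode in force for a workload (and optionally for one of its ports)."""
    mesh = ns_wide = workload = None
    for policy in policies:
        spec, meta = policy["spec"], policy["metadata"]
        if "selector" in spec:
            if meta["namespace"] == namespace and _selector_matches(spec["selector"], labels):
                workload = spec          # assumes at most one selector policy matches
        elif meta["namespace"] == ROOT_NAMESPACE:
            mesh = spec
        elif meta["namespace"] == namespace:
            ns_wide = spec
    layers = []
    if workload is not None and port is not None:
        layers.append(workload.get("portLevelMtls", {}).get(str(port), {}).get("mode", "UNSET"))
    layers += [_mode(workload), _mode(ns_wide), _mode(mesh)]
    for mode in layers:                  # most specific first; UNSET falls through to the parent
        if mode != "UNSET":
            return mode
    return "PERMISSIVE"                  # Istio's default when no policy sets a mode


def non_strict_workloads(policies, workloads):
    """Inventory check: workloads that still accept plaintext (any mode other than STRICT)."""
    return sorted(name for name, (namespace, labels) in workloads.items()
                  if effective_mtls_mode(policies, namespace, labels) != "STRICT")


# Constructed workload inventory: name -> (namespace, labels)
WORKLOADS = {
    "productpage": ("default", {"app": "productpage"}),
    "legacy-service": ("default", {"app": "legacy-service"}),
    "reviews": ("production", {"app": "reviews"}),
}
```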
TLS settings in a DestinationRule
# tls-destination-rule.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: secure-service
  namespace: default
spec:
  host: secure-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # Istio-issued certificates for in-mesh traffic
    portLevelSettings:
      - port:
          number: 443
        tls:
          # A client certificate and key from files means MUTUAL; SIMPLE ignores them.
          # The files must be mounted into the istio-proxy container (sidecar.istio.io/userVolume annotations)
          mode: MUTUAL
          caCertificates: /etc/ssl/certs/ca-cert.pem
          privateKey: /etc/ssl/private/client-key.pem
          clientCertificate: /etc/ssl/certs/client-cert.pem
External authorization provider integration
# external-authz.yaml
# CUSTOM action: the decision is delegated to the named provider for matching requests
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: external-authz
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: CUSTOM
  provider:
    name: "external-authz"
  rules:
    - to:
        - operation:
            methods: ["GET", "POST"]
      # source.ip is the immediate peer; behind a gateway use remote.ip (with numTrustedProxies) for the original client
      when:
        - key: source.ip
          notValues: ["192.168.1.0/24"]
---
# The provider is declared in the mesh config, i.e. the ConfigMap named "istio" in istio-system
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    extensionProviders:
      - name: "external-authz"
        envoyExtAuthzHttp:
          service: "authz-service.auth-system.svc.cluster.local"
          port: 9000
          timeout: 0.5s
          includeRequestHeadersInCheck: ["authorization", "x-auth-token"]
          headersToUpstreamOnAllow: ["x-auth-result"]
          headersToDownstreamOnDeny: ["content-type"]
Rate limiting and traffic management
Envoy local rate limiting
# local-rate-limit.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: local-rate-limit
  namespace: default
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: local_rate_limiter
              # 100 requests per minute per proxy instance (the bucket is local to each sidecar)
              token_bucket:
                max_tokens: 100
                tokens_per_fill: 100
                fill_interval: 60s
              filter_enabled:
                runtime_key: local_rate_limit_enabled
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              filter_enforced:
                runtime_key: local_rate_limit_enforced
                default_value:
                  numerator: 100
                  denominator: HUNDRED
Global rate limiting (Redis-backed rate limit service)
# global-rate-limit.yaml
# Configuration for the envoyproxy/ratelimit service (its Deployment, assumed in istio-system, is not shown)
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
  namespace: istio-system
data:
  config.yaml: |
    domain: productpage-ratelimit
    descriptors:
      # All requests carrying an API key share one 100/min budget (the value is a literal, not per key)
      - key: header_match
        value: "api_key"
        rate_limit:
          unit: minute
          requests_per_unit: 100
      # Per client address: 50/min
      - key: remote_address
        rate_limit:
          unit: minute
          requests_per_unit: 50
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: global-rate-limit
  namespace: default
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    # 1. The rate limit HTTP filter, pointing at the rate limit service cluster
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            domain: productpage-ratelimit
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate-limit-service
              transport_api_version: V3
    # 2. The cluster for the rate limit service (service name assumed: ratelimit in istio-system)
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.istio-system.svc.cluster.local
      patch:
        operation: ADD
        value:
          name: rate-limit-service
          type: STRICT_DNS
          connect_timeout: 10s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate-limit-service
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: ratelimit.istio-system.svc.cluster.local
                          port_value: 8081
    # 3. Descriptor actions are route configuration, not filter configuration
    - applyTo: VIRTUAL_HOST
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|9080"
      patch:
        operation: MERGE
        value:
          rate_limits:
            - actions:
                - header_value_match:
                    descriptor_value: "api_key"
                    headers:
                      - name: x-api-key   # header name assumed; the page does not name it
                        present_match: true
            - actions:
                - remote_address: {}
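How the descriptors from the filter above are matched against the ratelimit-config can be modelled offline. The following is an added example (not Istio's or the envoyproxy/ratelimit service's code); it assumes the x-api-key header name used above and replaces Redis with an in-memory counter, and shows that the header_match budget is shared by every keyed caller.

```python
"""Model of how the descriptors produced by the global-rate-limit EnvoyFilter are checked
against the ratelimit-config above.

Added example, not Istio's or the envoyproxy/ratelimit service's code. It assumes the
EnvoyFilter emits two descriptors per request: ("header_match", "api_key") when an
x-api-key header is present (assumed header name), and ("remote_address", client ip).
Counting uses fixed windows per unit, as the ratelimit service does; Redis is replaced by
an in-memory dict.
"""
from collections import defaultdict

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# config.yaml from the ratelimit-config ConfigMap on this page, as a dict
RATELIMIT_CONFIG = {
    "domain": "productpage-ratelimit",
    "descriptors": [
        {"key": "header_match", "value": "api_key",
         "rate_limit": {"unit": "minute", "requests_per_unit": 100}},
        {"key": "remote_address",
         "rate_limit": {"unit": "minute", "requests_per_unit": 50}},
    ],
}


def envoy_descriptors(request):
    """Descriptors the VIRTUAL_HOST rate_limits actions generate for one request."""
    descriptors = []
    if "x-api-key" in request["headers"]:                              # header_value_match action
        descriptors.append((("header_match", "api_key"),))
    descriptors.append((("remote_address", request["client_ip"]),))   # remote_address action
    return descriptors


class RateLimitService:
    def __init__(self, config):
        self.config = config
        self.counters = defaultdict(int)            # (descriptor, window) -> hits

    def _find_limit(self, descriptor):
        """Walk the (possibly nested) descriptor config; an entry without "value" matches any value."""
        level, limit = self.config["descriptors"], None
        for key, value in descriptor:
            entry = next((d for d in level if d["key"] == key and d.get("value", value) == value), None)
            if entry is None:
                return None
            limit = entry.get("rate_limit", limit)
            level = entry.get("descriptors", [])
        return limit

    def should_rate_limit(self, request, now):
        """'OK' or 'OVER_LIMIT'; the request is over limit if any of its descriptors is."""
        over = False
        for descriptor in envoy_descriptors(request):
            limit = self._find_limit(descriptor)
            if limit is None:                                # no matching entry: unlimited
                continue
            window = int(now // UNIT_SECONDS[limit["unit"]])
            self.counters[(descriptor, window)] += 1
            if self.counters[(descriptor, window)] > limit["requests_per_unit"]:
                over = True
        return "OVER_LIMIT" if over else "OK"


def simulate(requests, start=0.0, spacing=0.1):
    """Feed constructed requests through a fresh service; return one verdict per request."""
    service = RateLimitService(RATELIMIT_CONFIG)
    return [service.should_rate_limit(r, start + i * spacing) for i, r in enumerate(requests)]
```

To limit per API key value instead, the Envoy action would be request_headers with a descriptor_key and the config entry would omit "value"; _find_limit already handles that shape.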
Fault injection
# fault-injection.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fault-injection
  namespace: default
spec:
  hosts:
    - reviews
  http:
    # Only requests carrying x-chaos-test: true are subject to faults
    - match:
        - headers:
            x-chaos-test:
              exact: "true"
      fault:
        delay:
          percentage:
            value: 50.0
          fixedDelay: 5s
        abort:
          percentage:
            value: 10.0
          httpStatus: 503
      route:
        - destination:
            host: reviews
            subset: v1
    - route:
        - destination:
            host: reviews
            subset: v1
Circuit breaker configuration
# circuit-breaker.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: circuit-breaker
  namespace: default
spec:
  host: httpbin
  trafficPolicy:
    # Requests beyond these limits are rejected with 503 and response flag UO (upstream overflow)
    connectionPool:
      tcp:
        maxConnections: 1
      http:
        http1MaxPendingRequests: 1
        maxRequestsPerConnection: 1
    outlierDetection:
      consecutive5xxErrors: 3
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
      minHealthPercent: 50
Monitoring and logging
Prometheus and Grafana integration
Prometheus configuration
# prometheus.yaml
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
spec:
  ports:
    - name: http-prometheus
      port: 9090
      protocol: TCP
  selector:
    app: prometheus
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
    spec:
      # Kubernetes service discovery needs a ServiceAccount with RBAC to list pods and endpoints (not shown)
      containers:
        - name: prometheus
          image: prom/prometheus:latest
          ports:
            - containerPort: 9090
          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
          args:
            - '--config.file=/etc/prometheus/prometheus.yml'
            - '--storage.tsdb.path=/prometheus'
            - '--web.console.libraries=/etc/prometheus/console_libraries'
            - '--web.console.templates=/etc/prometheus/consoles'
            - '--storage.tsdb.retention.time=200h'
            # Exposes unauthenticated /-/reload and /-/quit; keep port 9090 off any public path
            - '--web.enable-lifecycle'
      volumes:
        - name: config-volume
          configMap:
            name: prometheus-config
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: istio-system
data:
  prometheus.yml: |
    global:
      scrape_interval: 15s
    scrape_configs:
      # Envoy sidecar and gateway stats: the injected istio-proxy container exposes
      # port 15090 (named http-envoy-prom) with metrics at /stats/prometheus
      - job_name: 'envoy-stats'
        metrics_path: /stats/prometheus
        kubernetes_sd_configs:
          - role: pod
            namespaces:
              names:
                - istio-system
                - default
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_container_port_name]
            action: keep
            regex: '.*-envoy-prom'
      # istiod control-plane metrics
      - job_name: 'pilot'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istiod;http-monitoring
Jaeger distributed tracing
# jaeger.yaml
apiVersion: v1
kind: Service
metadata:
  name: jaeger-query
  namespace: istio-system
  labels:
    app: jaeger
spec:
  ports:
    - name: query-http
      port: 16686
      protocol: TCP
      targetPort: 16686
  selector:
    app: jaeger
---
# Collector endpoint the proxies send spans to (Zipkin-compatible port 9411, gRPC port 14250)
apiVersion: v1
kind: Service
metadata:
  name: jaeger-collector
  namespace: istio-system
  labels:
    app: jaeger
spec:
  ports:
    - name: http-zipkin
      port: 9411
      protocol: TCP
      targetPort: 9411
    - name: grpc-collector
      port: 14250
      protocol: TCP
      targetPort: 14250
  selector:
    app: jaeger
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jaeger
  namespace: istio-system
  labels:
    app: jaeger
spec:
  selector:
    matchLabels:
      app: jaeger
  template:
    metadata:
      labels:
        app: jaeger
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
        - name: jaeger
          image: jaegertracing/all-in-one:latest
          env:
            - name: COLLECTOR_ZIPKIN_HOST_PORT
              value: ":9411"
          ports:
            - containerPort: 9411
            - containerPort: 16686
            - containerPort: 14250
            - containerPort: 14267
            - containerPort: 14268
            - containerPort: 5775
              protocol: UDP
            - containerPort: 6831
              protocol: UDP
            - containerPort: 6832
              protocol: UDP
Telemetry v2 configuration
# telemetry.yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: default
  namespace: istio-system   # root namespace: applies mesh-wide
spec:
  metrics:
    - providers:
        - name: prometheus
      # providers and overrides belong to the same list item
      overrides:
        # metric names are the Telemetry API enum values (REQUEST_COUNT is istio_requests_total)
        - match:
            metric: REQUEST_COUNT
          tagOverrides:
            request_protocol:
              value: "'grpc'"   # the value is a CEL expression, hence the inner quotes
      # Histogram buckets are not a Telemetry field; set them with the
      # sidecar.istio.io/statsHistogramBuckets pod annotation instead
  accessLogging:
    - providers:
        - name: otel
  tracing:
    - providers:
        - name: jaeger
      randomSamplingPercentage: 1.0
Access log configuration
# access-log.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    defaultConfig:
      proxyStatsMatcher:
        inclusionRegexps:
          - ".*outlier_detection.*"
          - ".*circuit_breakers.*"
          - ".*upstream_rq_retry.*"
          - ".*_cx_.*"
        exclusionRegexps:
          - ".*osconfig.*"
      gatewayTopology:
        numTrustedProxies: 1
    defaultProviders:
      metrics:
        - prometheus
      tracing:
        - jaeger
      accessLogging:
        - envoy
    extensionProviders:
      - name: otel
        envoyOtelAls:
          service: "opentelemetry-collector.istio-system.svc.cluster.local"
          port: 4317
      # There is no "jaeger" provider type; Jaeger accepts spans on its Zipkin-compatible port.
      # Assumes a jaeger-collector Service in istio-system exposing port 9411
      - name: jaeger
        zipkin:
          service: jaeger-collector.istio-system.svc.cluster.local
          port: 9411
Advanced features
Waypoint proxy (Ambient Mesh)
# waypoint-proxy.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: productpage-waypoint
  namespace: default
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE
---
# Apply an L7 policy in ambient mode by targeting the waypoint
# (workloads use it once the namespace is labelled: kubectl label ns default istio.io/use-waypoint=productpage-waypoint)
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-l7-policy
  namespace: default
spec:
  targetRef:
    kind: Gateway
    group: gateway.networking.k8s.io
    name: productpage-waypoint
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/default/sa/reviews"]
      to:
        - operation:
            methods: ["GET"]
            paths: ["/productpage"]
Multi-cluster mesh
# multi-cluster.yaml
# Primary cluster
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
spec:
  values:
    global:
      meshID: mesh1
      multiCluster:
        clusterName: cluster1
      network: network1
    pilot:
      env:
        PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY: "true"
---
# Remote cluster secret (normally generated with: istioctl create-remote-secret --name cluster2).
# The embedded kubeconfig holds API credentials for cluster2; protect the Secret accordingly
apiVersion: v1
kind: Secret
metadata:
  name: istio-remote-secret-cluster2
  namespace: istio-system
  labels:
    istio/multiCluster: "true"
  annotations:
    networking.istio.io/cluster: cluster2
data:
  cluster2: <base64-encoded-kubeconfig>
Virtual machine integration
# vm-workload.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: vm-workload
  namespace: default
spec:
  address: "192.168.1.100"
  ports:
    http: 8080
  labels:
    app: vm-service
    version: v1
  serviceAccount: vm-service-account
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: vm-service
  namespace: default
spec:
  hosts:
    - vm-service.default.svc.cluster.local
  # The VM runs an Istio sidecar, so it is part of the mesh (mTLS applies); MESH_EXTERNAL is for hosts outside it
  location: MESH_INTERNAL
  ports:
    - number: 8080
      name: http
      protocol: HTTP
  resolution: STATIC
  workloadSelector:
    labels:
      app: vm-service
WASM plugins
# wasm-plugin.yaml
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: custom-header
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  # The module runs inside every selected proxy: pin a digest (sha256 field) rather than :latest in production
  url: oci://registry.example.com/custom-header:latest
  phase: AUTHN
  pluginConfig:
    headers:
      - name: "x-custom-header"
        value: "custom-value"
      - name: "x-request-time"
        value: "{{.timestamp}}"
  vmConfig:
    env:
      - name: LOG_LEVEL
        value: "info"
Performance tuning
Proxy configuration tuning
# proxy-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    defaultConfig:
      # Number of Envoy worker threads
      concurrency: 2
      # Proxy metadata (values must be strings)
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
      # Which Envoy stats to expose
      proxyStatsMatcher:
        inclusionRegexps:
          - ".*circuit_breakers.*"
          - ".*retry.*"
          - ".*_cx_.*"
        exclusionRegexps:
          - ".*osconfig.*"
          - ".*wasm.*"
      # Proxy memory is bounded through sidecar resources (sidecar.istio.io/proxyMemoryLimit annotation), not here
      # Number of trusted proxies in front of the gateway (X-Forwarded-For handling)
      gatewayTopology:
        numTrustedProxies: 1
    # mTLS settings are mesh-level keys, not nested under defaultConfig
    enableAutoMtls: true
    trustDomain: cluster.local
Pilot (istiod) tuning
# pilot-optimization.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane
spec:
  values:
    global:
      logging:
        level: "default:warning"   # istiod log level
  components:
    pilot:
      k8s:
        env:
          # xDS push throttling
          - name: PILOT_PUSH_THROTTLE
            value: "100"
          - name: PILOT_MAX_REQUESTS_PER_SECOND
            value: "100"
          # Skip cross-cluster WorkloadEntry sync in single-cluster installs
          - name: PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY
            value: "false"
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
          limits:
            cpu: 2000m
            memory: 4096Mi
        hpaSpec:
          minReplicas: 2
          maxReplicas: 10
          metrics:
            - type: Resource
              resource:
                name: cpu
                target:
                  type: Utilization
                  averageUtilization: 80
Gateway tuning
# gateway-optimization.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: gateway-optimization
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        k8s:
          resources:
            requests:
              cpu: 1000m
              memory: 1024Mi
            limits:
              cpu: 4000m
              memory: 4096Mi
          hpaSpec:
            minReplicas: 3
            maxReplicas: 20
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  target:
                    type: Utilization
                    averageUtilization: 70
          # Envoy worker threads for the gateway pods (proxy config override; the admin port stays at its default 15000)
          podAnnotations:
            proxy.istio.io/config: '{ "concurrency": 4 }'
          service:
            type: LoadBalancer
            annotations:
              service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
              service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
Troubleshooting
Diagnostic tools and commands
istioctl diagnostics
# Cluster state
istioctl version
istioctl verify-install
# Configuration validation
istioctl analyze
istioctl analyze --all-namespaces
# Proxy configuration (replace productpage-v1-xxxx with the pod name)
istioctl proxy-config cluster productpage-v1-xxxx
istioctl proxy-config listener productpage-v1-xxxx
istioctl proxy-config route productpage-v1-xxxx
istioctl proxy-config endpoint productpage-v1-xxxx
# Proxy sync status
istioctl proxy-status
# Configuration for a single destination
istioctl proxy-config cluster productpage-v1-xxxx --fqdn productpage.default.svc.cluster.local
# mTLS status (authn tls-check was removed; describe reports the effective PeerAuthentication)
istioctl x describe pod productpage-v1-xxxx
# Metrics
istioctl experimental metrics productpage-v1-xxxx
Log analysis
# istiod logs
kubectl logs -n istio-system deployment/istiod -f
# Change the proxy log level
istioctl proxy-config log productpage-v1-xxxx --level debug
# Log level for specific components
istioctl proxy-config log productpage-v1-xxxx --level http:debug,router:debug
# Enable access logs (this patch replaces the whole "mesh" key; merge with the existing settings in practice)
kubectl patch configmap/istio -n istio-system --type merge -p '{"data":{"mesh":"accessLogFile: /dev/stdout\ndefaultConfig:\n  proxyStatsMatcher:\n    inclusionRegexps:\n    - \".*\""}}'
Traffic flow analysis
# Kiali dashboard
kubectl port-forward -n istio-system svc/kiali 20001:20001
# Jaeger tracing
kubectl port-forward -n istio-system svc/jaeger-query 16686:16686
# Grafana metrics
kubectl port-forward -n istio-system svc/grafana 3000:3000
# Prometheus
kubectl port-forward -n istio-system svc/prometheus 9090:9090
Common problems and fixes
mTLS communication problems
# Check the effective mTLS configuration
istioctl x describe pod productpage-v1-xxxx
# Inspect the workload certificate the sidecar serves (delivered over SDS, not stored on disk)
istioctl proxy-config secret productpage-v1-xxxx -o json \
  | jq -r '[.dynamicActiveSecrets[] | select(.name == "default")][0].secret.tlsCertificate.certificateChain.inlineBytes' \
  | base64 -d | openssl x509 -noout -text
# Temporarily disable PeerAuthentication to isolate the fault (delete it afterwards to restore the mesh-wide STRICT mode)
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: disable-mtls
  namespace: default
spec:
  mtls:
    mode: DISABLE
EOF
Gateway connectivity problems
# Gateway configuration
kubectl get gateway,virtualservice -A
# Ingress gateway status
kubectl get pods -n istio-system -l istio=ingressgateway
# External IP address
kubectl get svc -n istio-system istio-ingressgateway
# TLS certificates
kubectl get secret -n istio-system
kubectl describe secret bookinfo-secret -n istio-system
Performance diagnostics
# Proxy metrics (pilot-agent queries the Envoy admin port; the proxy image may not ship curl)
kubectl exec productpage-v1-xxxx -c istio-proxy -- pilot-agent request GET stats | grep -E "(upstream_rq|downstream_rq)"
# Circuit breaker state
kubectl exec productpage-v1-xxxx -c istio-proxy -- pilot-agent request GET stats | grep outlier_detection
# Connection pool usage
kubectl exec productpage-v1-xxxx -c istio-proxy -- pilot-agent request GET stats | grep -E "(cx_|pending)"
# istiod resource usage
kubectl top pods -n istio-system -l app=istiod
Debug configuration
# debug-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |
    # accessLogFile and accessLogFormat are mesh-level keys; defaultConfig holds per-proxy settings
    accessLogFile: "/dev/stdout"
    # Folded (>-) so the format is emitted as a single line
    accessLogFormat: >-
      [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
      %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT%
      %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%"
      "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"
      %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS%
      %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%
    defaultConfig:
      proxyStatsMatcher:
        inclusionRegexps:
          - ".*"
      holdApplicationUntilProxyStarts: true
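Lines in the format above are what the sidecars write to stdout; the following added example (not Istio's code) parses them field by field and triages rejections and circuit-breaker overflows. The sample lines are constructed to follow that format.

```python
"""Parse Envoy access-log lines in the text format from the debug configuration above
and triage them. Added example, not Istio's code. The sample lines are constructed; the
field order follows the accessLogFormat on this page, which Envoy emits as space-separated
tokens with the quoted operators in double quotes.
"""
import shlex

FIELDS = [
    "start_time", "request", "response_code", "response_flags", "bytes_received",
    "bytes_sent", "duration_ms", "upstream_service_time", "x_forwarded_for",
    "user_agent", "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]

# Response flags worth a second look: UAEX = denied by ext_authz, UO = upstream overflow
# (circuit breaker tripped), UF = upstream connection failure, URX = retry limit exceeded
SUSPECT_FLAGS = {"UAEX", "UO", "UF", "URX"}


def parse_access_log(line):
    """Return a dict of the fields, or None if the line does not fit the format."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, tokens))
    entry["start_time"] = entry["start_time"].strip("[]")
    method, path, protocol = entry.pop("request").split(" ", 2)
    entry.update(method=method, path=path, protocol=protocol)
    entry["response_code"] = int(entry["response_code"])
    flags = entry["response_flags"]                       # comma-separated, "-" means none
    entry["flags"] = set() if flags == "-" else set(flags.split(","))
    return entry


def triage(lines):
    """Return (rejected, flag_counts): rejected requests as (id, code, flags), and hits per flag."""
    rejected, flag_counts = [], {}
    for line in lines:
        entry = parse_access_log(line)
        if entry is None:
            continue
        for flag in entry["flags"]:
            flag_counts[flag] = flag_counts.get(flag, 0) + 1
        if entry["response_code"] in (401, 403, 429) or entry["flags"] & SUSPECT_FLAGS:
            rejected.append((entry["request_id"], entry["response_code"], entry["response_flags"]))
    return rejected, flag_counts


# Constructed sample lines in the format above: a normal inbound request, an RBAC denial,
# a circuit-breaker overflow on an outbound call, and an ext_authz denial at the gateway
SAMPLE_LOG = [
    '[2024-05-01T10:00:00.123Z] "GET /productpage HTTP/1.1" 200 - 0 5179 12 11 "-" "curl/8.0.1" '
    '"req-0001" "productpage:9080" "10.244.1.5:9080" inbound|9080|| 127.0.0.6:45011 10.244.1.5:9080 '
    '10.244.2.7:51234 - default',
    '[2024-05-01T10:00:01.456Z] "DELETE /api/v1/reviews HTTP/1.1" 403 - 0 19 0 - "-" "python-requests/2.31" '
    '"req-0002" "productpage:9080" "-" - - 10.244.1.5:9080 10.244.2.9:40012 - default',
    '[2024-05-01T10:00:02.001Z] "GET /reviews/1 HTTP/1.1" 503 UO 0 81 0 - "-" "curl/8.0.1" '
    '"req-0003" "reviews:9080" "-" outbound|9080|v1|reviews.default.svc.cluster.local - 10.244.1.5:39876 '
    '10.96.0.12:9080 - default',
    '[2024-05-01T10:00:03.777Z] "POST /api/v1/orders HTTP/1.1" 403 UAEX 48 0 3 - "203.0.113.9" "Mozilla/5.0" '
    '"req-0004" "bookinfo.example.com" "-" - - 10.244.1.5:9080 10.244.0.3:55001 bookinfo.example.com default',
]
```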
References
Official documentation
Learning resources
Tools and ecosystem
- Kiali - service mesh visualization
- Jaeger - distributed tracing
- Envoy Proxy - data plane
- cert-manager - certificate management