Service Mesh
A service mesh is a dedicated infrastructure layer for handling service-to-service communication. It is usually implemented as lightweight network proxies (sidecars) deployed alongside the application code.
When to Use
- Mature microservices: you have 20+ services, and implementing retries, timeouts, and authentication separately in each language is becoming a nightmare.
- Zero-trust security: you need mTLS (mutual TLS) between all services.
- Observability: you need uniform metrics (the golden signals) and tracing across a polyglot stack.
Core Concepts
Sidecar Proxy
The mesh injects a proxy (e.g., Envoy) next to your app container. Your app talks to localhost; the proxy handles the network concerns (routing, retries, TLS) on its behalf.
Control Plane
The brain that configures the proxies (e.g., Istio Control Plane).
Data Plane
The set of proxies that actually route the traffic.
Features
- Traffic Management: Canary deployments (1% traffic to v2), Circuit Breaking, Retries.
- Security: mTLS with automatic certificate rotation, authorization policies.
- Observability: automatic metrics (latency, success rate) without code changes.
Best Practices
Do:
- Assess whether the complexity is worth it. For small clusters, a mesh is overkill.
- Use a simpler alternative (Linkerd) if Istio is too heavy.
- Start with the observability features before enabling strict enforcement or mTLS.
Don't:
- Don't use a Service Mesh to fix bad application code.
- Don't ignore the resource overhead (CPU/RAM) of sidecars at scale.
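As an added example (not code from this page or from the Istio project), here are the Istio resources that implement the rollout recommended above: permissive mTLS first so you can observe, then strict enforcement, then an authorization policy on top. The namespace, workload label and service account are assumed values.

```yaml
# Added example (not from the original page): Istio resources for the page's
# "observability first, then strict mTLS" rollout. Namespace "payments", label
# app=ledger and service account "checkout" are assumed names, not page values.
# Step 1 (observe): PERMISSIVE accepts plaintext and mTLS; meanwhile the
# connection_security_policy label on istio_requests_total shows which
# callers still arrive unencrypted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: PERMISSIVE
---
# Step 2 (enforce): once every caller reports mutual_tls, apply STRICT (same
# name, so it overwrites step 1). Plaintext to sidecar-injected workloads in
# the namespace is now rejected at the proxy, with no application change.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Step 3 (authorize): mTLS proves who is calling; this policy decides who may.
# Only the checkout service account may send GET/POST to /ledger/*; once an
# ALLOW policy matches a workload, requests matched by no rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/ledger/*"]
```

Apply step 1 alone first and check the metrics; only move to step 2 once no caller still shows up as plaintext, or the switch to STRICT will break them.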