k8s-service-mesh
Kubernetes Service Mesh (Istio)
Traffic management, security, and observability using kubectl-mcp-server's Istio/Kiali tools.
When to Apply
Use this skill when:
- User mentions: "Istio", "service mesh", "mTLS", "VirtualService", "traffic shifting"
- Operations: traffic management, canary deployments, security policies
- Keywords: "sidecar", "proxy", "traffic split", "mutual TLS"
Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect Istio installation first | CRITICAL | |
| 2 | Run analyze before changes | HIGH | |
| 3 | Check proxy status for sync | HIGH | |
| 4 | Verify sidecar injection | MEDIUM | |
Quick Reference
| Task | Tool | Example |
|---|---|---|
| Detect Istio | | |
| Analyze config | | |
| Proxy status | | |
| List VirtualServices | | |
Quick Status Check
Detect Istio Installation
```python
istio_detect_tool()
```
Check Proxy Status
```python
istio_proxy_status_tool()
istio_sidecar_status_tool(namespace)
```
Analyze Configuration
```python
istio_analyze_tool(namespace)
```
Traffic Management
VirtualServices
List and inspect:
```python
istio_virtualservices_list_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
```
See TRAFFIC-SHIFTING.md for canary and blue-green patterns.
DestinationRules
```python
istio_destinationrules_list_tool(namespace)
```
Gateways
```python
istio_gateways_list_tool(namespace)
```
Traffic Shifting Patterns
Canary Release (Weight-Based)
VirtualService for 90/10 split:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: stable
      weight: 90
    - destination:
        host: my-service
        subset: canary
      weight: 10
```
Apply and verify:
```python
kubectl_apply(vs_yaml, namespace)
istio_virtualservice_get_tool("my-service", namespace)
```
Header-Based Routing
Route beta users:
```yaml
http:
- match:
  - headers:
      x-user-type:
        exact: beta
  route:
  - destination:
      host: my-service
      subset: canary
- route:
  - destination:
      host: my-service
      subset: stable
```
Security (mTLS)
See MTLS.md for detailed mTLS configuration.
PeerAuthentication (mTLS Mode)
```python
istio_peerauthentications_list_tool(namespace)
```
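When reviewing the PeerAuthentication list, what matters is the effective mode per namespace and any workload or port exceptions to it. The following is an added example, not part of the original page or of kubectl-mcp-server; it assumes the objects are available as Kubernetes-style dicts and that the root namespace is `istio-system`, and the function names and sample objects are constructed.

```python
ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default root namespace
OK_MODES = ("STRICT", "UNSET", None)  # UNSET/absent inherits from the parent scope

def mode_of(pa):
    return (pa.get("spec", {}).get("mtls") or {}).get("mode", "UNSET")

def namespace_mode(policies, namespace):
    """Effective namespace-wide mode: namespace policy, else mesh-wide, else PERMISSIVE."""
    for ns in (namespace, ROOT_NAMESPACE):
        for pa in policies:
            selector = pa.get("spec", {}).get("selector")
            if pa["metadata"]["namespace"] == ns and not selector and mode_of(pa) != "UNSET":
                return mode_of(pa)
    return "PERMISSIVE"  # Istio's behaviour when no policy sets a mode

def audit_mtls(policies, namespaces):
    """Return (namespace, scope, mode) for every scope that still accepts plaintext."""
    findings = []
    for ns in namespaces:
        mode = namespace_mode(policies, ns)
        if mode != "STRICT":
            findings.append((ns, "namespace-wide", mode))
        for pa in (p for p in policies if p["metadata"]["namespace"] == ns):
            spec, name = pa.get("spec", {}), pa["metadata"]["name"]
            # Workload-scoped policies (with a selector) override the namespace mode.
            if spec.get("selector") and mode_of(pa) not in OK_MODES:
                findings.append((ns, name, mode_of(pa)))
            # Port-level settings override the policy's own mode for that port.
            for port, cfg in (spec.get("portLevelMtls") or {}).items():
                if cfg.get("mode") not in OK_MODES:
                    findings.append((ns, f"{name} port {port}", cfg["mode"]))
    return findings

# Constructed samples shaped like `kubectl get peerauthentication -A -o json` items.
SAMPLE = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "db-metrics", "namespace": "payments"},
     "spec": {"selector": {"matchLabels": {"app": "db"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"9090": {"mode": "DISABLE"}}}},
]

if __name__ == "__main__":
    for finding in audit_mtls(SAMPLE, ["payments", "legacy", "web"]):
        print(finding)
```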
AuthorizationPolicy
```python
istio_authorizationpolicies_list_tool(namespace)
```
Observability
Proxy Metrics
```python
istio_proxy_status_tool()
```
Hubble (Cilium Integration)
If using Cilium with Istio:
```python
hubble_flows_query_tool(namespace)
cilium_endpoints_list_tool(namespace)
```
Troubleshooting
Sidecar Not Injected
```python
istio_sidecar_status_tool(namespace)
```
Traffic Not Routing
```python
istio_analyze_tool(namespace)
istio_virtualservice_get_tool(name, namespace)
istio_destinationrules_list_tool(namespace)
istio_proxy_status_tool()
```
mTLS Failures
```python
istio_peerauthentications_list_tool(namespace)
```
Common Issues
| Symptom | Check | Resolution |
|---|---|---|
| 503 errors | | Fix VirtualService/DestinationRule |
| No sidecar | | Label namespace |
| Config not applied | | Wait for sync or restart pod |
Multi-Cluster Service Mesh
Istio multi-cluster setup:
```python
istio_proxy_status_tool(context="primary")
istio_virtualservices_list_tool(namespace, context="primary")
istio_proxy_status_tool(context="remote")
```
Prerequisites
- Istio: Required for all Istio tools
  ```bash
  istioctl install --set profile=demo
  ```
Related Skills
- k8s-deploy - Deployment with traffic shifting
- k8s-security - Authorization policies