11.3 微服务治理
面试重要程度:⭐⭐⭐⭐⭐
常见提问方式:什么是Service Mesh?如何实现微服务链路追踪?
预计阅读时间:40分钟
📋 知识点概览
微服务治理是现代分布式系统的核心挑战,涉及服务发现、负载均衡、熔断降级、链路追踪等多个方面。本节将深入讲解Service Mesh架构、Istio实践以及可观测性建设。
🕸️ Service Mesh架构
Service Mesh核心概念
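/**
 * Reference model of the building blocks of a Service Mesh, plus a short
 * comparison with SDK-based microservice frameworks.
 *
 * <p>The class holds no mutable state: the nested types are constants and one
 * method that prints a comparison to {@code System.out}. Display strings are
 * kept in Chinese, as in the original teaching material.
 */
public class ServiceMeshArchitecture {

    /**
     * Core Service Mesh components, each with a display name and a one-line
     * description of its role.
     */
    public enum ServiceMeshComponent {
        DATA_PLANE("数据平面", "由Sidecar代理组成,处理服务间通信"),
        CONTROL_PLANE("控制平面", "管理和配置数据平面的代理"),
        SIDECAR_PROXY("边车代理", "与应用容器部署在同一Pod中的代理"),
        SERVICE_REGISTRY("服务注册中心", "维护服务实例信息"),
        POLICY_ENGINE("策略引擎", "执行访问控制、流量管理等策略");

        private final String name;
        private final String description;

        ServiceMeshComponent(String name, String description) {
            this.name = name;
            this.description = description;
        }

        /**
         * Returns the human-readable component name.
         *
         * @return the display name, never {@code null}
         */
        public String getName() {
            return name;
        }

        /**
         * Returns a one-line description of the component's role in the mesh.
         *
         * @return the description, never {@code null}
         */
        public String getDescription() {
            return description;
        }
    }

    /**
     * Advantages usually attributed to a Service Mesh over in-process
     * frameworks.
     */
    public static class ServiceMeshBenefits {

        /**
         * Benefit list. Kept as an array for backward compatibility; note that
         * a {@code public static final} array is still writable by any caller —
         * prefer {@link #benefits()} when the result may be handed to code you
         * do not control.
         */
        public static final String[] BENEFITS = {
            "服务间通信的透明化",
            "统一的安全策略管理",
            "细粒度的流量控制",
            "全链路可观测性",
            "多语言服务支持",
            "渐进式部署和升级"
        };

        /**
         * Returns a defensive copy of {@link #BENEFITS} so callers cannot
         * mutate the shared constant.
         *
         * @return a fresh array containing the benefit strings
         */
        public static String[] benefits() {
            return BENEFITS.clone();
        }

        /**
         * Prints a five-point comparison between Service Mesh and a
         * traditional SDK-based microservice framework to {@code System.out}.
         */
        public static void compareWithTraditionalFramework() {
            System.out.println("Service Mesh vs 传统微服务框架:");
            System.out.println("1. 代码侵入性:Service Mesh无侵入 vs 框架需要集成SDK");
            System.out.println("2. 语言支持:Service Mesh多语言 vs 框架通常单语言");
            System.out.println("3. 升级维护:Service Mesh统一升级 vs 框架需要应用重新部署");
            System.out.println("4. 性能开销:Service Mesh有网络跳转 vs 框架直接调用");
            System.out.println("5. 运维复杂度:Service Mesh需要额外组件 vs 框架相对简单");
        }
    }
}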
Istio架构实践
# Istio Gateway configuration: terminates edge TLS for api.example.com.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: spring-boot-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  # Plain HTTP listener exists only to redirect clients to HTTPS.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - api.example.com
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # SIMPLE = server-side TLS only; clients are not certificate-authenticated here.
      mode: SIMPLE
      # NOTE(review): credentialName names a Kubernetes secret that must live in the
      # ingress gateway's own namespace, not in this resource's namespace — confirm.
      credentialName: api-tls-secret
    hosts:
    - api.example.com
---
# VirtualService: traffic routing for the gateway above.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: spring-boot-vs
  namespace: default
spec:
  hosts:
  - api.example.com
  gateways:
  - spring-boot-gateway
  http:
  # Canary release: requests carrying the header canary=true go 100% to v2.
  # The header is client-controlled, so anyone can opt into the canary.
  - match:
    - headers:
        canary:
          exact: "true"
    route:
    - destination:
        host: spring-boot-service
        subset: v2
      weight: 100
  # Weighted traffic split: 90% v1 / 10% v2 for everything under /api/v1.
  - match:
    - uri:
        prefix: /api/v1
    route:
    - destination:
        host: spring-boot-service
        subset: v1
      weight: 90
    - destination:
        host: spring-boot-service
        subset: v2
      weight: 10
    # Fault injection for resilience testing: a 5s delay on 1% of requests and an
    # HTTP 500 on 0.1%. This sits on the same route that serves live traffic —
    # keep it in a test environment or a dedicated test route, not production.
    fault:
      delay:
        percentage:
          value: 1.0
        fixedDelay: 5s
      abort:
        percentage:
          value: 0.1
        httpStatus: 500
    # Overall request timeout.
    timeout: 10s
    # Retry policy. The match above is a URI prefix only, so non-idempotent
    # requests on /api/v1 are retried too; gateway-error (502/503/504) can fire
    # after the upstream has already processed the request.
    retries:
      attempts: 3
      perTryTimeout: 3s
      retryOn: gateway-error,connect-failure,refused-stream
---
# DestinationRule: per-service policies and subsets.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: spring-boot-dr
  namespace: default
spec:
  host: spring-boot-service
  # Traffic policy applied to every subset unless overridden below.
  trafficPolicy:
    # Load-balancing algorithm.
    loadBalancer:
      simple: LEAST_CONN  # ROUND_ROBIN/LEAST_CONN/RANDOM/PASSTHROUGH
    # Connection pool limits (per sidecar, towards this host).
    connectionPool:
      tcp:
        maxConnections: 100
        connectTimeout: 30s
        keepAlive:
          time: 7200s
          interval: 75s
      http:
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
        maxRetries: 3
        idleTimeout: 90s
    # Circuit breaker (outlier detection): eject a host after 5 consecutive errors.
    # NOTE(review): gateway errors are a subset of 5xx errors; with both thresholds
    # equal, consecutiveGatewayErrors is reported as having no effect — confirm
    # against the Istio docs for the deployed version.
    outlierDetection:
      consecutiveGatewayErrors: 5
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
      minHealthPercent: 30
  # Subsets referenced by the VirtualService, selected by the version label.
  subsets:
  - name: v1
    labels:
      version: v1
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
  - name: v2
    labels:
      version: v2
    trafficPolicy:
      loadBalancer:
        simple: LEAST_CONN
🔒 安全策略管理
mTLS和授权策略
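/**
 * Istio security policy manifests (PeerAuthentication, AuthorizationPolicy,
 * RequestAuthentication) returned as YAML strings.
 *
 * <p>The three manifests are meant to be applied together: RequestAuthentication
 * validates JWTs and exposes their claims, AuthorizationPolicy decides who may
 * call what, and PeerAuthentication enforces mTLS between workloads. Each method
 * is a pure function returning a constant text block.
 */
public class IstioSecurityPolicy {

    /**
     * Returns the PeerAuthentication manifests: a namespace-wide STRICT mTLS
     * policy and a workload-level override for {@code app: spring-boot}.
     *
     * <p>Port 9090 is excluded from mTLS ({@code mode: DISABLE}) so a scraper
     * outside the mesh can read metrics. Traffic to that port is therefore
     * plaintext and unauthenticated at the mesh layer; restrict it by network
     * policy or by an AuthorizationPolicy on that port if the metrics are
     * sensitive.
     *
     * @return two YAML documents separated by {@code ---}
     */
    public static String getPeerAuthenticationYaml() {
        return """
            # 命名空间级别的mTLS策略
            apiVersion: security.istio.io/v1beta1
            kind: PeerAuthentication
            metadata:
              name: default
              namespace: production
            spec:
              mtls:
                mode: STRICT  # STRICT/PERMISSIVE/DISABLE
            ---
            # 特定服务的mTLS策略
            apiVersion: security.istio.io/v1beta1
            kind: PeerAuthentication
            metadata:
              name: spring-boot-mtls
              namespace: production
            spec:
              selector:
                matchLabels:
                  app: spring-boot
              mtls:
                mode: STRICT
              portLevelMtls:
                8080:
                  mode: STRICT
                9090:
                  mode: DISABLE  # metrics端口不启用mTLS
            """;
    }

    /**
     * Returns the AuthorizationPolicy manifests for {@code app: spring-boot}
     * (ALLOW rules) and {@code app: internal-service} (DENY rule).
     *
     * <p>The admin rule keys on {@code request.auth.claims[role]}, i.e. the
     * {@code role} claim of the JWT validated by RequestAuthentication. The
     * earlier form {@code request.headers[role]} compared a plain HTTP header
     * that any caller can set, which would have granted {@code methods: ["*"]}
     * to anyone willing to add a header; a claim is only trusted after the
     * token's signature, issuer and audience have been verified.
     *
     * <p>The health-check rule has no {@code from} clause, so
     * {@code GET /actuator/health} is reachable from any source, which is what
     * kubelet probes need. The DENY policy's inline comment talks about empty
     * rules, but the rule list is not empty here; it denies requests whose
     * source namespace is neither {@code production} nor {@code staging}.
     *
     * @return two YAML documents separated by {@code ---}
     */
    public static String getAuthorizationPolicyYaml() {
        return """
            # 基于角色的访问控制
            apiVersion: security.istio.io/v1beta1
            kind: AuthorizationPolicy
            metadata:
              name: spring-boot-authz
              namespace: production
            spec:
              selector:
                matchLabels:
                  app: spring-boot
              # 允许规则
              rules:
              # 允许来自frontend服务的请求
              - from:
                - source:
                    principals: ["cluster.local/ns/production/sa/frontend-service"]
                to:
                - operation:
                    methods: ["GET", "POST"]
                    paths: ["/api/v1/*"]
              # 允许管理员访问所有接口
              - from:
                - source:
                    requestPrincipals: ["*"]
                when:
                - key: request.auth.claims[role]
                  values: ["admin"]
                to:
                - operation:
                    methods: ["*"]
              # 允许健康检查
              - to:
                - operation:
                    methods: ["GET"]
                    paths: ["/actuator/health"]
            ---
            # 拒绝策略示例
            apiVersion: security.istio.io/v1beta1
            kind: AuthorizationPolicy
            metadata:
              name: deny-external
              namespace: production
            spec:
              selector:
                matchLabels:
                  app: internal-service
              # 拒绝规则(空rules表示拒绝所有)
              action: DENY
              rules:
              - from:
                - source:
                    notNamespaces: ["production", "staging"]
            """;
    }

    /**
     * Returns the RequestAuthentication manifest that validates JWTs issued by
     * {@code https://auth.example.com} for audience {@code api.example.com}.
     *
     * <p>Two points to weigh before reuse: {@code fromParams: access_token}
     * accepts the bearer token in the URL query string, where it ends up in
     * access logs, browser history and Referer headers — drop it unless a
     * client genuinely cannot send an Authorization header. And a
     * RequestAuthentication on its own only rejects <em>invalid</em> tokens;
     * requests with no token at all are still admitted, so the accompanying
     * AuthorizationPolicy must require {@code requestPrincipals} on the paths
     * that need authentication.
     *
     * @return a single YAML document
     */
    public static String getRequestAuthenticationYaml() {
        return """
            apiVersion: security.istio.io/v1beta1
            kind: RequestAuthentication
            metadata:
              name: jwt-auth
              namespace: production
            spec:
              selector:
                matchLabels:
                  app: spring-boot
              jwtRules:
              - issuer: "https://auth.example.com"
                jwksUri: "https://auth.example.com/.well-known/jwks.json"
                audiences:
                - "api.example.com"
                forwardOriginalToken: true
                fromHeaders:
                - name: Authorization
                  prefix: "Bearer "
                fromParams:
                - "access_token"
                outputPayloadToHeader: "x-jwt-payload"
            """;
    }
}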
📊 可观测性建设
分布式链路追踪
/** * 分布式链路追踪实现 */ public class DistributedTracing { /** * Jaeger配置 */ public static String getJaegerConfiguration() { return """ # Jaeger部署配置 apiVersion: apps/v1 kind: Deployment metadata: name: jaeger namespace: istio-system spec: replicas: 1 selector: matchLabels: app: jaeger template: metadata: labels: app: jaeger spec: containers: - name: jaeger image: jaegertracing/all-in-one:1.35 env: - name: COLLECTOR_ZIPKIN_HOST_PORT value: ":9411" - name: COLLECTOR_OTLP_ENABLED value: "true" ports: - containerPort: 16686 name: ui - containerPort: 14268 name: collector - containerPort: 9411 name: zipkin - containerPort: 4317 name: otlp-grpc - containerPort: 4318 name: otlp-http resources: requests: memory: "512Mi" cpu: "250m" limits: