手写chart
manifest文件:
[root@master01 manifest]# cat ./*
---
# Grants the rules of the mysql-clusterrole ClusterRole to one subject:
# the mysql-sa ServiceAccount in the mysql namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mysql-clusterrole-binding
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
subjects:
  # Same account name the Deployment sets in serviceAccountName.
  - kind: ServiceAccount
    name: mysql-sa
    namespace: mysql
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mysql-clusterrole
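---
# ClusterRole that lets its subjects "use" a PodSecurityPolicy, which is how
# PSP admission decides which policy a pod's service account may run under.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysql-clusterrole
  labels:
    app: "mysql"
    component: "mysql"
    chart: "mysql-0.1"
    release: "mysql"
    heritage: "Helm"
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    # Without resourceNames the grant covers every PodSecurityPolicy in the
    # cluster, including any permissive one; scope it to this chart's policy.
    resourceNames: ['mysql-psp']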
---
# MySQL server settings, stored under the single key my.cnf.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mysql-configmap
  labels:
    app: mysql
    component: mysql
    # NOTE(review): chart and heritage differ here from the other manifests,
    # which use "mysql-0.1" and "Helm".
    chart: mysql
    release: mysql
    heritage: helm
data:
  my.cnf: |
    [mysqld]
    skip-name-resolve
    port=3306
    innodb_file_per_table = 1
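---
# MySQL Deployment: one container, data on the mysql-nfs-pvc claim, server
# settings from the mysql-configmap ConfigMap, running as mysql-sa.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql
  labels:
    app: mysql
    chart: "mysql-0.1"
    release: "mysql"
    heritage: "Helm"
spec:
  progressDeadlineSeconds: 600
  revisionHistoryLimit: 10
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: mysql
      release: mysql
  template:
    metadata:
      labels:
        app: mysql
        release: mysql
    spec:
      serviceAccountName: mysql-sa
      terminationGracePeriodSeconds: 60
      tolerations:
        - key: "example-key"
          operator: "Exists"
          effect: "NoSchedule"
      containers:
        - name: mysql
          # NOTE(review): MySQL 5.6 is past upstream end of life and no longer
          # receives security fixes; plan a move to a supported release.
          image: mysql:5.6
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3306
          env:
            # NOTE(review): the root password is a literal in the pod spec, so
            # anyone who can read Deployments or Pods in this namespace can
            # read it. Store it in a Secret and reference it with
            # valueFrom.secretKeyRef instead of value.
            - name: MYSQL_ROOT_PASSWORD
              value: "mysql"
          # NOTE(review): both probes pass the password as a -p argument, so
          # it appears in the process argument list while the probe runs.
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          resources:
            # Same quantities as 0.2 / 0.5 CPU, written in millicores.
            requests:
              cpu: "200m"
              memory: 100Mi
            limits:
              cpu: "500m"
              memory: 500Mi
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /var/lib/mysql
            # The ConfigMap's only key is my.cnf. The original subPath
            # (mysql.cnf) named a key that does not exist, so the settings
            # never reached the server; mounting the whole volume places
            # my.cnf inside conf.d.
            - name: configurations
              mountPath: /etc/mysql/conf.d/
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: mysql-nfs-pvc
        - name: configurations
          configMap:
            name: mysql-configmap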
---
# CPU-based autoscaler for the mysql Deployment: between 1 and 5 replicas,
# targeting 50% average CPU utilization.
# NOTE(review): every replica of that Deployment mounts the same claim at
# /var/lib/mysql; confirm that several mysqld instances sharing one data
# directory is really intended before letting this scale above 1.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: mysql-hpa
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  minReplicas: 1
  maxReplicas: 5
  targetCPUUtilizationPercentage: 50
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: mysql
---
# Keeps at least one pod labelled app=mysql, release=mysql available during
# voluntary disruptions.
# NOTE(review): policy/v1beta1 is not served on Kubernetes 1.25 and later;
# those clusters need policy/v1.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: mysql-pdb
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  selector:
    matchLabels:
      app: mysql
      release: mysql
  minAvailable: 1
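---
# Pod security policy for the MySQL pod: restricts volume types and group
# ranges, and forbids privileged containers and privilege escalation.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; newer
# clusters need Pod Security Admission or a policy engine instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mysql-psp
  labels:
    app: "mysql"
    component: "mysql"
    chart: "mysql-0.1"
    release: "mysql"
    heritage: "Helm"
spec:
  # Stated explicitly so the policy does not depend on API defaults.
  privileged: false
  # The policy default allows escalation; the Deployment's container already
  # sets allowPrivilegeEscalation: false, so enforcing it here breaks nothing.
  allowPrivilegeEscalation: false
  # NOTE(review): RunAsAny still permits running as root (UID 0).
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  # Group ranges start at 1, so GID 0 is excluded.
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # hostPath is not in the list, so pods under this policy cannot mount
  # node directories.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'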
---
# Claim for the MySQL data directory: 500Mi from the mysql-sc storage class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-nfs-pvc
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  storageClassName: mysql-sc
  resources:
    requests:
      storage: 500Mi
  # ReadWriteMany lets pods on several nodes mount the volume read-write at
  # the same time.
  accessModes:
    - ReadWriteMany
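---
# Service account the MySQL pod runs as; it exists so the PodSecurityPolicy
# grant can be bound to a dedicated identity.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql-sa
  labels:
    app: mysql
    chart: mysql-0.1
    release: mysql
    heritage: helm
# The pod spec shown on this page runs only the mysql container, which makes
# no Kubernetes API calls, so do not mount an API token into it.
automountServiceAccountToken: false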
---
# Storage class served by the fuseim.pri/ifs provisioner.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mysql-sc
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
provisioner: fuseim.pri/ifs
# Retain keeps the backing volume, and the database files on it, after the
# claim is deleted; cleanup is a manual step.
reclaimPolicy: Retain
---
# Exposes MySQL (TCP 3306) for pods labelled app=mysql, release=mysql.
# NOTE(review): NodePort publishes the database on a port of every node.
# Confirm that reachability from outside the cluster is intended and that
# node firewalls or a NetworkPolicy limit who can connect.
apiVersion: v1
kind: Service
metadata:
  name: mysql-svc
  labels:
    app: mysql
    component: mysql
    chart: mysql-0.1
    release: mysql
    heritage: Helm
spec:
  type: NodePort
  selector:
    app: mysql
    release: mysql
  ports:
    - name: tcp
      port: 3306
      targetPort: 3306
template文件:
[root@master01 templates]# cat ./*
{{- /*
Binds the chart's ClusterRole to the chart's ServiceAccount in the release
namespace. Rendered only when .Values.rbac.create is set.
*/ -}}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "mysql.fullname" . }}-binding
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
subjects:
  # NOTE(review): the account name is built here as <fullname>-sa, while the
  # Deployment takes its serviceAccountName from the mysql.serviceAccountName
  # helper; the two must resolve to the same name for the grant to reach the
  # pod.
  - kind: ServiceAccount
    name: {{ include "mysql.fullname" . }}-sa
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "mysql.fullname" . }}-clusterrole
{{- end }}
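{{- /*
ClusterRole that allows "use" of the chart's PodSecurityPolicy.
Rendered only when .Values.rbac.create is set.
*/ -}}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "mysql.fullname" . }}-clusterrole
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    # Without resourceNames the grant covers every PodSecurityPolicy in the
    # cluster; scope it to the policy this chart names <fullname>-psp.
    resourceNames:
      - {{ include "mysql.fullname" . }}-psp
{{- end }}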
# MySQL server settings, stored under the single key my.cnf.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "mysql.fullname" . }}-configmap
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
data:
  my.cnf: |
    [mysqld]
    skip-name-resolve
    port=3306
    innodb_file_per_table = 1
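# MySQL Deployment. Replica count, image, probe timings, resources and
# security context all come from .Values.deployment.
apiVersion: {{ include "deployment.apiVersion" . }}
kind: Deployment
metadata:
  name: {{ include "mysql.fullname" . }}
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
spec:
  progressDeadlineSeconds: {{ .Values.deployment.progressDeadlineSeconds }}
  {{- if .Values.deployment.strategy }}
  strategy:
    {{- toYaml .Values.deployment.strategy | nindent 4 }}
  {{- end }}
  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
  selector:
    matchLabels:
      {{- include "mysql.selectorLabels" . | nindent 6 }}
  replicas: {{ .Values.deployment.replicaCount }}
  template:
    metadata:
      labels:
        {{- include "mysql.labels" . | nindent 8 }}
    spec:
      {{- if .Values.deployment.tolerations }}
      tolerations:
        {{- toYaml .Values.deployment.tolerations | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "mysql.serviceAccountName" . }}
      terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
      containers:
        - name: mysql
          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
          imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
          ports:
            - containerPort: 3306
          env:
            # NOTE(review): the root password is copied from values into the
            # pod spec as plain text, so it is readable by anyone who can view
            # the release values, the Deployment or its Pods. Render it into a
            # Secret and reference that with valueFrom.secretKeyRef.
            - name: MYSQL_ROOT_PASSWORD
              value: {{ .Values.deployment.mysql_root_password | quote }}
          # NOTE(review): both probes pass the password as a -p argument, so
          # it appears in the process argument list while the probe runs.
          {{- if .Values.deployment.readinessProbe }}
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.deployment.readinessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.deployment.readinessProbe.successThreshold }}
            failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }}
          {{- end }}
          {{- if .Values.deployment.livenessProbe }}
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}"
            initialDelaySeconds: {{ .Values.deployment.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.deployment.livenessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.deployment.livenessProbe.successThreshold }}
            failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }}
          {{- end }}
          {{- if .Values.deployment.resources }}
          resources:
            {{- toYaml .Values.deployment.resources | nindent 12 }}
          {{- end }}
          {{- if .Values.deployment.securityContext }}
          securityContext:
            {{- toYaml .Values.deployment.securityContext | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: data
              mountPath: /var/lib/mysql
            # The chart's ConfigMap has a single key, my.cnf. The original
            # subPath (mysql.cnf) named a key that does not exist, so the
            # settings never reached the server; mounting the whole volume
            # places my.cnf inside conf.d.
            - name: configurations
              mountPath: /etc/mysql/conf.d/
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: {{ include "mysql.fullname" . }}-pvc
        - name: configurations
          configMap:
            name: {{ include "mysql.fullname" . }}-configmap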
{{/* vim: set filetype=mustache: */}}
{{/*
Short chart name: .Values.nameOverride when set, otherwise .Chart.Name,
cut to 63 characters with a trailing "-" removed.
*/}}
{{- define "mysql.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Fully qualified app name, cut to 63 characters (some Kubernetes name fields
are limited to this by the DNS naming spec) with a trailing "-" removed.
Order of preference:
  1. .Values.fullnameOverride
  2. the release name alone, when it already contains the chart name
  3. "<release name>-<chart name>"
*/}}
{{- define "mysql.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- trimSuffix "-" (trunc 63 .Values.fullnameOverride) -}}
{{- else -}}
{{- $base := .Values.nameOverride | default .Chart.Name -}}
{{- if contains $base .Release.Name -}}
{{- trimSuffix "-" (trunc 63 .Release.Name) -}}
{{- else -}}
{{- trimSuffix "-" (trunc 63 (printf "%s-%s" .Release.Name $base)) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Value for the chart label: "<chart name>-<chart version>" with "+" replaced
by "_", cut to 63 characters with a trailing "-" removed.
*/}}
{{- define "mysql.chart" -}}
{{- $id := printf "%s-%s" .Chart.Name .Chart.Version -}}
{{- $id | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Labels placed on every resource: the chart label, the selector labels, the
app version when the chart declares one, and the managing service.
*/}}
{{- define "mysql.labels" -}}
helm.sh/chart: {{ include "mysql.chart" . }}
{{ include "mysql.selectorLabels" . }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ quote . }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels used by selectors: the chart name and the release instance.
*/}}
{{- define "mysql.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mysql.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
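{{/*
Name of the service account the pod runs as.
When the chart creates the account, the default is "<fullname>-sa", which is
the name the ServiceAccount and ClusterRoleBinding templates use. The previous
default was the bare fullname, which names an account the chart never creates.
When the chart does not create one, the namespace's "default" account is used.
.Values.serviceAccount.name overrides either default.
*/}}
{{- define "mysql.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (printf "%s-sa" (include "mysql.fullname" .)) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}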
{{/*
apiVersion for the Deployment: "apps/v1" when the cluster version satisfies
">=1.9-0", otherwise "extensions/v1beta1".
*/}}
{{- define "deployment.apiVersion" -}}
{{- $modern := semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
{{- ternary "apps/v1" "extensions/v1beta1" $modern -}}
{{- end -}}
{{/*
apiGroup for PodSecurityPolicy: "policy" when the cluster version satisfies
">=1.14-0", otherwise "extensions".
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- $modern := semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- ternary "policy" "extensions" $modern -}}
{{- end -}}
{{/*
apiVersion for PodSecurityPolicy: "policy/v1beta1" when the cluster version
satisfies ">=1.10-0", otherwise "extensions/v1beta1".
*/}}
{{- define "podSecurityPolicy.apiVersion" -}}
{{- $modern := semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion -}}
{{- ternary "policy/v1beta1" "extensions/v1beta1" $modern -}}
{{- end -}}
{{- /*
CPU-based autoscaler for the chart's Deployment.
Rendered only when .Values.hpa.create is set.
*/ -}}
{{- if .Values.hpa.create }}
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: {{ include "mysql.fullname" . }}-hpa
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
spec:
  # NOTE(review): every replica of the Deployment mounts the same claim at
  # /var/lib/mysql; confirm that several mysqld instances sharing one data
  # directory is really intended before allowing more than one replica.
  minReplicas: {{ .Values.hpa.minReplicas }}
  maxReplicas: {{ .Values.hpa.maxReplicas }}
  targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  scaleTargetRef:
    apiVersion: {{ include "deployment.apiVersion" . }}
    kind: Deployment
    name: {{ include "mysql.fullname" . }}
{{- end }}
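{{- /*
Post-install notes. Corrected from the generic web-application text:
  - the Service is named <fullname>-svc, so the kubectl lookups use that name;
  - MySQL listens on 3306 and is not HTTP, so the notes print host:port and
    forward port 3306 rather than 8080:80.
*/ -}}
1. Get the MySQL endpoint by running these commands:
{{- if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mysql.fullname" . }}-svc)
  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo $NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "mysql.fullname" . }}-svc'
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mysql.fullname" . }}-svc --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo $SERVICE_IP:3306
{{- else if contains "ClusterIP" .Values.service.type }}
  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mysql.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  echo "Connect a MySQL client to 127.0.0.1:3306"
  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 3306:3306
{{- end }}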
{{- /*
Disruption budget for the MySQL pods. Rendered only when .Values.pdb.create is
set and the Deployment can have more than one pod (replicaCount > 1 or the
autoscaler is enabled).
*/ -}}
{{- if and .Values.pdb.create (or (gt (int .Values.deployment.replicaCount) 1) .Values.hpa.create) }}
# NOTE(review): policy/v1beta1 is not served on Kubernetes 1.25 and later;
# those clusters need policy/v1.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ include "mysql.fullname" . }}-pdb
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "mysql.selectorLabels" . | nindent 6 }}
  minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
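{{- /*
Pod security policy for the MySQL pod. Rendered only when .Values.psp.create
is set.
*/ -}}
{{- if .Values.psp.create }}
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; newer
# clusters need Pod Security Admission or a policy engine instead.
apiVersion: {{ include "podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ include "mysql.fullname" . }}-psp
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
spec:
  # Stated explicitly so the policy does not depend on API defaults.
  privileged: false
  # The policy default allows escalation. Pods admitted under this policy
  # must not request allowPrivilegeEscalation: true.
  allowPrivilegeEscalation: false
  # NOTE(review): RunAsAny still permits running as root (UID 0).
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  # Group ranges start at 1, so GID 0 is excluded.
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  # hostPath is not in the list, so pods under this policy cannot mount
  # node directories.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
{{- end }}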
# Claim for the MySQL data directory, served by the chart's storage class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ include "mysql.fullname" . }}-pvc
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
spec:
  storageClassName: {{ include "mysql.fullname" . }}-sc
  resources:
    requests:
      storage: {{ .Values.pvc.storage }}
  # Access modes are taken as a list from values.
  accessModes:
    {{- toYaml .Values.pvc.accessModes | nindent 4 }}
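{{- /*
Service account for the MySQL pod. Rendered only when
.Values.serviceAccount.create is set.
*/ -}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "mysql.fullname" . }}-sa
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
# The Deployment template runs only the mysql container, which makes no
# Kubernetes API calls, so do not mount an API token into it.
automountServiceAccountToken: false
{{- end }}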
# Storage class for the MySQL claim; provisioner and reclaim policy come from
# .Values.sc.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: {{ include "mysql.fullname" . }}-sc
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
reclaimPolicy: {{ .Values.sc.reclaimPolicy }}
provisioner: {{ .Values.sc.provisioner }}
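{{- /*
Service in front of the MySQL pods (TCP 3306).
The original rendered ports only for the NodePort and ClusterIP types, so any
other type (for example LoadBalancer, which NOTES.txt handles) produced a
Service with no ports. The type is now passed through, defaulting to ClusterIP,
and the port block is always rendered.
*/ -}}
{{- $type := .Values.service.type | default "ClusterIP" -}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "mysql.fullname" . }}-svc
  labels:
    {{- include "mysql.labels" . | nindent 4 }}
spec:
  # NOTE(review): NodePort and LoadBalancer make the database reachable from
  # outside the cluster. Prefer ClusterIP unless external access is needed,
  # and restrict sources with a firewall or NetworkPolicy when it is.
  type: {{ $type }}
  selector:
    {{- include "mysql.selectorLabels" . | nindent 4 }}
  ports:
    - name: tcp
      port: 3306
      targetPort: 3306
      {{- if and (eq $type "NodePort") .Values.service.nodePort }}
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}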