欢迎关注我的公众号:
目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:
istio多集群探秘,部署了50次多集群后我得出的结论
istio多集群链路追踪,附实操视频
istio防故障利器,你知道几个,istio新手不要读,太难!
istio业务权限控制,原来可以这么玩
istio实现非侵入压缩,微服务之间如何实现压缩
不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限
不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs
不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了
不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization
不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs
不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs
不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr
不懂envoyfilter也敢说精通istio系列-08-连接池和断路器
不懂envoyfilter也敢说精通istio系列-09-http-route filter
不懂envoyfilter也敢说精通istio系列-network filter-redis proxy
不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager
不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册
学习目标
什么是sidecar
Sidecar描述了sidecar代理的配置,sidecar代理调解与其连接的工作负载的 inbound 和 outbound 通信。 默认情况下,Istio将为网格中的所有Sidecar代理服务,使其具有到达网格中每个工作负载所需的必要配置,并在与工作负载关联的所有端口上接收流量。 Sidecar资源提供了一种的方法,在向工作负载转发流量或从工作负载转发流量时,微调端口集合和代理将接收的协议。 此外,可以限制代理在从工作负载转发 outbound 流量时可以达到的服务集合。
网格中的服务和配置被组织成一个或多个名称空间(例如,Kubernetes名称空间或CF org/space)。 命名空间中的Sidecar资源将应用于同一命名空间中的一个或多个工作负载,由workloadSelector选择。 如果没有workloadSelector,它将应用于同一名称空间中的所有工作负载。 在确定要应用于工作负载的Sidecar资源时,将优先使用通过workloadSelector而选择到此工作负载的的资源,而不是没有任何workloadSelector的资源。
注意:每个命名空间只能有一个没有任何工作负载选择器的Sidecar资源。 如果给定命名空间中存在多个无选择器的Sidecar资源,则系统的行为是不确定的。 如果具有工作负载选择器的两个或多个Sidecar资源选择相同的工作负载,则系统的行为是不确定的。
资源详解
Field
|
Type
|
Description
|
Required
|
workloadSelector |
WorkloadSelector |
Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace. |
No
|
ingress |
IstioIngressListener[] |
Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will automatically configure the sidecar based on the information about the workload obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.
|
No
|
egress |
IstioEgressListener[] |
Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh.
|
Yes
|
outboundTrafficPolicy |
OutboundTrafficPolicy |
This allows to configure the outbound traffic policy. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination. |
No
|
全局有效
sc-default-global.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-system
spec:
ingress:
- port:
number: 9080
protocol: HTTP
name: http
defaultEndpoint: 127.0.0.1:9080
workloadSelector
没有selector
sc-default-istio-ingress.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
spec:
ingress:
- port:
number: 9080
protocol: HTTP
name: http
defaultEndpoint: 127.0.0.1:9080
有selector
sc-productpage-selector.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- port:
number: 9081
protocol: HTTP
name: http
defaultEndpoint: 127.0.0.1:9080
监听端口和目标端口不一致,可用于端口转换
此时service需要添加端口
kubectl edit svc productpage -n istio
- name: http9081
port: 9081
protocol: TCP
targetPort: 9081
修改vs端口
sidecar/vs-bookinfo-hosts-star.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9081
egress
Field
|
Type
|
Description
|
Required
|
port |
Port |
The port associated with the listener. If using Unix domain socket, use 0 as the port number, with a valid protocol. The port if specified, will be used as the default destination port associated with the imported hosts. If the port is omitted, Istio will infer the listener ports based on the imported hosts. Note that when multiple egress listeners are specified, where one or more listeners have specific ports while others have no port, the hosts exposed on a listener port will be based on the listener with the most specific port.
|
No
|
bind |
string |
The IP or the Unix domain socket to which the listener should be bound to. Port MUST be specified if bind is not empty. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If omitted, Istio will automatically configure the defaults based on imported services, the workload instances to which this configuration is applied to and the captureMode. If captureMode is NONE , bind will default to 127.0.0.1. |
No
|
captureMode |
CaptureMode |
When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds. |
No
|
hosts |
string[] |
One or more service hosts exposed by the listener in namespace/dnsName format. Services in the specified namespace matching dnsName will be exposed. The corresponding service can be a service in the service registry (e.g., a Kubernetes or cloud foundry service) or a service specified using a ServiceEntry or VirtualService configuration. Any associated DestinationRule in the same namespace will also be used.The dnsName should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., prod/*.example.com ). Set the dnsName to * to select all services from the specified namespace (e.g., prod/* ).The namespace can be set to * , . , or ~ , representing any, the current, or no namespace, respectively. For example, */foo.example.com selects the service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. If a host is set to */* , Istio will configure the sidecar to be able to reach every service in the mesh that is exported to the sidecar’s namespace. The value ~/* can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.NOTE: Only services and configuration artifacts exported to the sidecar’s namespace (e.g., exportTo value of * ) can be referenced. Private configurations (e.g., exportTo set to . ) will not be available. Refer to the exportTo setting in VirtualService , DestinationRule , and ServiceEntry configurations for details.WARNING: The list of egress hosts in a Sidecar must also include the Mixer control plane services if they are enabled. Envoy will not be able to reach them otherwise. For example, add host istio-system/istio-telemetry.istio-system.svc.cluster.local if telemetry is enabled, istio-system/istio-policy.istio-system.svc.cluster.local if policy is enabled, or add istio-system/* to allow all services in the istio-system namespace. This requirement is temporary and will be removed in a future Istio release. |
Yes
|
port
sc-productpage-egress-port.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind
0.0.0.0
sc-productpage-egress-bind.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 0.0.0.0
目标svc ip
sc-productpage-egress-bind-svc-ip.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 10.68.190.94
captureMode
Name
|
Description
|
DEFAULT |
The default capture mode defined by the environment.
|
IPTABLES |
Capture traffic using IPtables redirection.
|
NONE |
No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.
|
DEFAULT
sc-productpage-egress-captureMode-DEFAULT.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 0.0.0.0
captureMode: DEFAULT
IPTABLES
sc-productpage-egress-captureMode-IPTABLES.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 0.0.0.0
captureMode: IPTABLES
NONE
sc-productpage-egress-captureMode-NONE.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 0.0.0.0
captureMode: NONE
sc-productpage-ingress-captureMode-NONE.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: NONE
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 127.0.0.1
captureMode: NONE
进入和出去流量都不捕获,相当于去掉了sidecar,对这个pod的istio资源将不起作用。
注意mesh配置,允许集群外访问
outboundTrafficPolicy: mode: REGISTRY_ONLY| ALLOW_ANY
hosts
dot
sc-productpage-egress-hosts-dot.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "./*"
semi-star
sc-productpage-egress-hosts-semi-star.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "istio/*"
double-star
sc-productpage-egress-hosts-double-star.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "*/*"
specific
sc-productpage-egress-hosts-specific.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
egress:
- hosts:
- "istio/details.istio.svc.cluster.local"
ingress
Field
|
Type
|
Description
|
Required
|
port |
Port |
The port associated with the listener.
|
Yes
|
bind |
string |
The IP to which the listener should be bound. Must be in the format x.x.x.x . Unix domain socket addresses are not allowed in the bind field for ingress listeners. If omitted, Istio will automatically configure the defaults based on imported services and the workload instances to which this configuration is applied to. |
No
|
captureMode |
CaptureMode |
The captureMode option dictates how traffic to the listener is expected to be captured (or not).
|
No
|
defaultEndpoint |
string |
The loopback IP endpoint or Unix domain socket to which traffic should be forwarded to. This configuration can be used to redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port or Unix domain socket where the application workload instance is listening for connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket |
Yes
|
port
sc-productpage-ingress-port.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: IPTABLES
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
bind
sc-productpage-ingress-bind.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: IPTABLES
bind: 0.0.0.0
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
sc-productpage-ingress-bind-pod-ip.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: IPTABLES
bind: 172.20.1.174
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
bind pod ip
captureMode
Name
|
Description
|
DEFAULT |
The default capture mode defined by the environment.
|
IPTABLES |
Capture traffic using IPtables redirection.
|
NONE |
No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.
|
DEFAULT
sc-productpage-ingress-capture-mode-DEFAULT.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: DEFAULT
bind: 0.0.0.0
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
IPTABLES
sc-productpage-ingress-capture-mode-IPTABLES.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: IPTABLES
bind: 0.0.0.0
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
NONE
sc-productpage-ingress-capture-mode-NONE.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: NONE
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
defaultEndpoint
unix socket
1部署mysqlgateway
kubectl apply -f gateway/gateway-mysql.yaml -n istio
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: mysql
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 3306
name: mysql
protocol: MYSQL
hosts:
- "*"
2部署mysql vs
kubectl apply -f gateway/protocol/vs-mysql.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: mysql
spec:
hosts:
- "*"
gateways:
- mysql
tcp:
- match:
- port: 3306
route:
- destination:
host: mysqldb.istio.svc.cluster.local
port:
number: 3306
3添加svc 端口
kubectl edit svc istio-ingressgateway -n istio-system
3306端口
4部署sidecar
sc-mysql-defaultEndpoint-unix.yaml
当绑定地址是IP时,captureMode选项指示如何劫持(或不劫持)到监听器的流量。 对于Unix domain socket,captureMode必须为DEFAULT或NONE。
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: mysql
spec:
workloadSelector:
labels:
app: mysqldb
ingress:
- bind: 0.0.0.0
port:
number: 3306
protocol: MYSQL
name: mysql
defaultEndpoint: unix:///var/run/mysqld/mysqld.sock
captureMode: NONE
ip -port
sc-productpage-ingerss-defaultEndpoint-ip.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: NONE
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
outboundTrafficPolicy
egressProxy
egressProxy
|
Destination
|
|
Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the sidecar. Valid only if the mode is set to ALLOW_ANY. If not specified when the mode is ALLOW_ANY, the sidecar will send the unknown traffic directly to the IP requested by the application. ** NOTE 1: The specified egress host must be imported in the egress section for the traffic forwarding to work. NOTE 2**: An Envoy based egress gateway is unlikely to be able to handle plain text TCP connections forwarded from the sidecar. Envoy's dynamic forward proxy can handle only HTTP and TLS connections. $hide_from_docs |
|
|
|
|
FIELD
|
TYPE
|
LABEL
|
DESCRIPTION
|
host
|
string
|
|
The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two, will be dropped. Note for Kubernetes users: When short names are used (e.g. “reviews” instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the “default” namespace containing a host “reviews will be interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names. |
subset
|
string
|
|
The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.
|
port
|
PortSelector
|
|
Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port
|
host
sc-productpage-outboundTrafficPolicy-egressProxy-host.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
outboundTrafficPolicy:
egressProxy:
host: "details.istio.svc.cluster.local"
port:
number: 9080
mode: ALLOW_ANY
port
sc-productpage-outboundTrafficPolicy-egressProxy-port.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
outboundTrafficPolicy:
egressProxy:
host: "details.istio.svc.cluster.local"
port:
number: 9080
mode: ALLOW_ANY
subset
sc-productpage-outboundTrafficPolicy-egressProxy-subset.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
outboundTrafficPolicy:
egressProxy:
host: "details.istio.svc.cluster.local"
port:
number: 9080
subset: v1
mode: ALLOW_ANY
mode
Name
|
Description
|
REGISTRY_ONLY |
Outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntry configurations. |
ALLOW_ANY |
Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntry configurations for the destination port. |
REGISTRY_ONLY
sc-productpage-outboundTrafficPolicy-mode-REGISTRY_ONLY.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
outboundTrafficPolicy:
mode: REGISTRY_ONLY
ALLOW_ANY
sc-productpage-outboundTrafficPolicy-mode-ALLOW_ANY.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
outboundTrafficPolicy:
mode: ALLOW_ANY
组合应用
sc-productpage-complex.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: NONE
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 127.0.0.1
captureMode: NONE
outboundTrafficPolicy:
mode: REGISTRY_ONLY
outbound将不能访问
sc-productpage-complex-02.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: NONE
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 127.0.0.1
captureMode: NONE
outboundTrafficPolicy:
mode: ALLOW_ANY
可以访问outbound
sc-productpage-complex-03.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: productpage
spec:
workloadSelector:
labels:
app: productpage
ingress:
- captureMode: NONE
defaultEndpoint: 127.0.0.1:9080
port:
number: 9080
protocol: HTTP
name: http
egress:
- hosts:
- "./*"
port:
number: 9080
protocol: HTTP
name: egresshttp
bind: 127.0.0.1
captureMode: NONE
outboundTrafficPolicy:
mode: ALLOW_ANY
egressProxy:
host: "details.istio.svc.cluster.local"
port:
number: 9080
subset: v1
只有detail outbound能访问
egress_proxy must be set only with ALLOW_ANY outbound_traffic_policy mode
使用ServiceEntry
1进入pod访问www.baidu.com
kubectl exec -it sleep-557747455f-ft9bs -n istio -- /bin/sh
curl www.baidu.com
可以访问
2部署sidecar
sc-sleep-REGISTRY_ONLY.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: sleep
spec:
workloadSelector:
labels:
app: sleep
outboundTrafficPolicy:
mode: REGISTRY_ONLY
3在访问www.baidu.com
不能访问
4部署serviceentry
serviceentries/se-baidu.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: baidu
spec:
hosts:
- "www.baidu.com"
ports:
- number: 80
name: http
protocol: HTTP
location: MESH_EXTERNAL
resolution: DNS
5再访问www.baidu.com
可以访问