初时istio服务网格(3)

2023年 7月 15日 53.1k 0

网格中有很多service,sidecar就会看到很多egerss listeners通过正向代理来确保pod访问之外服务的时候是通过sidecar来代理,ingress是来接受外部访问内部的,但这并不多,该pod被后端端点的service 的端口所属的服务会在该pod的sidecar生成ingress listeners,通过ingress反向代理完成访问

如: istio-system和被打上标签的名称空间,这两个名称空间下的service会被发现并转换成sidecar的envoy的网格内配置,经过网格的流量转化为sidecar转发。而service主要被istio用于服务发现服务而存在的

sidecar通过VirtualService来管理的,流量到达sidecar后被拦截且重定向到一个统一的端口,所有出去的流量也会被在该pod被iptables拦截重定向到这个唯一的端口,分别是15001和15006的虚拟端口,这个过程会生成很多iptables规则,这个功能就称为流量拦截,拦截后被交给eneoy作为正向或者反向代理

此前的prox-status能看到配置下发的状态

PS C:\Users\usert> istioctl.exe proxy-status
NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                      VERSION
details-v1-6d89cf9847-46c4z.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
istio-egressgateway-65b46d7874-xdjkr.istio-system      Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
istio-ingressgateway-559d4ffc58-7rgft.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
marksugar.java-demo                                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
productpage-v1-f44fc594c-fmrf4.java-demo               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
ratings-v1-6c77b94555-twmls.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
reviews-v1-765697d479-tbprw.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
reviews-v2-86855c588b-sm6w2.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
reviews-v3-6ff967c97f-g6x8b.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
sleep-557747455f-46jf5.java-demo                       Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1

proxy-config能查看对应pod之上sidecar的配置信息,这比config_dump查看的要直观

3.1 查看listeners

查看marksugar之上的listeners

istioctl -n java-demo proxy-config listeners marksugar

查看marksugar之上sidecar的listeners,默认是格式化后的格式展示

PS C:\Users\usert> istioctl.exe proxy-config listeners marksugar.java-demo
ADDRESS        PORT  MATCH                                                                    DESTINATION
10.96.0.10     53    ALL                                                                      Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0        80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: 80
0.0.0.0        80    ALL                                                                      PassthroughCluster
10.104.119.238 80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: skywalking-ui.skywalking.svc.cluster.local:80
10.104.119.238 80    ALL                                                                      Cluster: outbound|80||skywalking-ui.skywalking.svc.cluster.local
10.104.18.194  80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: web-nginx.test.svc.cluster.local:80
10.104.18.194  80    ALL                                                                      Cluster: outbound|80||web-nginx.test.svc.cluster.local
10.107.112.228 80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: marksugar.java-demo.svc.cluster.local:80
10.107.112.228 80    ALL                                                                      Cluster: outbound|80||marksugar.java-demo.svc.cluster.local
10.102.45.140  443   ALL                                                                      Cluster: outbound|443||ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local
10.107.160.181 443   ALL                                                                      Cluster: outbound|443||metrics-server.kube-system.svc.cluster.local
10.109.235.93  443   ALL                                                                      Cluster: outbound|443||prometheus-adapter.monitoring.svc.cluster.local
10.96.0.1      443   ALL                                                                      Cluster: outbound|443||kubernetes.default.svc.cluster.local
........

对于每一个网格内的服务都会有两个listeners,一个向外outbound,一个向内的Route

对于这些,我们针对性进行--port过滤查看

istioctl -n java-demo proxy-config listeners marksugar --port 80
PS C:\Users\usert> istioctl.exe -n java-demo proxy-config listeners marksugar --port 80
ADDRESS        PORT MATCH                                DESTINATION
0.0.0.0        80   Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0        80   ALL                                  PassthroughCluster
10.104.119.238 80   Trans: raw_buffer; App: http/1.1,h2c Route: skywalking-ui.skywalking.svc.cluster.local:80
10.104.119.238 80   ALL                                  Cluster: outbound|80||skywalking-ui.skywalking.svc.cluster.local
10.104.18.194  80   Trans: raw_buffer; App: http/1.1,h2c Route: web-nginx.test.svc.cluster.local:80
10.104.18.194  80   ALL                                  Cluster: outbound|80||web-nginx.test.svc.cluster.local
10.107.112.228 80   Trans: raw_buffer; App: http/1.1,h2c Route: marksugar.java-demo.svc.cluster.local:80
10.107.112.228 80   ALL                                  Cluster: outbound|80||marksugar.java-demo.svc.cluster.local

在或者添加ip过滤 --address

istioctl -n java-demo proxy-config listeners marksugar --port 80 --address 10.104.119.238
PS C:\Users\usert> istioctl.exe -n java-demo proxy-config listeners marksugar --port 80 --address 10.104.119.238
ADDRESS        PORT MATCH                                DESTINATION
10.104.119.238 80   Trans: raw_buffer; App: http/1.1,h2c Route: skywalking-ui.skywalking.svc.cluster.local:80
10.104.119.238 80   ALL                                  Cluster: outbound|80||skywalking-ui.skywalking.svc.cluster.local

如果需要查看更详细的配置需要在后添加-o yaml,其他参考--help

3.2 查看routes

  • 当路由进入侦听器后,路由的匹配规则是先匹配虚拟主机,而后在虚拟主机内部匹配流量匹配路由条件MATCH
istioctl -n java-demo proxy-config routes marksugar

过滤80

istioctl -n java-demo proxy-config routes marksugar --name 80
  • 匹配DOMAINS
  • 匹配MATCH
  • 路由目标VIRTUAL SERVICE

没有显示VIRTUAL SERVICE会被路由到DOMAINS到后端端点

PS C:\Users\usert> istioctl.exe -n java-demo proxy-config routes marksugar --name 80
NAME     DOMAINS                                             MATCH     VIRTUAL SERVICE
80       argocd-server.argocd, 10.98.127.60                  /*
80       details.java-demo.svc.cluster.local                 /*        details.java-demo
80       dpment-a, dpment-a.java-demo + 1 more...            /*
80       dpment-b, dpment-b.java-demo + 1 more...            /*
80       dpment, dpment.java-demo + 1 more...                /*        dpment.java-demo
80       dpment, dpment.java-demo + 1 more...                /*        dpment.java-demo
80       istio-egressgateway.istio-system, 10.97.213.128     /*
80       istio-ingressgateway.istio-system, 10.97.154.56     /*
80       kuboard.kube-system, 10.97.104.136                  /*
80       marksugar, marksugar.java-demo + 1 more...          /*
80       productpage.java-demo.svc.cluster.local             /*        productpage.java-demo
80       ratings.java-demo.svc.cluster.local                 /*        ratings.java-demo
80       reviews.java-demo.svc.cluster.local                 /*        reviews.java-demo
80       skywalking-ui.skywalking, 10.104.119.238            /*
80       sleep, sleep.java-demo + 1 more...                  /*
80       tracing.istio-system, 10.104.76.74                  /*
80       web-nginx.test, 10.104.18.194                       /*

其他参考--help

3.3 查看cluster

查看

istioctl.exe -n java-demo proxy-config cluster marksugar

过滤端口

istioctl -n java-demo proxy-config cluster marksugar --port 80

inbound为入站侦听器,outbound为出站

PS C:\Users\usert> istioctl.exe -n java-demo proxy-config cluster marksugar --port 80
SERVICE FQDN                                            PORT     SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                                        80       -          inbound       ORIGINAL_DST
argocd-server.argocd.svc.cluster.local                  80       -          outbound      EDS
dpment-a.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment-b.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment.java-demo.svc.cluster.local                      80       -          outbound      EDS
istio-egressgateway.istio-system.svc.cluster.local      80       -          outbound      EDS
istio-ingressgateway.istio-system.svc.cluster.local     80       -          outbound      EDS
kuboard.kube-system.svc.cluster.local                   80       -          outbound      EDS
marksugar.java-demo.svc.cluster.local                   80       -          outbound      EDS
skywalking-ui.skywalking.svc.cluster.local              80       -          outbound      EDS
sleep.java-demo.svc.cluster.local                       80       -          outbound      EDS
tracing.istio-system.svc.cluster.local                  80       -          outbound      EDS
web-nginx.test.svc.cluster.local                        80       -          outbound      EDS

除此之外可以使用 --direction查看特定方向的详情,其他参考--help

 istioctl.exe -n java-demo proxy-config cluster marksugar --port 80  --direction inbound

3.4 查看endpoints

对于集群而言还可以看endpoints

使用 --port 80过滤80端口

PS C:\Users\usert> istioctl.exe -n java-demo proxy-config endpoints marksugar --port 80
ENDPOINT             STATUS      OUTLIER CHECK     CLUSTER
130.130.0.106:80     HEALTHY     OK                outbound|80||marksugar.java-demo.svc.cluster.local
130.130.0.12:80      HEALTHY     OK                outbound|80||kuboard.kube-system.svc.cluster.local
130.130.0.16:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.0.17:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.0.18:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.1.103:80     HEALTHY     OK                outbound|80||sleep.java-demo.svc.cluster.local
130.130.1.60:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.1.61:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local

如果要查看所有的信息,使用all即可

istioctl -n java-demo proxy-config all marksugar --port 80
PS C:\Users\usert> istioctl.exe -n java-demo proxy-config all marksugar --port 80
SERVICE FQDN                                            PORT     SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                                        80       -          inbound       ORIGINAL_DST
argocd-server.argocd.svc.cluster.local                  80       -          outbound      EDS
dpment-a.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment-b.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment.java-demo.svc.cluster.local                      80       -          outbound      EDS
nginx.test.svc.cluster.local
...........
10.107.112.228 80   Trans: raw_buffer; App: http/1.1,h2c Route: marksugar.java-demo.svc.cluster.local:80
10.107.112.228 80   ALL                                  Cluster: outbound|80||marksugar.java-
..............
RESOURCE NAME     TYPE           STATUS     VALID CERT     SERIAL NUMBER                               NOT AFTER                NOT BEFORE
default           Cert Chain     ACTIVE     true           102059676829591632788425320896870277908     2022-07-27T21:03:04Z     2022-07-26T21:01:04Z
ROOTCA            CA             ACTIVE     true           301822650017575269000203210584654904630     2032-07-11T02:27:37Z     2022-07-14T02:27:37Z

3.5 查看bootstrap

有很多配置是之后加载的,而bootstrap是启动的基础配置

istioctl -n java-demo proxy-config bootstrap marksugar

相关文章

LeaferJS 1.0 重磅发布:强悍的前端 Canvas 渲染引擎
10分钟搞定支持通配符的永久有效免费HTTPS证书
300 多个 Microsoft Excel 快捷方式
一步步配置基于kubeadmin的kubevip高可用
istio全链路传递cookie和header灰度
REST Web 服务版本控制

发布评论