Getting to Know the Istio Service Mesh (3)

July 15, 2023

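A mesh contains many services, so each sidecar sees many egress listeners. These act as a forward proxy and ensure that when the pod accesses other services, the traffic is proxied through the sidecar. Ingress listeners accept traffic coming from outside into the pod, but there are not many of them: for each service port that this pod backs as a backend endpoint, the owning service generates an ingress listener on the pod's sidecar, and access is completed through the ingress reverse proxy.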

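For example: istio-system and the namespace that has been labeled. Services in these two namespaces are discovered and converted into in-mesh configuration for the sidecar's Envoy, and traffic passing through the mesh is forwarded by the sidecar. Services exist mainly so that Istio can use them for service discovery.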

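The sidecar is managed through VirtualService. Traffic that reaches the sidecar is intercepted and redirected to one unified port, and all outgoing traffic is likewise intercepted by iptables in the pod and redirected to a single port. These are the virtual ports 15001 and 15006. The process generates many iptables rules. This feature is called traffic interception; once intercepted, the traffic is handed to Envoy, which acts as a forward or reverse proxy.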

The proxy-status command used earlier shows the status of configuration distribution

PS C:\Users\usert> istioctl.exe proxy-status
NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                      VERSION
details-v1-6d89cf9847-46c4z.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
istio-egressgateway-65b46d7874-xdjkr.istio-system      Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
istio-ingressgateway-559d4ffc58-7rgft.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
marksugar.java-demo                                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
productpage-v1-f44fc594c-fmrf4.java-demo               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
ratings-v1-6c77b94555-twmls.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
reviews-v1-765697d479-tbprw.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
reviews-v2-86855c588b-sm6w2.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
reviews-v3-6ff967c97f-g6x8b.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
sleep-557747455f-46jf5.java-demo                       Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
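A proxy that has not acknowledged its latest push may still be applying older routing, so the table above is worth checking mechanically. The following is an added example, not part of the original post: it parses the proxy-status column layout shown above and reports proxies whose xDS state is neither SYNCED nor NOT SENT. The function names are hypothetical, and the third sample row (a STALE proxy) is constructed.

```python
import re

# Constructed sample in the `istioctl proxy-status` layout shown above.
# The first two rows are copied from the page; the third is a made-up proxy
# whose LDS/RDS pushes were sent but never acknowledged (STALE).
SAMPLE = """\
NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                      VERSION
details-v1-6d89cf9847-46c4z.java-demo                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
istio-egressgateway-65b46d7874-xdjkr.istio-system      Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
example-stale-0000000000-aaaaa.java-demo               Kubernetes     SYNCED     STALE      SYNCED     STALE        NOT SENT     istiod-8689fcd796-mqd8n     1.14.1
"""

XDS = ("CDS", "LDS", "EDS", "RDS", "ECDS")
HEALTHY = {"SYNCED", "NOT SENT"}  # NOT SENT: istiod had nothing to push for that type

def parse_table(text):
    """Split the table into dicts; columns are separated by two or more spaces."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows

def out_of_sync(rows):
    """Map proxy name -> xDS types whose state is neither SYNCED nor NOT SENT."""
    bad = {}
    for row in rows:
        types = [t for t in XDS if row[t] not in HEALTHY]
        if types:
            bad[row["NAME"]] = types
    return bad

def version_skew(rows):
    """Return the set of proxy versions; more than one means mixed sidecars."""
    return {row["VERSION"] for row in rows}

if __name__ == "__main__":
    rows = parse_table(SAMPLE)
    for name, types in out_of_sync(rows).items():
        print(f"{name}: not acknowledged: {', '.join(types)}")
    print("proxy versions:", sorted(version_skew(rows)))
```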

proxy-config shows the configuration of the sidecar on a given pod, and it is easier to read than the output of config_dump

3.1 Viewing listeners

View the listeners on marksugar

istioctl -n java-demo proxy-config listeners marksugar

View the listeners of the sidecar on marksugar; by default the output is shown in a formatted layout

PS C:\Users\usert> istioctl.exe proxy-config listeners marksugar.java-demo
ADDRESS        PORT  MATCH                                                                    DESTINATION
10.96.0.10     53    ALL                                                                      Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0        80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: 80
0.0.0.0        80    ALL                                                                      PassthroughCluster
10.104.119.238 80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: skywalking-ui.skywalking.svc.cluster.local:80
10.104.119.238 80    ALL                                                                      Cluster: outbound|80||skywalking-ui.skywalking.svc.cluster.local
10.104.18.194  80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: web-nginx.test.svc.cluster.local:80
10.104.18.194  80    ALL                                                                      Cluster: outbound|80||web-nginx.test.svc.cluster.local
10.107.112.228 80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: marksugar.java-demo.svc.cluster.local:80
10.107.112.228 80    ALL                                                                      Cluster: outbound|80||marksugar.java-demo.svc.cluster.local
10.102.45.140  443   ALL                                                                      Cluster: outbound|443||ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local
10.107.160.181 443   ALL                                                                      Cluster: outbound|443||metrics-server.kube-system.svc.cluster.local
10.109.235.93  443   ALL                                                                      Cluster: outbound|443||prometheus-adapter.monitoring.svc.cluster.local
10.96.0.1      443   ALL                                                                      Cluster: outbound|443||kubernetes.default.svc.cluster.local
........

Every service in the mesh has two listeners: one facing outward, outbound, and one facing inward, Route

To narrow these down, filter with --port

istioctl -n java-demo proxy-config listeners marksugar --port 80
PS C:\Users\usert> istioctl.exe -n java-demo proxy-config listeners marksugar --port 80
ADDRESS        PORT MATCH                                DESTINATION
0.0.0.0        80   Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0        80   ALL                                  PassthroughCluster
10.104.119.238 80   Trans: raw_buffer; App: http/1.1,h2c Route: skywalking-ui.skywalking.svc.cluster.local:80
10.104.119.238 80   ALL                                  Cluster: outbound|80||skywalking-ui.skywalking.svc.cluster.local
10.104.18.194  80   Trans: raw_buffer; App: http/1.1,h2c Route: web-nginx.test.svc.cluster.local:80
10.104.18.194  80   ALL                                  Cluster: outbound|80||web-nginx.test.svc.cluster.local
10.107.112.228 80   Trans: raw_buffer; App: http/1.1,h2c Route: marksugar.java-demo.svc.cluster.local:80
10.107.112.228 80   ALL                                  Cluster: outbound|80||marksugar.java-demo.svc.cluster.local

Or add an IP filter with --address

istioctl -n java-demo proxy-config listeners marksugar --port 80 --address 10.104.119.238
PS C:\Users\usert> istioctl.exe -n java-demo proxy-config listeners marksugar --port 80 --address 10.104.119.238
ADDRESS        PORT MATCH                                DESTINATION
10.104.119.238 80   Trans: raw_buffer; App: http/1.1,h2c Route: skywalking-ui.skywalking.svc.cluster.local:80
10.104.119.238 80   ALL                                  Cluster: outbound|80||skywalking-ui.skywalking.svc.cluster.local

To see the configuration in more detail, append -o yaml; for everything else, see --help

3.2 Viewing routes

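  • Once traffic has entered a listener, route matching first matches the virtual host, and then, inside that virtual host, matches the traffic against the route condition MATCH

istioctl -n java-demo proxy-config routes marksugar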

Filter on 80

istioctl -n java-demo proxy-config routes marksugar --name 80

  • Match DOMAINS
  • Match MATCH
  • Route target VIRTUAL SERVICE

Rows that show no VIRTUAL SERVICE are routed to the backend endpoints of their DOMAINS

PS C:\Users\usert> istioctl.exe -n java-demo proxy-config routes marksugar --name 80
NAME     DOMAINS                                             MATCH     VIRTUAL SERVICE
80       argocd-server.argocd, 10.98.127.60                  /*
80       details.java-demo.svc.cluster.local                 /*        details.java-demo
80       dpment-a, dpment-a.java-demo + 1 more...            /*
80       dpment-b, dpment-b.java-demo + 1 more...            /*
80       dpment, dpment.java-demo + 1 more...                /*        dpment.java-demo
80       dpment, dpment.java-demo + 1 more...                /*        dpment.java-demo
80       istio-egressgateway.istio-system, 10.97.213.128     /*
80       istio-ingressgateway.istio-system, 10.97.154.56     /*
80       kuboard.kube-system, 10.97.104.136                  /*
80       marksugar, marksugar.java-demo + 1 more...          /*
80       productpage.java-demo.svc.cluster.local             /*        productpage.java-demo
80       ratings.java-demo.svc.cluster.local                 /*        ratings.java-demo
80       reviews.java-demo.svc.cluster.local                 /*        reviews.java-demo
80       skywalking-ui.skywalking, 10.104.119.238            /*
80       sleep, sleep.java-demo + 1 more...                  /*
80       tracing.istio-system, 10.104.76.74                  /*
80       web-nginx.test, 10.104.18.194                       /*

For everything else, see --help
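The two-stage lookup described in this section (virtual host by DOMAINS, then MATCH, then the VIRTUAL SERVICE column), as an added example that is not part of the original post. The function names are hypothetical; the sample rows are copied from the output above; domain matching is exact only, and a trailing "*" in MATCH is assumed to mean a prefix match.

```python
import re

# Constructed sample: rows copied from the `proxy-config routes --name 80` output above.
SAMPLE = """\
NAME     DOMAINS                                             MATCH     VIRTUAL SERVICE
80       argocd-server.argocd, 10.98.127.60                  /*
80       details.java-demo.svc.cluster.local                 /*        details.java-demo
80       marksugar, marksugar.java-demo + 1 more...          /*
80       reviews.java-demo.svc.cluster.local                 /*        reviews.java-demo
"""

def parse_routes(text):
    """Parse the table; virtual_service is None when that column is blank."""
    routes = []
    for line in text.splitlines()[1:]:
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) < 3:
            continue
        # The table truncates long domain lists ("+ 1 more..."); keep what is shown.
        domains = re.sub(r"\s*\+ \d+ more\.\.\.$", "", cells[1]).split(", ")
        routes.append({"domains": domains, "match": cells[2],
                       "virtual_service": cells[3] if len(cells) > 3 else None})
    return routes

def path_matches(match, path):
    # Assumption: trailing "*" means prefix match, anything else is an exact path.
    return path.startswith(match[:-1]) if match.endswith("*") else path == match

def resolve(routes, host, path):
    """Stage 1: pick the virtual host by Host header. Stage 2: apply MATCH."""
    host = host.lower().split(":")[0]
    for r in routes:
        if host in r["domains"] and path_matches(r["match"], path):
            return r
    return None

def without_virtual_service(routes):
    """Virtual hosts that fall through to the service's own backend endpoints."""
    return [r["domains"][0] for r in routes if r["virtual_service"] is None]
```

Because the table hides some domains behind "+ 1 more...", a lookup on a hidden name returns None here; the -o yaml output mentioned in 3.1 lists every domain.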

3.3 Viewing clusters

View

istioctl.exe -n java-demo proxy-config cluster marksugar

Filter by port

istioctl -n java-demo proxy-config cluster marksugar --port 80

inbound denotes the inbound listener, outbound denotes outbound

PS C:\Users\usert> istioctl.exe -n java-demo proxy-config cluster marksugar --port 80
SERVICE FQDN                                            PORT     SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                                        80       -          inbound       ORIGINAL_DST
argocd-server.argocd.svc.cluster.local                  80       -          outbound      EDS
dpment-a.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment-b.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment.java-demo.svc.cluster.local                      80       -          outbound      EDS
istio-egressgateway.istio-system.svc.cluster.local      80       -          outbound      EDS
istio-ingressgateway.istio-system.svc.cluster.local     80       -          outbound      EDS
kuboard.kube-system.svc.cluster.local                   80       -          outbound      EDS
marksugar.java-demo.svc.cluster.local                   80       -          outbound      EDS
skywalking-ui.skywalking.svc.cluster.local              80       -          outbound      EDS
sleep.java-demo.svc.cluster.local                       80       -          outbound      EDS
tracing.istio-system.svc.cluster.local                  80       -          outbound      EDS
web-nginx.test.svc.cluster.local                        80       -          outbound      EDS

In addition, --direction shows the details for one specific direction; for everything else, see --help

 istioctl.exe -n java-demo proxy-config cluster marksugar --port 80  --direction inbound

3.4 Viewing endpoints

For clusters, you can also look at the endpoints

Use --port 80 to filter on port 80

PS C:\Users\usert> istioctl.exe -n java-demo proxy-config endpoints marksugar --port 80
ENDPOINT             STATUS      OUTLIER CHECK     CLUSTER
130.130.0.106:80     HEALTHY     OK                outbound|80||marksugar.java-demo.svc.cluster.local
130.130.0.12:80      HEALTHY     OK                outbound|80||kuboard.kube-system.svc.cluster.local
130.130.0.16:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.0.17:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.0.18:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.1.103:80     HEALTHY     OK                outbound|80||sleep.java-demo.svc.cluster.local
130.130.1.60:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local
130.130.1.61:80      HEALTHY     OK                outbound|80||web-nginx.test.svc.cluster.local

To view all of the information at once, use all

istioctl -n java-demo proxy-config all marksugar --port 80
PS C:\Users\usert> istioctl.exe -n java-demo proxy-config all marksugar --port 80
SERVICE FQDN                                            PORT     SUBSET     DIRECTION     TYPE             DESTINATION RULE
                                                        80       -          inbound       ORIGINAL_DST
argocd-server.argocd.svc.cluster.local                  80       -          outbound      EDS
dpment-a.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment-b.java-demo.svc.cluster.local                    80       -          outbound      EDS
dpment.java-demo.svc.cluster.local                      80       -          outbound      EDS
nginx.test.svc.cluster.local
...........
10.107.112.228 80   Trans: raw_buffer; App: http/1.1,h2c Route: marksugar.java-demo.svc.cluster.local:80
10.107.112.228 80   ALL                                  Cluster: outbound|80||marksugar.java-
..............
RESOURCE NAME     TYPE           STATUS     VALID CERT     SERIAL NUMBER                               NOT AFTER                NOT BEFORE
default           Cert Chain     ACTIVE     true           102059676829591632788425320896870277908     2022-07-27T21:03:04Z     2022-07-26T21:01:04Z
ROOTCA            CA             ACTIVE     true           301822650017575269000203210584654904630     2032-07-11T02:27:37Z     2022-07-14T02:27:37Z

3.5 Viewing bootstrap

Much of the configuration is loaded later, whereas bootstrap is the base configuration used at startup

istioctl -n java-demo proxy-config bootstrap marksugar
