Common Istio Commands

istioctl help

# istioctl --help
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.

Usage:
  istioctl [command]

Available Commands:
  admin                Manage control plane (istiod) configuration
  analyze              Analyze Istio configuration and print validation messages
  authz                (authz is experimental. Use `istioctl experimental authz`)
  bug-report           Cluster information and log capture support tool.
  completion           Generate the autocompletion script for the specified shell
  create-remote-secret Create a secret with credentials to allow Istio to access remote Kubernetes apiservers
  dashboard            Access to Istio web UIs
  experimental         Experimental commands that may be modified or deprecated
  help                 Help about any command
  install              Applies an Istio manifest, installing or reconfiguring Istio on a cluster.
  kube-inject          Inject Istio sidecar into Kubernetes pod resources
  manifest             Commands related to Istio manifests
  operator             Commands related to Istio operator controller.
  profile              Commands related to Istio configuration profiles
  proxy-config         Retrieve information about proxy configuration from Envoy [kube only]
  proxy-status         Retrieves the synchronization status of each Envoy in the mesh [kube only]
  remote-clusters      Lists the remote clusters each istiod instance is connected to.
  tag                  Command group used to interact with revision tags
  uninstall            Uninstall Istio from a cluster
  upgrade              Upgrade Istio control plane in-place
  validate             Validate Istio policy and rules files
  verify-install       Verifies Istio Installation Status
  version              Prints out build version information

Flags:
      --context string          The name of the kubeconfig context to use
  -h, --help                    help for istioctl
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

Additional help topics:
  istioctl options                           Displays istioctl global options

Use "istioctl [command] --help" for more information about a command.

View Istio's built-in profiles

# istioctl profile --help
The profile command lists, dumps or diffs Istio configuration profiles.

Usage:
  istioctl profile [command]

Examples:
istioctl profile list
istioctl install --set profile=demo  # Use a profile from the list

Available Commands:
  diff        Diffs two Istio configuration profiles
  dump        Dumps an Istio configuration profile
  list        Lists available Istio configuration profiles

Flags:
      --dry-run   Console/log output only, make no changes.
  -h, --help      help for profile

Global Flags:
      --context string      The name of the kubeconfig context to use
  -c, --kubeconfig string   Kubernetes configuration file
      --vklog Level         number for the log level verbosity. Like -v flag. ex: --vklog=9

Use "istioctl profile [command] --help" for more information about a command.

Usage example 1

# istioctl profile list
Istio configuration profiles:
    default
    demo
    empty
    external
    minimal
    openshift
    preview

Usage example 2

# istioctl profile dump demo
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    base:
      enabled: true
    cni:
      enabled: false
    egressGateways:
    - enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
      name: istio-egressgateway
    ingressGateways:
    - enabled: true
      k8s:
        resources:
          requests:
            cpu: 10m
            memory: 40Mi
        service:
          ports:
          - name: status-port
            port: 15021
            targetPort: 15021
          - name: http2
            port: 80
            targetPort: 8080
          - name: https
            port: 443
            targetPort: 8443
          - name: tcp
            port: 31400
            targetPort: 31400
          - name: tls
            port: 15443
            targetPort: 15443
      name: istio-ingressgateway
    istiodRemote:
      enabled: false
    pilot:
      enabled: true
      k8s:
        env:
        - name: PILOT_TRACE_SAMPLING
          value: "100"
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
  hub: docker.io/istio
  meshConfig:
    accessLogFile: /dev/stdout
    defaultConfig:
      proxyMetadata: {}
    enablePrometheusMerge: true
    extensionProviders:
    - envoyOtelAls:
        port: 4317
        service: opentelemetry-collector.istio-system.svc.cluster.local
      name: otel
  profile: demo
  tag: 1.15.2
  values:
    base:
      enableCRDTemplates: false
      validationURL: ""
    defaultRevision: ""
    gateways:
      istio-egressgateway:
        autoscaleEnabled: false
        env: {}
        name: istio-egressgateway
        secretVolumes:
        - mountPath: /etc/istio/egressgateway-certs
          name: egressgateway-certs
          secretName: istio-egressgateway-certs
        - mountPath: /etc/istio/egressgateway-ca-certs
          name: egressgateway-ca-certs
          secretName: istio-egressgateway-ca-certs
        type: ClusterIP
      istio-ingressgateway:
        autoscaleEnabled: false
        env: {}
        name: istio-ingressgateway
        secretVolumes:
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          secretName: istio-ingressgateway-certs
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          secretName: istio-ingressgateway-ca-certs
        type: LoadBalancer
    global:
      configValidation: true
      defaultNodeSelector: {}
      defaultPodDisruptionBudget:
        enabled: true
      defaultResources:
        requests:
          cpu: 10m
      imagePullPolicy: ""
      imagePullSecrets: []
      istioNamespace: istio-system
      istiod:
        enableAnalysis: false
      jwtPolicy: third-party-jwt
      logAsJson: false
      logging:
        level: default:info
      meshNetworks: {}
      mountMtlsCerts: false
      multiCluster:
        clusterName: ""
        enabled: false
      network: ""
      omitSidecarInjectorConfigMap: false
      oneNamespace: false
      operatorManageWebhooks: false
      pilotCertProvider: istiod
      priorityClassName: ""
      proxy:
        autoInject: enabled
        clusterDomain: cluster.local
        componentLogLevel: misc:error
        enableCoreDump: false
        excludeIPRanges: ""
        excludeInboundPorts: ""
        excludeOutboundPorts: ""
        image: proxyv2
        includeIPRanges: '*'
        logLevel: warning
        privileged: false
        readinessFailureThreshold: 30
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 40Mi
        statusPort: 15020
        tracer: zipkin
      proxy_init:
        image: proxyv2
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 10m
            memory: 10Mi
      sds:
        token:
          aud: istio-ca
      sts:
        servicePort: 0
      tracer:
        datadog: {}
        lightstep: {}
        stackdriver: {}
        zipkin: {}
      useMCP: false
    istiodRemote:
      injectionURL: ""
    pilot:
      autoscaleEnabled: false
      autoscaleMax: 5
      autoscaleMin: 1
      configMap: true
      cpu:
        targetAverageUtilization: 80
      enableProtocolSniffingForInbound: true
      enableProtocolSniffingForOutbound: true
      env: {}
      image: pilot
      keepaliveMaxServerConnectionAge: 30m
      nodeSelector: {}
      podLabels: {}
      replicaCount: 1
      traceSampling: 1
    telemetry:
      enabled: true
      v2:
        enabled: true
        metadataExchange:
          wasmEnabled: false
        prometheus:
          enabled: true
          wasmEnabled: false
        stackdriver:
          configOverride: {}
          enabled: false
          logging: false
          monitoring: false
          topology: false

Generate Kubernetes-format manifests

# istioctl manifest --help
The manifest command generates and diffs Istio manifests.

Usage:
  istioctl manifest [command]

Available Commands:
  diff        Compare manifests and generate diff
  generate    Generates an Istio install manifest
  install     Applies an Istio manifest, installing or reconfiguring Istio on a cluster.

Flags:
      --dry-run   Console/log output only, make no changes.
  -h, --help      help for manifest

Global Flags:
      --context string      The name of the kubeconfig context to use
  -c, --kubeconfig string   Kubernetes configuration file
      --vklog Level         number for the log level verbosity. Like -v flag. ex: --vklog=9

Use "istioctl manifest [command] --help" for more information about a command.

Usage example

# istioctl manifest generate --set profile=demo | kubectl apply -f -

Istio install command format

# istioctl install --help
The install command generates an Istio install manifest and applies it to a cluster.

Usage:
  istioctl install [flags]

Aliases:
  install, apply

Examples:
  # Apply a default Istio installation
  istioctl install

  # Enable Tracing
  istioctl install --set meshConfig.enableTracing=true

  # Generate the demo profile and don't wait for confirmation
  istioctl install --set profile=demo --skip-confirmation

  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"

  # For setting boolean-string option, it should be enclosed quotes and escaped with a backslash (\).
  istioctl install --set meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_VIA_AGENT=\"false\"


Flags:
      --dry-run                      Console/log output only, make no changes.
  -f, --filename strings             Path to file containing IstioOperator custom resource
                                     This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.
      --force                        Proceed even with validation errors.
  -h, --help                         help for install
  -d, --manifests string             Specify a path to a directory of charts and profiles
                                     (e.g. ~/Downloads/istio-1.15.2/manifests)
                                     or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.15.2/istio-1.15.2-linux-amd64.tar.gz).
                                     
      --readiness-timeout duration   Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
  -r, --revision string              Target control plane revision for the command.
  -s, --set stringArray              Override an IstioOperator value, e.g. to choose a profile
                                     (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
                                     settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.15/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
  -y, --skip-confirmation            The skipConfirmation determines whether the user is prompted for confirmation.
                                     If set to true, the user is not prompted and a Yes response is assumed in all cases.
      --verify                       Verify the Istio control plane after installation/in-place upgrade

Global Flags:
      --context string      The name of the kubeconfig context to use
  -c, --kubeconfig string   Kubernetes configuration file
      --vklog Level         number for the log level verbosity. Like -v flag. ex: --vklog=9

View configuration distribution status in the mesh

Command format

~# istioctl proxy-status --help

Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh

Usage:
  istioctl proxy-status [<type>/]<name>[.<namespace>] [flags]

Aliases:
  proxy-status, ps

Examples:
  # Retrieve sync status for all Envoys in a mesh
  istioctl proxy-status

  # Retrieve sync diff for a single Envoy and Istiod
  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system

  # Retrieve sync diff between Istiod and one pod under a deployment
  istioctl proxy-status deployment/productpage-v1

  # Write proxy config-dump to file, and compare to Istio control plane
  kubectl port-forward -n istio-system istio-egressgateway-59585c5b9c-ndc59 15000 &
  curl localhost:15000/config_dump > cd.json
  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system --file cd.json


Flags:
  -f, --file string       Envoy config dump JSON file
  -h, --help              help for proxy-status
  -r, --revision string   Control plane revision

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

Usage example

# istioctl proxy-status
NAME                                                   CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                     
demo.default                                           Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-5456fd558d-7l7xd    
istio-egressgateway-fffc799cf-vt4b7.istio-system       Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-5456fd558d-7l7xd    
istio-ingressgateway-7d68764b55-n2wk8.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-5456fd558d-7l7xd 
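
The table above can be checked mechanically: a proxy whose column reads STALE has been sent an update by istiod but has not acknowledged it, so it may still be running older configuration, security policy included. The script below is an added example, not part of the original post or of Istio. The function names `unsynced_proxies` and `sample_status` and all sample rows are constructed, and the column layout is assumed to match the output shown above.

```shell
#!/bin/sh
# Added example: flag Envoy proxies whose xDS state is not in sync with istiod.
# Input: the short (table) output of `istioctl proxy-status`.

# unsynced_proxies (hypothetical helper name): reads the table on stdin and
# prints "<proxy> <xDS type>=<status>" for every xDS column that is neither
# SYNCED nor NOT SENT. Columns are located by header name, so the CLUSTER and
# ECDS columns may be present or absent.
# Exit status: 0 = all in sync, 1 = at least one finding, 2 = unexpected header.
unsynced_proxies() {
  awk -F'  +' '
    NR == 1 {
      # Map header names to field numbers (fields are split on 2+ spaces,
      # which keeps the two-word status "NOT SENT" in one field).
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("NAME" in col)) { rc = 2; exit }
      next
    }
    NF == 0 || $1 == "" { next }      # skip blank lines
    {
      n = split("CDS LDS EDS RDS ECDS", xds, " ")
      for (k = 1; k <= n; k++) {
        t = xds[k]
        if (!(t in col)) continue      # column not printed by this version
        v = $(col[t])
        if (v ~ /^SYNCED/ || v ~ /^NOT SENT/) continue
        if (v == "") v = "MISSING"
        printf "%s %s=%s\n", $1, t, v
        rc = 1
      }
    }
    END { exit rc + 0 }
  '
}

# Constructed sample input: the header and first row follow the layout shown
# above; the proxy and istiod names are invented for illustration.
sample_status() {
  cat <<'EOF'
NAME                          CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD
demo.default                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-example-1
web-0.shop                    Kubernetes     SYNCED     STALE      SYNCED     STALE        NOT SENT     istiod-example-1
gateway-0.istio-system        Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-example-1
EOF
}

# Demo run on the constructed sample. On a live cluster:
#   istioctl proxy-status | unsynced_proxies
sample_status | unsynced_proxies || echo "some proxies are not in sync"
```

The non-zero exit status makes the check usable as a gate in a deployment pipeline or a scheduled health check.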

View pod configuration

Command format

~# istioctl proxy-config --help
A group of commands used to retrieve information about proxy configuration from the Envoy config dump

Usage:
  istioctl proxy-config [command]

Aliases:
  proxy-config, pc

Examples:
  # Retrieve information about proxy configuration from an Envoy instance.
  istioctl proxy-config <clusters|listeners|routes|endpoints|bootstrap|log|secret> <pod-name[.namespace]>

Available Commands:
  all            Retrieves all configuration for the Envoy in the specified pod
  bootstrap      Retrieves bootstrap configuration for the Envoy in the specified pod
  cluster        Retrieves cluster configuration for the Envoy in the specified pod
  endpoint       Retrieves endpoint configuration for the Envoy in the specified pod
  listener       Retrieves listener configuration for the Envoy in the specified pod
  log            (experimental) Retrieves logging levels of the Envoy in the specified pod
  rootca-compare Compare ROOTCA values for the two given pods
  route          Retrieves route configuration for the Envoy in the specified pod
  secret         Retrieves secret configuration for the Envoy in the specified pod

Flags:
  -h, --help            help for proxy-config
  -o, --output string   Output format: one of json|yaml|short (default "short")

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

Use "istioctl proxy-config [command] --help" for more information about a command.

Usage examples

View the sidecar listeners on a pod

~# istioctl proxy-config listener --help 
Retrieve information about listener configuration for the Envoy instance in the specified pod.

Usage:
  istioctl proxy-config listener [<type>/]<name>[.<namespace>] [flags]

Aliases:
  listener, listeners, l

Examples:
  # Retrieve summary about listener configuration for a given pod from Envoy.
  istioctl proxy-config listeners <pod-name[.namespace]>

  # Retrieve listener summary for listeners with port 9080.
  istioctl proxy-config listeners <pod-name[.namespace]> --port 9080

  # Retrieve full listener dump for HTTP listeners with a wildcard address (0.0.0.0).
  istioctl proxy-config listeners <pod-name[.namespace]> --type HTTP --address 0.0.0.0 -o json

  # Retrieve listener summary without using Kubernetes API
  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
  istioctl proxy-config listeners --file envoy-config.json


Flags:
      --address string   Filter listeners by address field
  -f, --file string      Envoy config dump JSON file
  -h, --help             help for listener
      --port int         Filter listeners by Port field
      --type string      Filter listeners by type field
      --verbose          Output more information (default true)

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
  -o, --output string           Output format: one of json|yaml|short (default "short")
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

~# istioctl proxy-config listener demo
ADDRESS        PORT  MATCH                                                                    DESTINATION
10.100.0.2     53    ALL                                                                      Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0        80    Trans: raw_buffer; App: http/1.1,h2c                                     Route: 80
0.0.0.0        80    ALL                                                                      PassthroughCluster
10.100.0.1     443   ALL                                                                      Cluster: outbound|443||kubernetes.default.svc.cluster.local
10.100.107.86  443   Trans: raw_buffer; App: http/1.1,h2c                                     Route: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local:443
10.100.107.86  443   ALL                                                                      Cluster: outbound|443||kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
10.100.50.155  443   ALL                                                                      Cluster: outbound|443||istiod.istio-system.svc.cluster.local
10.100.63.147  443   ALL                                                                      Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
10.100.86.184  443   ALL                                                                      Cluster: outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.100.196.126 3000  Trans: raw_buffer; App: http/1.1,h2c                                     Route: grafana.istio-system.svc.cluster.local:3000
10.100.196.126 3000  ALL                                                                      Cluster: outbound|3000||grafana.istio-system.svc.cluster.local
10.100.128.238 8000  Trans: raw_buffer; App: http/1.1,h2c                                     Route: dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local:8000
10.100.128.238 8000  ALL                                                                      Cluster: outbound|8000||dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local
0.0.0.0        9090  Trans: raw_buffer; App: http/1.1,h2c                                     Route: 9090
0.0.0.0        9090  ALL                                                                      PassthroughCluster
10.100.0.2     9153  Trans: raw_buffer; App: http/1.1,h2c                                     Route: kube-dns.kube-system.svc.cluster.local:9153
10.100.0.2     9153  ALL                                                                      Cluster: outbound|9153||kube-dns.kube-system.svc.cluster.local
0.0.0.0        9411  Trans: raw_buffer; App: http/1.1,h2c                                     Route: 9411
0.0.0.0        9411  ALL                                                                      PassthroughCluster
10.100.194.250 14250 Trans: raw_buffer; App: http/1.1,h2c                                     Route: jaeger-collector.istio-system.svc.cluster.local:14250
10.100.194.250 14250 ALL                                                                      Cluster: outbound|14250||jaeger-collector.istio-system.svc.cluster.local
10.100.194.250 14268 Trans: raw_buffer; App: http/1.1,h2c                                     Route: jaeger-collector.istio-system.svc.cluster.local:14268
10.100.194.250 14268 ALL                                                                      Cluster: outbound|14268||jaeger-collector.istio-system.svc.cluster.local
0.0.0.0        15001 ALL                                                                      PassthroughCluster
0.0.0.0        15001 Addr: *:15001                                                            Non-HTTP/Non-TCP
0.0.0.0        15006 Addr: *:15006                                                            Non-HTTP/Non-TCP
0.0.0.0        15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0        15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0                    InboundPassthroughClusterIpv4
0.0.0.0        15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0                                InboundPassthroughClusterIpv4
0.0.0.0        15006 Trans: raw_buffer; Addr: 0.0.0.0/0                                       InboundPassthroughClusterIpv4
0.0.0.0        15006 Trans: tls; Addr: 0.0.0.0/0                                              InboundPassthroughClusterIpv4
0.0.0.0        15010 Trans: raw_buffer; App: http/1.1,h2c                                     Route: 15010
0.0.0.0        15010 ALL                                                                      PassthroughCluster
10.100.50.155  15012 ALL                                                                      Cluster: outbound|15012||istiod.istio-system.svc.cluster.local
0.0.0.0        15014 Trans: raw_buffer; App: http/1.1,h2c                                     Route: 15014
0.0.0.0        15014 ALL                                                                      PassthroughCluster
0.0.0.0        15021 ALL                                                                      Inline Route: /healthz/ready*
10.100.63.147  15021 Trans: raw_buffer; App: http/1.1,h2c                                     Route: istio-ingressgateway.istio-system.svc.cluster.local:15021
10.100.63.147  15021 ALL                                                                      Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0        15090 ALL                                                                      Inline Route: /stats/prometheus*
10.100.63.147  15443 ALL                                                                      Cluster: outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0        16685 Trans: raw_buffer; App: http/1.1,h2c                                     Route: 16685
0.0.0.0        16685 ALL                                                                      PassthroughCluster
0.0.0.0        20001 Trans: raw_buffer; App: http/1.1,h2c                                     Route: 20001
0.0.0.0        20001 ALL                                                                      PassthroughCluster
10.100.63.147  31400 ALL                                                                      Cluster: outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local

View pod route information

~# istioctl proxy-config routes --help 
Retrieve information about route configuration for the Envoy instance in the specified pod.

Usage:
  istioctl proxy-config route [<type>/]<name>[.<namespace>] [flags]

Aliases:
  route, routes, r

Examples:
  # Retrieve summary about route configuration for a given pod from Envoy.
  istioctl proxy-config routes <pod-name[.namespace]>

  # Retrieve route summary for route 9080.
  istioctl proxy-config route <pod-name[.namespace]> --name 9080

  # Retrieve full route dump for route 9080
  istioctl proxy-config route <pod-name[.namespace]> --name 9080 -o json

  # Retrieve route summary without using Kubernetes API
  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
  istioctl proxy-config routes --file envoy-config.json


Flags:
  -f, --file string   Envoy config dump JSON file
  -h, --help          help for route
      --name string   Filter listeners by route name field
      --verbose       Output more information (default true)

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
  -o, --output string           Output format: one of json|yaml|short (default "short")
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

~# istioctl proxy-config routes demo
NAME                                                                      DOMAINS                                              MATCH                  VIRTUAL SERVICE
jaeger-collector.istio-system.svc.cluster.local:14268                     *                                                    /*                     
kube-dns.kube-system.svc.cluster.local:9153                               *                                                    /*                     
16685                                                                     tracing.istio-system, 10.100.18.156                  /*                     
grafana.istio-system.svc.cluster.local:3000                               *                                                    /*                     
jaeger-collector.istio-system.svc.cluster.local:14250                     *                                                    /*                     
80                                                                        istio-egressgateway.istio-system, 10.100.86.184      /*                     
80                                                                        istio-ingressgateway.istio-system, 10.100.63.147     /*                     
80                                                                        tracing.istio-system, 10.100.18.156                  /*                     
15010                                                                     istiod.istio-system, 10.100.50.155                   /*                     
kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local:443           *                                                    /*                     
InboundPassthroughClusterIpv4                                             *                                                    /*                     
istio-ingressgateway.istio-system.svc.cluster.local:15021                 *                                                    /*                     
9090                                                                      kiali.istio-system, 10.100.139.46                    /*                     
9090                                                                      prometheus.istio-system, 10.100.127.66               /*                     
20001                                                                     kiali.istio-system, 10.100.139.46                    /*                     
15014                                                                     istiod.istio-system, 10.100.50.155                   /*                     
9411                                                                      jaeger-collector.istio-system, 10.100.194.250        /*                     
9411                                                                      zipkin.istio-system, 10.100.155.241                  /*                     
                                                                          *                                                    /healthz/ready*        
InboundPassthroughClusterIpv4                                             *                                                    /*                     
                                                                          *                                                    /stats/prometheus*     
dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local:8000     *                                                    /*                     

View clusters

~# istioctl proxy-config clusters --help 
Retrieve information about cluster configuration for the Envoy instance in the specified pod.

Usage:
  istioctl proxy-config cluster [<type>/]<name>[.<namespace>] [flags]

Aliases:
  cluster, clusters, c

Examples:
  # Retrieve summary about cluster configuration for a given pod from Envoy.
  istioctl proxy-config clusters <pod-name[.namespace]>

  # Retrieve cluster summary for clusters with port 9080.
  istioctl proxy-config clusters <pod-name[.namespace]> --port 9080

  # Retrieve full cluster dump for clusters that are inbound with a FQDN of details.default.svc.cluster.local.
  istioctl proxy-config clusters <pod-name[.namespace]> --fqdn details.default.svc.cluster.local --direction inbound -o json

  # Retrieve cluster summary without using Kubernetes API
  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
  istioctl proxy-config clusters --file envoy-config.json


Flags:
      --direction string   Filter clusters by Direction field
  -f, --file string        Envoy config dump JSON file
      --fqdn string        Filter clusters by substring of Service FQDN field
  -h, --help               help for cluster
      --port int           Filter clusters by Port field
      --subset string      Filter clusters by substring of Subset field

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
  -o, --output string           Output format: one of json|yaml|short (default "short")
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

~# istioctl proxy-config clusters demo
SERVICE FQDN                                                         PORT      SUBSET     DIRECTION     TYPE             DESTINATION RULE
BlackHoleCluster                                                     -         -          -             STATIC           
InboundPassthroughClusterIpv4                                        -         -          -             ORIGINAL_DST     
PassthroughCluster                                                   -         -          -             ORIGINAL_DST     
agent                                                                -         -          -             STATIC           
dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local     8000      -          outbound      EDS              
grafana.istio-system.svc.cluster.local                               3000      -          outbound      EDS              
istio-egressgateway.istio-system.svc.cluster.local                   80        -          outbound      EDS              
istio-egressgateway.istio-system.svc.cluster.local                   443       -          outbound      EDS              
istio-ingressgateway.istio-system.svc.cluster.local                  80        -          outbound      EDS              
istio-ingressgateway.istio-system.svc.cluster.local                  443       -          outbound      EDS              
istio-ingressgateway.istio-system.svc.cluster.local                  15021     -          outbound      EDS              
istio-ingressgateway.istio-system.svc.cluster.local                  15443     -          outbound      EDS              
istio-ingressgateway.istio-system.svc.cluster.local                  31400     -          outbound      EDS              
istiod.istio-system.svc.cluster.local                                443       -          outbound      EDS              
istiod.istio-system.svc.cluster.local                                15010     -          outbound      EDS              
istiod.istio-system.svc.cluster.local                                15012     -          outbound      EDS              
istiod.istio-system.svc.cluster.local                                15014     -          outbound      EDS              
jaeger-collector.istio-system.svc.cluster.local                      9411      -          outbound      EDS              
jaeger-collector.istio-system.svc.cluster.local                      14250     -          outbound      EDS              
jaeger-collector.istio-system.svc.cluster.local                      14268     -          outbound      EDS              
kiali.istio-system.svc.cluster.local                                 9090      -          outbound      EDS              
kiali.istio-system.svc.cluster.local                                 20001     -          outbound      EDS              
kube-dns.kube-system.svc.cluster.local                               53        -          outbound      EDS              
kube-dns.kube-system.svc.cluster.local                               9153      -          outbound      EDS              
kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local          443       -          outbound      EDS              
kubernetes.default.svc.cluster.local                                 443       -          outbound      EDS              
prometheus.istio-system.svc.cluster.local                            9090      -          outbound      EDS              
prometheus_stats                                                     -         -          -             STATIC           
sds-grpc                                                             -         -          -             STATIC           
tracing.istio-system.svc.cluster.local                               80        -          outbound      EDS              
tracing.istio-system.svc.cluster.local                               16685     -          outbound      EDS              
xds-grpc                                                             -         -          -             STATIC           
zipkin                                                               -         -          -             STRICT_DNS       
zipkin.istio-system.svc.cluster.local                                9411      -          outbound      EDS              

View endpoints

~# istioctl proxy-config endpoints --help 
Retrieve information about endpoint configuration for the Envoy instance in the specified pod.

Usage:
  istioctl proxy-config endpoint [<type>/]<name>[.<namespace>] [flags]

Aliases:
  endpoint, endpoints, ep

Examples:
  # Retrieve full endpoint configuration for a given pod from Envoy.
  istioctl proxy-config endpoint <pod-name[.namespace]>

  # Retrieve endpoint summary for endpoint with port 9080.
  istioctl proxy-config endpoint <pod-name[.namespace]> --port 9080

  # Retrieve full endpoint with a address (172.17.0.2).
  istioctl proxy-config endpoint <pod-name[.namespace]> --address 172.17.0.2 -o json

  # Retrieve full endpoint with a cluster name (outbound|9411||zipkin.istio-system.svc.cluster.local).
  istioctl proxy-config endpoint <pod-name[.namespace]> --cluster "outbound|9411||zipkin.istio-system.svc.cluster.local" -o json
  # Retrieve full endpoint with the status (healthy).
  istioctl proxy-config endpoint <pod-name[.namespace]> --status healthy -ojson

  # Retrieve endpoint summary without using Kubernetes API
  ssh <user@hostname> 'curl localhost:15000/clusters?format=json' > envoy-clusters.json
  istioctl proxy-config endpoints --file envoy-clusters.json


Flags:
      --address string   Filter endpoints by address field
      --cluster string   Filter endpoints by cluster name field
  -f, --file string      Envoy config dump JSON file
  -h, --help             help for endpoint
      --port int         Filter endpoints by Port field
      --status string    Filter endpoints by status field

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
  -o, --output string           Output format: one of json|yaml|short (default "short")
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9
~# istioctl proxy-config endpoints demo
ENDPOINT                                                STATUS      OUTLIER CHECK     CLUSTER
10.100.155.241:9411                                     HEALTHY     OK                zipkin
127.0.0.1:15000                                         HEALTHY     OK                prometheus_stats
127.0.0.1:15020                                         HEALTHY     OK                agent
172.20.154.196:8000                                     HEALTHY     OK                outbound|8000||dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local
172.20.44.207:8080                                      HEALTHY     OK                outbound|80||istio-egressgateway.istio-system.svc.cluster.local
172.20.44.207:8443                                      HEALTHY     OK                outbound|443||istio-egressgateway.istio-system.svc.cluster.local
172.20.44.208:15010                                     HEALTHY     OK                outbound|15010||istiod.istio-system.svc.cluster.local
172.20.44.208:15012                                     HEALTHY     OK                outbound|15012||istiod.istio-system.svc.cluster.local
172.20.44.208:15014                                     HEALTHY     OK                outbound|15014||istiod.istio-system.svc.cluster.local
172.20.44.208:15017                                     HEALTHY     OK                outbound|443||istiod.istio-system.svc.cluster.local
172.20.44.209:3000                                      HEALTHY     OK                outbound|3000||grafana.istio-system.svc.cluster.local
172.20.44.210:8080                                      HEALTHY     OK                outbound|80||istio-ingressgateway.istio-system.svc.cluster.local
172.20.44.210:8443                                      HEALTHY     OK                outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
172.20.44.210:15021                                     HEALTHY     OK                outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
172.20.44.210:15443                                     HEALTHY     OK                outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
172.20.44.210:31400                                     HEALTHY     OK                outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
172.20.44.211:9411                                      HEALTHY     OK                outbound|9411||jaeger-collector.istio-system.svc.cluster.local
172.20.44.211:9411                                      HEALTHY     OK                outbound|9411||zipkin.istio-system.svc.cluster.local
172.20.44.211:14250                                     HEALTHY     OK                outbound|14250||jaeger-collector.istio-system.svc.cluster.local
172.20.44.211:14268                                     HEALTHY     OK                outbound|14268||jaeger-collector.istio-system.svc.cluster.local
172.20.44.211:16685                                     HEALTHY     OK                outbound|16685||tracing.istio-system.svc.cluster.local
172.20.44.211:16686                                     HEALTHY     OK                outbound|80||tracing.istio-system.svc.cluster.local
172.20.89.141:9090                                      HEALTHY     OK                outbound|9090||kiali.istio-system.svc.cluster.local
172.20.89.141:20001                                     HEALTHY     OK                outbound|20001||kiali.istio-system.svc.cluster.local
172.20.89.142:53                                        HEALTHY     OK                outbound|53||kube-dns.kube-system.svc.cluster.local
172.20.89.142:9153                                      HEALTHY     OK                outbound|9153||kube-dns.kube-system.svc.cluster.local
172.20.89.143:9090                                      HEALTHY     OK                outbound|9090||prometheus.istio-system.svc.cluster.local
172.20.89.144:8443                                      HEALTHY     OK                outbound|443||kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
192.168.174.100:6443                                    HEALTHY     OK                outbound|443||kubernetes.default.svc.cluster.local
192.168.174.101:6443                                    HEALTHY     OK                outbound|443||kubernetes.default.svc.cluster.local
192.168.174.102:6443                                    HEALTHY     OK                outbound|443||kubernetes.default.svc.cluster.local
unix://./etc/istio/proxy/XDS                            HEALTHY     OK                xds-grpc
unix://./var/run/secrets/workload-spiffe-uds/socket     HEALTHY     OK                sds-grpc
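
The short output above can be checked mechanically. The following is an added example, not part of the original post: it flags endpoints that are not HEALTHY/OK and lists services whose port in the cluster name (`direction|port|subset|fqdn`) differs from the port the endpoint actually listens on, which matters when writing port-based policies. The function names `ep_audit` and `sample_endpoints` are hypothetical, and the sample rows are constructed from the table above plus one made-up UNHEALTHY row.

```shell
#!/bin/sh
# Constructed sample in the short-output format of
# `istioctl proxy-config endpoints <pod>`; the UNHEALTHY row is made up.
sample_endpoints() {
cat <<'EOF'
ENDPOINT                         STATUS        OUTLIER CHECK     CLUSTER
127.0.0.1:15020                  HEALTHY       OK                agent
172.20.44.208:15017              HEALTHY       OK                outbound|443||istiod.istio-system.svc.cluster.local
172.20.44.211:9411               HEALTHY       OK                outbound|9411||zipkin.istio-system.svc.cluster.local
172.20.44.211:16686              UNHEALTHY     FAILED            outbound|80||tracing.istio-system.svc.cluster.local
unix://./etc/istio/proxy/XDS     HEALTHY       OK                xds-grpc
EOF
}

# Reads the short endpoints table on stdin and prints one line per finding:
#   UNHEALTHY <endpoint> <status>/<outlier> <cluster>
#   PORTMAP   <fqdn> <service port>-><endpoint port> <endpoint>
ep_audit() {
  awk '
    $1 == "ENDPOINT" || NF < 4 { next }      # skip header and blank lines
    {
      ep = $1; status = $2; outlier = $3; cluster = $4
      if (status != "HEALTHY" || outlier != "OK")
        printf "UNHEALTHY %s %s/%s %s\n", ep, status, outlier, cluster
      # Service clusters are named direction|port|subset|fqdn
      n = split(cluster, part, "[|]")
      if (n != 4) next                       # static clusters: agent, xds-grpc, ...
      epport = ep
      sub(/^.*:/, "", epport)                # keep the text after the last colon
      if (epport != part[2])
        printf "PORTMAP %s %s->%s %s\n", part[4], part[2], epport, ep
    }'
}

# Demo on the constructed sample; against a live pod, pipe
# `istioctl proxy-config endpoints <pod-name[.namespace]>` into ep_audit.
sample_endpoints | ep_audit
```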

View bootstrap

~# istioctl proxy-config bootstrap --help 
Retrieve information about bootstrap configuration for the Envoy instance in the specified pod.

Usage:
  istioctl proxy-config bootstrap [<type>/]<name>[.<namespace>] [flags]

Aliases:
  bootstrap, b

Examples:
  # Retrieve full bootstrap configuration for a given pod from Envoy.
  istioctl proxy-config bootstrap <pod-name[.namespace]>

  # Retrieve full bootstrap without using Kubernetes API
  ssh <user@hostname> 'curl localhost:15000/config_dump' > envoy-config.json
  istioctl proxy-config bootstrap --file envoy-config.json

  # Show a human-readable Istio and Envoy version summary
  istioctl proxy-config bootstrap -o short


Flags:
  -f, --file string   Envoy config dump JSON file
  -h, --help          help for bootstrap

Global Flags:
      --context string          The name of the kubeconfig context to use
  -i, --istioNamespace string   Istio system namespace (default "istio-system")
  -c, --kubeconfig string       Kubernetes configuration file
  -n, --namespace string        Config namespace
  -o, --output string           Output format: one of json|yaml|short (default "short")
      --vklog Level             number for the log level verbosity. Like -v flag. ex: --vklog=9

 

posted @ 2022-10-19 14:56  小吉猫