Istio Sidecar
Sidecar CR
- By default, Istio configures every Sidecar Envoy so that it can communicate with all workload instances in the same mesh, and so that it accepts traffic on every port of the workload it proxies.
- In practice, a workload rarely needs to talk to every other workload in the mesh; the Sidecar CR therefore provides a way to fine-tune the set of ports and protocols a Sidecar Envoy supports for workload-to-workload communication.
- In addition, when forwarding outbound traffic from the workload instance it proxies, a Sidecar CR can restrict the set of external services the Sidecar Envoy is allowed to reach.
How a Sidecar CR takes effect
- A Sidecar CR uses its workloadSelector field to pick one or more workload instances in the same namespace and applies its configuration to them.
- A Sidecar resource without a workloadSelector field applies its configuration to all workload instances in that namespace.
- When a namespace contains both Sidecar resources with a workloadSelector and Sidecar resources without one, a workload instance gives precedence to the Sidecar that carries the field.
- Each namespace should contain at most one Sidecar resource without a workloadSelector; otherwise the resulting configuration is hard to determine.
- Likewise, each workload should be matched by only one Sidecar resource with a workloadSelector; otherwise its behaviour is equally hard to predict.
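The precedence rules above can be checked before applying a Sidecar. The following added example (not code from the page or from Istio) models the selection: only Sidecars in the workload's own namespace are candidates, a matching workloadSelector beats a namespace-wide Sidecar, and more than one candidate at either level is reported as ambiguous. The Sidecar objects are plain dicts shaped like the CR; the `default-ns-wide` object and the workload labels are constructed.

```python
"""Resolve which Sidecar resource a workload picks up (added example, not Istio code)."""


def has_selector(sidecar):
    """True if the Sidecar carries a workloadSelector with at least one label."""
    selector = sidecar.get("spec", {}).get("workloadSelector") or {}
    return bool(selector.get("labels"))


def selector_matches(sidecar, labels):
    """True if every label in workloadSelector.labels is present on the workload."""
    if not has_selector(sidecar):
        return False
    wanted = sidecar["spec"]["workloadSelector"]["labels"]
    return all(labels.get(key) == value for key, value in wanted.items())


def resolve_sidecar(sidecars, namespace, labels):
    """Return (chosen_name, warnings) for a workload in `namespace` carrying `labels`.

    Rules modelled:
      1. only Sidecars in the workload's own namespace are candidates;
      2. a Sidecar whose workloadSelector matches beats the namespace-wide one;
      3. several candidates at the same level make the result undefined, so
         they are reported and the alphabetically first is returned.
    """
    def names(group):
        return sorted(s["metadata"]["name"] for s in group)

    in_namespace = [s for s in sidecars if s["metadata"]["namespace"] == namespace]
    matched = [s for s in in_namespace if selector_matches(s, labels)]
    namespace_wide = [s for s in in_namespace if not has_selector(s)]

    warnings = []
    if len(matched) > 1:
        warnings.append(f"workload matched by several selector Sidecars: {names(matched)}")
    if len(namespace_wide) > 1:
        warnings.append(f"namespace {namespace} has several selector-less Sidecars: {names(namespace_wide)}")

    chosen = matched or namespace_wide
    return (names(chosen)[0] if chosen else None), warnings


# Constructed inventory: the first and third objects mirror the page's examples,
# the namespace-wide one is made up for illustration.
SIDECARS = [
    {"metadata": {"name": "client", "namespace": "default"},
     "spec": {"workloadSelector": {"labels": {"run": "client"}},
              "egress": [{"hosts": ["./*", "istio-system/*"]}]}},
    {"metadata": {"name": "default-ns-wide", "namespace": "default"},
     "spec": {"egress": [{"hosts": ["./*"]}]}},
    {"metadata": {"name": "ratings", "namespace": "prod-us1"},
     "spec": {"workloadSelector": {"labels": {"app": "ratings"}},
              "egress": [{"hosts": ["prod-us1/*"]}]}},
]

if __name__ == "__main__":
    for ns, labels in [("default", {"run": "client"}),
                       ("default", {"app": "demoapp"}),
                       ("prod-us1", {"app": "reviews"})]:
        print(ns, labels, "->", resolve_sidecar(SIDECARS, ns, labels))
```

A workload in `default` labelled `run: client` gets the `client` Sidecar, any other workload in `default` falls back to the namespace-wide one, and a workload in `prod-us1` that matches no selector gets none at all (Istio's default reachability applies).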
Sidecar configuration fields
~# kubectl explain sidecar
KIND:     Sidecar
VERSION:  networking.istio.io/v1beta1

DESCRIPTION:
     <empty>

FIELDS:
   apiVersion	<string>
     APIVersion defines the versioned schema of this representation of an
     object. Servers should convert recognized schemas to the latest internal
     value, and may reject unrecognized values. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

   kind	<string>
     Kind is a string value representing the REST resource this object
     represents. Servers may infer this from the endpoint the client submits
     requests to. Cannot be updated. In CamelCase. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

   metadata	<Object>
     Standard object's metadata. More info:
     https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

   spec	<Object>
     Configuration affecting network reachability of a sidecar. See more details
     at: https://istio.io/docs/reference/config/networking/sidecar.html

   status	<>
Sidecar configuration examples
Example 1
- First object: the client can access all Services in the istio-system and default namespaces of the mesh.
- Second object: the client can only access the proxy service in the mesh and cannot reach the demoapp service directly.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: client
  namespace: default
spec:
  workloadSelector:
    labels:
      run: client
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: client
  namespace: default
spec:
  workloadSelector:
    labels:
      app: client
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - port:
      number: 80
      protocol: HTTP
      name: proxy
    hosts:
    - "./*"
Example 2
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: ratings
  namespace: prod-us1
spec:
  workloadSelector:
    labels:
      app: ratings
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: somename
    defaultEndpoint: unix:///var/run/someuds.sock
  egress:
  - port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    hosts:
    - "prod-us1/*"
  - hosts:
    - "istio-system/*"
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: no-ip-tables
  namespace: prod-us1
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - port:
      number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
      protocol: HTTP
      name: somename
    defaultEndpoint: 127.0.0.1:8080
    captureMode: NONE # not needed if metadata is set for entire proxy
  egress:
  - port:
      number: 3306
      protocol: MYSQL
      name: egressmysql
    captureMode: NONE # not needed if metadata is set for entire proxy
    bind: 127.0.0.1
    hosts:
    - "*/mysql.foo.com"
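To see what the egress listeners in Example 1 and Example 2 actually let a workload reach, the following added example (not code from the page or from Istio) models the `namespace/dnsName` host syntax and the per-port egress listeners, then combines coverage with `outboundTrafficPolicy.mode`. The three Sidecar dicts mirror the page's YAML; the destination hosts and ports are constructed. Protocol sniffing, ServiceEntry lookup and mesh-wide defaults are deliberately left out, so treat the result as a review aid, not as a substitute for `istioctl proxy-config`.

```python
"""Which destinations do a Sidecar's egress listeners cover? (added example, not Istio code)"""
import fnmatch


def host_entry_matches(entry, sidecar_ns, dest_ns, dest_host):
    """Match one `namespace/dnsName` entry against a destination.

    The namespace part may be '.' (the Sidecar's own namespace), '*' (any
    namespace) or a literal name; the dnsName part may be '*' or carry a
    leading wildcard such as '*.foo.com'.
    """
    ns_part, sep, name_part = entry.partition("/")
    if not sep:
        raise ValueError(f"egress host {entry!r} must be written as namespace/dnsName")
    if ns_part == ".":
        ns_part = sidecar_ns
    if ns_part not in ("*", dest_ns):
        return False
    return fnmatch.fnmatchcase(dest_host, name_part)


def egress_covers(sidecar, dest_ns, dest_host, port):
    """True if some egress listener of `sidecar` covers dest_host:port in dest_ns."""
    sidecar_ns = sidecar["metadata"]["namespace"]
    listeners = sidecar.get("spec", {}).get("egress")
    if not listeners:
        return True  # no egress section: every mesh service stays reachable
    for listener in listeners:
        port_spec = listener.get("port")
        if port_spec and port_spec.get("number") != port:
            continue  # bound to another port; a listener without `port` is the catch-all
        if any(host_entry_matches(h, sidecar_ns, dest_ns, dest_host)
               for h in listener.get("hosts", [])):
            return True
    return False


def outbound_decision(sidecar, dest_ns, dest_host, port):
    """Combine egress coverage with outboundTrafficPolicy.mode.

    A destination outside the egress listeners is unknown to the proxy:
    REGISTRY_ONLY drops it, ALLOW_ANY (the mesh default) passes it through.
    """
    if egress_covers(sidecar, dest_ns, dest_host, port):
        return "ROUTED"
    mode = sidecar.get("spec", {}).get("outboundTrafficPolicy", {}).get("mode", "ALLOW_ANY")
    return "BLOCKED" if mode == "REGISTRY_ONLY" else "PASSTHROUGH"


# Sidecar objects copied from the page's examples (metadata and the fields used here).
CLIENT = {  # second object of Example 1
    "metadata": {"name": "client", "namespace": "default"},
    "spec": {"workloadSelector": {"labels": {"app": "client"}},
             "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"},
             "egress": [{"port": {"number": 80, "protocol": "HTTP", "name": "proxy"},
                         "hosts": ["./*"]}]},
}
RATINGS = {  # first object of Example 2
    "metadata": {"name": "ratings", "namespace": "prod-us1"},
    "spec": {"egress": [{"port": {"number": 9080, "protocol": "HTTP", "name": "egresshttp"},
                         "hosts": ["prod-us1/*"]},
                        {"hosts": ["istio-system/*"]}]},
}
NO_IPTABLES = {  # second object of Example 2
    "metadata": {"name": "no-ip-tables", "namespace": "prod-us1"},
    "spec": {"egress": [{"port": {"number": 3306, "protocol": "MYSQL", "name": "egressmysql"},
                         "hosts": ["*/mysql.foo.com"]}]},
}

if __name__ == "__main__":
    # Constructed destinations; service ports are assumptions.
    checks = [
        (CLIENT, "default", "proxy.default.svc.cluster.local", 80),
        (CLIENT, "default", "demoapp.default.svc.cluster.local", 8080),
        (RATINGS, "istio-system", "istiod.istio-system.svc.cluster.local", 15012),
        (NO_IPTABLES, "default", "mysql.foo.com", 3306),
    ]
    for sidecar, ns, host, port in checks:
        print(sidecar["metadata"]["name"], f"{ns}/{host}:{port}",
              "->", outbound_decision(sidecar, ns, host, port))
```

With the `client` Sidecar, only port 80 destinations in `default` are routed and everything else is dropped because of REGISTRY_ONLY; the `ratings` Sidecar reaches `prod-us1` services on port 9080 and `istio-system` on any port via its catch-all listener, and unmatched traffic is passed through because no policy mode is set; `no-ip-tables` covers `mysql.foo.com` on 3306 from any namespace and nothing else.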
References
https://istio.io/latest/zh/docs/reference/config/networking/sidecar/