Istio DNS Proxy
DNS proxy
In addition to capturing application traffic, Istio can also capture DNS requests to improve the performance and usability of the mesh. When Istio proxies DNS, every DNS request from the application is redirected to the sidecar, which holds a mapping from domain names to IP addresses. If the sidecar can answer the request, it returns the response to the application directly, avoiding a round trip to the upstream DNS server. Otherwise the request is forwarded upstream according to the standard /etc/resolv.conf DNS configuration.
While Kubernetes provides out-of-the-box DNS resolution for Kubernetes Services, custom ServiceEntry hosts are not recognized by it. With this feature, ServiceEntry addresses can be resolved without any custom DNS server configuration. For Kubernetes Services the DNS response is the same as before, but load on kube-dns is reduced and performance improves.
This feature is not enabled by default. To enable it, set the following options when installing Istio.
Enabling the DNS proxy
Enable globally
cat <<EOF | istioctl install -y -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        # Enable basic DNS proxying
        ISTIO_META_DNS_CAPTURE: "true"
        # Enable automatic address allocation (optional)
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"
EOF
or
istioctl install --set profile=default --set values.global.proxy.clusterDomain=cluster.local --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE=true --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_AUTO_ALLOCATE=true -y
Enable per pod
kind: Deployment
metadata:
  name: sleep
spec:
  ...
  template:
    metadata:
      annotations:
        proxy.istio.io/config: |
          proxyMetadata:
            ISTIO_META_DNS_CAPTURE: "true"
            ISTIO_META_DNS_AUTO_ALLOCATE: "true"
  ...
Creating a ServiceEntry
serviceentry-gitlab.yaml
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
  name: workload-gitlab
spec:
  address: "192.168.174.108"
  ports:
    http: 8080
  labels:
    app: gitlab
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: gitlab-external
spec:
  hosts:
  - codo.wgs.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 8080
  location: MESH_EXTERNAL
  resolution: STATIC
  workloadSelector:
    labels:
      app: gitlab
Create the ServiceEntry resources
# kubectl apply -f serviceentry-gitlab.yaml
workloadentry.networking.istio.io/workload-gitlab created
serviceentry.networking.istio.io/gitlab-external created
View the ServiceEntry resources
kubectl get we,se
NAME                                               AGE    ADDRESS
workloadentry.networking.istio.io/workload-gitlab  6m5s   192.168.174.108

NAME                                              HOSTS             LOCATION       RESOLUTION   AGE
serviceentry.networking.istio.io/gitlab-external  ["codo.wgs.com"]  MESH_EXTERNAL  STATIC       6m5s
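As an added example (not from this page or from Istio), the following Python script checks the ServiceEntry/WorkloadEntry pair above for the mistakes that most often leave a host unresolvable through the DNS proxy: a workloadSelector that matches no WorkloadEntry, a targetPort that disagrees with the WorkloadEntry port map, and proxyMetadata flags written as YAML booleans instead of the quoted string "true". The resources are the page's own, embedded as Python dicts so the script runs offline; the 240.240.0.0/16 range is the one the auto-allocated address in the curl trace below comes from.

```python
# Added example (not Istio code): checks for the ServiceEntry/WorkloadEntry pair on this page.

WORKLOAD_ENTRY = {  # the page's workload-gitlab
    "metadata": {"name": "workload-gitlab"},
    "spec": {"address": "192.168.174.108", "ports": {"http": 8080},
             "labels": {"app": "gitlab"}},
}
SERVICE_ENTRY = {  # the page's gitlab-external
    "metadata": {"name": "gitlab-external"},
    "spec": {"hosts": ["codo.wgs.com"], "location": "MESH_EXTERNAL",
             "resolution": "STATIC",
             "ports": [{"number": 80, "name": "http", "protocol": "HTTP",
                        "targetPort": 8080}],
             "workloadSelector": {"labels": {"app": "gitlab"}}},
}

def selects(se_spec, we):
    """True when every workloadSelector label is present on the WorkloadEntry."""
    want = se_spec.get("workloadSelector", {}).get("labels", {})
    have = we["spec"].get("labels", {})
    return bool(want) and all(have.get(k) == v for k, v in want.items())

def check_service_entry(se, workload_entries):
    """Return human-readable findings; an empty list means nothing to flag."""
    spec, name, findings = se["spec"], se["metadata"]["name"], []
    matched = [we for we in workload_entries if selects(spec, we)]
    if spec.get("resolution") == "STATIC" and not spec.get("endpoints") and not matched:
        findings.append(f"{name}: STATIC resolution with no endpoints and no "
                        "WorkloadEntry matching workloadSelector; no backend")
    for port in spec.get("ports", []):
        for we in matched:
            we_port = we["spec"].get("ports", {}).get(port["name"])
            if we_port is not None and we_port != port.get("targetPort", we_port):
                findings.append(f"{name}: port {port['name']} targetPort "
                                f"{port['targetPort']} != WorkloadEntry port {we_port} "
                                "(the WorkloadEntry port map takes precedence)")
    if not spec.get("addresses"):
        findings.append(f"{name}: no addresses; the DNS proxy answers for "
                        f"{', '.join(spec['hosts'])} only with an auto-allocated "
                        "240.240.0.0/16 address (ISTIO_META_DNS_AUTO_ALLOCATE)")
    return findings

def check_proxy_metadata(proxy_metadata):
    """proxyMetadata is a string map: an unquoted YAML true is a bool, not "true"."""
    return [k for k in ("ISTIO_META_DNS_CAPTURE", "ISTIO_META_DNS_AUTO_ALLOCATE")
            if proxy_metadata.get(k) != "true"]

if __name__ == "__main__":
    print(*check_service_entry(SERVICE_ENTRY, [WORKLOAD_ENTRY]), sep="\n")
```

Run against the page's resources it reports only the auto-allocation note, which is exactly what the 240.240.167.201 address in the trace below confirms.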
DNS test
DNS proxy not enabled
curl -I codo.wgs.com
curl: (6) Could not resolve host: codo.wgs.com
DNS proxy enabled
curl -I codo.wgs.com
HTTP/1.1 302 Found
server: envoy
date: Tue, 14 Nov 2023 06:52:59 GMT
content-type: text/html; charset=utf-8
content-length: 0
cache-control: no-cache
content-security-policy:
location: http://codo.wgs.com/users/sign_in
permissions-policy: interest-cohort=()
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-gitlab-meta: {"correlation_id":"01HF69NM5P0JJ5N0NDSH5XTSKS","version":"1"}
x-permitted-cross-domain-policies: none
x-request-id: 01HF69NM5P0JJ5N0NDSH5XTSKS
x-runtime: 0.010393
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 13
Auto-allocated address
curl -sS -v codo.wgs.com
* Trying 240.240.167.201:80...
* TCP_NODELAY set
* Connected to codo.wgs.com (240.240.167.201) port 80 (#0)
> GET / HTTP/1.1
> Host: codo.wgs.com
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< server: envoy
< date: Tue, 14 Nov 2023 06:54:45 GMT
< content-type: text/html; charset=utf-8
< content-length: 99
< cache-control: no-cache
< content-security-policy:
< location: http://codo.wgs.com/users/sign_in
< permissions-policy: interest-cohort=()
< x-content-type-options: nosniff
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-gitlab-meta: {"correlation_id":"01HF69RTT4YY0TMBR0SMK39HE4","version":"1"}
< x-permitted-cross-domain-policies: none
< x-request-id: 01HF69RTT4YY0TMBR0SMK39HE4
< x-runtime: 0.038758
< x-ua-compatible: IE=edge
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=63072000
< referrer-policy: strict-origin-when-cross-origin
< x-envoy-upstream-service-time: 42
<
* Connection #0 to host codo.wgs.com left intact
<html><body>You are being <a href="http://codo.wgs.com/users/sign_in">redirected</a>.</body></html>
References
https://istio.io/latest/zh/docs/ops/configuration/traffic-management/dns-proxy/