The istio-proxy container and Listeners
istio-proxy is the so-called sidecar container; it runs two processes:
pilot-agent
Generates a usable bootstrap configuration file for Envoy from the k8s API server and starts Envoy;
Monitors and manages Envoy's running state, including restarting Envoy when it fails and reloading it after its configuration changes;
envoy
Envoy is started by the pilot-agent process using the generated bootstrap configuration; it then fetches its dynamic configuration through the xDS API from the Pilot address given in that configuration;
In sidecar form, Envoy provides inbound and outbound proxying for the application by means of a traffic interception mechanism;
Listeners and Clusters
[root@master ~]# kubectl exec -it sleep-78ff5975c6-75q5z -- /bin/sh
/ $ curl 127.0.0.1:15000/listeners
7b9be401-50b2-4f79-a012-01a9120956a1::0.0.0.0:15090
de31864e-d765-4166-867a-f282fc0890e1::0.0.0.0:15021
10.96.0.1_443::10.96.0.1:443
10.96.0.10_53::10.96.0.10:53
10.211.55.28_10250::10.211.55.28:10250
10.211.55.29_10250::10.211.55.29:10250
10.211.55.30_10250::10.211.55.30:10250
10.100.158.64_15012::10.100.158.64:15012
10.107.50.227_31400::10.107.50.227:31400
10.97.157.5_443::10.97.157.5:443
10.100.158.64_443::10.100.158.64:443
10.107.50.227_15443::10.107.50.227:15443
10.107.50.227_443::10.107.50.227:443
10.211.55.30_4194::10.211.55.30:4194
10.211.55.29_4194::10.211.55.29:4194
0.0.0.0_20001::0.0.0.0:20001
0.0.0.0_9090::0.0.0.0:9090
10.211.55.28_4194::10.211.55.28:4194
0.0.0.0_15010::0.0.0.0:15010
0.0.0.0_15014::0.0.0.0:15014
10.96.0.10_9153::10.96.0.10:9153
10.111.46.147_14268::10.111.46.147:14268
10.111.46.147_14250::10.111.46.147:14250
10.102.103.8_3000::10.102.103.8:3000
0.0.0.0_9411::0.0.0.0:9411
0.0.0.0_16685::0.0.0.0:16685
0.0.0.0_10255::0.0.0.0:10255
0.0.0.0_80::0.0.0.0:80
10.107.50.227_15021::10.107.50.227:15021
virtualOutbound::0.0.0.0:15001
virtualInbound::0.0.0.0:15006
/ $ curl 127.0.0.1:15000/clusters
prometheus_stats::observability_name::prometheus_stats
prometheus_stats::default_priority::max_connections::1024
prometheus_stats::default_priority::max_pending_requests::1024
prometheus_stats::default_priority::max_requests::1024
prometheus_stats::default_priority::max_retries::3
prometheus_stats::high_priority::max_connections::1024
prometheus_stats::high_priority::max_pending_requests::1024
prometheus_stats::high_priority::max_requests::1024
prometheus_stats::high_priority::max_retries::3
prometheus_stats::added_via_api::false
prometheus_stats::127.0.0.1:15000::cx_active::1
prometheus_stats::127.0.0.1:15000::cx_connect_fail::0
prometheus_stats::127.0.0.1:15000::cx_total::1
prometheus_stats::127.0.0.1:15000::rq_active::0
prometheus_stats::127.0.0.1:15000::rq_error::0
prometheus_stats::127.0.0.1:15000::rq_success::16
prometheus_stats::127.0.0.1:15000::rq_timeout::0
prometheus_stats::127.0.0.1:15000::rq_total::16
prometheus_stats::127.0.0.1:15000::hostname::
prometheus_stats::127.0.0.1:15000::health_flags::healthy
prometheus_stats::127.0.0.1:15000::weight::1
prometheus_stats::127.0.0.1:15000::region::
prometheus_stats::127.0.0.1:15000::zone::
prometheus_stats::127.0.0.1:15000::sub_zone::
prometheus_stats::127.0.0.1:15000::canary::false
prometheus_stats::127.0.0.1:15000::priority::0
prometheus_stats::127.0.0.1:15000::success_rate::-1
......
The pilot-agent method
[root@master ~]# kubectl exec sleep-78ff5975c6-75q5z -c istio-proxy -- pilot-agent request GET /listeners
7b9be401-50b2-4f79-a012-01a9120956a1::0.0.0.0:15090
de31864e-d765-4166-867a-f282fc0890e1::0.0.0.0:15021
10.96.0.1_443::10.96.0.1:443
10.96.0.10_53::10.96.0.10:53
10.211.55.28_10250::10.211.55.28:10250
10.211.55.29_10250::10.211.55.29:10250
10.211.55.30_10250::10.211.55.30:10250
10.100.158.64_15012::10.100.158.64:15012
10.107.50.227_31400::10.107.50.227:31400
10.97.157.5_443::10.97.157.5:443
10.100.158.64_443::10.100.158.64:443
10.107.50.227_15443::10.107.50.227:15443
10.107.50.227_443::10.107.50.227:443
10.211.55.30_4194::10.211.55.30:4194
10.211.55.29_4194::10.211.55.29:4194
0.0.0.0_20001::0.0.0.0:20001
0.0.0.0_9090::0.0.0.0:9090
10.211.55.28_4194::10.211.55.28:4194
0.0.0.0_15010::0.0.0.0:15010
0.0.0.0_15014::0.0.0.0:15014
10.96.0.10_9153::10.96.0.10:9153
10.111.46.147_14268::10.111.46.147:14268
10.111.46.147_14250::10.111.46.147:14250
10.102.103.8_3000::10.102.103.8:3000
0.0.0.0_9411::0.0.0.0:9411
0.0.0.0_16685::0.0.0.0:16685
0.0.0.0_10255::0.0.0.0:10255
0.0.0.0_80::0.0.0.0:80
10.107.50.227_15021::10.107.50.227:15021
virtualOutbound::0.0.0.0:15001
virtualInbound::0.0.0.0:15006
An Envoy Listener can be bound to an IP socket or a Unix domain socket, or it can be left unbound and instead receive data forwarded to it by other Listeners.
The VirtualOutbound Listener receives all outbound traffic on a single port and then hands each request to the appropriate Listener according to the request's port;
The VirtualInbound Listener works the same way, but it is mainly used to handle inbound traffic;
VirtualOutbound Listener
iptables intercepts the outbound traffic of the Pod it lives in and forwards it to the Listener on port 15001; that Listener has use_original_dst set to true in its configuration, so it hands each received request to the Listener associated with the request's original destination address;
If no Listener exists that can accept the forwarded packet, Envoy decides how to handle it according to the value of Istio's global configuration option outboundTrafficPolicy:
ALLOW_ANY: allow outbound requests to any service, whether or not the target service exists in Pilot's registry; in this case, traffic with no matching target Listener is sent by the tcp_proxy filter on this listener to the PassthroughCluster and passed through unchanged;
REGISTRY_ONLY: only allow outbound requests to services registered in Pilot; in this case, traffic with no matching target Listener is sent by the tcp_proxy filter on this listener to the BlackHoleCluster, which simply drops it;
Modifying outboundTrafficPolicy
The default is ALLOW_ANY
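The selection logic described above, as an added example that is not part of the original notes or of Istio itself: a small shell function replays what virtualOutbound does with an intercepted connection against an excerpt of the /listeners dump shown earlier (exact ip:port listener first, then the 0.0.0.0:port wildcard, otherwise the outboundTrafficPolicy picks the cluster). The destination 198.51.100.7 is a constructed, documentation-range address.

```shell
#!/bin/sh
# Excerpt of the /listeners output from the sleep Pod above (name::ip:port).
LISTENERS='10.96.0.10_53::10.96.0.10:53
10.100.158.64_15012::10.100.158.64:15012
0.0.0.0_80::0.0.0.0:80
0.0.0.0_9090::0.0.0.0:9090
virtualOutbound::0.0.0.0:15001
virtualInbound::0.0.0.0:15006'

# resolve_outbound DEST_IP DEST_PORT [POLICY]
# Prints "listener:<name>" when a Listener for the original destination exists,
# otherwise the cluster the tcp_proxy filter falls back to under POLICY
# (ALLOW_ANY -> PassthroughCluster, REGISTRY_ONLY -> BlackHoleCluster).
resolve_outbound() {
  dest_ip=$1; dest_port=$2; policy=${3:-ALLOW_ANY}
  match=$(printf '%s\n' "$LISTENERS" | awk -F'::' -v ip="$dest_ip" -v port="$dest_port" '
    $1 ~ /^virtual/ { next }                 # the virtual listeners never receive forwarded traffic
    $2 == (ip ":" port)      { exact = $1 }  # exact ip:port match wins
    $2 == ("0.0.0.0:" port)  { wild = $1 }   # wildcard listener on the same port is the fallback
    END { if (exact != "") print exact; else if (wild != "") print wild }')
  if [ -n "$match" ]; then
    echo "listener:$match"
    return 0
  fi
  case "$policy" in
    ALLOW_ANY)     echo "cluster:PassthroughCluster" ;;
    REGISTRY_ONLY) echo "cluster:BlackHoleCluster" ;;
    *)             echo "unknown outboundTrafficPolicy: $policy" >&2; return 1 ;;
  esac
}

# Constructed destinations: in-mesh DNS, an external host on a known port, and one on an unknown port.
resolve_outbound 10.96.0.10 53
resolve_outbound 198.51.100.7 80
resolve_outbound 198.51.100.7 443 REGISTRY_ONLY
```

With the default ALLOW_ANY, the last call would instead report PassthroughCluster, which is why a locked-down mesh sets REGISTRY_ONLY.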
[root@master ~]# istioctl profile dump demo > profile-demo.yaml
[root@master ~]# vim profile-demo.yaml
Apply the file after editing it
[root@master ~]# istioctl apply -f profile-demo.yaml