Sidecar explained


Learning objectives

(Figure 1 of the article: the learning-objectives diagram; image not reproduced in text.)

What is a Sidecar

A Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication for the workload it is attached to. By default, Istio programs every sidecar proxy in the mesh with the configuration needed to reach every workload in the mesh, and to accept traffic on all ports associated with its own workload. The Sidecar resource is the way to narrow that down: it fine-tunes the set of ports and protocols the proxy accepts when forwarding traffic to and from the workload, and it restricts the set of services the proxy can reach when forwarding outbound traffic from the workload. From a security standpoint this is the mesh-level least-privilege control for lateral movement: a workload whose Sidecar imports only the services it actually calls cannot be used as a pivot to everything else in the mesh.

Services and configuration in a mesh are organized into one or more namespaces (for example a Kubernetes namespace or a CF org/space). A Sidecar resource in a namespace applies to one or more workloads in the same namespace, chosen by its workloadSelector. Without a workloadSelector it applies to all workloads in that namespace. When deciding which Sidecar resource applies to a workload, a resource whose workloadSelector selects the workload takes precedence over a resource without any workloadSelector.

Note: each namespace may have only one Sidecar resource without a workloadSelector. If several selector-less Sidecar resources exist in one namespace, the behavior of the system is undefined. Likewise, if two or more Sidecar resources with workloadSelectors select the same workload, the behavior is undefined.
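The two "undefined behavior" conditions above are easy to create by accident once several teams write Sidecar resources into the same namespace, and istiod does not reject them. The following checker is an added example written for this article (not code from the article or from Istio); it takes Sidecar and Pod objects in the shape `kubectl get ... -o json` returns, reduced to the fields that matter, flags both ambiguous situations, and resolves which Sidecar applies to a pod using the precedence rule just described plus the root-namespace default (istio-system, assumed here to be the mesh's rootNamespace). The SIDECARS and PODS inventories are constructed sample data.

```python
"""Lint Sidecar resources for the ambiguity rules and resolve the effective one.

Added example for this article, not code from Istio. Input objects mimic
`kubectl get sidecar -A -o json` / `kubectl get pod -o json` items, trimmed
to metadata and spec.workloadSelector. Sample data below is constructed.
"""
from typing import Dict, List, Optional

ROOT_NAMESPACE = "istio-system"  # meshConfig.rootNamespace; Istio's default value


def selector_labels(sidecar: dict) -> Optional[Dict[str, str]]:
    """Labels from spec.workloadSelector, or None for a selector-less Sidecar."""
    return sidecar.get("spec", {}).get("workloadSelector", {}).get("labels")


def matches(selector: Dict[str, str], pod_labels: Dict[str, str]) -> bool:
    """workloadSelector labels are ANDed: every key/value must be on the pod."""
    return all(pod_labels.get(k) == v for k, v in selector.items())


def find_conflicts(sidecars: List[dict], pods: List[dict]) -> List[str]:
    """Human-readable findings; an empty list means the set is unambiguous."""
    findings: List[str] = []
    by_ns: Dict[str, List[dict]] = {}
    for sc in sidecars:
        by_ns.setdefault(sc["metadata"]["namespace"], []).append(sc)
    # Rule 1: at most one selector-less Sidecar per namespace.
    for ns, items in by_ns.items():
        defaults = sorted(sc["metadata"]["name"] for sc in items if selector_labels(sc) is None)
        if len(defaults) > 1:
            findings.append(f"{ns}: {len(defaults)} selector-less Sidecars "
                            f"({', '.join(defaults)}); behaviour is undefined")
    # Rule 2: no pod may be selected by two or more selector Sidecars.
    for p in pods:
        ns, labels = p["metadata"]["namespace"], p["metadata"].get("labels", {})
        hits = sorted(sc["metadata"]["name"] for sc in by_ns.get(ns, [])
                      if selector_labels(sc) is not None and matches(selector_labels(sc), labels))
        if len(hits) > 1:
            findings.append(f"{ns}/{p['metadata']['name']}: selected by {len(hits)} Sidecars "
                            f"({', '.join(hits)}); behaviour is undefined")
    return findings


def effective_sidecar(p: dict, sidecars: List[dict]) -> Optional[str]:
    """Which Sidecar applies to the pod: selector match first, then the
    namespace default, then the root-namespace default, else none.
    Assumes find_conflicts() returned no findings for this input."""
    ns, labels = p["metadata"]["namespace"], p["metadata"].get("labels", {})
    same_ns = [sc for sc in sidecars if sc["metadata"]["namespace"] == ns]
    for sc in same_ns:
        sel = selector_labels(sc)
        if sel is not None and matches(sel, labels):
            return f"{ns}/{sc['metadata']['name']}"
    for sc in same_ns:
        if selector_labels(sc) is None:
            return f"{ns}/{sc['metadata']['name']}"
    for sc in sidecars:
        if sc["metadata"]["namespace"] == ROOT_NAMESPACE and selector_labels(sc) is None:
            return f"{ROOT_NAMESPACE}/{sc['metadata']['name']}"
    return None


def sidecar(name: str, namespace: str, labels: Optional[Dict[str, str]] = None) -> dict:
    """Minimal Sidecar object in the shape the functions above read (constructed)."""
    spec = {"workloadSelector": {"labels": labels}} if labels else {}
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


def pod(name: str, namespace: str, **labels: str) -> dict:
    return {"metadata": {"name": name, "namespace": namespace, "labels": labels}}


# Constructed inventory for the article's "istio" namespace, with two deliberate
# mistakes: a second namespace default, and two selectors that overlap on one pod.
SIDECARS = [
    sidecar("default", "istio-system"),
    sidecar("default", "istio"),
    sidecar("default-copy", "istio"),
    sidecar("productpage", "istio", {"app": "productpage"}),
    sidecar("bookinfo-v1", "istio", {"version": "v1"}),
]
PODS = [
    pod("productpage-v1-abc", "istio", app="productpage", version="v1"),
    pod("reviews-v2-def", "istio", app="reviews", version="v2"),
    pod("sleep-xyz", "default", app="sleep"),
]

if __name__ == "__main__":
    for line in find_conflicts(SIDECARS, PODS):
        print("WARN", line)
    for p in PODS:
        print(p["metadata"]["name"], "->", effective_sidecar(p, SIDECARS))
```

Run it against a real cluster by feeding the `items` arrays from `kubectl get sidecar -A -o json` and `kubectl get pod -A -o json` into `find_conflicts`; a non-empty result means the mesh is relying on undefined precedence and the narrowing you think a Sidecar provides may not be the one istiod actually pushes.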

Field reference

workloadSelector (WorkloadSelector, optional): Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied. If omitted, the Sidecar configuration is applied to all workload instances in the same namespace.

ingress (IstioIngressListener[], optional): Configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio automatically configures the sidecar from the information about the workload obtained from the orchestration platform (exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

egress (IstioEgressListener[], marked required in the reference): Configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. Note that the API server accepts Sidecar resources without an egress section, as several of the examples below do.

outboundTrafficPolicy (OutboundTrafficPolicy, optional): Configures the outbound traffic policy. If the application uses one or more external services that are not known a priori, setting the policy to ALLOW_ANY causes the sidecar to route any unknown traffic originating from the application to its requested destination.

Mesh-wide default

A selector-less Sidecar placed in the root namespace (istio-system by default) becomes the default for every namespace that has no Sidecar resource of its own.

sc-default-global.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-system
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080

workloadSelector

Without a selector

sc-default-istio-ingress.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080

With a selector

sc-productpage-selector.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - port:
      number: 9081
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080

The listener port (9081) and the target port (9080) differ, so this can be used for port translation.

The Service then needs the extra port added:

kubectl edit svc productpage -n istio

  - name: http9081
    port: 9081
    protocol: TCP
    targetPort: 9081

Change the VirtualService destination port to match:

sidecar/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9081

egress

port (Port, optional): The port associated with the listener. If using a Unix domain socket, use 0 as the port number, with a valid protocol. The port, if specified, is used as the default destination port associated with the imported hosts. If the port is omitted, Istio infers the listener ports from the imported hosts. When multiple egress listeners are specified, where one or more listeners have specific ports while others have no port, the hosts exposed on a listener port are based on the listener with the most specific port.

bind (string, optional): The IP or the Unix domain socket to which the listener should be bound. Port MUST be specified if bind is not empty. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If omitted, Istio automatically configures the defaults based on imported services, the workload instances this configuration is applied to, and the captureMode. If captureMode is NONE, bind defaults to 127.0.0.1.

captureMode (CaptureMode, optional): When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

hosts (string[], required): One or more service hosts exposed by the listener in namespace/dnsName format. Services in the specified namespace matching dnsName are exposed. The corresponding service can be a service in the service registry (e.g., a Kubernetes or Cloud Foundry service) or a service specified using a ServiceEntry or VirtualService configuration. Any associated DestinationRule in the same namespace is also used.

The dnsName should be specified in FQDN format, optionally including a wildcard character in the left-most component (e.g., prod/*.example.com). Set the dnsName to * to select all services from the specified namespace (e.g., prod/*). The namespace can be set to *, ., or ~, representing any, the current, or no namespace, respectively. For example, */foo.example.com selects the service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. If a host is set to */*, Istio configures the sidecar to be able to reach every service in the mesh that is exported to the sidecar's namespace. The value ~/* can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

NOTE: Only services and configuration artifacts exported to the sidecar's namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) are not available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

WARNING: The list of egress hosts in a Sidecar must also include the Mixer control plane services if they are enabled; Envoy cannot reach them otherwise. For example, add host istio-system/istio-telemetry.istio-system.svc.cluster.local if telemetry is enabled, istio-system/istio-policy.istio-system.svc.cluster.local if policy is enabled, or add istio-system/* to allow all services in the istio-system namespace. This requirement is temporary and will be removed in a future Istio release.

port

sc-productpage-egress-port.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp

bind

Bind to 0.0.0.0

sc-productpage-egress-bind.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0

Bind to the target Service's ClusterIP

sc-productpage-egress-bind-svc-ip.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 10.68.190.94

captureMode

DEFAULT: The default capture mode defined by the environment.

IPTABLES: Capture traffic using iptables redirection.

NONE: No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.

DEFAULT

sc-productpage-egress-captureMode-DEFAULT.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: DEFAULT

IPTABLES

sc-productpage-egress-captureMode-IPTABLES.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: IPTABLES

NONE

sc-productpage-egress-captureMode-NONE.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: NONE

sc-productpage-ingress-captureMode-NONE.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE

Neither inbound nor outbound traffic is captured for this pod. Unless the application explicitly connects to the listeners (127.0.0.1:9080 here), the sidecar is effectively bypassed and the Istio resources targeting this pod no longer take effect. Treat this as a security-relevant setting: mTLS, AuthorizationPolicy and RequestAuthentication are only enforced on traffic that actually passes through the proxy.

Also check the mesh-wide setting that governs access to destinations outside the registry:

outboundTrafficPolicy: mode: REGISTRY_ONLY | ALLOW_ANY

hosts

./* (every service in the sidecar's own namespace)

sc-productpage-egress-hosts-dot.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"

istio/* (every service in one named namespace)

sc-productpage-egress-hosts-semi-star.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "istio/*"

*/* (every service exported to this namespace, from any namespace)

sc-productpage-egress-hosts-double-star.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "*/*"

A single specific service

sc-productpage-egress-hosts-specific.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "istio/details.istio.svc.cluster.local"

ingress

port (Port, required): The port associated with the listener.

bind (string, optional): The IP to which the listener should be bound. Must be in the format x.x.x.x. Unix domain socket addresses are not allowed in the bind field for ingress listeners. If omitted, Istio automatically configures the defaults based on imported services and the workload instances this configuration is applied to.

captureMode (CaptureMode, optional): Dictates how traffic to the listener is expected to be captured (or not).

defaultEndpoint (string, required): The loopback IP endpoint or Unix domain socket to which traffic should be forwarded. This can be used to redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port or Unix domain socket where the application workload instance is listening for connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket.

port

sc-productpage-ingress-port.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

bind

sc-productpage-ingress-bind.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

sc-productpage-ingress-bind-pod-ip.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 172.20.1.174
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

The second variant binds to the pod's own IP (172.20.1.174 in this example) instead of 0.0.0.0.

captureMode

Same values as for egress listeners: DEFAULT, IPTABLES and NONE (see the captureMode table in the egress section above). For an ingress listener with NONE, the listener port must not already be in use by another process in the pod.

DEFAULT

sc-productpage-ingress-capture-mode-DEFAULT.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: DEFAULT
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

IPTABLES

sc-productpage-ingress-capture-mode-IPTABLES.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

NONE

sc-productpage-ingress-capture-mode-NONE.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

defaultEndpoint

Unix domain socket

1. Deploy the MySQL Gateway

kubectl apply -f gateway/gateway-mysql.yaml -n istio

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysql
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 3306
      name: mysql
      protocol: MYSQL
    hosts:
    - "*"

2. Deploy the MySQL VirtualService

kubectl apply -f gateway/protocol/vs-mysql.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mysql
spec:
  hosts:
  - "*"
  gateways:
  - mysql
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: mysqldb.istio.svc.cluster.local
        port:
          number: 3306

3. Add the Service port

kubectl edit svc istio-ingressgateway -n istio-system

Add an entry for port 3306 so that the ingress gateway Service exposes the port the Gateway above listens on.

4. Deploy the Sidecar

sc-mysql-defaultEndpoint-unix.yaml

When the bind address is an IP, captureMode dictates how traffic to the listener is captured (or not). For a Unix domain socket endpoint, captureMode must be DEFAULT or NONE. Because captureMode is NONE below, Envoy binds 0.0.0.0:3306 itself rather than receiving redirected traffic, so mysqld must listen only on the socket (not on TCP 3306), otherwise the two processes collide on the port.

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: mysql
spec:
  workloadSelector:
    labels:
      app: mysqldb
  ingress:
  - bind: 0.0.0.0
    port:
      number: 3306
      protocol: MYSQL
      name: mysql
    defaultEndpoint: unix:///var/run/mysqld/mysqld.sock
    captureMode: NONE

IP:port

sc-productpage-ingerss-defaultEndpoint-ip.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

outboundTrafficPolicy

egressProxy

egressProxy (Destination): Specifies the details of the egress proxy to which unknown traffic should be forwarded from the sidecar. Valid only if the mode is set to ALLOW_ANY. If not specified when the mode is ALLOW_ANY, the sidecar sends the unknown traffic directly to the IP requested by the application.

NOTE 1: The specified egress host must be imported in the egress section for the traffic forwarding to work.

NOTE 2: An Envoy-based egress gateway is unlikely to be able to handle plain-text TCP connections forwarded from the sidecar. Envoy's dynamic forward proxy can handle only HTTP and TLS connections.

(This field carries the hide_from_docs marker in the API definition, so it does not appear in the published reference.)

Destination fields:

host (string): The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two is dropped. Note for Kubernetes users: when short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"), Istio interprets the short name based on the namespace of the rule, not the service. A rule in the "default" namespace containing a host "reviews" is interpreted as "reviews.default.svc.cluster.local", irrespective of the actual namespace associated with the reviews service. To avoid misconfiguration, always use fully qualified domain names over short names.

subset (string): The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.

port (PortSelector): Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.

host

sc-productpage-outboundTrafficPolicy-egressProxy-host.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
    mode: ALLOW_ANY

port

sc-productpage-outboundTrafficPolicy-egressProxy-port.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
    mode: ALLOW_ANY

subset

sc-productpage-outboundTrafficPolicy-egressProxy-subset.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
      subset: v1
    mode: ALLOW_ANY

mode

REGISTRY_ONLY: Outbound traffic is restricted to services defined in the service registry as well as those defined through ServiceEntry configurations.

ALLOW_ANY: Outbound traffic to unknown destinations is allowed, in case there are no services or ServiceEntry configurations for the destination port.

REGISTRY_ONLY

sc-productpage-outboundTrafficPolicy-mode-REGISTRY_ONLY.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

ALLOW_ANY

sc-productpage-outboundTrafficPolicy-mode-ALLOW_ANY.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    mode: ALLOW_ANY

Combined examples

sc-productpage-complex.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

Outbound traffic is blocked: with captureMode NONE the egress listener only serves connections made explicitly to 127.0.0.1:9080, and REGISTRY_ONLY drops everything else.

sc-productpage-complex-02.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: ALLOW_ANY

Outbound traffic is allowed: ALLOW_ANY passes unknown destinations straight through.

sc-productpage-complex-03.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: ALLOW_ANY
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
      subset: v1

Only details is reachable outbound: every unknown destination is forwarded to the egressProxy, details.istio.svc.cluster.local:9080 subset v1.

Setting egressProxy with any mode other than ALLOW_ANY is rejected on apply with:

egress_proxy must be set only with ALLOW_ANY outbound_traffic_policy mode

Using a ServiceEntry

1. From inside the sleep pod, access www.baidu.com

kubectl exec -it sleep-557747455f-ft9bs -n istio -- /bin/sh

curl www.baidu.com

Reachable: no Sidecar restricts this pod yet, so the mesh-wide outboundTrafficPolicy mode (ALLOW_ANY) applies.

2. Deploy the Sidecar

sc-sleep-REGISTRY_ONLY.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: sleep
spec:
  workloadSelector:
    labels:
      app: sleep
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

3. Access www.baidu.com again

Not reachable: REGISTRY_ONLY sends traffic for destinations outside the registry to the black hole.

4. Deploy the ServiceEntry

serviceentries/se-baidu.yaml

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: baidu
spec:
  hosts:
  - "www.baidu.com"
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS

5. Access www.baidu.com again

Reachable: the ServiceEntry put www.baidu.com:80 into the registry, so the sidecar now has a route for it.
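The egress hosts syntax from the reference (namespace/dnsName with *, . and ~, plus the exportTo visibility rule), the outboundTrafficPolicy modes, and the five-step walk-through just above can all be reasoned about offline with the following model. It is an added example written for this article, not code from the article or from Istio: the REGISTRY and BAIDU service entries, the namespace names and the egressProxy string format are constructed, and the matching rules implement the reference text above as this editor reads it (a left-most wildcard such as *.example.com matches any host ending in .example.com but not example.com itself).

```python
"""Model of how an Istio sidecar decides where outbound traffic goes.

Added example for this article, not code from the article or from Istio.
Implements the documented egress `hosts` rules (namespace/dnsName with
`*`, `.` and `~`), the exportTo visibility check, and outboundTrafficPolicy
modes REGISTRY_ONLY / ALLOW_ANY with an optional egressProxy.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Service:
    namespace: str                      # namespace of the Service or ServiceEntry
    hostname: str                       # FQDN as seen by the sidecar
    port: int
    export_to: Sequence[str] = ("*",)   # exportTo: "*" everyone, "." own namespace only


def dns_matches(pattern: str, hostname: str) -> bool:
    """dnsName part: `*`, an exact FQDN, or a wildcard in the left-most label."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return pattern == hostname


def namespace_matches(selector: str, sidecar_ns: str, service_ns: str) -> bool:
    """namespace part: `*` any, `.` the sidecar's namespace, `~` none, or a literal name."""
    if selector == "*":
        return True
    if selector == ".":
        return service_ns == sidecar_ns
    if selector == "~":
        return False
    return selector == service_ns


def is_exported_to(svc: Service, sidecar_ns: str) -> bool:
    """A hosts entry can only import what its owner exported to this namespace."""
    return any(e == "*" or e == sidecar_ns or (e == "." and svc.namespace == sidecar_ns)
               for e in svc.export_to)


def imported_services(hosts: Sequence[str], sidecar_ns: str,
                      registry: Sequence[Service]) -> List[Service]:
    """Services an egress listener with these `hosts` makes reachable."""
    result = []
    for svc in registry:
        if not is_exported_to(svc, sidecar_ns):
            continue
        for entry in hosts:
            ns_sel, _, dns = entry.partition("/")
            if namespace_matches(ns_sel, sidecar_ns, svc.namespace) and dns_matches(dns, svc.hostname):
                result.append(svc)
                break
    return result


def route_outbound(dest_host: str, dest_port: int, hosts: Sequence[str], sidecar_ns: str,
                   registry: Sequence[Service], mode: str = "REGISTRY_ONLY",
                   egress_proxy: Optional[str] = None) -> str:
    """Where the sidecar sends an application connection to dest_host:dest_port.

    "cluster:<host>:<port>" for an imported service; otherwise "BlackHoleCluster"
    (REGISTRY_ONLY), "PassthroughCluster" (ALLOW_ANY) or "egress_proxy:<host:port>"
    (ALLOW_ANY with egressProxy). egress_proxy is a constructed "host:port" string.
    """
    if egress_proxy is not None and mode != "ALLOW_ANY":
        # Same rule the API server enforces (see the validation error above).
        raise ValueError("egress_proxy must be set only with ALLOW_ANY outbound_traffic_policy mode")
    imported = imported_services(hosts, sidecar_ns, registry)
    for svc in imported:
        if svc.hostname == dest_host and svc.port == dest_port:
            return f"cluster:{svc.hostname}:{svc.port}"
    if mode == "REGISTRY_ONLY":
        return "BlackHoleCluster"
    if mode != "ALLOW_ANY":
        raise ValueError(f"unknown outboundTrafficPolicy mode {mode!r}")
    if egress_proxy is None:
        return "PassthroughCluster"
    proxy_host, _, proxy_port = egress_proxy.rpartition(":")
    if not any(s.hostname == proxy_host and s.port == int(proxy_port) for s in imported):
        # NOTE 1 in the field description: the proxy host itself must be imported.
        raise ValueError("egressProxy host is not imported by any egress hosts entry")
    return f"egress_proxy:{egress_proxy}"


# Constructed registry: bookinfo in "istio", the ingress gateway in "istio-system",
# and a private service in "prod" that only its own namespace can see.
REGISTRY = [
    Service("istio", "productpage.istio.svc.cluster.local", 9080),
    Service("istio", "details.istio.svc.cluster.local", 9080),
    Service("istio", "reviews.istio.svc.cluster.local", 9080),
    Service("istio-system", "istio-ingressgateway.istio-system.svc.cluster.local", 80),
    Service("prod", "payments.prod.svc.cluster.local", 8080, export_to=(".",)),
]
BAIDU = Service("istio", "www.baidu.com", 80)   # the ServiceEntry from step 4


def walkthrough() -> dict:
    """Replays the sleep/baidu steps above: reachable, blocked, reachable again."""
    ns, hosts = "istio", ["./*"]
    return {
        "allow_any": route_outbound("www.baidu.com", 80, hosts, ns, REGISTRY, "ALLOW_ANY"),
        "registry_only": route_outbound("www.baidu.com", 80, hosts, ns, REGISTRY, "REGISTRY_ONLY"),
        "with_serviceentry": route_outbound("www.baidu.com", 80, hosts, ns, REGISTRY + [BAIDU], "REGISTRY_ONLY"),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The useful exercise is to run `imported_services` with the hosts list you intend to ship and confirm it contains exactly the services the workload legitimately calls; anything extra is reachable from that pod if it is compromised, and `~/*` plus REGISTRY_ONLY is the configuration for a workload that should make no outbound calls at all.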
