1. Preparation
- Download telepresence: https://www.telepresence.io/docs/latest/install/
- Download kubectl: https://kubernetes.io/docs/tasks/tools/
2. Version check
$telepresence version
Client: v2.5.3 (api v3)
Root Daemon: not running
User Daemon: not running
- If the version is lower than v2.0.3, telepresence needs to be upgraded (https://www.telepresence.io/docs/latest/install/upgrade/)
3. Connecting to the k8s cluster
$telepresence connect
Launching Telepresence Root Daemon
Need root privileges to run: /usr/local/bin/telepresence daemon-foreground /Users/xxx/Library/Logs/telepresence '/Users/xxx/Library/Application Support/telepresence'
Password:
Launching Telepresence User Daemon
Connected to context kubernetes-admin@kubernetes (https://8.16.0.211:6443)
- Note: the cluster connected to is the one specified in the kubeconfig, and it must actually be reachable. At the same time, telepresence automatically opens a browser and asks you to log in:
- This step cannot be skipped; otherwise every subsequent step will first require you to log in before it continues. After completing the steps above, inspect the k8s cluster and you will find that a controller named traffic-manager has been created in it:
$kubectl get po -n ambassador
NAME READY STATUS RESTARTS AGE
traffic-manager-5bcfc9766f-lbrsz 1/1 Running 0 15m
4. Intercepts
- As shown below, two services are deployed in k8s, Users and Orders:
- Taking the Orders service as an example: normally, a request to Orders is sent and answered as usual. What telepresence does is intercept the requests sent to Orders and forward them to an address the user specifies (usually the local machine). So before starting the configuration, you need to understand the concept of intercepts in telepresence:
- Global intercept: intercepts all traffic to a given service in k8s and forwards it to the local machine. As shown below, with a global intercept all traffic to the Orders service is intercepted and forwarded locally. Of course, the local code must be running to receive the forwarded requests, and any debugging tool can then be used to debug locally:
- Personal intercept: selectively intercepts only part of a service's traffic without disturbing the rest. The following parameters decide which requests are marked for interception:
--http-match=key=value intercept based on whether a request header matches
--http-path-equal <path> based on the request path
--http-path-prefix <prefix> based on a request path prefix
--http-path-regex <regex> based on whether the request path matches the given regular expression
5. Practice
- Before starting, deploy the service to be debugged remotely to the k8s cluster:
$kubectl get po,svc -lk8s-app=lsh-mcp-idp-cd-test
NAME READY STATUS RESTARTS AGE
pod/lsh-mcp-idp-cd-6c68876d48-v6c88 1/1 Running 0 30s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/lsh-mcp-idp-cd NodePort 20.102.1.158 <none> 9090:30323/TCP,2345:30886/TCP 30s
- And run the lsh-mcp-idp-cd code locally in debug mode:
- Next, use the following command to find the service whose traffic is to be intercepted and forwarded, i.e. lsh-mcp-idp-cd:
$telepresence list
lsh-mcp-idp-cd: ready to intercept (traffic-agent not yet installed)
- Note: to target a specific namespace, add the --namespace parameter, as shown below:
$telepresence list --namespace=kube-system
- Then create the intercept; the command format is:
telepresence intercept <service-name> --port <local-port>[:<remote-port>] --http-match=all --env-file <path-to-env-file> [--namespace <namespace>]
$telepresence intercept lsh-mcp-idp-cd --port 9090:9090 --http-match=all --env-file ~/lsh-mcp-idp-cd-intercept.env
Flag --http-match has been deprecated, use --http-header
Using Deployment lsh-mcp-idp-cd
intercepted
Intercept name : lsh-mcp-idp-cd
State : ACTIVE
Workload kind : Deployment
Destination : 127.0.0.1:9090
Service Port Identifier: 9090
Volume Mount Error : sshfs is not installed on your local machine
Intercepting : matching all HTTP requests
Preview URL : https://sad-thompson-7927.preview.edgestack.me
Layer 5 Hostname : lsh-mcp-idp-cd.default.svc.cluster.local
- After the command completes, you will find that a sidecar has been injected into the workload:
$kubectl get po -lk8s-app=lsh-mcp-idp-cd-test -oyaml | grep -A 5 containerID
- containerID: docker://6aea792f32af00b2e71f643ea41630de9bb6b0ebbe91251877fd79f67630efa1
image: registry.cn-beijing.aliyuncs.com/launcher-agent-only-dev/idp:v1
imageID: docker-pullable://registry.cn-beijing.aliyuncs.com/launcher-agent-only-dev/idp@sha256:c3be2545c30eb75fb652d383e9ec5545df9142e40d3b6f7f78633316b0db8103
lastState: {}
name: idp-cd
ready: true
--
- containerID: docker://5acc04048950fdd38be3a8012c4cc0edbfd83079883717e34992f6f31036176f
image: datawire/ambassador-telepresence-agent:1.11.10
imageID: docker-pullable://datawire/ambassador-telepresence-agent@sha256:9008fc1a6a91dd27baf3da9ebd0aee024f0d6d6a3f9c24611476474f6583e7f8
lastState: {}
name: traffic-agent
ready: true
- A container named traffic-agent has been added; it is this container that intercepts the traffic sent to the pod and forwards it. Run the following command inside the k8s cluster to request the lsh-mcp-idp-cd service:
$curl 20.102.1.158:9090/version
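Because every pod carrying the traffic-agent sidecar shown above may currently have its traffic redirected to a developer machine, it is worth being able to audit which pods are instrumented. The following script is an added example, not code from the original post or from the telepresence project: the kubectl jsonpath query in the comment is an assumption, and the pod lines are a constructed sample in that layout.

```shell
# Assumed jsonpath query (not from the original post) printing one pod per line as
#   <namespace> TAB <pod> TAB <container>=<image> <container>=<image> ...
# kubectl get po -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.containers[*]}{.name}={.image}{" "}{end}{"\n"}{end}'

# Constructed sample of that output (not real cluster data): the first pod mirrors the
# intercepted lsh-mcp-idp-cd pod shown above, the other two are uninstrumented.
sample_pods() {
  printf '%s\t%s\t%s\n' \
    default lsh-mcp-idp-cd-6c68876d48-v6c88 \
      'idp-cd=registry.cn-beijing.aliyuncs.com/launcher-agent-only-dev/idp:v1 traffic-agent=datawire/ambassador-telepresence-agent:1.11.10' \
    default orders-7d9f8b6c5-abcde 'orders=example.invalid/orders:1.0' \
    kube-system coredns-abc-xyz 'coredns=example.invalid/coredns:1.9'
}

# Read pod lines on stdin; print "<namespace>/<pod> <agent-image>" for every pod
# that carries a container named traffic-agent, i.e. whose traffic may currently be
# forwarded off-cluster by an intercept.
find_intercepted_pods() {
  awk -F '\t' '{
    n = split($3, c, " ")
    for (i = 1; i <= n; i++)
      if (index(c[i], "traffic-agent=") == 1)
        print $1 "/" $2 " " substr(c[i], 15)
  }'
}

# Succeed (exit 0) only if no pod in the given namespace carries a traffic-agent.
# Usable as a gate for namespaces that must never be intercepted.
agent_free_namespace() {
  hits=$(find_intercepted_pods | awk -v ns="$1" 'index($1, ns "/") == 1')
  [ -z "$hits" ]
}

# Stand-alone usage: audit the constructed sample and gate the kube-system namespace.
sample_pods | find_intercepted_pods
sample_pods | agent_free_namespace kube-system && echo "kube-system: no intercept agents"
```

To audit a real cluster, pipe the output of the kubectl command in the comment into find_intercepted_pods instead of sample_pods.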
- That covers the practical part of global intercepts; anyone interested in personal intercepts can try them out themselves. Also, personal intercepts seem to have a usage limit per account; once it is exceeded, creating a personal intercept reports an error:
telepresence: error: Failed to establish intercept: intercept in error state AGENT_ERROR: You’ve reached your limit of personal intercepts available for your subscription. See usage and available plans at https://app.getambassador.io/cloud/subscriptions
See logs for details (1 error found): "/Users/xxx/Library/Logs/telepresence/daemon.log"
See logs for details (13609 errors found): "/Users/xxx/Library/Logs/telepresence/connector.log"
If you think you have encountered a bug, please run `telepresence gather-logs` and attach the telepresence_logs.zip to your github issue or create a new one: https://github.com/telepresenceio/telepresence/issues/new?template=Bug_report.md .
6. Uninstall
- Remove the intercept: after running this, the sidecar injected into the workload is removed:
$telepresence leave lsh-mcp-idp-cd
- Remove the telepresence agents and manager: after running this, all sidecars and the traffic-manager controller are removed, and the local telepresence background processes are shut down:
$telepresence uninstall --everything
Telepresence Network quitting...done
Telepresence Traffic Manager quitting...done