# Sidecar in depth #

小灰灰 2022-10-16 08:50

# Welcome to follow my WeChat official account: #

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAaHhwamF2YTE_size_8_color_FFFFFF_t_70_g_se_x_16][]

I only started writing a month ago and have published 18 original articles so far; the list is as follows:

- [Exploring Istio multi-cluster: my conclusions after deploying multi-cluster 50 times][istio_50]
- [Istio multi-cluster distributed tracing, with a hands-on video][istio]
- [Istio fault-protection tools: how many do you know? Istio beginners, don't read this, it's too hard!][istio_istio]
- [Istio business-level access control: so that's how it can be done][istio 1]
- [Non-intrusive compression with Istio: how to compress traffic between microservices][istio 2]
- [Don't claim Istio mastery without understanding EnvoyFilter: http-rbac, don't only use AuthorizationPolicy to configure permissions][envoyfilter_istio_-http-rbac-_AuthorizationPolicy]
- [Don't claim Istio mastery without understanding EnvoyFilter, 02: http-corsFilter, don't only know VirtualService][envoyfilter_istio_-02-http-corsFilter-_vs]
- [Don't claim Istio mastery without understanding EnvoyFilter, 03: http-csrf filter, never write CSRF logic in application code again][envoyfilter_istio_-03-http-csrf filter-_csrf]
- [Don't claim Istio mastery without understanding EnvoyFilter: http-jwt\_authn, don't only know RequestAuthorization][envoyfilter_istio_http-jwt_authn-_RequestAuthorization]
- [Don't claim Istio mastery without understanding EnvoyFilter, 05: fault-filter, fault injection is more than VirtualService][envoyfilter_istio_-05-fault-filter-_vs]
- [Don't claim Istio mastery without understanding EnvoyFilter, 06: http-match, routing configuration is more than VirtualService][envoyfilter_istio_-06-http-match-_vs]
- [Don't claim Istio mastery without understanding EnvoyFilter, 07: load-balancing configuration is more than DestinationRule][envoyfilter_istio_-07-_dr]
- [Don't claim Istio mastery without understanding EnvoyFilter, 08: connection pools and circuit breakers][envoyfilter_istio_-08-]
- [Don't claim Istio mastery without understanding EnvoyFilter, 09: http-route filter][envoyfilter_istio_-09-http-route filter]
- [Don't claim Istio mastery without understanding EnvoyFilter: network filter, redis proxy][envoyfilter_istio_-network filter-redis proxy]
- [Don't claim Istio mastery without understanding EnvoyFilter: network filter, HttpConnectionManager][envoyfilter_istio_-network filter-HttpConnectionManager]
- [Don't claim Istio mastery without understanding EnvoyFilter: ratelimit, the complete Istio ratelimit manual][envoyfilter_istio_-ratelimit-istio ratelimit]

# Learning objectives #

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2h4cGphdmEx_size_16_color_FFFFFF_t_70][]

# What is a Sidecar #

A Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication for the workload it is attached to. By default, Istio programs every sidecar proxy in the mesh with the configuration needed to reach every workload in the mesh, and to accept traffic on all ports associated with its workload. The Sidecar resource provides a way to fine-tune the set of ports and protocols the proxy accepts when forwarding traffic to or from the workload. In addition, it can restrict the set of services the proxy can reach when forwarding outbound traffic from the workload.

Services and configuration in a mesh are organized into one or more namespaces (for example, a Kubernetes namespace or a CF org/space). A Sidecar resource in a namespace applies to one or more workloads in the same namespace, selected by its workloadSelector. If it has no workloadSelector, it applies to all workloads in the same namespace. When determining which Sidecar resource applies to a workload, a resource that selects the workload through its workloadSelector takes precedence over a resource without any workloadSelector.

> Note: each namespace can have only one Sidecar resource without any workload selector. If more than one selectorless Sidecar resource exists in a given namespace, the behavior of the system is undefined. If two or more Sidecar resources with workload selectors select the same workload, the behavior of the system is also undefined.

# Resource reference #

<table>
<thead>
<tr> <th>Field</th> <th>Type</th> <th>Description</th> <th>Required</th> </tr>
</thead>
<tbody>
<tr>
<td><code>workloadSelector</code></td> <td><code>WorkloadSelector</code></td>
<td>Criteria used to select the specific set of pods/VMs on which this <code>Sidecar</code> configuration should be applied. If omitted, the <code>Sidecar</code> configuration will be applied to all workload instances in the same namespace.</td>
<td>No</td>
</tr>
<tr>
<td><code>ingress</code></td> <td><code>IstioIngressListener[]</code></td>
<td>Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will automatically configure the sidecar based on the information about the workload obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.</td>
<td>No</td>
</tr>
<tr>
<td><code>egress</code></td> <td><code>IstioEgressListener[]</code></td>
<td>Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh.</td>
<td>Yes</td>
</tr>
<tr>
<td><code>outboundTrafficPolicy</code></td> <td><code>OutboundTrafficPolicy</code></td>
<td>This allows configuration of the outbound traffic policy. If your application uses one or more external services that are not known a priori, setting the policy to <code>ALLOW_ANY</code> will cause the sidecars to route any unknown traffic originating from the application to its requested destination.</td>
<td>No</td>
</tr>
</tbody>
</table>

## Mesh-wide (global) ##

`sc-default-global.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-system
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080
```

## workloadSelector ##

### Without a selector ###

`sc-default-istio-ingress.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080
```

### With a selector ###

`sc-productpage-selector.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - port:
      number: 9081
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080
```

The listen port and the target port differ, so this can be used for port translation. In that case the Service needs an additional port (`kubectl edit svc productpage -n istio`):

```yaml
- name: http9081
  port: 9081
  protocol: TCP
  targetPort: 9081
```

Change the VirtualService port accordingly, `sidecar/vs-bookinfo-hosts-star.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9081
```

## egress ##

<table>
<thead>
<tr> <th>Field</th> <th>Type</th> <th>Description</th> <th>Required</th> </tr>
</thead>
<tbody>
<tr>
<td><code>port</code></td> <td><code>Port</code></td>
<td>The port associated with the listener. If using Unix domain socket, use 0 as the port number, with a valid protocol. The port if specified, will be used as the default destination port associated with the imported hosts. If the port is omitted, Istio will infer the listener ports based on the imported hosts. Note that when multiple egress listeners are specified, where one or more listeners have specific ports while others have no port, the hosts exposed on a listener port will be based on the listener with the most specific port.</td>
<td>No</td>
</tr>
<tr>
<td><code>bind</code></td> <td><code>string</code></td>
<td>The IP or the Unix domain socket to which the listener should be bound to. Port MUST be specified if bind is not empty. Format: <code>x.x.x.x</code> or <code>unix:///path/to/uds</code> or <code>unix://@foobar</code> (Linux abstract namespace). If omitted, Istio will automatically configure the defaults based on imported services, the workload instances to which this configuration is applied to and the captureMode. If captureMode is <code>NONE</code>, bind will default to 127.0.0.1.</td>
<td>No</td>
</tr>
<tr>
<td><code>captureMode</code></td> <td><code>CaptureMode</code></td>
<td>When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or <code>NONE</code> for Unix domain socket binds.</td>
<td>No</td>
</tr>
<tr>
<td><code>hosts</code></td> <td><code>string[]</code></td>
<td>One or more service hosts exposed by the listener in <code>namespace/dnsName</code> format. Services in the specified namespace matching <code>dnsName</code> will be exposed. The corresponding service can be a service in the service registry (e.g., a Kubernetes or cloud foundry service) or a service specified using a <code>ServiceEntry</code> or <code>VirtualService</code> configuration. Any associated <code>DestinationRule</code> in the same namespace will also be used. The <code>dnsName</code> should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., <code>prod/*.example.com</code>). Set the <code>dnsName</code> to <code>*</code> to select all services from the specified namespace (e.g., <code>prod/*</code>). The <code>namespace</code> can be set to <code>*</code>, <code>.</code>, or <code>~</code>, representing any, the current, or no namespace, respectively. For example, <code>*/foo.example.com</code> selects the service from any available namespace while <code>./foo.example.com</code> only selects the service from the namespace of the sidecar. If a host is set to <code>*/*</code>, Istio will configure the sidecar to be able to reach every service in the mesh that is exported to the sidecar's namespace. The value <code>~/*</code> can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own. NOTE: Only services and configuration artifacts exported to the sidecar's namespace (e.g., <code>exportTo</code> value of <code>*</code>) can be referenced. Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will not be available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>, <code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details. <strong>WARNING:</strong> The list of egress hosts in a <code>Sidecar</code> must also include the Mixer control plane services if they are enabled. Envoy will not be able to reach them otherwise. For example, add host <code>istio-system/istio-telemetry.istio-system.svc.cluster.local</code> if telemetry is enabled, <code>istio-system/istio-policy.istio-system.svc.cluster.local</code> if policy is enabled, or add <code>istio-system/*</code> to allow all services in the <code>istio-system</code> namespace. This requirement is temporary and will be removed in a future Istio release.</td>
<td>Yes</td>
</tr>
</tbody>
</table>

### port ###

`sc-productpage-egress-port.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
```

### bind ###

Bind to 0.0.0.0, `sc-productpage-egress-bind.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
```

Bind to the target Service IP, `sc-productpage-egress-bind-svc-ip.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 10.68.190.94
```

### captureMode ###

<table>
<thead>
<tr> <th>Name</th> <th>Description</th> </tr>
</thead>
<tbody>
<tr> <td><code>DEFAULT</code></td> <td>The default capture mode defined by the environment.</td> </tr>
<tr> <td><code>IPTABLES</code></td> <td>Capture traffic using IPtables redirection.</td> </tr>
<tr> <td><code>NONE</code></td> <td>No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.</td> </tr>
</tbody>
</table>

DEFAULT, `sc-productpage-egress-captureMode-DEFAULT.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: DEFAULT
```

IPTABLES, `sc-productpage-egress-captureMode-IPTABLES.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: IPTABLES
```

NONE, `sc-productpage-egress-captureMode-NONE.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: NONE
```

`sc-productpage-ingress-captureMode-NONE.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
```

Neither inbound nor outbound traffic is captured, which is equivalent to removing the sidecar: Istio resources no longer have any effect on this pod.

Note the mesh configuration setting that allows access to destinations outside the cluster:

```yaml
outboundTrafficPolicy:
  mode: REGISTRY_ONLY | ALLOW_ANY
```

### hosts ###

dot (`./*`), `sc-productpage-egress-hosts-dot.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
```

semi-star (`istio/*`), `sc-productpage-egress-hosts-semi-star.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "istio/*"
```

double-star (`*/*`)
`sc-productpage-egress-hosts-double-star.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "*/*"
```

specific (one FQDN), `sc-productpage-egress-hosts-specific.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "istio/details.istio.svc.cluster.local"
```

## ingress ##

<table>
<thead>
<tr> <th>Field</th> <th>Type</th> <th>Description</th> <th>Required</th> </tr>
</thead>
<tbody>
<tr>
<td><code>port</code></td> <td><code>Port</code></td>
<td>The port associated with the listener.</td>
<td>Yes</td>
</tr>
<tr>
<td><code>bind</code></td> <td><code>string</code></td>
<td>The IP to which the listener should be bound. Must be in the format <code>x.x.x.x</code>. Unix domain socket addresses are not allowed in the bind field for ingress listeners. If omitted, Istio will automatically configure the defaults based on imported services and the workload instances to which this configuration is applied to.</td>
<td>No</td>
</tr>
<tr>
<td><code>captureMode</code></td> <td><code>CaptureMode</code></td>
<td>The captureMode option dictates how traffic to the listener is expected to be captured (or not).</td>
<td>No</td>
</tr>
<tr>
<td><code>defaultEndpoint</code></td> <td><code>string</code></td>
<td>The loopback IP endpoint or Unix domain socket to which traffic should be forwarded to. This configuration can be used to redirect traffic arriving at the bind <code>IP:Port</code> on the sidecar to a <code>localhost:port</code> or Unix domain socket where the application workload instance is listening for connections. Format should be <code>127.0.0.1:PORT</code> or <code>unix:///path/to/socket</code></td>
<td>Yes</td>
</tr>
</tbody>
</table>

### port ###

`sc-productpage-ingress-port.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

### bind ###

`sc-productpage-ingress-bind.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

`sc-productpage-ingress-bind-pod-ip.yaml` (binds the pod IP):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 172.20.1.174
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

### captureMode ###

<table>
<thead>
<tr> <th>Name</th> <th>Description</th> </tr>
</thead>
<tbody>
<tr> <td><code>DEFAULT</code></td> <td>The default capture mode defined by the environment.</td> </tr>
<tr> <td><code>IPTABLES</code></td> <td>Capture traffic using IPtables redirection.</td> </tr>
<tr> <td><code>NONE</code></td> <td>No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.</td> </tr>
</tbody>
</table>

DEFAULT, `sc-productpage-ingress-capture-mode-DEFAULT.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: DEFAULT
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

IPTABLES, `sc-productpage-ingress-capture-mode-IPTABLES.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

NONE, `sc-productpage-ingress-capture-mode-NONE.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

### defaultEndpoint ###

Unix socket:

1. Deploy the MySQL Gateway: `kubectl apply -f gateway/gateway-mysql.yaml -n istio`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysql
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 3306
      name: mysql
      protocol: MYSQL
    hosts:
    - "*"
```

2. Deploy the MySQL VirtualService: `kubectl apply -f gateway/protocol/vs-mysql.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mysql
spec:
  hosts:
  - "*"
  gateways:
  - mysql
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: mysqldb.istio.svc.cluster.local
        port:
          number: 3306
```

3. Add the Service port: `kubectl edit svc istio-ingressgateway -n istio-system` and add port 3306.

4. Deploy the Sidecar, `sc-mysql-defaultEndpoint-unix.yaml`. When the bind address is an IP, the captureMode option dictates how traffic to the listener is captured (or not). For a Unix domain socket, captureMode must be DEFAULT or NONE.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: mysql
spec:
  workloadSelector:
    labels:
      app: mysqldb
  ingress:
  - bind: 0.0.0.0
    port:
      number: 3306
      protocol: MYSQL
      name: mysql
    defaultEndpoint: unix:///var/run/mysqld/mysqld.sock
    captureMode: NONE
```

IP:port, `sc-productpage-ingerss-defaultEndpoint-ip.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
```

## outboundTrafficPolicy ##

### egressProxy ###

<table>
<thead>
<tr> <th>FIELD</th> <th>TYPE</th> <th>LABEL</th> <th>DESCRIPTION</th> </tr>
</thead>
<tbody>
<tr>
<td>egressProxy</td> <td>Destination</td> <td></td>
<td>Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the sidecar. Valid only if the mode is set to ALLOW_ANY. If not specified when the mode is ALLOW_ANY, the sidecar will send the unknown traffic directly to the IP requested by the application. <strong>NOTE 1</strong>: The specified egress host must be imported in the egress section for the traffic forwarding to work. <strong>NOTE 2</strong>: An Envoy based egress gateway is unlikely to be able to handle plain text TCP connections forwarded from the sidecar. Envoy's dynamic forward proxy can handle only HTTP and TLS connections.</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr> <th>FIELD</th> <th>TYPE</th> <th>LABEL</th> <th>DESCRIPTION</th> </tr>
</thead>
<tbody>
<tr>
<td>host</td> <td>string</td> <td></td>
<td>The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by <a href="https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry" title="ServiceEntry" rel="nofollow">ServiceEntry</a>. Traffic forwarded to destinations that are not found in either of the two, will be dropped. <em>Note for Kubernetes users</em>: When short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the "default" namespace containing a host "reviews" will be interpreted as "reviews.default.svc.cluster.local", irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names.</td>
</tr>
<tr>
<td>subset</td> <td>string</td> <td></td>
<td>The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.</td>
</tr>
<tr>
<td>port</td> <td>PortSelector</td> <td></td>
<td>Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.</td>
</tr>
</tbody>
</table>

host, `sc-productpage-outboundTrafficPolicy-egressProxy-host.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
    mode: ALLOW_ANY
```

port, `sc-productpage-outboundTrafficPolicy-egressProxy-port.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
    mode: ALLOW_ANY
```

subset, `sc-productpage-outboundTrafficPolicy-egressProxy-subset.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
      subset: v1
    mode: ALLOW_ANY
```

### mode ###

<table>
<thead>
<tr> <th>Name</th> <th>Description</th> </tr>
</thead>
<tbody>
<tr> <td><code>REGISTRY_ONLY</code></td> <td>Outbound traffic will be restricted to services defined in the service registry as well as those defined through <code>ServiceEntry</code> configurations.</td> </tr>
<tr> <td><code>ALLOW_ANY</code></td> <td>Outbound traffic to unknown destinations will be allowed, in case there are no services or <code>ServiceEntry</code> configurations for the destination port.</td> </tr>
</tbody>
</table>

REGISTRY\_ONLY, `sc-productpage-outboundTrafficPolicy-mode-REGISTRY_ONLY.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```

ALLOW\_ANY, `sc-productpage-outboundTrafficPolicy-mode-ALLOW_ANY.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    mode: ALLOW_ANY
```

## Combined usage ##

`sc-productpage-complex.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```

Outbound destinations are not reachable.

`sc-productpage-complex-02.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: ALLOW_ANY
```

Outbound destinations are reachable.

`sc-productpage-complex-03.yaml`

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: ALLOW_ANY
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
      subset: v1
```

Only the details outbound destination is reachable. Keep the validation rule in mind: `egress_proxy must be set only with ALLOW_ANY outbound_traffic_policy mode`.

## Using a ServiceEntry ##

1. Enter the pod and access www.baidu.com: `kubectl exec -it sleep-557747455f-ft9bs -n istio -- /bin/sh`, then `curl www.baidu.com`. It is reachable.

2. Deploy the Sidecar, `sc-sleep-REGISTRY_ONLY.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: sleep
spec:
  workloadSelector:
    labels:
      app: sleep
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```

3. Access www.baidu.com again. It is not reachable.

4. Deploy the ServiceEntry, `serviceentries/se-baidu.yaml`:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: baidu
spec:
  hosts:
  - "www.baidu.com"
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
```

5. Access www.baidu.com once more. It is reachable.

[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAaHhwamF2YTE_size_8_color_FFFFFF_t_70_g_se_x_16]: /images/20221014/3173a40ab0e743b7870799e012c92a05.png
[istio_50]: https://mp.weixin.qq.com/s/_OPMjmWCDSTlmbAxytg33A
[istio]: https://mp.weixin.qq.com/s/kjvtno_UzJAGr1joxm3tvw
[istio_istio]: https://mp.weixin.qq.com/s/e2-p_NY31Mc5y07S4Bb1JQ
[istio 1]: https://mp.weixin.qq.com/s/iTV0SCQLhSOTYncp3PxoHQ
[istio 2]: https://mp.weixin.qq.com/s/eINlrT242RlAwfuZu1_PcA
[envoyfilter_istio_-http-rbac-_AuthorizationPolicy]: https://mp.weixin.qq.com/s/Q-yTGBNqkjOov49LTXPrPA
[envoyfilter_istio_-02-http-corsFilter-_vs]: https://mp.weixin.qq.com/s/bFMdrT7OKSqoWv8pDXOIqQ
[envoyfilter_istio_-03-http-csrf filter-_csrf]: https://mp.weixin.qq.com/s/dlG9phV-kMMxs4UPzuRNYg
[envoyfilter_istio_http-jwt_authn-_RequestAuthorization]: https://mp.weixin.qq.com/s/IfrJ-FdLYsdhPkDrcO_YXA
[envoyfilter_istio_-05-fault-filter-_vs]: https://mp.weixin.qq.com/s/a4gDXqD8uswgglMwkUph2Q
[envoyfilter_istio_-06-http-match-_vs]: https://mp.weixin.qq.com/s/TpS3DHdcaJiPivIS_jsIGw
[envoyfilter_istio_-07-_dr]: https://mp.weixin.qq.com/s/k-zJm7n7OOKg6MotQJYPAA
[envoyfilter_istio_-08-]: https://mp.weixin.qq.com/s/n_bJ3saNeTtXRprIymhwzg
[envoyfilter_istio_-09-http-route filter]: https://mp.weixin.qq.com/s/JAeZr0BMVQxIrB3S_7Ru0A
[envoyfilter_istio_-network filter-redis proxy]: https://mp.weixin.qq.com/s/B9IPTI8F3q42nVkqbQRlPw
[envoyfilter_istio_-network filter-HttpConnectionManager]: https://mp.weixin.qq.com/s/W3OPQWkCVvuHGS49cTNhlg
[envoyfilter_istio_-ratelimit-istio ratelimit]: https://mp.weixin.qq.com/s/KgiDsELNol27mgZvDbFsqw
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2h4cGphdmEx_size_16_color_FFFFFF_t_70]: /images/20221014/84fd19dd38af4efaabc3f602efb80604.png
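The precedence rules from "What is a Sidecar" (a selector match beats the selectorless default, and more than one selectorless Sidecar per namespace is undefined) and the field constraints in the reference tables are easy to get wrong by hand, and the `egress_proxy must be set only with ALLOW_ANY` rule from the combined-usage section is one istiod enforces. The following is an added example, not code from the original post or from Istio: it encodes those rules in Python over dict versions of the post's manifests. It assumes `istio-system` is the mesh root namespace (as in `sc-default-global.yaml`), so its selectorless Sidecar acts as the mesh-wide fallback; the `SC_BAD_PROXY` manifest is constructed here to show a rejected combination.

```python
"""Which Sidecar applies to a workload, and does it satisfy the documented constraints?

Added example, not from the original post or from Istio. It encodes the precedence
rules from "What is a Sidecar" and the field constraints from the reference tables,
over dict versions of the post's manifests. Assumption: istio-system is the mesh
root namespace, so its selectorless Sidecar is the mesh-wide fallback.
"""
ROOT_NAMESPACE = "istio-system"   # assumption, matches sc-default-global.yaml


def sidecar(name, namespace, **spec):
    """Tiny constructor for a manifest in dict form (constructed, not parsed YAML)."""
    return {"name": name, "namespace": namespace, "spec": spec}


HTTP_9080 = {"number": 9080, "protocol": "HTTP", "name": "http"}
SC_DEFAULT_GLOBAL = sidecar("default", ROOT_NAMESPACE,
                            ingress=[{"port": HTTP_9080, "defaultEndpoint": "127.0.0.1:9080"}])
SC_DEFAULT = sidecar("default", "istio",
                     ingress=[{"port": HTTP_9080, "defaultEndpoint": "127.0.0.1:9080"}])
# Mirrors sc-productpage-complex-03.yaml: egressProxy together with ALLOW_ANY.
SC_PRODUCTPAGE = sidecar(
    "productpage", "istio",
    workloadSelector={"labels": {"app": "productpage"}},
    ingress=[{"port": HTTP_9080, "defaultEndpoint": "127.0.0.1:9080", "captureMode": "NONE"}],
    egress=[{"hosts": ["./*"], "port": {**HTTP_9080, "name": "egresshttp"},
             "bind": "127.0.0.1", "captureMode": "NONE"}],
    outboundTrafficPolicy={"mode": "ALLOW_ANY",
                           "egressProxy": {"host": "details.istio.svc.cluster.local",
                                           "port": {"number": 9080}, "subset": "v1"}})
SIDECARS = [SC_DEFAULT_GLOBAL, SC_DEFAULT, SC_PRODUCTPAGE]
# Constructed invalid variant: egressProxy with REGISTRY_ONLY, which trips the
# validation message quoted in the combined-usage section.
SC_BAD_PROXY = sidecar(
    "productpage", "istio",
    workloadSelector={"labels": {"app": "productpage"}},
    outboundTrafficPolicy={"mode": "REGISTRY_ONLY",
                           "egressProxy": {"host": "details.istio.svc.cluster.local",
                                           "port": {"number": 9080}}})


def selects(sc, workload_ns, labels):
    """A Sidecar matches a workload in its own namespace whose labels contain the
    selector's labels; a Sidecar without a selector matches every workload there."""
    if sc["namespace"] != workload_ns:
        return False
    wanted = (sc["spec"].get("workloadSelector") or {}).get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def select_sidecar(sidecars, workload_ns, labels):
    """Selector match in the workload namespace beats the namespace default, which
    beats the root-namespace default. Ambiguity is undefined in Istio, so it is
    reported instead of guessed. Returns None when no Sidecar applies."""
    matching = [s for s in sidecars if selects(s, workload_ns, labels)]
    with_sel = [s for s in matching if s["spec"].get("workloadSelector")]
    if len(with_sel) > 1:
        raise ValueError("undefined: several Sidecars with selectors select this workload")
    if with_sel:
        return with_sel[0]
    no_sel = [s for s in matching if not s["spec"].get("workloadSelector")]
    if len(no_sel) > 1:
        raise ValueError(f"undefined: several selectorless Sidecars in namespace {workload_ns}")
    if no_sel:
        return no_sel[0]
    root = [s for s in sidecars
            if s["namespace"] == ROOT_NAMESPACE and not s["spec"].get("workloadSelector")]
    return root[0] if len(root) == 1 else None


def validate(sc):
    """Return the list of constraint violations from the reference tables (empty if valid)."""
    spec, problems = sc["spec"], []
    otp = spec.get("outboundTrafficPolicy", {})
    if "egressProxy" in otp and otp.get("mode") != "ALLOW_ANY":
        problems.append("egress_proxy must be set only with ALLOW_ANY outbound_traffic_policy mode")
    for lis in spec.get("egress", []):
        bind, port = lis.get("bind", ""), lis.get("port")
        if not lis.get("hosts"):
            problems.append("egress: hosts is required")
        if bind and port is None:
            problems.append("egress: port MUST be specified if bind is not empty")
        if bind.startswith("unix://"):
            if port and port.get("number") != 0:
                problems.append("egress: use port number 0 with a Unix domain socket bind")
            if lis.get("captureMode", "DEFAULT") not in ("DEFAULT", "NONE"):
                problems.append("egress: captureMode must be DEFAULT or NONE for Unix domain socket binds")
    for lis in spec.get("ingress", []):
        if "port" not in lis:
            problems.append("ingress: port is required")
        if lis.get("bind", "").startswith("unix://"):
            problems.append("ingress: bind must be an IP (x.x.x.x), not a Unix domain socket")
        ep = lis.get("defaultEndpoint", "")
        if not (ep.startswith("127.0.0.1:") or ep.startswith("unix:///")):
            problems.append("ingress: defaultEndpoint must be 127.0.0.1:PORT or unix:///path/to/socket")
    return problems


if __name__ == "__main__":
    for ns, labels in (("istio", {"app": "productpage"}), ("istio", {"app": "reviews"}), ("prod", {})):
        chosen = select_sidecar(SIDECARS, ns, labels)
        print(ns, labels, "->", chosen["namespace"] + "/" + chosen["name"])
    print("complex-03 problems:", validate(SC_PRODUCTPAGE))
    print("bad proxy problems:", validate(SC_BAD_PROXY))
```

Running it shows productpage picking up its own Sidecar, reviews falling back to `istio/default`, and a workload in another namespace falling back to `istio-system/default`; `validate` reports the egressProxy/REGISTRY_ONLY combination the way istiod does, before anything is applied to the cluster.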
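The egress `hosts` forms shown above (`./*`, `istio/*`, `*/*`, `~/*`, a specific FQDN, the left-most wildcard and the exportTo restriction), together with the outboundTrafficPolicy mode and the ServiceEntry experiment, decide what a workload can talk to, which is the least-privilege point of this resource. The following is an added example, not code from the original post or from Istio, that resolves those rules over a constructed registry: the `istio` namespace entries resemble the post's bookinfo setup, the `prod/*` services and the private `foo.example.com` are invented to exercise the wildcard and exportTo cases, and `BAIDU` stands for the registry entry the post's `se-baidu.yaml` produces.

```python
"""Which outbound destinations can a sidecar reach?

Added example, not from the original post or from Istio. It models the egress
`hosts` import syntax, the exportTo visibility rule and the outboundTrafficPolicy
modes described above. The registry below is constructed to resemble the post's
bookinfo namespace "istio"; the prod/* services are invented to show wildcards
and a private (exportTo ".") service.
"""
from dataclasses import dataclass

REGISTRY_ONLY, ALLOW_ANY = "REGISTRY_ONLY", "ALLOW_ANY"


@dataclass(frozen=True)
class Service:
    namespace: str                              # namespace of the Service or ServiceEntry
    host: str                                   # FQDN as the mesh sees it
    export_to: frozenset = frozenset({"*"})     # exportTo; Istio's default is "*"


SERVICES = [
    Service("istio", "productpage.istio.svc.cluster.local"),
    Service("istio", "details.istio.svc.cluster.local"),
    Service("istio", "reviews.istio.svc.cluster.local"),
    Service("istio-system", "istiod.istio-system.svc.cluster.local"),
    Service("prod", "bar.example.com"),
    Service("prod", "foo.example.com", frozenset({"."})),   # private to prod
]
# The post's se-baidu.yaml ServiceEntry, as the registry entry it produces.
BAIDU = Service("istio", "www.baidu.com")


def visible_to(svc, sidecar_ns):
    """Only services exported to the sidecar's namespace can be referenced."""
    return ("*" in svc.export_to or sidecar_ns in svc.export_to
            or ("." in svc.export_to and svc.namespace == sidecar_ns))


def dns_match(pattern, host):
    """'*' selects everything; a wildcard is allowed only in the left-most
    label (e.g. '*.example.com'); anything else is an exact FQDN match."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and host != suffix
    return host == pattern


def import_hosts(sidecar_ns, host_specs, services):
    """Hosts imported by an egress listener's `hosts` list, in namespace/dnsName
    form. None (no egress section) behaves like the single entry '*/*'."""
    imported = set()
    for spec in (host_specs if host_specs is not None else ["*/*"]):
        ns_part, dns_part = spec.split("/", 1)
        if ns_part == "~":                        # '~' imports nothing
            continue
        for svc in services:
            if not visible_to(svc, sidecar_ns):
                continue
            if ns_part == "*":
                ns_ok = True
            elif ns_part == ".":
                ns_ok = svc.namespace == sidecar_ns
            else:
                ns_ok = svc.namespace == ns_part
            if ns_ok and dns_match(dns_part, svc.host):
                imported.add(svc.host)
    return imported


def outbound_allowed(sidecar_ns, host_specs, mode, services, destination):
    """Imported destinations are routed through the mesh config; anything else is
    unknown to this sidecar and is passed through only under ALLOW_ANY."""
    if destination in import_hosts(sidecar_ns, host_specs, services):
        return True
    return mode == ALLOW_ANY


if __name__ == "__main__":
    for spec in ("./*", "istio/*", "*/*", "~/*", "prod/*.example.com",
                 "istio/details.istio.svc.cluster.local"):
        print(f"{spec:40} -> {sorted(import_hosts('istio', [spec], SERVICES))}")
    # The post's sleep/baidu experiment: REGISTRY_ONLY blocks until the ServiceEntry exists.
    print(outbound_allowed("istio", None, REGISTRY_ONLY, SERVICES, "www.baidu.com"))            # False
    print(outbound_allowed("istio", None, REGISTRY_ONLY, SERVICES + [BAIDU], "www.baidu.com"))  # True
```

The two halves correspond to the two knobs the post exercises: `import_hosts` is what the `hosts` examples change (note that `*/*` never yields the private `foo.example.com` from another namespace, and `~/*` yields nothing), and `outbound_allowed` is what the REGISTRY_ONLY/ALLOW_ANY experiment changes, with the ServiceEntry turning an unknown host into a registry host.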