2018-09-17 11:49:14 +08:00
<!DOCTYPE HTML>
<html lang="zh-hans">
<head>
<meta charset="UTF-8">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Understanding Sidecar Injection and Traffic Hijacking in Istio in Depth · Kubernetes Handbook - Kubernetes Chinese Guide / Cloud Native Application Architecture Practice Handbook by Jimmy Song (宋净超)</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="generator" content="GitBook 3.2.3">
<meta name="author" content="Jimmy Song (宋净超)">
<link rel="stylesheet" href="../gitbook/style.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-splitter/splitter.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-page-toc-button/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-image-captions/image-captions.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-back-to-top-button/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-search-plus/search.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-tbfed-pagefooter/footer.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-prism/prism-ghcolors.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-lightbox/lightbox.min.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
<link rel="next" href="linkerd.html" />
<link rel="prev" href="istio-tutorials-collection.html" />
<link rel="shortcut icon" href='../favicon.ico' type="image/x-icon">
<link rel="bookmark" href='../favicon.ico' type="image/x-icon">
<style>
@media only screen and (max-width: 640px) {
.book-header .hidden-mobile {
display: none;
}
}
</style>
<script>
window["gitbook-plugin-github-buttons"] = {"repo":"rootsongjc/kubernetes-handbook","types":["star"],"size":"small"};
</script>
</head>
<body>
<div class="book">
<div class="book-summary">
<div id="book-search-input" role="search">
<input type="text" placeholder="Type to search" />
</div>
<nav role="navigation">
<ul class="summary">
< li class = "chapter " data-level = "5.5" data-path = "../practice/operation.html" >
< a href = "../practice/operation.html" >
< b > 5.5.< / b >
运维管理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.5.1" data-path = "../practice/master-ha.html" >
< a href = "../practice/master-ha.html" >
< b > 5.5.1.< / b >
Master节点高可用
< / a >
< / li >
< li class = "chapter " data-level = "5.5.2" data-path = "../practice/service-rolling-update.html" >
< a href = "../practice/service-rolling-update.html" >
< b > 5.5.2.< / b >
服务滚动升级
< / a >
< / li >
< li class = "chapter " data-level = "5.5.3" data-path = "../practice/app-log-collection.html" >
< a href = "../practice/app-log-collection.html" >
< b > 5.5.3.< / b >
应用日志收集
< / a >
< / li >
< li class = "chapter " data-level = "5.5.4" data-path = "../practice/configuration-best-practice.html" >
< a href = "../practice/configuration-best-practice.html" >
< b > 5.5.4.< / b >
配置最佳实践
< / a >
< / li >
< li class = "chapter " data-level = "5.5.5" data-path = "../practice/monitor.html" >
< a href = "../practice/monitor.html" >
< b > 5.5.5.< / b >
集群及应用监控
< / a >
< / li >
< li class = "chapter " data-level = "5.5.6" data-path = "../practice/data-persistence-problem.html" >
< a href = "../practice/data-persistence-problem.html" >
< b > 5.5.6.< / b >
数据持久化问题
< / a >
< / li >
< li class = "chapter " data-level = "5.5.7" data-path = "../practice/manage-compute-resources-container.html" >
< a href = "../practice/manage-compute-resources-container.html" >
< b > 5.5.7.< / b >
管理容器的计算资源
< / a >
< / li >
< li class = "chapter " data-level = "5.5.8" data-path = "../practice/federation.html" >
< a href = "../practice/federation.html" >
< b > 5.5.8.< / b >
集群联邦
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.6" data-path = "../practice/storage.html" >
< a href = "../practice/storage.html" >
< b > 5.6.< / b >
存储管理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.6.1" data-path = "../practice/glusterfs.html" >
< a href = "../practice/glusterfs.html" >
< b > 5.6.1.< / b >
GlusterFS
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.6.1.1" data-path = "../practice/using-glusterfs-for-persistent-storage.html" >
< a href = "../practice/using-glusterfs-for-persistent-storage.html" >
< b > 5.6.1.1.< / b >
使用GlusterFS做持久化存储
< / a >
< / li >
< li class = "chapter " data-level = "5.6.1.2" data-path = "../practice/using-heketi-gluster-for-persistent-storage.html" >
< a href = "../practice/using-heketi-gluster-for-persistent-storage.html" >
< b > 5.6.1.2.< / b >
使用Heketi作为kubernetes的持久存储GlusterFS的external provisioner
< / a >
< / li >
< li class = "chapter " data-level = "5.6.1.3" data-path = "../practice/storage-for-containers-using-glusterfs-with-openshift.html" >
< a href = "../practice/storage-for-containers-using-glusterfs-with-openshift.html" >
< b > 5.6.1.3.< / b >
在OpenShift中使用GlusterFS做持久化存储
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.6.2" data-path = "../practice/glusterd-2.0.html" >
< a href = "../practice/glusterd-2.0.html" >
< b > 5.6.2.< / b >
GlusterD-2.0
< / a >
< / li >
< li class = "chapter " data-level = "5.6.3" data-path = "../practice/ceph.html" >
< a href = "../practice/ceph.html" >
< b > 5.6.3.< / b >
Ceph
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.6.3.1" data-path = "../practice/ceph-helm-install-guide-zh.html" >
< a href = "../practice/ceph-helm-install-guide-zh.html" >
< b > 5.6.3.1.< / b >
用Helm托管安装Ceph集群并提供后端存储
< / a >
< / li >
< li class = "chapter " data-level = "5.6.3.2" data-path = "../practice/using-ceph-for-persistent-storage.html" >
< a href = "../practice/using-ceph-for-persistent-storage.html" >
< b > 5.6.3.2.< / b >
使用Ceph做持久化存储
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.6.4" data-path = "../practice/openebs.html" >
< a href = "../practice/openebs.html" >
< b > 5.6.4.< / b >
OpenEBS
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.6.4.1" data-path = "../practice/using-openebs-for-persistent-storage.html" >
< a href = "../practice/using-openebs-for-persistent-storage.html" >
< b > 5.6.4.1.< / b >
使用OpenEBS做持久化存储
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.6.5" data-path = "../practice/rook.html" >
< a href = "../practice/rook.html" >
< b > 5.6.5.< / b >
Rook
< / a >
< / li >
< li class = "chapter " data-level = "5.6.6" data-path = "../practice/nfs.html" >
< a href = "../practice/nfs.html" >
< b > 5.6.6.< / b >
NFS
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.6.6.1" data-path = "../practice/using-nfs-for-persistent-storage.html" >
< a href = "../practice/using-nfs-for-persistent-storage.html" >
< b > 5.6.6.1.< / b >
利用NFS动态提供Kubernetes后端存储卷
< / a >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.7" data-path = "../practice/monitoring.html" >
< a href = "../practice/monitoring.html" >
< b > 5.7.< / b >
集群与应用监控
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.7.1" data-path = "../practice/heapster.html" >
< a href = "../practice/heapster.html" >
< b > 5.7.1.< / b >
Heapster
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.7.1.1" data-path = "../practice/using-heapster-to-get-object-metrics.html" >
< a href = "../practice/using-heapster-to-get-object-metrics.html" >
< b > 5.7.1.1.< / b >
使用Heapster获取集群和对象的metric数据
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.7.2" data-path = "../practice/prometheus.html" >
< a href = "../practice/prometheus.html" >
< b > 5.7.2.< / b >
Prometheus
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.7.2.1" data-path = "../practice/using-prometheus-to-monitor-kuberentes-cluster.html" >
< a href = "../practice/using-prometheus-to-monitor-kuberentes-cluster.html" >
< b > 5.7.2.1.< / b >
使用Prometheus监控kubernetes集群
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.7.3" data-path = "../practice/vistio-visualize-your-istio-mesh.html" >
< a href = "../practice/vistio-visualize-your-istio-mesh.html" >
< b > 5.7.3.< / b >
使用Vistio监控Istio服务网格中的流量
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.8" data-path = "../practice/services-management-tool.html" >
< a href = "../practice/services-management-tool.html" >
< b > 5.8.< / b >
服务编排管理
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.8.1" data-path = "../practice/helm.html" >
< a href = "../practice/helm.html" >
< b > 5.8.1.< / b >
使用Helm管理kubernetes应用
< / a >
< / li >
< li class = "chapter " data-level = "5.8.2" data-path = "../practice/create-private-charts-repo.html" >
< a href = "../practice/create-private-charts-repo.html" >
< b > 5.8.2.< / b >
构建私有Chart仓库
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.9" data-path = "../practice/ci-cd.html" >
< a href = "../practice/ci-cd.html" >
< b > 5.9.< / b >
持续集成与发布
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.9.1" data-path = "../practice/jenkins-ci-cd.html" >
< a href = "../practice/jenkins-ci-cd.html" >
< b > 5.9.1.< / b >
使用Jenkins进行持续集成与发布
< / a >
< / li >
< li class = "chapter " data-level = "5.9.2" data-path = "../practice/drone-ci-cd.html" >
< a href = "../practice/drone-ci-cd.html" >
< b > 5.9.2.< / b >
使用Drone进行持续集成与发布
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "5.10" data-path = "../practice/update-and-upgrade.html" >
< a href = "../practice/update-and-upgrade.html" >
< b > 5.10.< / b >
更新与升级
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "5.10.1" data-path = "../practice/manually-upgrade.html" >
< a href = "../practice/manually-upgrade.html" >
< b > 5.10.1.< / b >
手动升级Kubernetes集群
< / a >
< / li >
< li class = "chapter " data-level = "5.10.2" data-path = "../practice/dashboard-upgrade.html" >
< a href = "../practice/dashboard-upgrade.html" >
< b > 5.10.2.< / b >
升级dashboard
< / a >
< / li >
< / ul >
< / li >
< li class = "header" > 领域应用< / li >
< li class = "chapter " data-level = "6.1" data-path = "./" >
< a href = "./" >
< b > 6.1.< / b >
领域应用概览
< / a >
< / li >
< li class = "chapter " data-level = "6.2" data-path = "microservices.html" >
< a href = "microservices.html" >
< b > 6.2.< / b >
微服务架构
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.2.1" data-path = "service-discovery-in-microservices.html" >
< a href = "service-discovery-in-microservices.html" >
< b > 6.2.1.< / b >
微服务中的服务发现
< / a >
< / li >
< li class = "chapter " data-level = "6.2.2" data-path = "microservices-for-java-developers.html" >
< a href = "microservices-for-java-developers.html" >
< b > 6.2.2.< / b >
使用Java构建微服务并发布到Kubernetes平台
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.2.2.1" data-path = "spring-boot-quick-start-guide.html" >
< a href = "spring-boot-quick-start-guide.html" >
< b > 6.2.2.1.< / b >
Spring Boot快速开始指南
< / a >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3" data-path = "service-mesh.html" >
< a href = "service-mesh.html" >
< b > 6.3.< / b >
Service Mesh 服务网格
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.1" data-path = "the-enterprise-path-to-service-mesh-architectures.html" >
< a href = "the-enterprise-path-to-service-mesh-architectures.html" >
< b > 6.3.1.< / b >
企业级服务网格架构
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.1.1" data-path = "service-mesh-fundamental.html" >
< a href = "service-mesh-fundamental.html" >
< b > 6.3.1.1.< / b >
Service Mesh基础
< / a >
< / li >
< li class = "chapter " data-level = "6.3.1.2" data-path = "comparing-service-mesh-technologies.html" >
< a href = "comparing-service-mesh-technologies.html" >
< b > 6.3.1.2.< / b >
Service Mesh技术对比
< / a >
< / li >
< li class = "chapter " data-level = "6.3.1.3" data-path = "service-mesh-adoption-and-evolution.html" >
< a href = "service-mesh-adoption-and-evolution.html" >
< b > 6.3.1.3.< / b >
采纳和演进
< / a >
< / li >
< li class = "chapter " data-level = "6.3.1.4" data-path = "service-mesh-customization-and-integration.html" >
< a href = "service-mesh-customization-and-integration.html" >
< b > 6.3.1.4.< / b >
定制和集成
< / a >
< / li >
< li class = "chapter " data-level = "6.3.1.5" data-path = "service-mesh-conclusion.html" >
< a href = "service-mesh-conclusion.html" >
< b > 6.3.1.5.< / b >
总结
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3.2" data-path = "istio.html" >
< a href = "istio.html" >
< b > 6.3.2.< / b >
Istio
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.2.1" data-path = "istio-installation.html" >
< a href = "istio-installation.html" >
< b > 6.3.2.1.< / b >
安装并试用Istio service mesh
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.2" data-path = "configuring-request-routing.html" >
< a href = "configuring-request-routing.html" >
< b > 6.3.2.2.< / b >
配置请求的路由规则
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.3" data-path = "install-and-expand-istio-mesh.html" >
< a href = "install-and-expand-istio-mesh.html" >
< b > 6.3.2.3.< / b >
安装和拓展Istio service mesh
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.4" data-path = "integrating-vms.html" >
< a href = "integrating-vms.html" >
< b > 6.3.2.4.< / b >
集成虚拟机
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.5" data-path = "sidecar-spec-in-istio.html" >
< a href = "sidecar-spec-in-istio.html" >
< b > 6.3.2.5.< / b >
Istio中sidecar的注入规范及示例
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.6" data-path = "istio-community-tips.html" >
< a href = "istio-community-tips.html" >
< b > 6.3.2.6.< / b >
如何参与Istio社区及注意事项
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.7" data-path = "istio-tutorial.html" >
< a href = "istio-tutorial.html" >
< b > 6.3.2.7.< / b >
Istio教程
< / a >
< / li >
< li class = "chapter " data-level = "6.3.2.8" data-path = "istio-tutorials-collection.html" >
< a href = "istio-tutorials-collection.html" >
< b > 6.3.2.8.< / b >
Istio免费学习资源汇总
< / a >
< / li >
< li class = "chapter active" data-level = "6.3.2.9" data-path = "understand-sidecar-injection-and-traffic-hijack-in-istio-service-mesh.html" >
< a href = "understand-sidecar-injection-and-traffic-hijack-in-istio-service-mesh.html" >
< b > 6.3.2.9.< / b >
深入理解Istio中的Sidecar注入与流量劫持
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3.3" data-path = "linkerd.html" >
< a href = "linkerd.html" >
< b > 6.3.3.< / b >
Linkerd
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.3.1" data-path = "linkerd-user-guide.html" >
< a href = "linkerd-user-guide.html" >
< b > 6.3.3.1.< / b >
Linkerd 使用指南
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3.4" data-path = "conduit.html" >
< a href = "conduit.html" >
< b > 6.3.4.< / b >
Conduit
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.4.1" data-path = "conduit-overview.html" >
< a href = "conduit-overview.html" >
< b > 6.3.4.1.< / b >
Condiut概览
< / a >
< / li >
< li class = "chapter " data-level = "6.3.4.2" data-path = "conduit-installation.html" >
< a href = "conduit-installation.html" >
< b > 6.3.4.2.< / b >
安装Conduit
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3.5" data-path = "envoy.html" >
< a href = "envoy.html" >
< b > 6.3.5.< / b >
Envoy
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.5.1" data-path = "envoy-terminology.html" >
< a href = "envoy-terminology.html" >
< b > 6.3.5.1.< / b >
Envoy的架构与基本术语
< / a >
< / li >
< li class = "chapter " data-level = "6.3.5.2" data-path = "envoy-front-proxy.html" >
< a href = "envoy-front-proxy.html" >
< b > 6.3.5.2.< / b >
Envoy作为前端代理
< / a >
< / li >
< li class = "chapter " data-level = "6.3.5.3" data-path = "envoy-mesh-in-kubernetes-tutorial.html" >
< a href = "envoy-mesh-in-kubernetes-tutorial.html" >
< b > 6.3.5.3.< / b >
Envoy mesh教程
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3.6" data-path = "sofamesh.html" >
< a href = "sofamesh.html" >
< b > 6.3.6.< / b >
SOFAMesh
< / a >
2018-09-19 21:42:26 +08:00
< ul class = "articles" >
< li class = "chapter " data-level = "6.3.6.1" data-path = "dubbo-on-x-protocol-in-sofa-mesh.html" >
< a href = "dubbo-on-x-protocol-in-sofa-mesh.html" >
< b > 6.3.6.1.< / b >
SOFAMesh中的Dubbo on x-protocol
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.3.7" data-path = "sofamosn.html" >
< a href = "sofamosn.html" >
< b > 6.3.7.< / b >
SOFAMosn
< / a >
2018-09-17 11:49:14 +08:00
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.4" data-path = "big-data.html" >
< a href = "big-data.html" >
< b > 6.4.< / b >
大数据
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.4.1" data-path = "spark-standalone-on-kubernetes.html" >
< a href = "spark-standalone-on-kubernetes.html" >
< b > 6.4.1.< / b >
Spark standalone on Kubernetes
< / a >
< / li >
< li class = "chapter " data-level = "6.4.2" data-path = "running-spark-with-kubernetes-native-scheduler.html" >
< a href = "running-spark-with-kubernetes-native-scheduler.html" >
< b > 6.4.2.< / b >
运行支持Kubernetes原生调度的Spark程序
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.5" data-path = "serverless.html" >
< a href = "serverless.html" >
< b > 6.5.< / b >
Serverless架构
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.5.1" data-path = "understanding-serverless.html" >
< a href = "understanding-serverless.html" >
< b > 6.5.1.< / b >
理解Serverless
< / a >
< / li >
< li class = "chapter " data-level = "6.5.2" data-path = "faas.html" >
< a href = "faas.html" >
< b > 6.5.2.< / b >
FaaS-函数即服务
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "6.5.2.1" data-path = "openfaas-quick-start.html" >
< a href = "openfaas-quick-start.html" >
< b > 6.5.2.1.< / b >
OpenFaaS快速入门指南
< / a >
< / li >
< / ul >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "6.6" data-path = "edge-computing.html" >
< a href = "edge-computing.html" >
< b > 6.6.< / b >
边缘计算
< / a >
< / li >
< li class = "chapter " data-level = "6.7" data-path = "ai.html" >
< a href = "ai.html" >
< b > 6.7.< / b >
人工智能
< / a >
< / li >
< li class = "header" > 开发指南< / li >
< li class = "chapter " data-level = "7.1" data-path = "../develop/" >
< a href = "../develop/" >
< b > 7.1.< / b >
开发指南概览
< / a >
< / li >
< li class = "chapter " data-level = "7.2" data-path = "../develop/sigs-and-working-group.html" >
< a href = "../develop/sigs-and-working-group.html" >
< b > 7.2.< / b >
SIG和工作组
< / a >
< / li >
< li class = "chapter " data-level = "7.3" data-path = "../develop/developing-environment.html" >
< a href = "../develop/developing-environment.html" >
< b > 7.3.< / b >
开发环境搭建
< / a >
< / li >
< li class = "chapter " data-level = "7.4" data-path = "../develop/using-vagrant-and-virtualbox-for-development.html" >
< a href = "../develop/using-vagrant-and-virtualbox-for-development.html" >
< b > 7.4.< / b >
本地分布式开发环境搭建( 使用Vagrant和Virtualbox)
< / a >
< / li >
< li class = "chapter " data-level = "7.5" data-path = "../develop/testing.html" >
< a href = "../develop/testing.html" >
< b > 7.5.< / b >
单元测试和集成测试
< / a >
< / li >
< li class = "chapter " data-level = "7.6" data-path = "../develop/client-go-sample.html" >
< a href = "../develop/client-go-sample.html" >
< b > 7.6.< / b >
client-go示例
< / a >
< / li >
< li class = "chapter " data-level = "7.7" data-path = "../develop/operator.html" >
< a href = "../develop/operator.html" >
< b > 7.7.< / b >
Operator
< / a >
< / li >
< li class = "chapter " data-level = "7.8" data-path = "../develop/operator-sdk.html" >
< a href = "../develop/operator-sdk.html" >
< b > 7.8.< / b >
operator-sdk
< / a >
< / li >
< li class = "chapter " data-level = "7.9" data-path = "../develop/advance-developer.html" >
< a href = "../develop/advance-developer.html" >
< b > 7.9.< / b >
高级开发指南
< / a >
< / li >
< li class = "chapter " data-level = "7.10" data-path = "../develop/contribute.html" >
< a href = "../develop/contribute.html" >
< b > 7.10.< / b >
社区贡献
< / a >
< / li >
< li class = "chapter " data-level = "7.11" data-path = "../develop/minikube.html" >
< a href = "../develop/minikube.html" >
< b > 7.11.< / b >
Minikube
< / a >
< / li >
< li class = "header" > 附录< / li >
< li class = "chapter " data-level = "8.1" data-path = "../appendix/" >
< a href = "../appendix/" >
< b > 8.1.< / b >
附录说明
< / a >
< / li >
< li class = "chapter " data-level = "8.2" data-path = "../appendix/debug-kubernetes-services.html" >
< a href = "../appendix/debug-kubernetes-services.html" >
< b > 8.2.< / b >
Kubernetes中的应用故障排查
< / a >
< / li >
< li class = "chapter " data-level = "8.3" data-path = "../appendix/material-share.html" >
< a href = "../appendix/material-share.html" >
< b > 8.3.< / b >
Kubernetes相关资讯和情报链接
< / a >
< / li >
< li class = "chapter " data-level = "8.4" data-path = "../appendix/docker-best-practice.html" >
< a href = "../appendix/docker-best-practice.html" >
< b > 8.4.< / b >
Docker最佳实践
< / a >
< / li >
< li class = "chapter " data-level = "8.5" data-path = "../appendix/tricks.html" >
< a href = "../appendix/tricks.html" >
< b > 8.5.< / b >
使用技巧
< / a >
< / li >
< li class = "chapter " data-level = "8.6" data-path = "../appendix/issues.html" >
< a href = "../appendix/issues.html" >
< b > 8.6.< / b >
问题记录
< / a >
< / li >
< li class = "chapter " data-level = "8.7" data-path = "../appendix/kubernetes-changelog.html" >
< a href = "../appendix/kubernetes-changelog.html" >
< b > 8.7.< / b >
Kubernetes版本更新日志
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "8.7.1" data-path = "../appendix/kubernetes-1.7-changelog.html" >
< a href = "../appendix/kubernetes-1.7-changelog.html" >
< b > 8.7.1.< / b >
Kubernetes1.7更新日志
< / a >
< / li >
< li class = "chapter " data-level = "8.7.2" data-path = "../appendix/kubernetes-1.8-changelog.html" >
< a href = "../appendix/kubernetes-1.8-changelog.html" >
< b > 8.7.2.< / b >
Kubernetes1.8更新日志
< / a >
< / li >
< li class = "chapter " data-level = "8.7.3" data-path = "../appendix/kubernetes-1.9-changelog.html" >
< a href = "../appendix/kubernetes-1.9-changelog.html" >
< b > 8.7.3.< / b >
Kubernetes1.9更新日志
< / a >
< / li >
< li class = "chapter " data-level = "8.7.4" data-path = "../appendix/kubernetes-1.10-changelog.html" >
< a href = "../appendix/kubernetes-1.10-changelog.html" >
< b > 8.7.4.< / b >
Kubernetes1.10更新日志
< / a >
< / li >
< li class = "chapter " data-level = "8.7.5" data-path = "../appendix/kubernetes-1.11-changelog.html" >
< a href = "../appendix/kubernetes-1.11-changelog.html" >
< b > 8.7.5.< / b >
Kubernetes1.11更新日志
< / a >
2018-09-28 10:59:50 +08:00
< / li >
< li class = "chapter " data-level = "8.7.6" data-path = "../appendix/kubernetes-1.12-changelog.html" >
< a href = "../appendix/kubernetes-1.12-changelog.html" >
< b > 8.7.6.< / b >
Kubernetes1.12更新日志
< / a >
2018-09-17 11:49:14 +08:00
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "8.8" data-path = "../appendix/summary-and-outlook.html" >
< a href = "../appendix/summary-and-outlook.html" >
< b > 8.8.< / b >
Kubernetes及云原生年度总结及展望
< / a >
< ul class = "articles" >
< li class = "chapter " data-level = "8.8.1" data-path = "../appendix/kubernetes-and-cloud-native-summary-in-2017-and-outlook-for-2018.html" >
< a href = "../appendix/kubernetes-and-cloud-native-summary-in-2017-and-outlook-for-2018.html" >
< b > 8.8.1.< / b >
Kubernetes与云原生2017年年终总结及2018年展望
< / a >
< / li >
< / ul >
< / li >
< li class = "chapter " data-level = "8.9" data-path = "../appendix/about-kcsp.html" >
< a href = "../appendix/about-kcsp.html" >
< b > 8.9.< / b >
Kubernetes认证服务提供商( KCSP) 说明
< / a >
< / li >
< li class = "chapter " data-level = "8.10" data-path = "../appendix/about-cka-candidate.html" >
< a href = "../appendix/about-cka-candidate.html" >
< b > 8.10.< / b >
认证Kubernetes管理员( CKA) 说明
< / a >
< / li >
< li class = "divider" > < / li >
< li >
< a href = "https://www.gitbook.com" target = "blank" class = "gitbook-link" >
本书使用 GitBook 发布
< / a >
< / li >
</ul>
</nav>
</div>
<div class="book-body">
<div class="body-inner">
<div class="book-header" role="navigation">
<!-- Title -->
<h1>
<i class="fa fa-circle-o-notch fa-spin"></i>
<a href="..">Understanding Sidecar Injection and Traffic Hijacking in Istio</a>
</h1>
</div>
<div class="page-wrapper" tabindex="-1" role="main">
<div class="page-inner">
<div class="search-plus" id="book-search-results">
<div class="search-noresults">
<section class="normal markdown-section">
<html><head></head><body><h2 id="深入理解-istio中的sidecar注入与流量劫持">Understanding Sidecar Injection and Traffic Hijacking in Istio</h2>
<p>Before explaining how Istio injects the Envoy proxy into an application Pod, we need to understand the following concepts:</p>
<ul>
<li>Sidecar pattern: one of the container application patterns, and one way of implementing a Service Mesh architecture.</li>
<li>Init container: a special-purpose container in a Pod that runs before the application containers start, used to hold utilities or setup scripts that are not present in the application image.</li>
<li>iptables: traffic hijacking is implemented through iptables forwarding.</li>
</ul>
<p>Check the containers currently running in the <code>productpage-v1-745ffc55b7-2l2lw</code> Pod:</p>
<pre class="language-"><code class="lang-bash">$ kubectl -n default get pod productpage-v1-745ffc55b7-2l2lw -o=jsonpath='{..spec.containers[*].name}'
productpage istio-proxy
</code></pre>
<p><code>productpage</code> is the application container and <code>istio-proxy</code> is the Envoy proxy sidecar container. The Pod also ran an Init container, but because it terminates automatically as soon as it finishes, we cannot see it here. For the usage of <code>jsonpath</code>, see <a href="https://kubernetes.io/docs/reference/kubectl/jsonpath/" target="_blank">JSONPath Support</a>.</p>
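<p>The jsonpath query above walks only <code>spec.containers</code>, which is why the Init container that already ran and exited does not appear. The following audit script is an added example (not code from the handbook): it reads the full <code>kubectl get pods -o json</code> document, reports app, sidecar and Init containers with their states, and lists pods that were deployed without the sidecar. The pod documents are constructed by hand to resemble the bookinfo productpage pod; the image tags and the second "legacy" pod are assumptions.</p>

```python
"""Audit which containers a Pod really runs, Init containers included.

Added example, not code from the handbook. The jsonpath query on the page,
'{..spec.containers[*].name}', walks only spec.containers, so the Init
container that already ran and exited is never listed there. Reading the
full `kubectl get pods -o json` document (spec.initContainers plus
status.initContainerStatuses) shows it together with its final state.
"""
import json

SIDECAR_NAME = "istio-proxy"  # sidecar container name as shown on the page

# Constructed sample shaped like `kubectl -n default get pods -o json` output.
# Image tags and the second pod are assumptions, not values from the page.
SAMPLE_POD_LIST_JSON = json.dumps({"items": [
    {
        "metadata": {"name": "productpage-v1-745ffc55b7-2l2lw", "namespace": "default"},
        "spec": {
            "initContainers": [{"name": "istio-init", "image": "istio/proxy_init:1.0.0"}],
            "containers": [
                {"name": "productpage", "image": "istio/examples-bookinfo-productpage-v1:1.8.0"},
                {"name": SIDECAR_NAME, "image": "istio/proxyv2:1.0.0"},
            ],
        },
        "status": {
            "initContainerStatuses": [
                {"name": "istio-init", "state": {"terminated": {"exitCode": 0, "reason": "Completed"}}}],
            "containerStatuses": [
                {"name": "productpage", "state": {"running": {}}},
                {"name": SIDECAR_NAME, "state": {"running": {}}}],
        },
    },
    {   # a pod deployed without injection: no Init container, no sidecar
        "metadata": {"name": "legacy-app-7d9f4b6c8-x1z2q", "namespace": "default"},
        "spec": {"containers": [{"name": "legacy-app", "image": "example/legacy-app:1.0"}]},
        "status": {"containerStatuses": [{"name": "legacy-app", "state": {"running": {}}}]},
    },
]})


def _state_name(container_status):
    """Map a containerStatus entry to 'running', 'waiting' or 'terminated'."""
    state = container_status.get("state", {})
    return next(iter(state), "unknown")


def summarize_pod(pod):
    """Describe app, sidecar and Init containers of one pod document (a dict)."""
    spec, status = pod["spec"], pod.get("status", {})
    states = {s["name"]: _state_name(s)
              for s in status.get("containerStatuses", []) + status.get("initContainerStatuses", [])}
    containers = [c["name"] for c in spec.get("containers", [])]
    inits = [c["name"] for c in spec.get("initContainers", [])]
    return {
        "pod": pod["metadata"]["name"],
        "app_containers": [c for c in containers if c != SIDECAR_NAME],
        "sidecar_injected": SIDECAR_NAME in containers,
        # Init containers show up here even though spec.containers omits them.
        "init_containers": {n: states.get(n, "unknown") for n in inits},
        "container_states": {n: states.get(n, "unknown") for n in containers},
    }


def pod_reports(pod_list_json):
    """Summaries for every pod in a `kubectl get pods -o json` list (JSON text)."""
    return [summarize_pod(p) for p in json.loads(pod_list_json)["items"]]


def uninjected_pods(pod_list_json):
    """Names of pods whose spec.containers has no istio-proxy sidecar."""
    return [r["pod"] for r in pod_reports(pod_list_json) if not r["sidecar_injected"]]


if __name__ == "__main__":
    for report in pod_reports(SAMPLE_POD_LIST_JSON):
        print(report)
    print("pods without sidecar:", uninjected_pods(SAMPLE_POD_LIST_JSON))
```

<p>Run it against real output by replacing <code>SAMPLE_POD_LIST_JSON</code> with the text of <code>kubectl -n default get pods -o json</code>; <code>uninjected_pods</code> then gives the list of workloads whose traffic is not passing through a proxy at all.</p>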
<h2 id="sidecar-模式">The Sidecar pattern</h2>
<p>Before looking at how Istio uses Sidecar injection, we first need to explain what the Sidecar pattern is. Sidecar is one of the container application patterns, and one that has come into its own with Service Mesh; see <a href="http://www.servicemesher.com/blog/service-mesh-architectures/" target="_blank">Service Mesh Architectures</a>, which describes in detail the <strong>node agent</strong> and <strong>Sidecar</strong> forms of Service Mesh architecture.</p>
<p>When a service mesh is deployed in the Sidecar pattern, no agent has to run on the node (so no cooperation from the infrastructure is needed), but the cluster will run many identical copies of the Sidecar. Seen from another angle: I can deploy a set of microservices into one service mesh, and you can deploy another service mesh with its own specific implementation. In a Sidecar deployment, you deploy a companion container next to each application container, and the Sidecar takes over all traffic entering and leaving the application container. In a Kubernetes Pod, a Sidecar container runs beside the original application container; the two containers share storage, network and other resources, so a Pod with an injected Sidecar container can loosely be thought of as a single host whose resources both containers share.</p>
<p>For example, in the architecture diagram from <a href="https://jimmysong.io/posts/sofamesh-and-mosn-proxy-sidecar-service-mesh-by-ant-financial/" target="_blank">SOFAMesh &amp; SOFA MOSN: a Service Mesh solution built on Istio for handling large-scale traffic</a>, MOSN runs as a Sidecar in the same Pod as the application and intercepts all traffic entering and leaving the application container. <a href="https://github.com/alipay/sofa-mesh" target="_blank">SOFAMesh</a> is compatible with Istio and replaces Envoy with <a href="https://github.com/alipay/sofa-mosn" target="_blank">SOFAMosn</a>, which is written in Go.</p>
<figure id="fig6.3.2.9.1"><a href="https://ws4.sinaimg.cn/large/006tNbRwgy1fuyr4vizzwj31kw1biq98.jpg" data-lightbox="15756c1e-2f6b-4654-8f60-5df24a07643f" data-title="SOFAMesh架构图" target="_blank"><img src="https://ws4.sinaimg.cn/large/006tNbRwgy1fuyr4vizzwj31kw1biq98.jpg" alt="SOFAMesh架构图"></a><figcaption>Figure - SOFAMesh architecture diagram</figcaption></figure>
<p><strong>Note</strong>: in the rest of this article, Sidecar always refers to the Envoy proxy container.</p>
<h2 id="init-容器">Init containers</h2>
<p>An Init container is a special-purpose container that runs before the application containers start, used to hold utilities or setup scripts that are not present in the application image.</p>
<p>A Pod can specify multiple Init containers; if several are specified, they run one after another in order, and the next Init container runs only after the previous one has completed successfully. Only when all Init containers have finished does Kubernetes initialize the Pod and run the application containers.</p>
<p>Init containers use Linux namespaces, so they have a different filesystem view from the application containers. They can therefore be granted access to a Secret that the application containers cannot access.</p>
<p>During Pod startup, Init containers start in order after the network and volumes have been initialized. Each container must exit successfully before the next one starts. If a container fails because of the runtime or exits with a failure, the container startup fails and it is retried according to the policy specified by the Pod's <code>restartPolicy</code>. However, if the Pod's <code>restartPolicy</code> is set to Always, a failing Init container is handled with <code>RestartPolicy</code> OnFailure.</p>
<p>The Pod will not become <code>Ready</code> until all Init containers have succeeded. The ports of Init containers are not aggregated in a Service. A Pod that is still initializing is in the <code>Pending</code> state, but should have the <code>Initializing</code> condition set to true. Init containers terminate automatically once they have finished running.</p>
<p>For details on Init containers, see <a href="https://jimmysong.io/kubernetes-handbook/concepts/init-containers.html" target="_blank">Init containers - Kubernetes Handbook</a>.</p>
<h2 id="sidecar-注入示例分析">Analysis of a Sidecar injection example</h2>
<p>Let's look at the YAML configuration of <code>productpage</code> in the official Istio example <code>bookinfo</code>; for the full YAML configuration of the <code>bookinfo</code> application, see <a href="https://github.com/rootsongjc/kubernetes-vagrant-centos-cluster/blob/master/yaml/istio-bookinfo/bookinfo.yaml" target="_blank">bookinfo.yaml</a>.</p>
<pre class="language-"><code class="lang-yaml">apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: productpage-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      containers:
      - name: productpage
        image: istio/examples-bookinfo-productpage-v1:1.8.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
</code></pre>
<p>Now look at the <a href="https://github.com/istio/istio/blob/master/samples/bookinfo/src/productpage/Dockerfile" target="_blank">Dockerfile</a> of the <code>productpage</code> container.</p>
<pre class="language-"><code class="lang-docker">FROM python:2.7-slim

COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

COPY productpage.py /opt/microservices/
COPY templates /opt/microservices/templates
COPY requirements.txt /opt/microservices/
EXPOSE 9080
WORKDIR /opt/microservices
CMD python productpage.py 9080
</code></pre>
<p>The <code>Dockerfile</code> configures no <code>ENTRYPOINT</code>, so the <code>CMD</code> value <code>python productpage.py 9080</code> is what the container executes by default, playing the role of an <code>ENTRYPOINT</code>. Keep this in mind, and now look at the configuration after the sidecar has been injected.</p>
<pre class="language-"><code class="lang-bash">$ istioctl kube-inject -f yaml/istio-bookinfo/bookinfo.yaml
</code></pre>
<p>Only the <code>Service</code> and <code>Deployment</code> sections related to <code>productpage</code> are excerpted here.</p>
<pre class="language-"><code class="lang-yaml">apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  creationTimestamp: null
  name: productpage-v1
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      annotations:
        sidecar.istio.io/status: '{"version":"fde14299e2ae804b95be08e0f2d171d466f47983391c00519bbf01392d9ad6bb","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
      creationTimestamp: null
      labels:
        app: productpage
        version: v1
    spec:
      containers:
      - image: istio/examples-bookinfo-productpage-v1:1.8.0
        imagePullPolicy: IfNotPresent
        name: productpage
        ports:
        - containerPort: 9080
        resources: {}
      - args:
        - proxy
        - sidecar
        - --configPath
        - /etc/istio/proxy
        - --binaryPath
        - /usr/local/bin/envoy
        - --serviceCluster
        - productpage
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --discoveryAddress
        - istio-pilot.istio-system:15007
        - --discoveryRefreshDelay
        - 1s
        - --zipkinAddress
        - zipkin.istio-system:9411
        - --connectTimeout
        - 10s
        - --statsdUdpAddress
        - istio-statsd-prom-bridge.istio-system:9125
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        image: jimmysong/istio-release-proxyv2:1.0.0
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        resources:
          requests:
            cpu: 10m
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: 1337
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
      initContainers:
      - args:
        - -p
        - "15001"
        - -u
        - "1337"
        - -m
        - REDIRECT
        - -i
        - '*'
        - -x
        - ""
        - -b
        - 9080,
        - -d
        - ""
        image: jimmysong/istio-release-proxy_init:1.0.0
        imagePullPolicy: IfNotPresent
        name: istio-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
      volumes:
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.default
status: {}
</code></pre>
<p>The Service configuration is unchanged; every change is inside the <code>Deployment</code>. What Istio injects into the application Pod consists mainly of:</p>
<ul>
<li>the init container <code>istio-init</code>, which prepares the sidecar container (the Envoy proxy) by setting up iptables port redirection;</li>
<li>the Envoy sidecar container <code>istio-proxy</code>, which runs the Envoy proxy.</li>
</ul>
<p>The next sections analyse these two containers in turn.</p>
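<p>An added audit of the injected template above (example code written for this page, not part of the Kubernetes Handbook or of Istio). It rebuilds the relevant fields of the injected Deployment as a constructed Python dict and checks what a reviewer would check before trusting an injection: the <code>sidecar.istio.io/status</code> annotation matches the containers and volumes actually present, only the init container carries privilege (<code>NET_ADMIN</code>), the proxy stays unprivileged with a read-only root filesystem, the UID that <code>istio-init</code> exempts with <code>-u</code> is the UID the proxy runs as, and every application port is in the inbound list given to <code>-b</code>. The function names (<code>audit_injection</code>, <code>init_flags</code>, <code>with_proxy_uid</code>) are this example's own.</p>

```python
"""Consistency audit of an Istio-injected pod template.

Added example, not code from the Kubernetes Handbook or from Istio. The
template below is a constructed dict mirroring the istioctl kube-inject
output above (only the fields the audit needs are reproduced)."""
import copy
import json

INJECTED_TEMPLATE = {
    "metadata": {"annotations": {"sidecar.istio.io/status": json.dumps({
        "version": "fde14299e2ae804b95be08e0f2d171d466f47983391c00519bbf01392d9ad6bb",
        "initContainers": ["istio-init"],
        "containers": ["istio-proxy"],
        "volumes": ["istio-envoy", "istio-certs"],
        "imagePullSecrets": None,
    })}},
    "spec": {
        "containers": [
            {"name": "productpage",
             "image": "istio/examples-bookinfo-productpage-v1:1.8.0",
             "ports": [{"containerPort": 9080}]},
            {"name": "istio-proxy",
             "image": "jimmysong/istio-release-proxyv2:1.0.0",
             "securityContext": {"privileged": False,
                                 "readOnlyRootFilesystem": True,
                                 "runAsUser": 1337}},
        ],
        "initContainers": [
            {"name": "istio-init",
             "image": "jimmysong/istio-release-proxy_init:1.0.0",
             "args": ["-p", "15001", "-u", "1337", "-m", "REDIRECT",
                      "-i", "*", "-x", "", "-b", "9080,", "-d", ""],
             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]},
                                 "privileged": True}},
        ],
        "volumes": [{"name": "istio-envoy"}, {"name": "istio-certs"}],
    },
}


def init_flags(args):
    """Turn istio-init's flag/value list into a dict, e.g. {"-p": "15001", ...}."""
    return {args[i]: args[i + 1] for i in range(0, len(args) - 1, 2)}


def audit_injection(template):
    """Return a list of findings; an empty list means the injection is consistent."""
    findings = []
    spec = template["spec"]
    containers = {c["name"]: c for c in spec.get("containers", [])}
    inits = {c["name"]: c for c in spec.get("initContainers", [])}
    volumes = {v["name"] for v in spec.get("volumes", [])}
    status = json.loads(
        template["metadata"]["annotations"]["sidecar.istio.io/status"])

    # 1. The status annotation must describe what is really in the spec;
    #    a mismatch means the annotation was hand-edited or injection was partial.
    for kind, present in (("containers", containers),
                          ("initContainers", inits), ("volumes", volumes)):
        for name in status.get(kind) or []:
            if name not in present:
                findings.append(f"annotation lists {kind[:-1]} {name!r} "
                                "that is not in the pod spec")

    proxy, init = containers.get("istio-proxy"), inits.get("istio-init")
    if proxy is None or init is None:
        findings.append("istio-proxy or istio-init is missing")
        return findings

    # 2. Only the init container needs privilege (NET_ADMIN for iptables);
    #    the long-running proxy must stay unprivileged and read-only.
    proxy_sc = proxy.get("securityContext", {})
    if proxy_sc.get("privileged"):
        findings.append("istio-proxy runs privileged")
    if not proxy_sc.get("readOnlyRootFilesystem"):
        findings.append("istio-proxy root filesystem is writable")
    init_caps = init.get("securityContext", {}).get("capabilities", {}).get("add", [])
    if "NET_ADMIN" not in init_caps:
        findings.append("istio-init lacks NET_ADMIN and cannot program iptables")

    # 3. The UID exempted from redirection (-u) must be the UID Envoy runs as,
    #    otherwise Envoy's own outbound traffic is redirected back to itself.
    flags = init_flags(init.get("args", []))
    proxy_uid = str(proxy_sc.get("runAsUser"))
    if flags.get("-u") != proxy_uid:
        findings.append(f"istio-init exempts uid {flags.get('-u')} "
                        f"but istio-proxy runs as uid {proxy_uid}")

    # 4. An application container sharing that UID would bypass the mesh, and
    #    every application port must be in the inbound list (-b) to be captured.
    inbound = {p for p in flags.get("-b", "").split(",") if p}
    for name, c in containers.items():
        if name == "istio-proxy":
            continue
        if str(c.get("securityContext", {}).get("runAsUser")) == flags.get("-u"):
            findings.append(f"{name} runs as the proxy uid and bypasses redirection")
        for port in c.get("ports", []):
            cp = str(port["containerPort"])
            if "*" not in inbound and cp not in inbound:
                findings.append(f"port {cp} of {name} is not in the inbound "
                                "redirect list and bypasses Envoy")
    return findings


def with_proxy_uid(template, uid):
    """Copy of the template with istio-proxy's runAsUser changed (for testing)."""
    modified = copy.deepcopy(template)
    for c in modified["spec"]["containers"]:
        if c["name"] == "istio-proxy":
            c["securityContext"]["runAsUser"] = uid
    return modified


if __name__ == "__main__":
    print(audit_injection(INJECTED_TEMPLATE) or "injection is consistent")
    print(audit_injection(with_proxy_uid(INJECTED_TEMPLATE, 1000)))
```

<p>Run against the template as injected, the audit returns no findings; changing the proxy's <code>runAsUser</code> to anything other than the <code>-u</code> value immediately produces a finding, which is the kind of drift a mutating webhook or a hand-edited manifest can introduce.</p>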
<h3 id="init-容器解析">Init container analysis</h3>
<p>The init container Istio injects into the Pod is named <code>istio-init</code>; its startup arguments appear in the injected YAML above:</p>
<pre class="language-"><code class="lang-bash">-p 15001 -u 1337 -m REDIRECT -i '*' -x "" -b 9080 -d ""
</code></pre>
<p>Check the container's <a href="https://github.com/istio/istio/blob/master/pilot/docker/Dockerfile.proxy_init" target="_blank">Dockerfile</a> to see what its <code>ENTRYPOINT</code> is and therefore which command runs at startup.</p>
<pre class="language-"><code class="lang-docker">FROM ubuntu:xenial
RUN apt-get update &amp;&amp; apt-get install -y \
    iproute2 \
    iptables \
 &amp;&amp; rm -rf /var/lib/apt/lists/*

ADD istio-iptables.sh /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/istio-iptables.sh"]
</code></pre>
<p>The entry point of the <code>istio-init</code> container is the script <code>/usr/local/bin/istio-iptables.sh</code>. Following the trail, the script lives in the Istio source repository at <a href="https://github.com/istio/istio/blob/master/tools/deb/istio-iptables.sh" target="_blank">tools/deb/istio-iptables.sh</a>; it is a little over 300 lines, so it is not reproduced here. The following sections walk through this startup script.</p>
<h3 id="init-容器启动入口">Init container entry point</h3>
<p>The init container's entry point is the script <code>/usr/local/bin/istio-iptables.sh</code>, whose usage is:</p>
<pre class="language-"><code class="lang-bash">$ istio-iptables.sh -p PORT -u UID -g GID [-m mode] [-b ports] [-d ports] [-i CIDR] [-x CIDR] [-h]
  -p: the Envoy port to which all TCP traffic is redirected (default: $ENVOY_PORT = 15001)
  -u: the UID of the user whose traffic is not redirected; usually the UID of the proxy container (default: the uid of $ENVOY_USER, the istio_proxy uid, or 1337)
  -g: the GID of the user whose traffic is not redirected (same default as the -u parameter)
  -m: the mode used to redirect inbound connections to Envoy, "REDIRECT" or "TPROXY" (default: $ISTIO_INBOUND_INTERCEPTION_MODE)
  -b: comma-separated list of inbound ports whose traffic is redirected to Envoy (optional). The wildcard "*" redirects all ports. An empty value disables all inbound redirection (default: $ISTIO_INBOUND_PORTS)
  -d: comma-separated list of inbound ports to exclude from redirection to Envoy (optional). The wildcard "*" means all inbound traffic is redirected (default: $ISTIO_LOCAL_EXCLUDE_PORTS)
  -i: comma-separated list of IP ranges in CIDR form whose traffic is redirected to Envoy (optional). The wildcard "*" redirects all outbound traffic. An empty list disables all outbound redirection (default: $ISTIO_SERVICE_CIDR)
  -x: comma-separated list of IP ranges in CIDR form to exclude from redirection. The wildcard "*" means all outbound traffic is redirected (default: $ISTIO_SERVICE_EXCLUDE_CIDR)
  Environment variables are read from $ISTIO_SIDECAR_CONFIG (default: /var/lib/istio/envoy/sidecar.env)
</code></pre>
<p>Reading the script shows that every argument passed in is reassembled into arguments of the <a href="https://wangchujiang.com/linux-command/c/iptables.html" target="_blank"><code>iptables</code> command</a>.</p>
<p>Combined with the startup arguments of the <code>istio-init</code> container, the complete startup command is:</p>
<pre class="language-"><code class="lang-bash">$ /usr/local/bin/istio-iptables.sh -p 15001 -u 1337 -m REDIRECT -i '*' -x "" -b 9080 -d ""
</code></pre>
<p>This container exists so that the Envoy proxy can intercept all traffic entering and leaving the Pod: inbound traffic is redirected to the sidecar, and the application container's outbound traffic is intercepted and passed through the sidecar before it leaves.</p>
<p><strong>Command analysis</strong></p>
<p>This startup command does the following:</p>
<ul>
<li>Forward all of the application container's traffic to Envoy's port 15001.</li>
<li>Use the <code>istio-proxy</code> user identity, UID 1337, as the user whose traffic is not redirected (the <code>-u</code> flag described above); this is the user space Envoy lives in, and also the default user of the <code>istio-proxy</code> container, see the <code>runAsUser</code> field in the YAML.</li>
<li>Use the default <code>REDIRECT</code> mode to redirect traffic.</li>
<li>Redirect all outbound traffic to the Envoy proxy.</li>
<li>Redirect all traffic to port 9080 (the port of the <code>productpage</code> application container) to the Envoy proxy.</li>
</ul>
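<p>To make that list concrete, here is an added Python model (not the Kubernetes Handbook's code and not <code>istio-iptables.sh</code> itself) that parses the startup command and emits the nat-table rules such a command implies in REDIRECT mode. It goes beyond the single case above: <code>-b '*'</code>, excluded ports (<code>-d</code>) and excluded CIDRs (<code>-x</code>) are handled as the usage text describes. The chain names <code>ISTIO_REDIRECT</code>, <code>ISTIO_INBOUND</code> and <code>ISTIO_OUTPUT</code> and the rule order follow the Istio 1.0 script as recalled by the author of this example and are an assumption to check against <code>tools/deb/istio-iptables.sh</code>; the example prints the commands rather than running them.</p>

```python
"""Model of how istio-iptables.sh turns its flags into nat-table rules.

Added example, not the script itself and not from the Kubernetes Handbook.
Chain names and rule order follow the REDIRECT-mode logic of Istio 1.0's
istio-iptables.sh as recalled by this example's author: an assumption,
to be compared against the real script before relying on it."""
import shlex


def parse_flags(cmdline):
    """Parse the istio-init command line into a flag dict.
    shlex.split unquotes '*' and "" exactly as the shell would."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0].endswith("istio-iptables.sh"):
        tokens = tokens[1:]
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def _split(value):
    """Comma-separated list -> list without empty items ("" means "nothing")."""
    return [v for v in (value or "").split(",") if v]


def render_nat_rules(flags):
    """Return the iptables commands (as strings) implied by the flags."""
    if flags.get("-m", "REDIRECT") != "REDIRECT":
        raise NotImplementedError("this model only covers REDIRECT mode")
    port = flags.get("-p", "15001")
    uid = flags.get("-u", "1337")
    gid = flags.get("-g", uid)
    inbound, inbound_excl = _split(flags.get("-b")), _split(flags.get("-d"))
    cidrs, cidr_excl = _split(flags.get("-i")), _split(flags.get("-x"))

    rules = [
        # Shared target chain: everything sent here is redirected to Envoy's port.
        "-N ISTIO_REDIRECT",
        f"-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port {port}",
    ]
    if inbound:
        # Inbound: PREROUTING hands TCP to ISTIO_INBOUND, where excluded ports
        # RETURN and the listed ports (or '*') jump to the redirect chain.
        rules += ["-N ISTIO_INBOUND", "-A PREROUTING -p tcp -j ISTIO_INBOUND"]
        rules += [f"-A ISTIO_INBOUND -p tcp --dport {p} -j RETURN" for p in inbound_excl]
        if inbound == ["*"]:
            rules.append("-A ISTIO_INBOUND -p tcp -j ISTIO_REDIRECT")
        else:
            rules += [f"-A ISTIO_INBOUND -p tcp --dport {p} -j ISTIO_REDIRECT" for p in inbound]
    # Outbound: OUTPUT hands TCP to ISTIO_OUTPUT. The owner match must RETURN
    # before the redirect, or Envoy's own upstream connections would loop back
    # into Envoy; loopback and excluded ranges are exempted the same way.
    rules += [
        "-N ISTIO_OUTPUT",
        "-A OUTPUT -p tcp -j ISTIO_OUTPUT",
        f"-A ISTIO_OUTPUT -m owner --uid-owner {uid} -j RETURN",
        f"-A ISTIO_OUTPUT -m owner --gid-owner {gid} -j RETURN",
        "-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN",
    ]
    rules += [f"-A ISTIO_OUTPUT -d {c} -j RETURN" for c in cidr_excl]
    if cidrs == ["*"]:
        rules.append("-A ISTIO_OUTPUT -j ISTIO_REDIRECT")
    else:
        rules += [f"-A ISTIO_OUTPUT -d {c} -j ISTIO_REDIRECT" for c in cidrs]
    return ["iptables -t nat " + r for r in rules]


# The istio-init startup command from the injected YAML above.
INIT_CMDLINE = ('/usr/local/bin/istio-iptables.sh -p 15001 -u 1337 -m REDIRECT '
                '-i \'*\' -x "" -b 9080 -d ""')

if __name__ == "__main__":
    for rule in render_nat_rules(parse_flags(INIT_CMDLINE)):
        print(rule)
```

<p>The ordering matters for security as much as for correctness: if the <code>--uid-owner 1337</code> RETURN came after the final jump to <code>ISTIO_REDIRECT</code>, Envoy's upstream connections would be captured by Envoy again, and an application deliberately run as UID 1337 would have its traffic exempted from the mesh, which is why the audit above checks that no application container shares that UID.</p>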
<p>Because the init container terminates automatically once its initialisation is done, we cannot log into it to inspect the iptables state; the result of its initialisation, however, is preserved for the application container and the sidecar container.</p>
<h3 id="istio-proxy-容器解析">istio-proxy container analysis</h3>
<p>To view the iptables configuration we need to log into the sidecar container as root. Since <code>kubectl</code> cannot operate a docker container remotely in privileged mode, we log into the host where the <code>productpage</code> Pod runs and use the <code>docker</code> command to enter the container.</p>
<p>Find the host the <code>productpage</code> Pod runs on.</p>
<pre class="language-"><code class="lang-bash">$ kubectl -n default get pod -l app=productpage -o wide
NAME                              READY     STATUS    RESTARTS   AGE       IP             NODE
productpage-v1-745ffc55b7-2l2lw   2/2       Running   0          1d        172.33.78.10   node3
</code></pre>
<p>The output shows that the Pod runs on <code>node3</code>. Use the <code>vagrant</code> command to log into <code>node3</code> and switch to the root user.</p>
<pre class="language-"><code class="lang-bash">$ vagrant ssh node3
$ sudo -i
</code></pre>
<p>View the iptables configuration by listing all rules of the NAT (network address translation) table. Because the arguments passed to <code>istio-iptables.sh</code> when the init container started selected "REDIRECT" as the mode for redirecting inbound traffic to Envoy, only the NAT table carries rule configuration in iptables; had <code>TPROXY</code> been chosen there would also be <code>mangle</code> table configuration. For detailed usage of the <code>iptables</code> command see <a href="https://wangchujiang.com/linux-command/c/iptables.html" target="_blank">iptables</a>, and for rule configuration see <a href="http://www.zsythink.net/archives/1517" target="_blank">iptables rule configuration</a>.</p>
<h2 id="理解-iptables">Understanding iptables</h2>
<p><code>iptables</code> is the user-space management tool for netfilter, the firewall software in the Linux kernel, and is itself part of netfilter. Netfilter lives in kernel space and provides not only network address translation but also firewall functions such as packet content modification and packet filtering.</p>
<p>Before looking at the iptables rules the init container sets up, let's first look at iptables and its rule configuration.</p>
<p>The figure below shows the iptables call chain.</p>
<figure id="fig6.3.2.9.2"><a href="https://ws4.sinaimg.cn/large/0069RVTdly1fv5hukl647j30k6145gnt.jpg" data-lightbox="aeaaff10-658a-41a7-b1ce-4d5cc4150164" data-title="iptables 调用链" target="_blank"><img src="https://ws4.sinaimg.cn/large/0069RVTdly1fv5hukl647j30k6145gnt.jpg" alt="iptables call chain"></a><figcaption>Figure - iptables call chain</figcaption></figure>
<h3 id="iptables-中的表">Tables in iptables</h3>
<p>The iptables version used in the init container is <code>v1.6.0</code>, which has 5 tables:</p>
<ol>
<li><code>raw</code> is used to configure packets; packets handled in <code>raw</code> are not tracked by the system.</li>
<li><code>filter</code> is the default table, holding all firewall-related operations.</li>
<li><code>nat</code> is used for <a href="https://en.wikipedia.org/wiki/Network_address_translation" target="_blank">network address translation</a> (for example port forwarding).</li>
<li><code>mangle</code> is used to modify specific packets (see <a href="https://en.wikipedia.org/wiki/Mangled_packet" target="_blank">mangled packet</a>).</li>
<li><code>security</code> is used for <a href="https://wiki.archlinux.org/index.php/Security#Mandatory_access_control" target="_blank">mandatory access control</a> network rules.</li>
</ol>
<p><strong>Note</strong>: only the <code>nat</code> table is used in this example.</p>
<p>The chains available in each table are shown below:</p>
<table>
<thead>
<tr>
<th>Chain</th>
<th>raw</th>
<th>filter</th>
<th>nat</th>
<th>mangle</th>
<th>security</th>
</tr>
</thead>
<tbody>
<tr>
<td>PREROUTING</td>
<td>✓</td>
<td></td>
<td>✓</td>
<td>✓</td>
<td></td>
</tr>
<tr>
<td>INPUT</td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>OUTPUT</td>
<td></td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
<td>✓</td>
</tr>
<tr>
<td>POSTROUTING</td>
<td></td>
<td></td>
<td>✓</td>
<td>✓</td>
<td></td>
</tr>
<tr>
<td>FORWARD</td>
<td>✓</td>
<td>✓</td>
<td></td>
<td>✓</td>
<td>✓</td>
</tr>
</tbody>
</table>
<p>The figure below shows the order in which the iptables chains are traversed.</p>
<figure id="fig6.3.2.9.3"><a href="https://ws1.sinaimg.cn/large/0069RVTdgy1fv5dq2bptdj31110begnl.jpg" data-lightbox="3f53584e-627e-4130-bb8e-c01872af0d95" data-title="iptables 调用链" target="_blank"><img src="https://ws1.sinaimg.cn/large/0069RVTdgy1fv5dq2bptdj31110begnl.jpg" alt="iptables call chain"></a><figcaption>Figure - iptables call chain</figcaption></figure>
<p>For a detailed introduction to iptables see <a href="https://www.aliang.org/Linux/iptables.html" target="_blank">Common iptables usage rule scenarios</a> (in Chinese).</p>
<h3 id="iptables-命令">The iptables command</h3>
<p>The main use of the <code>iptables</code> command is to modify the rules in these tables. Its general form is:</p>
<pre class="language-"><code class="lang-bash">$ iptables [-t table] command-option [chain] [match-conditions] [-j target-or-jump]
</code></pre>
<p>The <code>/istio-iptables.sh</code> entry script of the init container is what performs this iptables initialisation.</p>
<h3 id="理解-iptables-规则">Understanding iptables rules</h3>
<p>List the default iptables rules in the <code>istio-proxy</code> container; without <code>-t</code>, the filter table is shown.</p>
<pre class="language-"><code class="lang-bash">$ iptables -L -v
Chain INPUT (policy ACCEPT 350K packets, 63M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18M packets, 1916M bytes)
 pkts bytes target     prot opt in     out     source               destination
</code></pre>
<p>We see the three default chains, INPUT, FORWARD and OUTPUT. The first line of each chain's output gives the chain name (INPUT/FORWARD/OUTPUT here) followed by its default policy (ACCEPT).</p>
<p>The figure below is a simplified diagram of the iptables structure. After passing through the INPUT chain, traffic enters the upper-layer protocol stack, such as</p>
<figure id="fig6.3.2.9.4"><a href="https://ws4.sinaimg.cn/large/0069RVTdgy1fv5dm4a9ygj30w50czdi3.jpg" data-lightbox="74708428-5252-4000-b271-a9dc07afee6d" data-title="iptables structure diagram" target="_blank"><img src="https://ws4.sinaimg.cn/large/0069RVTdgy1fv5dm4a9ygj30w50czdi3.jpg" alt="iptables structure diagram"></a><figcaption>Figure - iptables structure diagram</figcaption></figure>
<p>Image from <a href="https://www.aliang.org/Linux/iptables.html" target="_blank">Common iptables rule usage scenarios</a></p>
<p>Any number of rules can be added to a chain, and they are evaluated in order from first to last. Let's look at what the column headers mean.</p>
<ul>
<li><strong>pkts</strong>: number of matching packets processed</li>
<li><strong>bytes</strong>: cumulative size of the packets processed (in bytes)</li>
<li><strong>target</strong>: the target that is executed if a packet matches the rule.</li>
<li><strong>prot</strong>: protocol, for example <code>tcp</code>, <code>udp</code>, <code>icmp</code> and <code>all</code>.</li>
<li><strong>opt</strong>: rarely used; this column shows IP options.</li>
<li><strong>in</strong>: inbound network interface.</li>
<li><strong>out</strong>: outbound network interface.</li>
<li><strong>source</strong>: source IP address or subnet of the traffic, or <code>anywhere</code>.</li>
<li><strong>destination</strong>: destination IP address or subnet of the traffic, or <code>anywhere</code>.</li>
</ul>
<p>There is one more column with no header, shown last, which holds the rule's options: extended match conditions that supplement the configuration in the preceding columns. <code>prot</code>, <code>opt</code>, <code>in</code>, <code>out</code>, <code>source</code>, <code>destination</code> and the headerless extension column after <code>destination</code> together form the match rule. When traffic matches these conditions, the <code>target</code> is executed.</p>
<p>For more on iptables rules, see <a href="https://www.aliang.org/Linux/iptables.html" target="_blank">Common iptables rule usage scenarios</a>.</p>
<p><strong>Supported target types</strong></p>
<p><code>target</code> types include <code>ACCEPT</code>, <code>REJECT</code>, <code>DROP</code>, <code>LOG</code>, <code>SNAT</code>, <code>MASQUERADE</code>, <code>DNAT</code>, <code>REDIRECT</code>, <code>RETURN</code>, or a jump to another chain. Rules in a chain are checked in order, and as soon as one of them matches the packet's fate is decided. The exception is the <code>RETURN</code> target: like a <code>return</code> statement in a programming language, it goes back to the calling point and continues with the next rule there. For a detailed explanation of the supported <code>target</code> configurations, see <a href="http://www.zsythink.net/archives/1199" target="_blank">iptables explained (1): iptables concepts</a>.</p>
<p>From this output we can see that the Init container did not create any rules in the default chains of the filter table; instead it created chains of its own, as the next section shows.</p>
<h2 id="查看-iptables-nat-表中注入的规则">Inspecting the rules injected into the iptables nat table</h2>
<p>The Init container hijacks traffic by injecting forwarding rules into the iptables nat table. The figure below shows the detailed iptables traffic-hijacking process for the productpage service.</p>
<figure id="fig6.3.2.9.5"><a href="https://ws1.sinaimg.cn/large/0069RVTdgy1fv5doj8fuij31kw0ytn7h.jpg" data-lightbox="a2be8ede-9757-42d7-adf5-bbe486d0fe9e" data-title="Envoy sidecar traffic hijacking with Istio iptables (Jimmy Song, Service Mesh)" target="_blank"><img src="https://ws1.sinaimg.cn/large/0069RVTdgy1fv5doj8fuij31kw0ytn7h.jpg" alt="Envoy sidecar traffic hijacking with Istio iptables (Jimmy Song, Service Mesh)"></a><figcaption>Figure - Envoy sidecar traffic hijacking with Istio iptables (Jimmy Song, Service Mesh)</figcaption></figure>
<p>The Init container's command-line arguments specified <code>REDIRECT</code> mode, so only nat table rules were created. Next we inspect the rules created in the nat table. This is the <strong>core part</strong> of the whole article; everything above has been building up to it. Below is a listing of the rules in the nat table. Chains whose names carry the <code>ISTIO</code> prefix were injected by the Init container; rules are matched in the order shown, with several jumps between chains along the way.</p>
<pre class="language-"><code class="lang-bash"># Show the detailed rule configuration of the NAT table
$ iptables -t nat -L -v
# PREROUTING chain: used for destination NAT (DNAT); jumps all inbound TCP traffic to the ISTIO_INBOUND chain
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ISTIO_INBOUND  tcp  --  any    any     anywhere             anywhere

# INPUT chain: processes incoming packets; non-TCP traffic continues on to the OUTPUT chain
Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination

# OUTPUT chain: jumps all outbound packets to the ISTIO_OUTPUT chain
Chain OUTPUT (policy ACCEPT 41146 packets, 3845K bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  5580 ISTIO_OUTPUT  tcp  --  any    any     anywhere             anywhere

# POSTROUTING chain: every packet passes through POSTROUTING before it leaves the network interface; the kernel decides from the destination whether it needs to be forwarded out. Nothing is done here.
Chain POSTROUTING (policy ACCEPT 41199 packets, 3848K bytes)
 pkts bytes target     prot opt in     out     source               destination

# ISTIO_INBOUND chain: redirects all inbound traffic destined for port 9080 to the ISTIO_IN_REDIRECT chain
Chain ISTIO_INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ISTIO_IN_REDIRECT  tcp  --  any    any     anywhere             anywhere             tcp dpt:9080

# ISTIO_IN_REDIRECT chain: redirects all inbound traffic to local port 15001; at this point the traffic has been successfully intercepted and handed to Envoy
Chain ISTIO_IN_REDIRECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15001

# ISTIO_OUTPUT chain: selects the outbound traffic that must be redirected to Envoy (i.e. locally); all non-localhost traffic is forwarded to ISTIO_REDIRECT. To keep traffic from looping forever inside this Pod, all traffic from the istio-proxy user space returns to the next rule at its call point, the OUTPUT chain in this case, and after leaving the ISTIO_OUTPUT rules it enters the next chain, POSTROUTING. If the destination is not localhost, jump to ISTIO_REDIRECT; if the traffic comes from the istio-proxy user space, leave this chain and return to the caller to continue with its next rule (the next rule of OUTPUT, so the traffic needs no further handling); all traffic that is not from the istio-proxy user space and whose destination is localhost jumps to ISTIO_REDIRECT
Chain ISTIO_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ISTIO_REDIRECT  all  --  any    lo      anywhere            !localhost
   40  2400 RETURN     all  --  any    any     anywhere             anywhere             owner UID match istio-proxy
    0     0 RETURN     all  --  any    any     anywhere             anywhere             owner GID match istio-proxy
    0     0 RETURN     all  --  any    any     anywhere             localhost
   53  3180 ISTIO_REDIRECT  all  --  any    any     anywhere             anywhere

# ISTIO_REDIRECT chain: redirects all traffic to port 15001 of Envoy (i.e. locally)
Chain ISTIO_REDIRECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   53  3180 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15001
</code></pre>
<p>The order in which <code>iptables</code> displays the chains is the order in which traffic is matched against them. Pay particular attention to the rules in the <code>ISTIO_OUTPUT</code> chain. To keep traffic from looping forever inside the Pod, all traffic from the istio-proxy user space returns to the next rule at its call point, the OUTPUT chain in this case; once it leaves the <code>ISTIO_OUTPUT</code> rules it proceeds to the next chain, <code>POSTROUTING</code>.</p>
<p>The detailed matching process of the <code>ISTIO_OUTPUT</code> chain is as follows:</p>
<ul>
<li>If the destination is not localhost, jump to the ISTIO_REDIRECT chain</li>
<li>All traffic from the istio-proxy user space returns to its call point <code>OUTPUT</code> and continues with the next rule of the <code>OUTPUT</code> chain; since <code>OUTPUT</code> has no further rules, processing continues with the <code>POSTROUTING</code> chain and then leaves iptables, reaching the destination directly</li>
<li>If the destination is localhost but the traffic does not come from the istio-proxy user space, jump to the <code>ISTIO_REDIRECT</code> chain</li>
</ul>
<p>All the iptables rules above are generated by the <a href="https://github.com/istio/istio/blob/master/tools/deb/istio-iptables.sh" target="_blank">istio-iptables.sh</a> script when the Init container starts; see that script for the details.</p>
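To see exactly which rule decides a packet's fate, the following Python walks a packet through the nat chains listed above, transcribed rule by rule; this is an added example and not code from the article or from Istio. It assumes the istio-proxy uid 1337 from the proxyv2 Dockerfile shown later on this page (the matching gid is an assumption) and models only the match conditions that appear in the listing.

```python
"""Trace a packet through the nat-table chains injected by the Istio Init container.

Added example, not part of the original article or of Istio's own code. The
chains and rules are transcribed from the `iptables -t nat -L -v` listing above;
uid 1337 comes from the proxyv2 Dockerfile (useradd --uid 1337 istio-proxy).
"""
from dataclasses import dataclass

ISTIO_PROXY_UID = 1337          # from the proxyv2 Dockerfile on this page
ISTIO_PROXY_GID = 1337          # assumption: useradd gave the user a group with the same id
ENVOY_PORT = 15001              # "redir ports 15001" in the listing


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    dst: str                    # destination address
    dport: int                  # destination port
    uid: int = 1000             # owner of the sending socket (outbound only)
    gid: int = 1000
    out_iface: str = "eth0"     # outbound interface ("lo" for pod-local traffic)


def is_localhost(addr):
    return addr in ("127.0.0.1", "localhost")


# Each chain is an ordered list of (match predicate, target). A string target that
# names another chain is a jump, "RETURN" goes back to the caller, and the tuple
# ("REDIRECT", port) is a terminal verdict.
CHAINS = {
    "PREROUTING": [
        (lambda p: p.proto == "tcp", "ISTIO_INBOUND"),
    ],
    "ISTIO_INBOUND": [
        (lambda p: p.proto == "tcp" and p.dport == 9080, "ISTIO_IN_REDIRECT"),
    ],
    "ISTIO_IN_REDIRECT": [
        (lambda p: p.proto == "tcp", ("REDIRECT", ENVOY_PORT)),
    ],
    "OUTPUT": [
        (lambda p: p.proto == "tcp", "ISTIO_OUTPUT"),
    ],
    "ISTIO_OUTPUT": [
        # out lo, destination !localhost
        (lambda p: p.out_iface == "lo" and not is_localhost(p.dst), "ISTIO_REDIRECT"),
        (lambda p: p.uid == ISTIO_PROXY_UID, "RETURN"),   # owner UID match istio-proxy
        (lambda p: p.gid == ISTIO_PROXY_GID, "RETURN"),   # owner GID match istio-proxy
        (lambda p: is_localhost(p.dst), "RETURN"),        # destination localhost
        (lambda p: True, "ISTIO_REDIRECT"),               # everything else
    ],
    "ISTIO_REDIRECT": [
        (lambda p: p.proto == "tcp", ("REDIRECT", ENVOY_PORT)),
    ],
}


def walk(chain, pkt, path):
    """Evaluate one chain. Returns a terminal verdict, or None when the chain
    RETURNs or falls off its end, in which case the caller resumes with its
    next rule."""
    path.append(chain)
    for matches, target in CHAINS[chain]:
        if not matches(pkt):
            continue
        if target == "RETURN":
            return None
        if isinstance(target, tuple):            # terminal REDIRECT
            return target
        verdict = walk(target, pkt, path)        # jump into a user-defined chain
        if verdict is not None:
            return verdict
        # the user chain returned: continue with the next rule of this chain
    return None


def trace(pkt, direction):
    """direction is "inbound" (enters at PREROUTING) or "outbound" (enters at OUTPUT).
    Returns (verdict, chains visited); verdict is ("REDIRECT", 15001) or "ACCEPT"
    when the packet leaves the nat table untouched (the built-in policy)."""
    path = []
    entry = "PREROUTING" if direction == "inbound" else "OUTPUT"
    verdict = walk(entry, pkt, path)
    return (verdict if verdict is not None else "ACCEPT"), path


if __name__ == "__main__":
    app_call = Packet("tcp", "10.0.0.5", 9080, uid=1000)
    proxy_call = Packet("tcp", "10.0.0.5", 9080, uid=ISTIO_PROXY_UID, gid=ISTIO_PROXY_GID)
    for name, pkt, direction in [("app -> service", app_call, "outbound"),
                                 ("envoy -> service", proxy_call, "outbound"),
                                 ("inbound :9080", Packet("tcp", "172.33.78.10", 9080), "inbound")]:
        print(name, trace(pkt, direction))
```

Tracing a packet from the application to 127.0.0.1 shows it hitting the fourth ISTIO_OUTPUT rule (RETURN) and leaving iptables unredirected, while the same packet sent to the pod's own IP over lo is redirected by the first rule.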
<h2 id="查看-envoy-运行状态">Inspecting Envoy's running state</h2>
<p>First, look at the <a href="https://github.com/istio/istio/blob/master/pilot/docker/Dockerfile.proxyv2" target="_blank">Dockerfile</a> of the <code>proxyv2</code> image.</p>
<pre class="language-"><code class="lang-docker">FROM istionightly/base_debug

ARG proxy_version
ARG istio_version

# Install Envoy
ADD envoy /usr/local/bin/envoy

# Record the proxy version/features explicitly as an environment variable
ENV ISTIO_META_ISTIO_PROXY_VERSION "1.1.0"
# Record the proxy's exact SHA explicitly as an environment variable, for version-specific configuration and debugging
ENV ISTIO_META_ISTIO_PROXY_SHA $proxy_version
# Environment variable recording the exact build number, for debugging
ENV ISTIO_META_ISTIO_VERSION $istio_version

ADD pilot-agent /usr/local/bin/pilot-agent

ADD envoy_pilot.yaml.tmpl /etc/istio/proxy/envoy_pilot.yaml.tmpl
ADD envoy_policy.yaml.tmpl /etc/istio/proxy/envoy_policy.yaml.tmpl
ADD envoy_telemetry.yaml.tmpl /etc/istio/proxy/envoy_telemetry.yaml.tmpl
ADD istio-iptables.sh /usr/local/bin/istio-iptables.sh

COPY envoy_bootstrap_v2.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json

RUN chmod 755 /usr/local/bin/envoy /usr/local/bin/pilot-agent

# Give the istio-proxy user sudo rights so it can run tcpdump and other debugging commands
RUN useradd -m --uid 1337 istio-proxy &amp;&amp; \
    echo "istio-proxy ALL=NOPASSWD: ALL" &gt;&gt; /etc/sudoers &amp;&amp; \
    chown -R istio-proxy /var/lib/istio

# Use pilot-agent to start Envoy
ENTRYPOINT ["/usr/local/bin/pilot-agent"]
</code></pre>
<p>The container's entrypoint is the <code>pilot-agent</code> command. With the arguments passed in from the YAML configuration, the full startup command is as follows:</p>
<pre class="language-"><code class="lang-bash">/usr/local/bin/pilot-agent proxy sidecar --configPath /etc/istio/proxy --binaryPath /usr/local/bin/envoy --serviceCluster productpage --drainDuration 45s --parentShutdownDuration 1m0s --discoveryAddress istio-pilot.istio-system:15007 --discoveryRefreshDelay 1s --zipkinAddress zipkin.istio-system:9411 --connectTimeout 10s --statsdUdpAddress istio-statsd-prom-bridge.istio-system:9125 --proxyAdminPort 15000 --controlPlaneAuthPolicy NONE
</code></pre>
<p>It mainly configures the location of the Envoy binary, the service discovery address, the service cluster name, the address for reporting metrics, Envoy's admin port, the hot-restart timings and so on; for details see <a href="https://istio.io/docs/reference/commands/pilot-agent/" target="_blank">the pilot-agent reference in the official Istio documentation</a>.</p>
<p><code>pilot-agent</code> is the process with PID 1 in the container; on startup it in turn spawns an Envoy process, as follows:</p>
<pre class="language-"><code class="lang-bash">/usr/local/bin/envoy -c /etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster productpage --service-node sidecar~172.33.78.10~productpage-v1-745ffc55b7-2l2lw.default~default.svc.cluster.local --max-obj-name-len 189 -l warn --v2-config-only
</code></pre>
<p>Let's go through what each of these options means.</p>
<ul>
<li><code>-c /etc/istio/proxy/envoy-rev0.json</code>: the configuration file; <code>.json</code>, <code>.yaml</code>, <code>.pb</code> and <code>.pb_text</code> formats are supported. <code>pilot-agent</code> creates it at startup after reading the container's environment variables.</li>
<li><code>--restart-epoch 0</code>: Envoy's hot-restart epoch; it defaults to 0 on the first start and is incremented by one on every hot restart.</li>
<li><code>--drain-time-s 45</code>: the time Envoy spends draining connections during a hot restart.</li>
<li><code>--parent-shutdown-time-s 60</code>: the time Envoy waits before shutting down the parent process during a hot restart.</li>
<li><code>--service-cluster productpage</code>: the name of the local service cluster Envoy runs in.</li>
<li><code>--service-node sidecar~172.33.78.10~productpage-v1-745ffc55b7-2l2lw.default~default.svc.cluster.local</code>: defines the local service node name Envoy runs as; it contains the Pod's name, IP, DNS domain and other information, assembled from the container's environment variables.</li>
<li><code>--max-obj-name-len 189</code>: the maximum length (in bytes) of the name field in cluster/route_config/listener</li>
<li><code>-l warn</code>: log level</li>
<li><code>--v2-config-only</code>: only parse the v2 bootstrap configuration file</li>
</ul>
<p>For the complete list of options see <a href="http://www.servicemesher.com/envoy/operations/cli.html" target="_blank">Envoy's command-line options</a>.</p>
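Because the node name, cluster name and admin port are duplicated between the pilot-agent flags above and the bootstrap file that Envoy reads (the envoy-rev0.json listed next), it is worth checking that they agree and that the admin API is bound to loopback only. The following Python audit is an added example, not part of the article or of Istio's tooling; its sample bootstrap is constructed from a subset of the envoy-rev0.json fields on this page, and the function and parameter names are assumptions.

```python
"""Audit a sidecar's Envoy bootstrap against the values pilot-agent was started with.

Added example, not part of the original article or of Istio's own tooling. The
checks: admin API reachable from loopback only, interception mode matching the
REDIRECT iptables rules, node/cluster names consistent with the pilot-agent
flags, and the ADS cluster pointing at the discovery host.
"""
import json

# Constructed sample: a subset of the envoy-rev0.json fields shown on this page.
SAMPLE_BOOTSTRAP_JSON = """
{
  "node": {
    "id": "sidecar~172.33.78.10~productpage-v1-745ffc55b7-2l2lw.default~default.svc.cluster.local",
    "cluster": "productpage",
    "metadata": {
      "INTERCEPTION_MODE": "REDIRECT",
      "POD_NAME": "productpage-v1-745ffc55b7-2l2lw",
      "istio": "sidecar"
    }
  },
  "admin": {
    "address": {"socket_address": {"address": "127.0.0.1", "port_value": 15000}}
  },
  "dynamic_resources": {
    "ads_config": {
      "api_type": "GRPC",
      "grpc_services": [{"envoy_grpc": {"cluster_name": "xds-grpc"}}]
    }
  },
  "static_resources": {
    "clusters": [
      {"name": "xds-grpc", "type": "STRICT_DNS",
       "hosts": [{"socket_address": {"address": "istio-pilot.istio-system", "port_value": 15010}}]},
      {"name": "zipkin", "type": "STRICT_DNS",
       "hosts": [{"socket_address": {"address": "zipkin.istio-system", "port_value": 9411}}]}
    ]
  }
}
"""

LOOPBACK = {"127.0.0.1", "::1"}


def load_bootstrap(text):
    """Parse a bootstrap file (JSON, the format pilot-agent writes in this setup)."""
    return json.loads(text)


def parse_service_node(node_id):
    """Split the service node id 'sidecar~IP~POD.NAMESPACE~DOMAIN' into its parts."""
    kind, ip, pod_ns, domain = node_id.split("~")
    pod, namespace = pod_ns.split(".", 1)
    return {"type": kind, "ip": ip, "pod": pod, "namespace": namespace, "domain": domain}


def audit_bootstrap(cfg, service_cluster, admin_port, discovery_host):
    """Return a list of findings; an empty list means the bootstrap is consistent.

    service_cluster, admin_port and discovery_host are the values passed to
    pilot-agent (--serviceCluster, --proxyAdminPort, host part of --discoveryAddress).
    Only the host of --discoveryAddress is compared: on this page the flag names
    port 15007 while the xds-grpc cluster uses port 15010."""
    findings = []

    # 1. The admin API must only be reachable from inside the pod.
    admin = cfg["admin"]["address"]["socket_address"]
    if admin["address"] not in LOOPBACK:
        findings.append("admin API bound to %s, expected loopback" % admin["address"])
    if admin["port_value"] != admin_port:
        findings.append("admin port %d differs from --proxyAdminPort %d"
                        % (admin["port_value"], admin_port))

    # 2. Node identity must agree with the flags and with itself.
    node = cfg["node"]
    meta = node.get("metadata", {})
    if node["cluster"] != service_cluster:
        findings.append("node.cluster %r != --serviceCluster %r" % (node["cluster"], service_cluster))
    if meta.get("INTERCEPTION_MODE") != "REDIRECT":
        findings.append("INTERCEPTION_MODE %r does not match the REDIRECT iptables rules"
                        % meta.get("INTERCEPTION_MODE"))
    parts = parse_service_node(node["id"])
    if parts["pod"] != meta.get("POD_NAME"):
        findings.append("pod in node id (%s) != POD_NAME (%s)" % (parts["pod"], meta.get("POD_NAME")))
    if parts["type"] != meta.get("istio"):
        findings.append("node type %r != metadata.istio %r" % (parts["type"], meta.get("istio")))

    # 3. Every ADS gRPC cluster must exist statically and point at the discovery host.
    static = {c["name"]: c for c in cfg["static_resources"]["clusters"]}
    for svc in cfg["dynamic_resources"]["ads_config"]["grpc_services"]:
        name = svc["envoy_grpc"]["cluster_name"]
        cluster = static.get(name)
        if cluster is None:
            findings.append("ADS cluster %r has no static_resources entry" % name)
            continue
        hosts = {h["socket_address"]["address"] for h in cluster["hosts"]}
        if hosts != {discovery_host}:
            findings.append("ADS cluster %r points at %s, expected %s"
                            % (name, sorted(hosts), discovery_host))
    return findings


if __name__ == "__main__":
    bootstrap = load_bootstrap(SAMPLE_BOOTSTRAP_JSON)
    print(audit_bootstrap(bootstrap, "productpage", 15000, "istio-pilot.istio-system"))
```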
<p>Now look at Envoy's configuration file <code>/etc/istio/proxy/envoy-rev0.json</code>.</p>
<pre class="language-"><code class="lang-json">{
  "node": {
    "id": "sidecar~172.33.78.10~productpage-v1-745ffc55b7-2l2lw.default~default.svc.cluster.local",
    "cluster": "productpage",
    "metadata": {
      "INTERCEPTION_MODE": "REDIRECT",
      "ISTIO_PROXY_SHA": "istio-proxy:6166ae7ebac7f630206b2fe4e6767516bf198313",
      "ISTIO_PROXY_VERSION": "1.0.0",
      "ISTIO_VERSION": "1.0.0",
      "POD_NAME": "productpage-v1-745ffc55b7-2l2lw",
      "istio": "sidecar"
    }
  },
  "stats_config": {
    "use_all_default_tags": false
  },
  "admin": {
    "access_log_path": "/dev/stdout",
    "address": {
      "socket_address": {
        "address": "127.0.0.1",
        "port_value": 15000
      }
    }
  },
  "dynamic_resources": {
    "lds_config": {
      "ads": {}
    },
    "cds_config": {
      "ads": {}
    },
    "ads_config": {
      "api_type": "GRPC",
      "refresh_delay": {"seconds": 1, "nanos": 0},
      "grpc_services": [
        {
          "envoy_grpc": {
            "cluster_name": "xds-grpc"
          }
        }
      ]
    }
  },
  "static_resources": {
    "clusters": [
      {
        "name": "xds-grpc",
        "type": "STRICT_DNS",
        "connect_timeout": {"seconds": 10, "nanos": 0},
        "lb_policy": "ROUND_ROBIN",
        "hosts": [
          {
            "socket_address": {"address": "istio-pilot.istio-system", "port_value": 15010}
          }
        ],
        "circuit_breakers": {
          "thresholds": [
            {
              "priority": "default",
              "max_connections": "100000",
              "max_pending_requests": "100000",
              "max_requests": "100000"
            },
            {
              "priority": "high",
              "max_connections": "100000",
              "max_pending_requests": "100000",
              "max_requests": "100000"
            }
          ]
        },
        "upstream_connection_options": {
          "tcp_keepalive": {
            "keepalive_time": 300
          }
        },
        "http2_protocol_options": {}
      },
      {
        "name": "zipkin",
        "type": "STRICT_DNS",
        "connect_timeout": {
          "seconds": 1
        },
        "lb_policy": "ROUND_ROBIN",
        "hosts": [
          {
            "socket_address": {"address": "zipkin.istio-system", "port_value": 9411}
          }
        ]
      }
    ]
  },
  "tracing": {
    "http": {
      "name": "envoy.zipkin",
      "config": {
        "collector_cluster": "zipkin"
      }
    }
  },
  "stats_sinks": [
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " envoy.statsd" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " config" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " address" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " socket_address" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span > < span class = "token property" > " address" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 10.254.109.175" < / span > < span class = "token punctuation" > ,< / span > < span class = "token property" > " port_value" < / span > < span class = "token operator" > :< / span > < span class = "token number" > 9125< / span > < span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > ]< / span >
< span class = "token punctuation" > }< / span >
< / code > < / pre >
< p > The figure below shows the request path through the bookinfo example when it is managed by Istio. < / p >
< figure id = "fig6.3.2.9.6" > < a href = "https://ws3.sinaimg.cn/large/0069RVTdgy1fv5df9lq1aj317o0o6wia.jpg" data-lightbox = "9082d474-8921-4205-9b2f-f3865480d67b" data-title = "Istio bookinfo" target = "_blank" > < img src = "https://ws3.sinaimg.cn/large/0069RVTdgy1fv5df9lq1aj317o0o6wia.jpg" alt = "Istio bookinfo" > < / a > < figcaption > Figure - Istio bookinfo< / figcaption > < / figure >
< p > Image from the < a href = "https://istio.io/zh/docs/examples/bookinfo/" target = "_blank" > Istio official website< / a > < / p >
< p > Compare this path with the connections that the productpage service of the bookinfo example actually establishes. Inside the < code > istio-proxy< / code > container of the < code > productpage-v1-745ffc55b7-2l2lw< / code > Pod, list the open ports as the root user. < / p >
< pre class = "language-" > < code class = "lang-bash" > $ < span class = "token function" > lsof< / span > -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
envoy 11 istio-proxy 9u IPv4 73951 0t0 TCP localhost:15000 < span class = "token punctuation" > (< / span > LISTEN< span class = "token punctuation" > )< / span > < span class = "token comment" > # Envoy admin port, bound to loopback only< / span >
envoy 11 istio-proxy 17u IPv4 74320 0t0 TCP productpage-v1-745ffc55b7-2l2lw:46862-< span class = "token operator" > > < / span > istio-pilot.istio-system.svc.cluster.local:15010 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 15010: grpc-xds port of istio-pilot (configuration from the control plane)< / span >
envoy 11 istio-proxy 18u IPv4 73986 0t0 UDP productpage-v1-745ffc55b7-2l2lw:44332-< span class = "token operator" > > < / span > istio-statsd-prom-bridge.istio-system.svc.cluster.local:9125 < span class = "token comment" > # 9125: statsd sink that ships metrics to Prometheus< / span >
envoy 11 istio-proxy 52u IPv4 74599 0t0 TCP *:15001 < span class = "token punctuation" > (< / span > LISTEN< span class = "token punctuation" > )< / span > < span class = "token comment" > # Envoy's listener port, the target of the iptables REDIRECT rules< / span >
envoy 11 istio-proxy 53u IPv4 74600 0t0 UDP productpage-v1-745ffc55b7-2l2lw:48011-< span class = "token operator" > > < / span > istio-statsd-prom-bridge.istio-system.svc.cluster.local:9125 < span class = "token comment" > # 9125: statsd sink that ships metrics to Prometheus< / span >
envoy 11 istio-proxy 54u IPv4 338551 0t0 TCP productpage-v1-745ffc55b7-2l2lw:15001-< span class = "token operator" > > < / span > 172.17.8.102:52670 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # inbound request from the ingress gateway (172.17.8.102, ephemeral port 52670), accepted on the redirected port 15001< / span >
envoy 11 istio-proxy 55u IPv4 338364 0t0 TCP productpage-v1-745ffc55b7-2l2lw:44046-< span class = "token operator" > > < / span > 172.33.78.9:9091 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9091: grpc-mixer port of the istio-telemetry service< / span >
envoy 11 istio-proxy 56u IPv4 338473 0t0 TCP productpage-v1-745ffc55b7-2l2lw:47210-< span class = "token operator" > > < / span > zipkin.istio-system.svc.cluster.local:9411 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9411: zipkin port< / span >
envoy 11 istio-proxy 58u IPv4 338383 0t0 TCP productpage-v1-745ffc55b7-2l2lw:41564-< span class = "token operator" > > < / span > 172.33.84.8:9080 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9080: http port of details-v1< / span >
envoy 11 istio-proxy 59u IPv4 338390 0t0 TCP productpage-v1-745ffc55b7-2l2lw:54410-< span class = "token operator" > > < / span > 172.33.78.5:9080 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9080: http port of reviews-v2< / span >
envoy 11 istio-proxy 60u IPv4 338411 0t0 TCP productpage-v1-745ffc55b7-2l2lw:35200-< span class = "token operator" > > < / span > 172.33.84.5:9091 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9091: grpc-mixer port of the istio-telemetry service< / span >
envoy 11 istio-proxy 62u IPv4 338497 0t0 TCP productpage-v1-745ffc55b7-2l2lw:34402-< span class = "token operator" > > < / span > 172.33.84.9:9080 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9080: http port of reviews-v1< / span >
envoy 11 istio-proxy 63u IPv4 338525 0t0 TCP productpage-v1-745ffc55b7-2l2lw:50592-< span class = "token operator" > > < / span > 172.33.71.5:9080 < span class = "token punctuation" > (< / span > ESTABLISHED< span class = "token punctuation" > )< / span > < span class = "token comment" > # 9080: http port of reviews-v3< / span >
< / code > < / pre >
< p > From this output you can verify how the sidecar takes over the Pod's traffic (inbound connections arrive on the redirected port 15001 and the application's outbound calls to details and reviews leave through Envoy), how it talks to istio-pilot for configuration, and how it reports telemetry to Mixer. Interested readers can go on to inspect the iptables rules and the port information in the istio-proxy containers of the other services. < / p >
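< p > The listing above is checked by eye; as an added example (not code from the original page or from Istio), the following Python script parses such < code > lsof -i< / code > output and assigns each socket the role its port plays according to the annotations above: the admin listener on 15000, the capture listener on 15001 that the iptables rules redirect into, xDS to istio-pilot on 15010, Mixer on 9091, zipkin on 9411, statsd on 9125, and everything else that is ESTABLISHED as application traffic proxied by Envoy. It also raises the findings a reviewer would want: an admin listener that is not bound to loopback (the admin API exposes config dumps and runtime changes), a listener on a port the sidecar should not have, a missing capture listener, or no xDS session at all. Both sample listings are constructed (one modelled on the output above, one deliberately misconfigured), the port roles are the Istio 1.0 era defaults shown on this page, and the function names and the file name < code > audit_sidecar.py< / code > are this example's own. < / p >

```python
"""Audit an Istio sidecar's `lsof -i` listing (added example, not Istio's own code).
Each socket gets the role its port plays in the Istio 1.0 layout annotated on this
page; findings a reviewer would want are reported. All sample input is constructed."""
import re
import sys
from collections import defaultdict

ADMIN_PORT = 15000    # Envoy admin API (config dumps, log levels, drains): loopback only
CAPTURE_PORT = 15001  # Envoy catch-all listener targeted by the iptables REDIRECT rules
REMOTE_PORT_ROLES = {  # peers the sidecar itself talks to
    15010: "xds (istio-pilot)",
    9091: "mixer telemetry (istio-telemetry)",
    9411: "tracing (zipkin)",
    9125: "statsd metrics (istio-statsd-prom-bridge)",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# One lsof -i row: eight whitespace-separated fields, NAME, then an optional "(STATE)".
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<dev>\S+)\s+(?P<size>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<name>.+?)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$")

# Constructed sample modelled on the productpage sidecar listing shown above.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
envoy 11 istio-proxy 9u IPv4 73951 0t0 TCP localhost:15000 (LISTEN)
envoy 11 istio-proxy 17u IPv4 74320 0t0 TCP productpage-v1-745ffc55b7-2l2lw:46862->istio-pilot.istio-system.svc.cluster.local:15010 (ESTABLISHED)
envoy 11 istio-proxy 18u IPv4 73986 0t0 UDP productpage-v1-745ffc55b7-2l2lw:44332->istio-statsd-prom-bridge.istio-system.svc.cluster.local:9125
envoy 11 istio-proxy 52u IPv4 74599 0t0 TCP *:15001 (LISTEN)
envoy 11 istio-proxy 54u IPv4 338551 0t0 TCP productpage-v1-745ffc55b7-2l2lw:15001->172.17.8.102:52670 (ESTABLISHED)
envoy 11 istio-proxy 55u IPv4 338364 0t0 TCP productpage-v1-745ffc55b7-2l2lw:44046->172.33.78.9:9091 (ESTABLISHED)
envoy 11 istio-proxy 56u IPv4 338473 0t0 TCP productpage-v1-745ffc55b7-2l2lw:47210->zipkin.istio-system.svc.cluster.local:9411 (ESTABLISHED)
envoy 11 istio-proxy 58u IPv4 338383 0t0 TCP productpage-v1-745ffc55b7-2l2lw:41564->172.33.84.8:9080 (ESTABLISHED)
"""
# Constructed misconfigured variant: admin API on all interfaces, stray listener on 8080, no xDS session.
SAMPLE_BAD = """\
envoy 11 istio-proxy 9u IPv4 73951 0t0 TCP *:15000 (LISTEN)
envoy 11 istio-proxy 52u IPv4 74599 0t0 TCP *:15001 (LISTEN)
envoy 11 istio-proxy 60u IPv4 74601 0t0 TCP *:8080 (LISTEN)
"""

def split_addr(addr):  # 'host:port' -> (host, port); host may contain dots or be '*'
    host, _, port = addr.rpartition(":")
    return host, int(port)

def parse_lsof(text):  # one dict per socket row; header and unparseable rows are skipped
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, _, remote = m.group("name").partition("->")
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote) if remote else (None, None)
        sockets.append({"fd": m.group("fd"), "proto": m.group("proto"),
                        "state": m.group("state"), "lhost": lhost, "lport": lport,
                        "rhost": rhost, "rport": rport})
    return sockets

def classify(sock):  # role of a socket, judged by the well-known port it sits on or talks to
    if sock["state"] == "LISTEN":
        if sock["lport"] == ADMIN_PORT:
            return "admin listener"
        if sock["lport"] == CAPTURE_PORT:
            return "capture listener"
        return "unexpected listener"
    if sock["lport"] == CAPTURE_PORT:       # accepted on 15001: inbound, redirected by iptables
        return "inbound (redirected by iptables)"
    if sock["rport"] in REMOTE_PORT_ROLES:  # the sidecar's own control and telemetry sessions
        return REMOTE_PORT_ROLES[sock["rport"]]
    if sock["proto"] == "TCP" and sock["state"] == "ESTABLISHED":
        return "outbound app traffic via Envoy"  # the app's egress, hijacked into Envoy
    return "unclassified"

def audit(text):
    """Return ({role: [sockets]}, [findings]) for an lsof -i listing."""
    roles, findings = defaultdict(list), []
    for sock in parse_lsof(text):
        role = classify(sock)
        roles[role].append(sock)
        if role == "admin listener" and sock["lhost"] not in LOOPBACK:
            findings.append(f"fd {sock['fd']}: Envoy admin port {ADMIN_PORT} bound to "
                            f"{sock['lhost']}, not loopback: config dump and runtime changes exposed")
        elif role == "unexpected listener":
            findings.append(f"fd {sock['fd']}: unexpected listener on {sock['lhost']}:{sock['lport']}")
    if "capture listener" not in roles:
        findings.append(f"no listener on {CAPTURE_PORT}: the iptables redirect has nowhere to go")
    if "xds (istio-pilot)" not in roles:
        findings.append("no xDS session to istio-pilot: the sidecar may be running on stale config")
    return dict(roles), findings

if __name__ == "__main__":
    # Pipe real output in: kubectl exec "$POD" -c istio-proxy -- lsof -i | python3 audit_sidecar.py
    piped = sys.stdin.read() if sys.stdin and not sys.stdin.isatty() else ""
    roles, findings = audit(piped or SAMPLE_LSOF)
    for role, socks in sorted(roles.items()):
        print(f"{role}: {len(socks)}")
    print("findings:", findings or "none")
```

< p > Run without input it audits the constructed sample and reports no findings; piped the real listing from a sidecar, it turns the by-hand reading above into a repeatable check. The classification is intentionally keyed on port numbers rather than on hostnames, because the peers in the listing appear both as cluster DNS names and as raw Pod IPs. < / p >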
< h2 id = "参考" > References< / h2 >
< ul >
< li > < a href = "https://jimmysong.io/posts/sofamesh-and-mosn-proxy-sidecar-service-mesh-by-ant-financial/" target = "_blank" > SOFAMesh & SOFA MOSN: a Service Mesh solution built on Istio for large-scale traffic - jimmysong.io< / a > < / li >
< li > < a href = "https://jimmysong.io/kubernetes-handbook/concepts/init-containers.html" target = "_blank" > Init containers - Kubernetes Handbook - jimmysong.io< / a > < / li >
< li > < a href = "https://kubernetes.io/docs/reference/kubectl/jsonpath/" target = "_blank" > JSONPath Support - kubernetes.io< / a > < / li >
< li > < a href = "https://wangchujiang.com/linux-command/c/iptables.html" target = "_blank" > iptables command usage - wangchujiang.com< / a > < / li >
< li > < a href = "https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules" target = "_blank" > How To List and Delete Iptables Firewall Rules - digitalocean.com< / a > < / li >
< li > < a href = "https://www.cnblogs.com/fhefh/archive/2011/04/04/2005249.html" target = "_blank" > A line-by-line detailed Chinese manual for iptables - cnblogs.com< / a > < / li >
< li > < a href = "https://www.aliang.org/Linux/iptables.html" target = "_blank" > Common iptables rule scenarios - aliang.org< / a > < / li >
< / ul >
< footer class = "page-footer" > < span class = "copyright" > < p > < a href = "https://github.com/alipay/sofa-mesh" target = "_blank" > SOFAMesh - a large-scale service mesh solution based on Istio< / a > | < a href = "https://github.com/alipay/sofa-mosn" target = "_blank" > SOFAMosn - a high-performance Service Mesh sidecar proxy written in Golang< / a > < / p > Copyright © jimmysong.io 2017-2018 all rights reserved, powered by Gitbook< / span > < span class = "footer-modification" > Updated at
2018-09-21 00:10:54
< / span > < / footer > < / body > < / html >
< / section >
< / div >
< / div >
< / div >
< / div >
< / div >
< / div >
< / div >
< / body >
< / html >