2020-06-19 14:52:56 +08:00
<!DOCTYPE HTML>
<html lang="zh-hans">
<head>
<meta charset="UTF-8">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Sidecar Injection and Traffic Hijacking · Kubernetes Handbook - Kubernetes Chinese Guide / Cloud Native Application Architecture Practice Handbook by Jimmy Song (宋净超)</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="generator" content="GitBook 3.2.3">
<meta name="author" content="Jimmy Song (宋净超)">
<link rel="stylesheet" href="../gitbook/style.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-splitter/splitter.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-page-toc-button/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-image-captions/image-captions.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-back-to-top-button/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-search-plus/search.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-tbfed-pagefooter/footer.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-prism/prism-ghcolors.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-lightbox/css/lightbox.min.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-alerts/style.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
<link rel="next" href="envoy-sidecar-routing-of-istio-service-mesh-deep-dive.html" />
<link rel="prev" href="istio-tutorials-collection.html" />
<link rel="shortcut icon" href='../favicon.ico' type="image/x-icon">
<link rel="bookmark" href='../favicon.ico' type="image/x-icon">
<style>
@media only screen and (max-width: 640px) {
.book-header .hidden-mobile {
display: none;
}
}
</style>
<script>
window["gitbook-plugin-github-buttons"] = {"repo":"rootsongjc/kubernetes-handbook","types":["star"],"size":"small"};
</script>
</head>
<body>
<div class="book">
<div class="book-summary">
<div id="book-search-input" role="search">
<input type="text" placeholder="输入并搜索" />
</div>
<nav role="navigation">
<ul class="summary">
<li>
<a href="https://jimmysong.io" target="_blank" class="custom-link">Back to Home</a>
</li>
<li>
<a href="https://jimmysong.io/awesome-cloud-native" target="_blank" class="custom-link">Awesome Cloud Native</a>
</li>
<li>
<a href="https://cloudnative.to" target="_blank" class="custom-link">Cloud Native Community</a>
</li>
<li>
<a href="https://cloudnativeindustryalliance.github.io/whitepaper2020/" target="_blank" class="custom-link">China Cloud Native Development White Paper 2020</a>
</li>
<li>
<a href="https://jimmysong.io/guide-to-cloud-native-app/" target="_blank" class="custom-link">Cloud Native Application White Paper</a>
</li>
<li class="divider"></li>
<li class="header">Preface</li>
<li class="chapter " data-level="1.1" data-path="../">
<a href="../">
<b>1.1.</b>
Foreword
</a>
</li>
<li class="header">Cloud Native</li>
<li class="chapter " data-level="2.1" data-path="../cloud-native/cloud-native-definition.html">
<a href="../cloud-native/cloud-native-definition.html">
<b>2.1.</b>
Definition of Cloud Native
</a>
</li>
<li class="chapter " data-level="2.2" data-path="../cloud-native/cloud-native-philosophy.html">
<a href="../cloud-native/cloud-native-philosophy.html">
<b>2.2.</b>
The Design Philosophy of Cloud Native
</a>
</li>
<li class="chapter " data-level="2.3" data-path="../cloud-native/play-with-kubernetes.html">
<a href="../cloud-native/play-with-kubernetes.html">
<b>2.3.</b>
Play with Kubernetes
</a>
</li>
<li class="chapter " data-level="2.4" data-path="../cloud-native/cloud-native-local-quick-start.html">
<a href="../cloud-native/cloud-native-local-quick-start.html">
<b>2.4.</b>
Quickly Deploy a Local Cloud Native Lab Environment
</a>
</li>
<li class="chapter " data-level="2.5" data-path="../cloud-native/setup-kubernetes-with-rancher-and-aliyun.html">
<a href="../cloud-native/setup-kubernetes-with-rancher-and-aliyun.html">
<b>2.5.</b>
Deploying a Kubernetes Cluster on Alibaba Cloud with Rancher
</a>
</li>
<li class="chapter " data-level="2.6" data-path="../cloud-native/kubernetes-and-cloud-native-app-overview.html">
<a href="../cloud-native/kubernetes-and-cloud-native-app-overview.html">
<b>2.6.</b>
Overview of Kubernetes and Cloud Native Applications
</a>
</li>
<li class="chapter " data-level="2.7" data-path="../cloud-native/from-kubernetes-to-cloud-native.html">
<a href="../cloud-native/from-kubernetes-to-cloud-native.html">
<b>2.7.</b>
The Road to Cloud Native Applications: From Kubernetes to Cloud Native
</a>
</li>
<li class="chapter " data-level="2.8" data-path="../cloud-native/define-cloud-native-app.html">
<a href="../cloud-native/define-cloud-native-app.html">
<b>2.8.</b>
Defining Cloud Native Applications
</a>
<ul class="articles">
<li class="chapter " data-level="2.8.1" data-path="../cloud-native/oam.html">
<a href="../cloud-native/oam.html">
<b>2.8.1.</b>
OAM
</a>
<ul class="articles">
<li class="chapter " data-level="2.8.1.1" data-path="../cloud-native/workload.html">
<a href="../cloud-native/workload.html">
<b>2.8.1.1.</b>
Workload
</a>
</li>
<li class="chapter " data-level="2.8.1.2" data-path="../cloud-native/component.html">
<a href="../cloud-native/component.html">
<b>2.8.1.2.</b>
Component
</a>
</li>
<li class="chapter " data-level="2.8.1.3" data-path="../cloud-native/trait.html">
<a href="../cloud-native/trait.html">
<b>2.8.1.3.</b>
Trait
</a>
</li>
<li class="chapter " data-level="2.8.1.4" data-path="../cloud-native/application-scope.html">
<a href="../cloud-native/application-scope.html">
<b>2.8.1.4.</b>
Application Scope
</a>
</li>
<li class="chapter " data-level="2.8.1.5" data-path="../cloud-native/application-configuration.html">
<a href="../cloud-native/application-configuration.html">
<b>2.8.1.5.</b>
Application Configuration
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="2.8.2" data-path="../cloud-native/crossplane.html">
<a href="../cloud-native/crossplane.html">
<b>2.8.2.</b>
Crossplane
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="2.9" data-path="../cloud-native/cloud-native-programming-languages.html">
<a href="../cloud-native/cloud-native-programming-languages.html">
<b>2.9.</b>
Cloud Native Programming Languages
</a>
<ul class="articles">
<li class="chapter " data-level="2.9.1" data-path="../cloud-native/cloud-native-programming-language-ballerina.html">
<a href="../cloud-native/cloud-native-programming-language-ballerina.html">
<b>2.9.1.</b>
Cloud Native Programming Language Ballerina
</a>
</li>
<li class="chapter " data-level="2.9.2" data-path="../cloud-native/cloud-native-programming-language-pulumi.html">
<a href="../cloud-native/cloud-native-programming-language-pulumi.html">
<b>2.9.2.</b>
Cloud Native Programming Language Pulumi
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="2.10" data-path="../cloud-native/the-future-of-cloud-native.html">
<a href="../cloud-native/the-future-of-cloud-native.html">
<b>2.10.</b>
The Future of Cloud Native
</a>
</li>
<li class="header">Concepts and Principles</li>
<li class="chapter " data-level="3.1" data-path="../concepts/">
<a href="../concepts/">
<b>3.1.</b>
Kubernetes Architecture
</a>
<ul class="articles">
<li class="chapter " data-level="3.1.1" data-path="../concepts/concepts.html">
<a href="../concepts/concepts.html">
<b>3.1.1.</b>
Design Concepts
</a>
</li>
<li class="chapter " data-level="3.1.2" data-path="../concepts/etcd.html">
<a href="../concepts/etcd.html">
<b>3.1.2.</b>
Etcd Explained
</a>
</li>
<li class="chapter " data-level="3.1.3" data-path="../concepts/open-interfaces.html">
<a href="../concepts/open-interfaces.html">
<b>3.1.3.</b>
Open Interfaces
</a>
<ul class="articles">
<li class="chapter " data-level="3.1.3.1" data-path="../concepts/cri.html">
<a href="../concepts/cri.html">
<b>3.1.3.1.</b>
CRI - Container Runtime Interface
</a>
</li>
<li class="chapter " data-level="3.1.3.2" data-path="../concepts/cni.html">
<a href="../concepts/cni.html">
<b>3.1.3.2.</b>
CNI - Container Network Interface
</a>
</li>
<li class="chapter " data-level="3.1.3.3" data-path="../concepts/csi.html">
<a href="../concepts/csi.html">
<b>3.1.3.3.</b>
CSI - Container Storage Interface
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="3.2" data-path="../concepts/networking.html">
<a href="../concepts/networking.html">
<b>3.2.</b>
Networking in Kubernetes
</a>
<ul class="articles">
<li class="chapter " data-level="3.2.1" data-path="../concepts/flannel.html">
<a href="../concepts/flannel.html">
<b>3.2.1.</b>
Kubernetes Networking Explained: flannel as an Example
</a>
</li>
<li class="chapter " data-level="3.2.2" data-path="../concepts/calico.html">
<a href="../concepts/calico.html">
<b>3.2.2.</b>
Kubernetes Networking Explained: calico as an Example
</a>
</li>
<li class="chapter " data-level="3.2.3" data-path="../concepts/cilium.html">
<a href="../concepts/cilium.html">
<b>3.2.3.</b>
Cilium: Open Source API-Aware Networking and Security Management
</a>
<ul class="articles">
<li class="chapter " data-level="3.2.3.1" data-path="../concepts/cilium-concepts.html">
<a href="../concepts/cilium-concepts.html">
<b>3.2.3.1.</b>
Cilium Architecture Design and Concepts Explained
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="3.3" data-path="../concepts/objects.html">
<a href="../concepts/objects.html">
<b>3.3.</b>
Resource Objects and Basic Concepts Explained
</a>
</li>
<li class="chapter " data-level="3.4" data-path="../concepts/pod-state-and-lifecycle.html">
<a href="../concepts/pod-state-and-lifecycle.html">
<b>3.4.</b>
Pod Status and Lifecycle Management
</a>
<ul class="articles">
<li class="chapter " data-level="3.4.1" data-path="../concepts/pod-overview.html">
<a href="../concepts/pod-overview.html">
<b>3.4.1.</b>
Pod Overview
</a>
</li>
<li class="chapter " data-level="3.4.2" data-path="../concepts/pod.html">
<a href="../concepts/pod.html">
<b>3.4.2.</b>
Pod Explained
</a>
</li>
<li class="chapter " data-level="3.4.3" data-path="../concepts/init-containers.html">
<a href="../concepts/init-containers.html">
<b>3.4.3.</b>
Init Containers
</a>
</li>
<li class="chapter " data-level="3.4.4" data-path="../concepts/pause-container.html">
<a href="../concepts/pause-container.html">
<b>3.4.4.</b>
Pause Container
</a>
</li>
<li class="chapter " data-level="3.4.5" data-path="../concepts/pod-security-policy.html">
<a href="../concepts/pod-security-policy.html">
<b>3.4.5.</b>
Pod Security Policy
</a>
</li>
<li class="chapter " data-level="3.4.6" data-path="../concepts/pod-lifecycle.html">
<a href="../concepts/pod-lifecycle.html">
<b>3.4.6.</b>
Pod Lifecycle
</a>
</li>
<li class="chapter " data-level="3.4.7" data-path="../concepts/pod-hook.html">
<a href="../concepts/pod-hook.html">
<b>3.4.7.</b>
Pod Hook
</a>
</li>
<li class="chapter " data-level="3.4.8" data-path="../concepts/pod-preset.html">
<a href="../concepts/pod-preset.html">
<b>3.4.8.</b>
Pod Preset
</a>
</li>
<li class="chapter " data-level="3.4.9" data-path="../concepts/pod-disruption-budget.html">
<a href="../concepts/pod-disruption-budget.html">
<b>3.4.9.</b>
Pod Disruption and PDB (Pod Disruption Budget)
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.5" data-path="../concepts/cluster.html">
<a href="../concepts/cluster.html">
<b>3.5.</b>
Cluster Resource Management
</a>
<ul class="articles">
<li class="chapter " data-level="3.5.1" data-path="../concepts/node.html">
<a href="../concepts/node.html">
<b>3.5.1.</b>
Node
</a>
</li>
<li class="chapter " data-level="3.5.2" data-path="../concepts/namespace.html">
<a href="../concepts/namespace.html">
<b>3.5.2.</b>
Namespace
</a>
</li>
<li class="chapter " data-level="3.5.3" data-path="../concepts/label.html">
<a href="../concepts/label.html">
<b>3.5.3.</b>
Label
</a>
</li>
<li class="chapter " data-level="3.5.4" data-path="../concepts/annotation.html">
<a href="../concepts/annotation.html">
<b>3.5.4.</b>
Annotation
</a>
</li>
<li class="chapter " data-level="3.5.5" data-path="../concepts/taint-and-toleration.html">
<a href="../concepts/taint-and-toleration.html">
<b>3.5.5.</b>
Taint and Toleration
</a>
</li>
<li class="chapter " data-level="3.5.6" data-path="../concepts/garbage-collection.html">
<a href="../concepts/garbage-collection.html">
<b>3.5.6.</b>
Garbage Collection
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.6" data-path="../concepts/controllers.html">
<a href="../concepts/controllers.html">
<b>3.6.</b>
Controllers
</a>
<ul class="articles">
<li class="chapter " data-level="3.6.1" data-path="../concepts/deployment.html">
<a href="../concepts/deployment.html">
<b>3.6.1.</b>
Deployment
</a>
</li>
<li class="chapter " data-level="3.6.2" data-path="../concepts/statefulset.html">
<a href="../concepts/statefulset.html">
<b>3.6.2.</b>
StatefulSet
</a>
</li>
<li class="chapter " data-level="3.6.3" data-path="../concepts/daemonset.html">
<a href="../concepts/daemonset.html">
<b>3.6.3.</b>
DaemonSet
</a>
</li>
<li class="chapter " data-level="3.6.4" data-path="../concepts/replicaset.html">
<a href="../concepts/replicaset.html">
<b>3.6.4.</b>
ReplicationController and ReplicaSet
</a>
</li>
<li class="chapter " data-level="3.6.5" data-path="../concepts/job.html">
<a href="../concepts/job.html">
<b>3.6.5.</b>
Job
</a>
</li>
<li class="chapter " data-level="3.6.6" data-path="../concepts/cronjob.html">
<a href="../concepts/cronjob.html">
<b>3.6.6.</b>
CronJob
</a>
</li>
<li class="chapter " data-level="3.6.7" data-path="../concepts/horizontal-pod-autoscaling.html">
<a href="../concepts/horizontal-pod-autoscaling.html">
<b>3.6.7.</b>
Horizontal Pod Autoscaling
</a>
<ul class="articles">
<li class="chapter " data-level="3.6.7.1" data-path="../concepts/custom-metrics-hpa.html">
<a href="../concepts/custom-metrics-hpa.html">
<b>3.6.7.1.</b>
HPA with Custom Metrics
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.6.8" data-path="../concepts/admission-controller.html">
<a href="../concepts/admission-controller.html">
<b>3.6.8.</b>
Admission Controller
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.7" data-path="../concepts/service-discovery.html">
<a href="../concepts/service-discovery.html">
<b>3.7.</b>
Service Discovery
</a>
<ul class="articles">
<li class="chapter " data-level="3.7.1" data-path="../concepts/service.html">
<a href="../concepts/service.html">
<b>3.7.1.</b>
Service
</a>
</li>
<li class="chapter " data-level="3.7.2" data-path="../concepts/ingress.html">
<a href="../concepts/ingress.html">
<b>3.7.2.</b>
Ingress
</a>
<ul class="articles">
<li class="chapter " data-level="3.7.2.1" data-path="../concepts/traefik-ingress-controller.html">
<a href="../concepts/traefik-ingress-controller.html">
<b>3.7.2.1.</b>
Traefik Ingress Controller
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="3.8" data-path="../concepts/authentication-and-permission.html">
<a href="../concepts/authentication-and-permission.html">
<b>3.8.</b>
Identity and Access Control
</a>
<ul class="articles">
<li class="chapter " data-level="3.8.1" data-path="../concepts/serviceaccount.html">
<a href="../concepts/serviceaccount.html">
<b>3.8.1.</b>
ServiceAccount
</a>
</li>
<li class="chapter " data-level="3.8.2" data-path="../concepts/rbac.html">
<a href="../concepts/rbac.html">
<b>3.8.2.</b>
RBAC: Role-Based Access Control
</a>
</li>
<li class="chapter " data-level="3.8.3" data-path="../concepts/network-policy.html">
<a href="../concepts/network-policy.html">
<b>3.8.3.</b>
NetworkPolicy
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.9" data-path="../concepts/storage.html">
<a href="../concepts/storage.html">
<b>3.9.</b>
Storage
</a>
<ul class="articles">
<li class="chapter " data-level="3.9.1" data-path="../concepts/secret.html">
<a href="../concepts/secret.html">
<b>3.9.1.</b>
Secret
</a>
</li>
<li class="chapter " data-level="3.9.2" data-path="../concepts/configmap.html">
<a href="../concepts/configmap.html">
<b>3.9.2.</b>
ConfigMap
</a>
<ul class="articles">
<li class="chapter " data-level="3.9.2.1" data-path="../concepts/configmap-hot-update.html">
<a href="../concepts/configmap-hot-update.html">
<b>3.9.2.1.</b>
Hot Updating a ConfigMap
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.9.3" data-path="../concepts/volume.html">
<a href="../concepts/volume.html">
<b>3.9.3.</b>
Volume
</a>
</li>
<li class="chapter " data-level="3.9.4" data-path="../concepts/persistent-volume.html">
<a href="../concepts/persistent-volume.html">
<b>3.9.4.</b>
Persistent Volume
</a>
</li>
<li class="chapter " data-level="3.9.5" data-path="../concepts/storageclass.html">
<a href="../concepts/storageclass.html">
<b>3.9.5.</b>
Storage Class
</a>
</li>
<li class="chapter " data-level="3.9.6" data-path="../concepts/local-persistent-storage.html">
<a href="../concepts/local-persistent-storage.html">
<b>3.9.6.</b>
Local Persistent Storage
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.10" data-path="../concepts/extension.html">
<a href="../concepts/extension.html">
<b>3.10.</b>
Cluster Extension
</a>
<ul class="articles">
<li class="chapter " data-level="3.10.1" data-path="../concepts/custom-resource.html">
<a href="../concepts/custom-resource.html">
<b>3.10.1.</b>
Extending the API with Custom Resources
</a>
</li>
<li class="chapter " data-level="3.10.2" data-path="../concepts/crd.html">
<a href="../concepts/crd.html">
<b>3.10.2.</b>
Extending the Kubernetes API with CRDs
</a>
</li>
<li class="chapter " data-level="3.10.3" data-path="../concepts/aggregated-api-server.html">
<a href="../concepts/aggregated-api-server.html">
<b>3.10.3.</b>
Aggregated API Server
</a>
</li>
<li class="chapter " data-level="3.10.4" data-path="../concepts/apiservice.html">
<a href="../concepts/apiservice.html">
<b>3.10.4.</b>
APIService
</a>
</li>
<li class="chapter " data-level="3.10.5" data-path="../concepts/service-catalog.html">
<a href="../concepts/service-catalog.html">
<b>3.10.5.</b>
Service Catalog
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="3.11" data-path="../concepts/scheduling.html">
<a href="../concepts/scheduling.html">
<b>3.11.</b>
Resource Scheduling
</a>
<ul class="articles">
<li class="chapter " data-level="3.11.1" data-path="../concepts/qos.html">
<a href="../concepts/qos.html">
<b>3.11.1.</b>
QoS (Quality of Service Classes)
</a>
</li>
</ul>
</li>
<li class="header">User Guide</li>
<li class="chapter " data-level="4.1" data-path="../guide/">
<a href="../guide/">
<b>4.1.</b>
User Guide
</a>
</li>
<li class="chapter " data-level="4.2" data-path="../guide/resource-configuration.html">
<a href="../guide/resource-configuration.html">
<b>4.2.</b>
Resource Object Configuration
</a>
<ul class="articles">
<li class="chapter " data-level="4.2.1" data-path="../guide/configure-liveness-readiness-probes.html">
<a href="../guide/configure-liveness-readiness-probes.html">
<b>4.2.1.</b>
Configuring Liveness and Readiness Probes for Pods
</a>
</li>
<li class="chapter " data-level="4.2.2" data-path="../guide/configure-pod-service-account.html">
<a href="../guide/configure-pod-service-account.html">
<b>4.2.2.</b>
Configuring a Service Account for Pods
</a>
</li>
<li class="chapter " data-level="4.2.3" data-path="../guide/secret-configuration.html">
<a href="../guide/secret-configuration.html">
<b>4.2.3.</b>
Secret Configuration
</a>
</li>
<li class="chapter " data-level="4.2.4" data-path="../guide/resource-quota-management.html">
<a href="../guide/resource-quota-management.html">
<b>4.2.4.</b>
Managing Resource Quotas in a Namespace
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.3" data-path="../guide/command-usage.html">
<a href="../guide/command-usage.html">
<b>4.3.</b>
Command Usage
</a>
<ul class="articles">
<li class="chapter " data-level="4.3.1" data-path="../guide/docker-cli-to-kubectl.html">
<a href="../guide/docker-cli-to-kubectl.html">
<b>4.3.1.</b>
kubectl Command-Line Guide for Docker Users
</a>
</li>
<li class="chapter " data-level="4.3.2" data-path="../guide/using-kubectl.html">
<a href="../guide/using-kubectl.html">
<b>4.3.2.</b>
kubectl Command Overview
</a>
</li>
<li class="chapter " data-level="4.3.3" data-path="../guide/kubectl-cheatsheet.html">
<a href="../guide/kubectl-cheatsheet.html">
<b>4.3.3.</b>
kubectl Command Tips and Tricks
</a>
</li>
<li class="chapter " data-level="4.3.4" data-path="../guide/using-etcdctl-to-access-kubernetes-data.html">
<a href="../guide/using-etcdctl-to-access-kubernetes-data.html">
<b>4.3.4.</b>
Accessing Kubernetes Data with etcdctl
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.4" data-path="../guide/cluster-security-management.html">
<a href="../guide/cluster-security-management.html">
<b>4.4.</b>
Cluster Security Management
</a>
<ul class="articles">
<li class="chapter " data-level="4.4.1" data-path="../guide/managing-tls-in-a-cluster.html">
<a href="../guide/managing-tls-in-a-cluster.html">
<b>4.4.1.</b>
Managing TLS in a Cluster
</a>
</li>
<li class="chapter " data-level="4.4.2" data-path="../guide/kubelet-authentication-authorization.html">
<a href="../guide/kubelet-authentication-authorization.html">
<b>4.4.2.</b>
kubelet Authentication and Authorization
</a>
</li>
<li class="chapter " data-level="4.4.3" data-path="../guide/tls-bootstrapping.html">
<a href="../guide/tls-bootstrapping.html">
<b>4.4.3.</b>
TLS Bootstrap
</a>
</li>
<li class="chapter " data-level="4.4.4" data-path="../guide/kubectl-user-authentication-authorization.html">
<a href="../guide/kubectl-user-authentication-authorization.html">
<b>4.4.4.</b>
Creating a kubeconfig File for User Authentication and Authorization
</a>
</li>
<li class="chapter " data-level="4.4.5" data-path="../guide/ip-masq-agent.html">
<a href="../guide/ip-masq-agent.html">
<b>4.4.5.</b>
IP Masquerade Agent
</a>
</li>
<li class="chapter " data-level="4.4.6" data-path="../guide/auth-with-kubeconfig-or-token.html">
<a href="../guide/auth-with-kubeconfig-or-token.html">
<b>4.4.6.</b>
User Authentication with kubeconfig or Token
</a>
</li>
<li class="chapter " data-level="4.4.7" data-path="../guide/authentication.html">
<a href="../guide/authentication.html">
<b>4.4.7.</b>
Users, Authentication and Authorization in Kubernetes
</a>
</li>
<li class="chapter " data-level="4.4.8" data-path="../guide/kubernetes-security-best-practice.html">
<a href="../guide/kubernetes-security-best-practice.html">
<b>4.4.8.</b>
Kubernetes Cluster Security Configuration Best Practices
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.5" data-path="../guide/access-kubernetes-cluster.html">
<a href="../guide/access-kubernetes-cluster.html">
<b>4.5.</b>
Accessing a Kubernetes Cluster
</a>
<ul class="articles">
<li class="chapter " data-level="4.5.1" data-path="../guide/access-cluster.html">
<a href="../guide/access-cluster.html">
<b>4.5.1.</b>
Accessing the Cluster
</a>
</li>
<li class="chapter " data-level="4.5.2" data-path="../guide/authenticate-across-clusters-kubeconfig.html">
<a href="../guide/authenticate-across-clusters-kubeconfig.html">
<b>4.5.2.</b>
Configuring Cross-Cluster Authentication with kubeconfig Files
</a>
</li>
<li class="chapter " data-level="4.5.3" data-path="../guide/connecting-to-applications-port-forward.html">
<a href="../guide/connecting-to-applications-port-forward.html">
<b>4.5.3.</b>
Accessing Applications in the Cluster via Port Forwarding
</a>
</li>
<li class="chapter " data-level="4.5.4" data-path="../guide/service-access-application-cluster.html">
<a href="../guide/service-access-application-cluster.html">
<b>4.5.4.</b>
Accessing Applications in the Cluster via a Service
</a>
</li>
<li class="chapter " data-level="4.5.5" data-path="../guide/accessing-kubernetes-pods-from-outside-of-the-cluster.html">
<a href="../guide/accessing-kubernetes-pods-from-outside-of-the-cluster.html">
<b>4.5.5.</b>
Accessing Pods in Kubernetes from Outside the Cluster
</a>
</li>
<li class="chapter " data-level="4.5.6" data-path="../guide/cabin-mobile-dashboard-for-kubernetes.html">
<a href="../guide/cabin-mobile-dashboard-for-kubernetes.html">
<b>4.5.6.</b>
Cabin - Kubernetes Mobile Client
</a>
</li>
<li class="chapter " data-level="4.5.7" data-path="../guide/kubernetes-desktop-client.html">
<a href="../guide/kubernetes-desktop-client.html">
<b>4.5.7.</b>
Lens - Kubernetes IDE/Desktop Client
</a>
</li>
<li class="chapter " data-level="4.5.8" data-path="../guide/kubernator-kubernetes-ui.html">
<a href="../guide/kubernator-kubernetes-ui.html">
<b>4.5.8.</b>
Kubernator - A Lower-Level Kubernetes UI
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.6" data-path="../guide/application-development-deployment-flow.html">
<a href="../guide/application-development-deployment-flow.html">
<b>4.6.</b>
Developing and Deploying Applications on Kubernetes
</a>
<ul class="articles">
<li class="chapter " data-level="4.6.1" data-path="../guide/deploy-applications-in-kubernetes.html">
<a href="../guide/deploy-applications-in-kubernetes.html">
<b>4.6.1.</b>
Application Development and Deployment Workflow for Kubernetes
</a>
</li>
<li class="chapter " data-level="4.6.2" data-path="../guide/migrating-hadoop-yarn-to-kubernetes.html">
<a href="../guide/migrating-hadoop-yarn-to-kubernetes.html">
<b>4.6.2.</b>
Migrating Legacy Applications to Kubernetes: Hadoop YARN as an Example
</a>
</li>
<li class="chapter " data-level="4.6.3" data-path="../guide/using-statefulset.html">
<a href="../guide/using-statefulset.html">
<b>4.6.3.</b>
Deploying Stateful Applications with StatefulSet
</a>
</li>
</ul>
</li>
< / ul >
< / nav >
< / div >
< div class = "book-body" >
< div class = "body-inner" >
< div class = "book-header" role = "navigation" >
<!-- Title -->
<h1>
<a href="..">Sidecar Injection and Traffic Hijacking</a>
</h1>
< / div >
< div class = "page-wrapper" tabindex = "-1" role = "main" >
< div class = "page-inner" >
< div class = "search-plus" id = "book-search-results" >
< div class = "search-noresults" >
< section class = "normal markdown-section" >
< h1 id = "深入理解istio-service-mesh中的envoy-sidecar注入与流量劫持" > 深 入 理 解 Istio Service Mesh中 的 Envoy Sidecar注 入 与 流 量 劫 持 < / h1 >
< p > < strong > 本 文 基 于 Istio 1.5。 < / strong > < / p >
< p > 本 文 基 于 Istio 1.5.1 版 本 , 将 为 大 家 介 绍 以 下 内 容 : < / p >
< ul >
< li > 什 么 是 sidecar 模 式 和 它 的 优 势 在 哪 里 。 < / li >
< li > Istio 中 是 如 何 做 sidecar 注 入 的 ? < / li >
< li > Sidecar proxy 是 如 何 做 透 明 流 量 劫 持 的 ? < / li >
< li > 流 量 是 如 何 路 由 到 upstream 的 ? < / li >
< / ul >
< p > 在 此 之 前 我 曾 写 过 基 于 Istio 1.1 版 本 的 < a href = "../blog/envoy-sidecar-injection-in-istio-service-mesh-deep-dive" > 理 解 Istio Service Mesh 中 Envoy 代 理 Sidecar 注 入 及 流 量 劫 持 < / a > , Istio 1.5 与 Istio 1.1 中 的 sidecar 注 入 和 流 量 劫 持 环 节 最 大 的 变 化 是 : < / p >
< ul >
< li > iptables 改 用 命 令 行 工 具 , 不 再 使 用 shell 脚 本 。 < / li >
< li > sidecar inbound 和 outbound 分 别 指 定 了 端 口 , 而 之 前 是 使 用 同 一 个 端 口 ( 15001) 。 < / li >
< / ul >
< p > 注 : 本 文 中 部 分 内 容 收 录 于 ServiceMesher 社 区 出 品 的 < a href = "https://www.servicemesher.com/istio-handbook/" target = "_blank" > Istio Handbook< / a > 。 < / p >
< h2 id = "sidecar-模式" > Sidecar 模 式 < / h2 >
< p > 将 应 用 程 序 的 功 能 划 分 为 单 独 的 进 程 运 行 在 同 一 个 最 小 调 度 单 元 中 ( 例 如 Kubernetes 中 的 Pod) 可 以 被 视 为 < strong > sidecar 模 式 < / strong > 。 如 下 图 所 示 , sidecar 模 式 允 许 您 在 应 用 程 序 旁 边 添 加 更 多 功 能 , 而 无 需 额 外 第 三 方 组 件 配 置 或 修 改 应 用 程 序 代 码 。 < / p >
2020-07-24 10:10:37 +08:00
< figure id = "fig6.3.2.5.1" > < a href = "../images/sidecar-pattern.jpg" data-lightbox = "7449c6a8-3b77-4c85-ba46-e5cfe0ad4a0b" data-title = "Sidecar 模式示意图" > < img src = "../images/sidecar-pattern.jpg" alt = "Sidecar 模式示意图" > < / a > < figcaption > 图 6.3.2.5.1: Sidecar 模 式 示 意 图 < / figcaption > < / figure >
2020-06-19 14:52:56 +08:00
< p > 就 像 连 接 了 Sidecar 的 三 轮 摩 托 车 一 样 , 在 软 件 架 构 中 , Sidecar 连 接 到 父 应 用 并 且 为 其 添 加 扩 展 或 者 增 强 功 能 。 Sidecar 应 用 与 主 应 用 程 序 松 散 耦 合 。 它 可 以 屏 蔽 不 同 编 程 语 言 的 差 异 , 统 一 实 现 微 服 务 的 可 观 察 性 、 监 控 、 日 志 记 录 、 配 置 、 断 路 器 等 功 能 。 < / p >
<h3 id="使用-sidecar-模式的优势">Advantages of the Sidecar Pattern</h3>
<p>When a service mesh is deployed with the sidecar pattern, no proxy needs to run on the node itself, but many identical sidecar replicas run in the cluster. In the sidecar deployment model a companion container (such as <a href="https://www.servicemesher.com/istio-handbook/GLOSSARY.html#envoy" target="_blank">Envoy</a> or <a href="https://www.servicemesher.com/istio-handbook/GLOSSARY.html#mosn" target="_blank">MOSN</a>) is deployed next to every application container; this container is called the sidecar container. The sidecar takes over all traffic entering and leaving the application container. In a Kubernetes Pod the sidecar container is injected next to the original application container and the two containers share storage, network and other resources, so in a broad sense the Pod containing the sidecar can be thought of as a host whose resources the two containers share.</p>
<p>Because of this deployment structure, the sidecar pattern has the following advantages:</p>
< ul >
<li>Functionality unrelated to the application's business logic is abstracted into shared infrastructure, which reduces the complexity of the microservice code.</li>
<li>Because the same third-party component configuration files and code no longer have to be written for every service, code duplication across the microservice architecture is reduced.</li>
<li>The sidecar can be upgraded independently, which reduces the coupling between application code and the underlying platform.</li>
< / ul >
<h2 id="istio-中的-sidecar-注入">Sidecar Injection in Istio</h2>
<p>Istio provides the following two ways of injecting the sidecar:</p>
< ul >
<li>Manual injection with <code>istioctl</code>.</li>
<li>Automatic sidecar injection based on the Kubernetes <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/" target="_blank">mutating webhook admission controller</a>.</li>
< / ul >
<p>Whether injection is manual or automatic, the sidecar injection process follows these steps:</p>
< ol >
<li>Kubernetes needs to know which Istio cluster the sidecar to be injected connects to, and that cluster's configuration;</li>
<li>Kubernetes needs to know the configuration of the sidecar container itself, such as its image address and startup arguments;</li>
<li>Kubernetes fills in the sidecar's parameters from the sidecar injection template and the configuration above, and injects the result alongside the application container.</li>
< / ol >
<p>The sidecar can be injected manually with the following command.</p>
<pre class="language-"><code class="lang-bash">istioctl kube-inject -f ${YAML_FILE} | kubectl apply -f -
</code></pre>
<p>This command injects using Istio's built-in sidecar configuration; for details of the configuration it uses, see the <a href="https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection" target="_blank">Istio documentation</a>.</p>
<p>After injection you will see that Istio has added an <code>initContainer</code> and the sidecar proxy configuration to the original pod template.</p>
<h3 id="init-容器">Init Containers</h3>
<p>An Init container is a specialized container that runs before the application containers start; it holds utilities or setup scripts that are not present in the application image.</p>
<p>A Pod may specify multiple Init containers; if several are specified, they run one after another in order. Each Init container must complete successfully before the next one may run. Only after all Init containers have completed does Kubernetes initialize the Pod and run the application containers.</p>
<p>Init containers use Linux namespaces, so they have a different filesystem view from the application containers. They can therefore be granted access to Secrets that the application containers cannot access.</p>
<p>During Pod startup, Init containers start in order after the network and volumes have been initialized. Each container must exit successfully before the next one starts. If a container fails to start because of the runtime or exits with a failure, it is retried according to the Pod's <code>restartPolicy</code>. However, if the Pod's <code>restartPolicy</code> is set to <code>Always</code>, Init containers use the <code>OnFailure</code> restart policy.</p>
<p>A Pod does not become <code>Ready</code> until all of its Init containers have succeeded. The ports of Init containers are not aggregated into a Service. A Pod that is still initializing is in the <code>Pending</code> state but should have the <code>Initializing</code> condition set to true. Init containers terminate automatically once they have finished running.</p>
<p>For details on Init containers see <a href="https://jimmysong.io/kubernetes-handbook/concepts/init-containers.html" target="_blank">Init Containers - Kubernetes Handbook</a>.</p>
<h2 id="sidecar-注入示例分析">Sidecar Injection Example Analysis</h2>
<p>Take the <code>productpage</code> YAML from Istio's official <code>bookinfo</code> sample as an example; for the full YAML configuration of the <code>bookinfo</code> application see <a href="https://github.com/istio/istio/blob/master/samples/bookinfo/platform/kube/bookinfo.yaml" target="_blank">bookinfo.yaml</a>.</p>
<p>The following sections cover:</p>
< ul >
<li>Injection of the sidecar container</li>
<li>Creation of the iptables rules</li>
<li>The routing process in detail</li>
< / ul >
< pre class = "language-" > < code class = "lang-yaml" > < span class = "token key atrule" > apiVersion< / span > < span class = "token punctuation" > :< / span > apps/v1
< span class = "token key atrule" > kind< / span > < span class = "token punctuation" > :< / span > Deployment
< span class = "token key atrule" > metadata< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > productpage< span class = "token punctuation" > -< / span > v1
< span class = "token key atrule" > labels< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > app< / span > < span class = "token punctuation" > :< / span > productpage
< span class = "token key atrule" > version< / span > < span class = "token punctuation" > :< / span > v1
< span class = "token key atrule" > spec< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > replicas< / span > < span class = "token punctuation" > :< / span > < span class = "token number" > 1< / span >
< span class = "token key atrule" > selector< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > matchLabels< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > app< / span > < span class = "token punctuation" > :< / span > productpage
< span class = "token key atrule" > version< / span > < span class = "token punctuation" > :< / span > v1
< span class = "token key atrule" > template< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > metadata< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > labels< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > app< / span > < span class = "token punctuation" > :< / span > productpage
< span class = "token key atrule" > version< / span > < span class = "token punctuation" > :< / span > v1
< span class = "token key atrule" > spec< / span > < span class = "token punctuation" > :< / span >
< span class = "token key atrule" > serviceAccountName< / span > < span class = "token punctuation" > :< / span > bookinfo< span class = "token punctuation" > -< / span > productpage
< span class = "token key atrule" > containers< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > productpage
< span class = "token key atrule" > image< / span > < span class = "token punctuation" > :< / span > docker.io/istio/examples< span class = "token punctuation" > -< / span > bookinfo< span class = "token punctuation" > -< / span > productpage< span class = "token punctuation" > -< / span > v1< span class = "token punctuation" > :< / span > 1.15.0
< span class = "token key atrule" > imagePullPolicy< / span > < span class = "token punctuation" > :< / span > IfNotPresent
< span class = "token key atrule" > ports< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > containerPort< / span > < span class = "token punctuation" > :< / span > < span class = "token number" > 9080< / span >
< span class = "token key atrule" > volumeMounts< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > tmp
< span class = "token key atrule" > mountPath< / span > < span class = "token punctuation" > :< / span > /tmp
< span class = "token key atrule" > volumes< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > tmp
< span class = "token key atrule" > emptyDir< / span > < span class = "token punctuation" > :< / span > < span class = "token punctuation" > {< / span > < span class = "token punctuation" > }< / span >
< / code > < / pre >
<p>Now look at the <a href="https://github.com/istio/istio/blob/master/samples/bookinfo/src/productpage/Dockerfile" target="_blank">Dockerfile</a> of the <code>productpage</code> container.</p>
<pre class="language-"><code class="lang-docker">FROM python:3.7.4-slim
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY test-requirements.txt ./
RUN pip install --no-cache-dir -r test-requirements.txt
COPY productpage.py /opt/microservices/
COPY tests/unit/* /opt/microservices/
COPY templates /opt/microservices/templates
COPY static /opt/microservices/static
COPY requirements.txt /opt/microservices/
ARG flood_factor
ENV FLOOD_FACTOR ${flood_factor:-0}
EXPOSE 9080
WORKDIR /opt/microservices
RUN python -m unittest discover
USER 1
CMD ["python", "productpage.py", "9080"]
</code></pre>
<p>Notice that the <code>Dockerfile</code> sets no <code>ENTRYPOINT</code>, so the <code>CMD</code> value <code>python productpage.py 9080</code> is the command the container runs by default. Keep this in mind, then look at the configuration after the sidecar has been injected.</p>
< pre class = "language-" > < code class = "lang-bash" > $ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml
< / code > < / pre >
<p>Only the relevant part of the YAML for the <code>productpage</code> <code>Deployment</code> is shown below.</p>
< pre class = "language-" > < code class = "lang-yaml" > < span class = "token key atrule" > containers< / span > < span class = "token punctuation" > :< / span >
- image: docker.io/istio/examples-bookinfo-productpage-v1:1.15.0 <span class="token comment"># application image</span>
< span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > productpage
< span class = "token key atrule" > ports< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > containerPort< / span > < span class = "token punctuation" > :< / span > < span class = "token number" > 9080< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > args< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > proxy
< span class = "token punctuation" > -< / span > sidecar
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > domain
< span class = "token punctuation" > -< / span > $(POD_NAMESPACE).svc.cluster.local
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > configPath
< span class = "token punctuation" > -< / span > /etc/istio/proxy
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > binaryPath
< span class = "token punctuation" > -< / span > /usr/local/bin/envoy
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > serviceCluster
< span class = "token punctuation" > -< / span > productpage.$(POD_NAMESPACE)
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > drainDuration
< span class = "token punctuation" > -< / span > 45s
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > parentShutdownDuration
< span class = "token punctuation" > -< / span > 1m0s
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > discoveryAddress
< span class = "token punctuation" > -< / span > istiod.istio< span class = "token punctuation" > -< / span > system.svc< span class = "token punctuation" > :< / span > < span class = "token number" > 15012< / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > zipkinAddress
< span class = "token punctuation" > -< / span > zipkin.istio< span class = "token punctuation" > -< / span > system< span class = "token punctuation" > :< / span > < span class = "token number" > 9411< / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > proxyLogLevel=warning
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > proxyComponentLogLevel=misc< span class = "token punctuation" > :< / span > error
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > connectTimeout
< span class = "token punctuation" > -< / span > 10s
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > proxyAdminPort
< span class = "token punctuation" > -< / span > < span class = "token string" > " 15000" < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > concurrency
< span class = "token punctuation" > -< / span > < span class = "token string" > " 2" < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > controlPlaneAuthPolicy
< span class = "token punctuation" > -< / span > NONE
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > dnsRefreshRate
< span class = "token punctuation" > -< / span > 300s
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > statusPort
< span class = "token punctuation" > -< / span > < span class = "token string" > " 15020" < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > trust< span class = "token punctuation" > -< / span > domain=cluster.local
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > controlPlaneBootstrap=false
< span class = "token key atrule" > image< / span > < span class = "token punctuation" > :< / span > docker.io/istio/proxyv2< span class = "token punctuation" > :< / span > 1.5.1 < span class = "token comment" > # sidecar proxy< / span >
< span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > istio< span class = "token punctuation" > -< / span > proxy
< span class = "token key atrule" > ports< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > containerPort< / span > < span class = "token punctuation" > :< / span > < span class = "token number" > 15090< / span >
< span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > http< span class = "token punctuation" > -< / span > envoy< span class = "token punctuation" > -< / span > prom
< span class = "token key atrule" > protocol< / span > < span class = "token punctuation" > :< / span > TCP
< span class = "token key atrule" > initContainers< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > < span class = "token key atrule" > command< / span > < span class = "token punctuation" > :< / span >
< span class = "token punctuation" > -< / span > istio< span class = "token punctuation" > -< / span > iptables
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > p
< span class = "token punctuation" > -< / span > < span class = "token string" > " 15001" < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > z
< span class = "token punctuation" > -< / span > < span class = "token string" > " 15006" < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > u
< span class = "token punctuation" > -< / span > < span class = "token string" > " 1337" < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > m
< span class = "token punctuation" > -< / span > REDIRECT
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > i
< span class = "token punctuation" > -< / span > < span class = "token string" > ' *' < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > x
< span class = "token punctuation" > -< / span > < span class = "token string" > " " < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > b
< span class = "token punctuation" > -< / span > < span class = "token string" > ' *' < / span >
< span class = "token punctuation" > -< / span > < span class = "token punctuation" > -< / span > d
< span class = "token punctuation" > -< / span > < span class = "token number" > 15090< / span > < span class = "token punctuation" > ,< / span > < span class = "token number" > 15020< / span >
image: docker.io/istio/proxyv2:1.5.1 <span class="token comment"># init container</span>
< span class = "token key atrule" > name< / span > < span class = "token punctuation" > :< / span > istio< span class = "token punctuation" > -< / span > init
< / code > < / pre >
<p>The configuration Istio injects into the application Pod consists mainly of:</p>
< ul >
<li>Init container <code>istio-init</code>: sets up iptables port forwarding inside the pod</li>
<li>Sidecar container <code>istio-proxy</code>: runs the sidecar proxy, such as <a href="https://www.servicemesher.com/istio-handbook/GLOSSARY.html#envoy" target="_blank">Envoy</a> or <a href="https://www.servicemesher.com/istio-handbook/GLOSSARY.html#mosn" target="_blank">MOSN</a></li>
< / ul >
<p>The two containers are analyzed separately below.</p>
<h2 id="init-容器解析">Init Container Analysis</h2>
<p>The Init container Istio injects into the pod is named <code>istio-init</code>; in the injected YAML above we saw that its startup command is:</p>
< pre class = "language-" > < code class = "lang-bash" > istio-iptables -p < span class = "token number" > 15001< / span > -z < span class = "token number" > 15006< / span > -u < span class = "token number" > 1337< / span > -m REDIRECT -i < span class = "token string" > ' *' < / span > -x < span class = "token string" > " " < / span > -b < span class = "token string" > ' *' < / span > -d < span class = "token number" > 15090,15020< / span >
< / code > < / pre >
<p>Let us check the container's <a href="https://github.com/istio/istio/blob/master/pilot/docker/Dockerfile.proxyv2" target="_blank">Dockerfile</a> to see how the <code>ENTRYPOINT</code> determines the command executed at startup.</p>
<pre class="language-"><code class="lang-docker"># earlier content omitted
# The pilot-agent will bootstrap Envoy.
ENTRYPOINT ["/usr/local/bin/pilot-agent"]
</code></pre>
<p>Both <code>istio-init</code> and <code>istio-proxy</code> use the same <code>proxyv2</code> image, whose <code>ENTRYPOINT</code> is <code>pilot-agent</code>; that is what the <code>istio-proxy</code> container runs, with the <code>proxy sidecar ...</code> arguments shown above. The <code>istio-init</code> container, however, sets <code>command</code> in its Pod spec, which overrides the image's <code>ENTRYPOINT</code>, so its entry point is the <code>/usr/local/bin/istio-iptables</code> command-line tool. The source of that tool lives in the <a href="https://github.com/istio/istio/tree/master/tools/istio-iptables" target="_blank">tools/istio-iptables</a> directory of the Istio repository.</p>
<p>Note: in Istio 1.1 the <code>istio-iptables.sh</code> shell script was still used to manipulate iptables.</p>
<h3 id="init-容器启动入口">Init Container Entry Point</h3>
<p>The Init container's entry point is the <code>istio-iptables</code> command-line tool, whose usage is as follows:</p>
<pre class="language-"><code class="lang-bash">$ istio-iptables [flags]
  -p: the sidecar port to which all TCP traffic is redirected (default $ENVOY_PORT = 15001)
  -m: the mode used to redirect inbound connections to the sidecar, "REDIRECT" or "TPROXY" (default $ISTIO_INBOUND_INTERCEPTION_MODE)
  -b: comma-separated list of inbound ports whose traffic is redirected to Envoy (optional). The wildcard "*" redirects all ports; an empty value disables all inbound redirection (default $ISTIO_INBOUND_PORTS)
  -d: comma-separated list of inbound ports to exclude from redirection to the sidecar (optional). Only applies when all inbound traffic ("*") is being redirected (default $ISTIO_LOCAL_EXCLUDE_PORTS)
  -o: comma-separated list of outbound ports to exclude from redirection to Envoy
  -i: IP address ranges to redirect to the sidecar (optional), as a comma-separated list in CIDR form. The wildcard "*" redirects all outbound traffic; an empty list disables all outbound redirection (default $ISTIO_SERVICE_CIDR)
  -x: IP address ranges to exclude from redirection, as a comma-separated list in CIDR form. Only applies when all outbound traffic ("*") is being redirected (default $ISTIO_SERVICE_EXCLUDE_CIDR)
  -k: comma-separated list of virtual interfaces whose inbound traffic (from a VM) is treated as outbound
  -g: the GID of the user for which redirection is not applied (defaults to the same value as -u)
  -u: the UID of the user for which redirection is not applied. Typically this is the UID of the proxy container (default 1337, the UID of istio-proxy)
  -z: the port to which all inbound TCP traffic to the pod/VM is redirected (default $INBOUND_CAPTURE_PORT = 15006)
</code></pre>
<p>All of the parameters passed in are reassembled into <a href="https://wangchujiang.com/linux-command/c/iptables.html" target="_blank"><code>iptables</code></a> rules; for the full details of the command see <a href="https://github.com/istio/istio/blob/master/tools/istio-iptables/pkg/cmd/root.go" target="_blank">tools/istio-iptables/pkg/cmd/root.go</a>.</p>
<p>The purpose of this container is to let the sidecar proxy intercept all traffic entering and leaving the pod: all inbound traffic, except for ports 15090 (Envoy's Prometheus telemetry port) and 15020 (the pilot-agent status port, see <code>--statusPort</code> above), is redirected to port 15006 (the sidecar), and the application container's outbound traffic is intercepted and passed through the sidecar (which listens on port 15001) before it leaves the pod. For the ports Istio uses see the <a href="https://istio.io/zh/docs/ops/deployment/requirements/" target="_blank">Istio documentation</a>.</p>
<p><strong>Command breakdown</strong></p>
<p>This startup command does the following:</p>
< ul >
<li>Redirects all inbound TCP traffic to the pod (apart from the excluded ports 15090 and 15020) to the sidecar's port 15006.</li>
<li>Exempts traffic originating from UID 1337 from redirection. This is the <code>istio-proxy</code> user the sidecar runs as (see the <code>runAsUser</code> field in the YAML), so the proxy's own outbound connections are not looped back into the proxy.</li>
<li>Uses the default <code>REDIRECT</code> mode to redirect traffic.</li>
<li>Redirects all outbound traffic from the application to the sidecar proxy (via port 15001).</li>
< / ul >
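<p>To make the flag list and the command breakdown above concrete, here is an added example (not Istio's own code, and not part of the original article) that renders the nat-table rules those flags translate into. It is a dry run: it prints the <code>iptables</code> commands rather than executing them, so it needs no privileges and its output can be compared with <code>iptables -t nat -S</code> from a real pod. Assumptions: only the <code>REDIRECT</code> mode used on this page is modelled; the real tool's additional loopback, IPv6, <code>TPROXY</code> and <code>-k</code> handling is left out, and the chain names and the placement of the UID/GID exemption rules follow what the rest of this article shows.</p>

```shell
#!/usr/bin/env bash
# Added example, not Istio's own code: a dry-run reconstruction of the nat-table
# rules that the istio-init flags translate into. Prints the iptables commands
# instead of running them. Assumption: only REDIRECT mode is modelled and the
# real tool's extra special cases (loopback source addresses, IPv6, TPROXY, -k)
# are omitted.

# Print each item of a comma-separated list on its own line (nothing for "").
each_item() {
  [ -n "$1" ] || return 0
  printf '%s\n' "$1" | tr ',' '\n'
}

render_istio_iptables() {
  local OPTIND=1 opt
  local proxy_port=15001 inbound_port=15006 uid=1337 gid="" mode=REDIRECT
  local include_cidrs="" exclude_cidrs="" inbound_ports="" exclude_inbound="" exclude_outbound=""
  while getopts "p:z:u:g:m:i:x:b:d:o:" opt; do
    case "$opt" in
      p) proxy_port=$OPTARG ;;      z) inbound_port=$OPTARG ;;
      u) uid=$OPTARG ;;             g) gid=$OPTARG ;;
      m) mode=$OPTARG ;;            i) include_cidrs=$OPTARG ;;
      x) exclude_cidrs=$OPTARG ;;   b) inbound_ports=$OPTARG ;;
      d) exclude_inbound=$OPTARG ;; o) exclude_outbound=$OPTARG ;;
      *) echo "usage: render_istio_iptables [-p port] [-z port] [-u uid] ..." >&2; return 2 ;;
    esac
  done
  [ -n "$gid" ] || gid=$uid                      # -g defaults to the -u value
  [ "$mode" = REDIRECT ] || { echo "only REDIRECT mode is modelled" >&2; return 2; }
  local ipt="iptables -t nat" port cidr

  # Target chains: outbound traffic -> -p port (15001), inbound -> -z port (15006).
  echo "$ipt -N ISTIO_REDIRECT"
  echo "$ipt -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports $proxy_port"
  echo "$ipt -N ISTIO_IN_REDIRECT"
  echo "$ipt -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports $inbound_port"

  # Inbound: PREROUTING jumps to ISTIO_INBOUND; -d exclusions RETURN before the catch-all.
  if [ -n "$inbound_ports" ]; then
    echo "$ipt -N ISTIO_INBOUND"
    echo "$ipt -A PREROUTING -p tcp -j ISTIO_INBOUND"
    if [ "$inbound_ports" = '*' ]; then
      each_item "$exclude_inbound" | while read -r port; do
        echo "$ipt -A ISTIO_INBOUND -p tcp --dport $port -j RETURN"
      done
      echo "$ipt -A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT"
    else
      each_item "$inbound_ports" | while read -r port; do
        echo "$ipt -A ISTIO_INBOUND -p tcp --dport $port -j ISTIO_IN_REDIRECT"
      done
    fi
  fi

  # Outbound: OUTPUT jumps to ISTIO_OUTPUT.
  echo "$ipt -N ISTIO_OUTPUT"
  echo "$ipt -A OUTPUT -p tcp -j ISTIO_OUTPUT"
  # Sockets owned by the proxy's uid/gid (1337) must RETURN, otherwise Envoy's own
  # upstream connections would be redirected back into Envoy in a loop.
  echo "$ipt -A ISTIO_OUTPUT -m owner --uid-owner $uid -j RETURN"
  echo "$ipt -A ISTIO_OUTPUT -m owner --gid-owner $gid -j RETURN"
  # Traffic to 127.0.0.1 stays local.
  echo "$ipt -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN"
  each_item "$exclude_outbound" | while read -r port; do
    echo "$ipt -A ISTIO_OUTPUT -p tcp --dport $port -j RETURN"
  done
  each_item "$exclude_cidrs" | while read -r cidr; do
    echo "$ipt -A ISTIO_OUTPUT -d $cidr -j RETURN"
  done
  if [ "$include_cidrs" = '*' ]; then
    echo "$ipt -A ISTIO_OUTPUT -j ISTIO_REDIRECT"
  else
    each_item "$include_cidrs" | while read -r cidr; do
      echo "$ipt -A ISTIO_OUTPUT -d $cidr -j ISTIO_REDIRECT"
    done
  fi
}

# Exactly the flags istio-init is given on this page.
render_istio_iptables -p 15001 -z 15006 -u 1337 -m REDIRECT -i '*' -x "" -b '*' -d 15090,15020
```

<p>Reading the output top to bottom shows why the order of the rules matters: a port listed with <code>-d</code> hits its <code>RETURN</code> before the catch-all jump to <code>ISTIO_IN_REDIRECT</code>, so it is reachable without passing through Envoy, and the <code>--uid-owner 1337</code> rule is what keeps the proxy's own traffic out of the redirect loop. Passing <code>-b ""</code> instead of <code>-b '*'</code> produces no <code>ISTIO_INBOUND</code> chain at all, i.e. no inbound interception.</p>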
<p>Because the Init container terminates once initialization is complete, we cannot log into it to inspect the iptables rules, but the result of its work persists in the network namespace shared by the application container and the sidecar container.</p>
<h2 id="iptables-注入解析">iptables Injection Analysis</h2>
<p>To inspect the iptables configuration we need to enter the sidecar container as root. Because <code>kubectl</code> cannot open a privileged session into a docker container remotely, we have to log in to the host running the <code>productpage</code> pod and use the <code>docker</code> command to get into the container.</p>
<p>If you deployed Kubernetes with minikube, you can log straight into the minikube VM and switch to root. Then inspect the iptables configuration by listing all rules in the NAT (network address translation) table: because the <code>istio-iptables</code> arguments chosen at Init container startup set the inbound interception mode to <code>REDIRECT</code>, only the NAT table carries rules; had <code>TPROXY</code> been chosen, the <code>mangle</code> table would also carry rules. For the full usage of the <code>iptables</code> command see <a href="https://wangchujiang.com/linux-command/c/iptables.html" target="_blank">iptables</a>.</p>
<p>Only the iptables rules related to <code>productpage</code> are examined below.</p>
<pre class="language-"><code class="lang-bash"># Enter minikube and switch to root (minikube's default user is docker)
$ minikube ssh
$ sudo -i
# List the processes in the istio-proxy container of the productpage pod
$ docker top `docker ps | grep "istio-proxy_productpage" | cut -d " " -f1`
UID   PID    PPID   C  STIME  TTY  TIME      CMD
1337  10576  10517  0  08:09  ?    00:00:07  /usr/local/bin/pilot-agent proxy sidecar --domain default.svc.cluster.local --configPath /etc/istio/proxy --binaryPath /usr/local/bin/envoy --serviceCluster productpage.default --drainDuration 45s --parentShutdownDuration 1m0s --discoveryAddress istiod.istio-system.svc:15012 --zipkinAddress zipkin.istio-system:9411 --proxyLogLevel=warning --proxyComponentLogLevel=misc:error --connectTimeout 10s --proxyAdminPort 15000 --concurrency 2 --controlPlaneAuthPolicy NONE --dnsRefreshRate 300s --statusPort 15020 --trust-domain=cluster.local --controlPlaneBootstrap=false
1337  10660  10576  0  08:09  ?    00:00:33  /usr/local/bin/envoy -c /etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --parent-shutdown-time-s 60 --service-cluster productpage.default --service-node sidecar~172.17.0.16~productpage-v1-7f44c4d57c-ksf9b.default~default.svc.cluster.local --max-obj-name-len 189 --local-address-ip-version v4 --log-format [Envoy (Epoch 0)] [%Y-%m-%d %T.%e] [%t] [%l] [%n] %v -l warning --component-log-level misc:error --concurrency 2
# Use nsenter to enter the sidecar container's network namespace (either PID works)
$ nsenter -n --target 10660
</code></pre>
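<p>Once inside the pod's network namespace, the rules can be read by eye, but across a fleet you want a repeatable check. The following is an added example, not part of the original article or of Istio: it audits the <code>ISTIO_INBOUND</code> chain for ports that bypass the sidecar. Every <code>--dport N -j RETURN</code> in that chain is a port reachable without passing through Envoy, and therefore outside the mesh's mTLS and authorization policy, so each one needs a justification. The input format assumed is iptables-save syntax as printed by <code>iptables -t nat -S ISTIO_INBOUND</code>, the list of known Istio exclusions is taken from the <code>-d 15090,15020</code> flag above, and both rule sets fed to it are constructed samples, not captures from a real cluster.</p>

```shell
#!/usr/bin/env bash
# Added example, not part of the page or of Istio: audit a pod's ISTIO_INBOUND
# chain for inbound ports that bypass the sidecar proxy.
# Input: the chain in iptables-save syntax (`iptables -t nat -S ISTIO_INBOUND`),
# read from stdin.

# Ports Istio itself excludes. Assumption: taken from the -d 15090,15020 flag on this page.
ISTIO_KNOWN_EXCLUDES="15090 15020"

# Print every inbound port that RETURNs (bypasses the proxy) before the catch-all redirect.
excluded_inbound_ports() {
  sed -n 's/^-A ISTIO_INBOUND -p tcp \(-m tcp \)\{0,1\}--dport \([0-9]*\) -j RETURN$/\2/p'
}

# Return 0 when the last ISTIO_INBOUND rule is the catch-all jump to ISTIO_IN_REDIRECT,
# 1 otherwise (an inbound chain without it intercepts nothing at all).
inbound_catch_all_present() {
  grep '^-A ISTIO_INBOUND ' | tail -n 1 | grep -q -- '-j ISTIO_IN_REDIRECT$'
}

# Return 0 if only the known ports bypass the proxy; otherwise print each
# unexpected port and return 1.
audit_inbound_bypass() {
  local port bad=0
  for port in $(excluded_inbound_ports); do
    case " $ISTIO_KNOWN_EXCLUDES " in
      *" $port "*) ;;
      *) echo "inbound port $port bypasses the sidecar"; bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample (not captured from a cluster): the rules the flags on this page produce.
CLEAN_RULES='-N ISTIO_INBOUND
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT'

# Constructed sample of a pod where the application port 9080 was also excluded,
# for example through the traffic.sidecar.istio.io/excludeInboundPorts annotation.
BYPASS_RULES='-N ISTIO_INBOUND
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 9080 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT'

printf '%s\n' "$CLEAN_RULES"  | audit_inbound_bypass && echo "clean pod: OK"
printf '%s\n' "$BYPASS_RULES" | audit_inbound_bypass || echo "bypass pod: FAIL"
```

<p>On a live pod, replace the constructed samples with <code>iptables -t nat -S ISTIO_INBOUND | audit_inbound_bypass</code> after entering the namespace with <code>nsenter</code> as shown above; a non-zero exit means the pod accepts traffic on a port the proxy never sees.</p>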
<p>In that process's network namespace, list its iptables rule chains.</p>
< pre class = "language-" > < code class = "lang-bash" > < span class = "token comment" > # 查 看 NAT 表 中 规 则 配 置 的 详 细 信 息 。 < / span >
$ iptables -t nat -L -v
< span class = "token comment" > # PREROUTING chain: used for destination address translation (DNAT); jumps all inbound TCP traffic to the ISTIO_INBOUND chain.< / span >
Chain PREROUTING < span class = "token punctuation" > (< / span > policy ACCEPT < span class = "token number" > 2701< / span > packets, 162K bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token number" > 2701< / span > 162K ISTIO_INBOUND tcp -- any any anywhere anywhere
< span class = "token comment" > # INPUT chain: handles incoming packets; non-TCP traffic continues on to the OUTPUT chain.< / span >
Chain INPUT < span class = "token punctuation" > (< / span > policy ACCEPT < span class = "token number" > 2701< / span > packets, 162K bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token comment" > # OUTPUT chain: jumps all outbound packets to the ISTIO_OUTPUT chain.< / span >
Chain OUTPUT < span class = "token punctuation" > (< / span > policy ACCEPT < span class = "token number" > 79< / span > packets, < span class = "token number" > 6761< / span > bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token number" > 15< / span > < span class = "token number" > 900< / span > ISTIO_OUTPUT tcp -- any any anywhere anywhere
< span class = "token comment" > # POSTROUTING chain: every packet passes through POSTROUTING before it leaves the network interface; the kernel decides from the packet's destination whether it has to be forwarded. Nothing is done here.< / span >
Chain POSTROUTING < span class = "token punctuation" > (< / span > policy ACCEPT < span class = "token number" > 79< / span > packets, < span class = "token number" > 6761< / span > bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token comment" > # ISTIO_INBOUND chain: redirects all inbound traffic to the ISTIO_IN_REDIRECT chain, except traffic destined for port 15090 (used by Mixer) and port 15020 (used by the Ingress gateway for Pilot health checks); the listing also exempts port 22 (ssh). Traffic to those ports returns to the call site of the rule chain, i.e. continues after PREROUTING to POSTROUTING.< / span >
Chain ISTIO_INBOUND < span class = "token punctuation" > (< / span > < span class = "token number" > 1< / span > references< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > RETURN tcp -- any any anywhere anywhere tcp dpt:ssh
< span class = "token number" > 2< / span > < span class = "token number" > 120< / span > RETURN tcp -- any any anywhere anywhere tcp dpt:15090
< span class = "token number" > 2699< / span > 162K RETURN tcp -- any any anywhere anywhere tcp dpt:15020
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > ISTIO_IN_REDIRECT tcp -- any any anywhere anywhere
< span class = "token comment" > # ISTIO_IN_REDIRECT chain: redirects all inbound traffic to local port 15006; at this point the traffic has been successfully intercepted into the sidecar.< / span >
Chain ISTIO_IN_REDIRECT < span class = "token punctuation" > (< / span > < span class = "token number" > 3< / span > references< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > REDIRECT tcp -- any any anywhere anywhere redir ports < span class = "token number" > 15006< / span >
< span class = "token comment" > # ISTIO_OUTPUT chain: selects the outbound traffic that must be redirected to Envoy (i.e. localhost); all non-localhost traffic is forwarded to ISTIO_REDIRECT. To keep traffic from looping forever inside the Pod, everything that comes from the istio-proxy user space returns to the next rule at its call site, here the OUTPUT chain, and after leaving the ISTIO_OUTPUT rules the packet enters the next chain, POSTROUTING. If the destination is not localhost, jump to ISTIO_REDIRECT; if the traffic originates from the istio-proxy user space, leave this chain and return to the calling chain to continue with its next rule (the rule after OUTPUT's jump; the traffic needs no further processing); all traffic that is not from the istio-proxy user space and whose destination is not localhost jumps to ISTIO_REDIRECT.< / span >
Chain ISTIO_OUTPUT < span class = "token punctuation" > (< / span > < span class = "token number" > 1< / span > references< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > RETURN all -- any lo < span class = "token number" > 127.0< / span > .0.6 anywhere
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > ISTIO_IN_REDIRECT all -- any lo anywhere < span class = "token operator" > !< / span > localhost owner < span class = "token environment constant" > UID< / span > match < span class = "token number" > 1337< / span >
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > RETURN all -- any lo anywhere anywhere < span class = "token operator" > !< / span > owner < span class = "token environment constant" > UID< / span > match < span class = "token number" > 1337< / span >
< span class = "token number" > 15< / span > < span class = "token number" > 900< / span > RETURN all -- any any anywhere anywhere owner < span class = "token environment constant" > UID< / span > match < span class = "token number" > 1337< / span >
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > ISTIO_IN_REDIRECT all -- any lo anywhere < span class = "token operator" > !< / span > localhost owner GID match < span class = "token number" > 1337< / span >
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > RETURN all -- any lo anywhere anywhere < span class = "token operator" > !< / span > owner GID match < span class = "token number" > 1337< / span >
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > RETURN all -- any any anywhere anywhere owner GID match < span class = "token number" > 1337< / span >
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > RETURN all -- any any anywhere localhost
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > ISTIO_REDIRECT all -- any any anywhere anywhere
< span class = "token comment" > # ISTIO_REDIRECT chain: redirects all traffic to port 15001 of the sidecar (i.e. localhost).< / span >
Chain ISTIO_REDIRECT < span class = "token punctuation" > (< / span > < span class = "token number" > 1< / span > references< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< span class = "token number" > 0< / span > < span class = "token number" > 0< / span > REDIRECT tcp -- any any anywhere anywhere redir ports < span class = "token number" > 15001< / span >
< / code > < / pre >
< p > The figure below shows how, when < code > productpage< / code > requests < code > http://reviews.default.svc.cluster.local:9080/< / code > and the traffic enters the < code > reviews< / code > service, the sidecar proxy inside the < code > reviews< / code > Pod intercepts the traffic and forwards it. < / p >
< figure id = "fig6.3.2.5.2" > < a href = "../images/envoy-sidecar-traffic-interception-jimmysong-blog.png" data-lightbox = "95bab43a-8cba-4506-a896-055efce45a13" data-title = "Sidecar 流量劫持示意图" > < img src = "../images/envoy-sidecar-traffic-interception-jimmysong-blog.png" alt = "Sidecar 流量劫持示意图" > < / a > < figcaption > Figure 6.3.2.5.2: Sidecar traffic interception< / figcaption > < / figure >
< p > At the start of step 1, the sidecar in the < code > productpage< / code > Pod has already selected, via EDS, one of the < code > reviews< / code > service's Pods; knowing its IP address, it sends a TCP connection request. < / p >
< p > The < code > reviews< / code > service has three versions with one instance each. The sidecars in all three versions work the same way, so the text below walks through the traffic-forwarding steps of the sidecar in just one of the Pods. < / p >
< h3 id = "理解-iptables" > Understanding iptables< / h3 >
< p > < code > iptables< / code > is the userspace management tool for netfilter, the firewall in the Linux kernel, and is itself part of netfilter. Netfilter lives in kernel space and provides not only network address translation but also firewall functions such as packet content modification and packet filtering. < / p >
< p > Before looking at the iptables rules that the Init container sets up, let's first look at iptables and its rule configuration. < / p >
< p > The figure below shows the iptables call chain. < / p >
< figure id = "fig6.3.2.5.3" > < a href = "../images/iptables.jpg" data-lightbox = "68fa3e9e-32f0-4876-a0f6-53dbbb236fa2" data-title = "iptables 调用链" > < img src = "../images/iptables.jpg" alt = "iptables 调用链" > < / a > < figcaption > Figure 6.3.2.5.3: iptables call chain< / figcaption > < / figure >
< h3 id = "iptables-中的表" > Tables in iptables< / h3 >
< p > The iptables version used in the Init container is < code > v1.6.0< / code > , which contains five tables: < / p >
< ol >
< li > < code > raw< / code > is used to configure packets so that they are not tracked by the system. < / li >
< li > < code > filter< / code > is the default table, holding all firewall-related operations. < / li >
< li > < code > nat< / code > is used for < a href = "https://en.wikipedia.org/wiki/Network_address_translation" target = "_blank" > network address translation< / a > (for example, port forwarding). < / li >
< li > < code > mangle< / code > is used to modify specific packets (see < a href = "https://en.wikipedia.org/wiki/Mangled_packet" target = "_blank" > mangled packet< / a > ). < / li >
< li > < code > security< / code > is used for < a href = "https://wiki.archlinux.org/index.php/Security#Mandatory_access_control" target = "_blank" > mandatory access control< / a > network rules. < / li >
< / ol >
< p > < strong > Note< / strong > : only the < code > nat< / code > table is used in this example. < / p >
< p > The chains available in each table are shown below: < / p >
< table >
< thead >
< tr >
< th > Chain name< / th >
< th > raw< / th >
< th > filter< / th >
< th > nat< / th >
< th > mangle< / th >
< th > security< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > PREROUTING< / td >
< td > ✓ < / td >
< td > < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > < / td >
< / tr >
< tr >
< td > INPUT< / td >
< td > < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< / tr >
< tr >
< td > OUTPUT< / td >
< td > < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< / tr >
< tr >
< td > POSTROUTING< / td >
< td > < / td >
< td > < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > < / td >
< / tr >
< tr >
< td > FORWARD< / td >
< td > ✓ < / td >
< td > ✓ < / td >
< td > < / td >
< td > ✓ < / td >
< td > ✓ < / td >
< / tr >
< / tbody >
< / table >
< p > For a detailed introduction to iptables, see < a href = "https://www.aliang.org/Linux/iptables.html" target = "_blank" > Common iptables usage scenarios (in Chinese)< / a > . < / p >
< h3 id = "理解-iptables-规则" > Understanding iptables rules< / h3 >
< p > View the default iptables rules in the < code > istio-proxy< / code > container; by default the rules of the filter table are shown. < / p >
< pre class = "language-" > < code class = "lang-bash" > $ iptables -L -v
Chain INPUT < span class = "token punctuation" > (< / span > policy ACCEPT 350K packets, 63M bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
Chain FORWARD < span class = "token punctuation" > (< / span > policy ACCEPT < span class = "token number" > 0< / span > packets, < span class = "token number" > 0< / span > bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
Chain OUTPUT < span class = "token punctuation" > (< / span > policy ACCEPT 18M packets, 1916M bytes< span class = "token punctuation" > )< / span >
pkts bytes target prot opt < span class = "token keyword" > in< / span > out < span class = "token builtin class-name" > source< / span > destination
< / code > < / pre >
< p > We see three default chains, INPUT, FORWARD and OUTPUT. The first output line of each chain shows the chain name (here INPUT/FORWARD/OUTPUT) followed by the default policy (ACCEPT). < / p >
< p > The figure below shows the recommended structure of iptables. After passing through the INPUT chain, traffic enters the upper-layer protocol stack, such as < / p >
< p > Each chain can hold several rules, and rules are evaluated in order from first to last. Let's look at the rule header definitions. < / p >
< ul >
< li > < strong > pkts< / strong > : number of matching packets processed < / li >
< li > < strong > bytes< / strong > : cumulative size of the packets processed (in bytes) < / li >
< li > < strong > target< / strong > : the target that is executed if a packet matches the rule. < / li >
< li > < strong > prot< / strong > : protocol, for example < code > tcp< / code > , < code > udp< / code > , < code > icmp< / code > and < code > all< / code > . < / li >
< li > < strong > opt< / strong > : rarely used; this column shows IP options. < / li >
< li > < strong > in< / strong > : inbound network interface. < / li >
< li > < strong > out< / strong > : outbound network interface. < / li >
< li > < strong > source< / strong > : the source IP address or subnet of the traffic, or < code > anywhere< / code > . < / li >
< li > < strong > destination< / strong > : the destination IP address or subnet of the traffic, or < code > anywhere< / code > . < / li >
< / ul >
< p > There is one more column without a header, shown last, that holds the rule's options: extended match conditions that supplement the configuration in the preceding columns. < code > prot< / code > , < code > opt< / code > , < code > in< / code > , < code > out< / code > , < code > source< / code > and < code > destination< / code > , together with the headerless column of extended conditions after < code > destination< / code > , make up the match rule. When traffic matches these conditions, the < code > target< / code > is executed. < / p >
< p > For more on iptables rules, see < a href = "https://www.aliang.org/Linux/iptables.html" target = "_blank" > Common iptables usage scenarios (in Chinese)< / a > . < / p >
< p > < strong > Supported target types< / strong > < / p >
< p > < code > target< / code > types include < code > ACCEPT< / code > , < code > REJECT< / code > , < code > DROP< / code > , < code > LOG< / code > , < code > SNAT< / code > , < code > MASQUERADE< / code > , < code > DNAT< / code > , < code > REDIRECT< / code > , < code > RETURN< / code > , or a jump to another chain. When a chain is evaluated, its rules are checked in order and the first matching rule decides where the packet goes. The exception is the < code > RETURN< / code > type, which, like a < code > return< / code > statement in a programming language, goes back to the call site and continues with the next rule there. For a detailed explanation of the supported < code > target< / code > configurations, see < a href = "http://www.zsythink.net/archives/1199" target = "_blank" > iptables explained (1): iptables concepts (in Chinese)< / a > . < / p >
< p > The output shows that the Init container did not create any rules in the default iptables chains; instead it created new chains. < / p >
< h2 id = "流量路由过程详解" > Traffic routing process in detail< / h2 >
< p > Traffic routing consists of an Inbound and an Outbound process. Below, both are analysed in detail for the reader, based on the example above and the sidecar's configuration. < / p >
< h3 id = "理解-inbound-handler" > Understanding the Inbound Handler< / h3 >
< p > The Inbound handler's job is to hand the downstream traffic intercepted by iptables over to localhost and establish a connection with the application container in the Pod. Suppose one of the Pods is named < code > reviews-v1-54b8794ddf-jxksn< / code > ; run < code > istioctl proxy-config listener reviews-v1-54b8794ddf-jxksn< / code > to see which Listeners that Pod has. < / p >
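< p > To make these chain semantics concrete, here is an added example (not code from the page or from Istio) that walks constructed packets through the NAT chains transcribed from the listing above, including the ISTIO_* chains and the < code > RETURN< / code > behaviour just described. The packet fields, the default source address and the application UID used in tests are assumptions. < / p >

```python
"""Walk a packet through the NAT-table chains from the listing above.
Added example, not part of the original page: the chains are hand-transcribed
from the `iptables -t nat -L -v` output, and the evaluation loop mimics
netfilter's jump / RETURN / REDIRECT semantics."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISTIO_UID = 1337   # UID that pilot-agent and envoy run as ("owner UID match 1337")


@dataclass
class Packet:
    proto: str                    # "tcp", "udp", ...
    dst_ip: str
    dst_port: int
    src_ip: str = "172.17.0.15"   # constructed default: the reviews pod IP
    out_iface: str = "eth0"       # "lo" for loopback traffic
    uid: Optional[int] = None     # owner of the sending socket (OUTPUT hook only)
    gid: Optional[int] = None


@dataclass
class Rule:
    target: str                   # RETURN, REDIRECT, or a user chain to jump to
    proto: str = "all"
    out: str = "any"
    src: str = "anywhere"
    dst: str = "anywhere"
    dst_port: Optional[int] = None
    negate_dst: bool = False      # "! localhost" in the listing
    owner_uid: Optional[int] = None
    owner_gid: Optional[int] = None
    negate_owner: bool = False    # "! owner UID match 1337"
    redir_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if ((self.proto != "all" and self.proto != p.proto)
                or (self.out != "any" and self.out != p.out_iface)
                or (self.dst_port is not None and self.dst_port != p.dst_port)
                or (self.src != "anywhere" and self.src != p.src_ip)):
            return False
        if self.dst != "anywhere":
            want = "127.0.0.1" if self.dst == "localhost" else self.dst
            if (p.dst_ip == want) == self.negate_dst:
                return False
        if self.owner_uid is not None or self.owner_gid is not None:
            owned = ((self.owner_uid is not None and p.uid == self.owner_uid)
                     or (self.owner_gid is not None and p.gid == self.owner_gid))
            if owned == self.negate_owner:
                return False
        return True


# The nat table as listed above; INPUT and POSTROUTING hold no rules.
NAT: Dict[str, List[Rule]] = {
    "PREROUTING": [Rule("ISTIO_INBOUND", proto="tcp")],
    "OUTPUT": [Rule("ISTIO_OUTPUT", proto="tcp")],
    "ISTIO_INBOUND": [
        Rule("RETURN", proto="tcp", dst_port=22),       # dpt:ssh
        Rule("RETURN", proto="tcp", dst_port=15090),
        Rule("RETURN", proto="tcp", dst_port=15020),
        Rule("ISTIO_IN_REDIRECT", proto="tcp"),
    ],
    "ISTIO_IN_REDIRECT": [Rule("REDIRECT", proto="tcp", redir_port=15006)],
    "ISTIO_OUTPUT": [
        Rule("RETURN", out="lo", src="127.0.0.6"),
        Rule("ISTIO_IN_REDIRECT", out="lo", dst="localhost", negate_dst=True,
             owner_uid=ISTIO_UID),
        Rule("RETURN", out="lo", owner_uid=ISTIO_UID, negate_owner=True),
        Rule("RETURN", owner_uid=ISTIO_UID),             # Envoy's own egress
        Rule("ISTIO_IN_REDIRECT", out="lo", dst="localhost", negate_dst=True,
             owner_gid=ISTIO_UID),
        Rule("RETURN", out="lo", owner_gid=ISTIO_UID, negate_owner=True),
        Rule("RETURN", owner_gid=ISTIO_UID),
        Rule("RETURN", dst="localhost"),
        Rule("ISTIO_REDIRECT"),
    ],
    "ISTIO_REDIRECT": [Rule("REDIRECT", proto="tcp", redir_port=15001)],
}


def _walk(chain: str, p: Packet, trace: List[str]) -> Optional[int]:
    """First matching rule decides. RETURN (or falling off the end of a user
    chain) resumes with the caller's next rule; REDIRECT terminates."""
    for rule in NAT.get(chain, []):
        if not rule.matches(p):
            continue
        trace.append(f"{chain} -> {rule.target}")
        if rule.target == "RETURN":
            return None
        if rule.target == "REDIRECT":
            return rule.redir_port
        port = _walk(rule.target, p, trace)
        if port is not None:
            return port
    return None


def simulate(hook: str, p: Packet) -> Tuple[Optional[int], List[str]]:
    """hook is "PREROUTING" (packet from the network) or "OUTPUT" (packet sent
    by a local process). Returns (redirect port or None, trace of jumps)."""
    trace: List[str] = []
    return _walk(hook, p, trace), trace
```

< p > Calling < code > simulate("OUTPUT", ...)< / code > with < code > uid=ISTIO_UID< / code > shows the loop-avoidance rule at work: Envoy's own egress returns to OUTPUT and leaves the Pod unredirected, while the same packet from any other UID is sent to port 15001. < / p >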
< pre class = "language-" > < code class = "lang-ini" > ADDRESS PORT TYPE
172.17.0.15 9080 HTTP < --- receives all Inbound HTTP traffic; this address is the real listening address of the business process
172.17.0.15 15020 TCP < --- Ingress Gateway, Pilot health check
10.109.20.166 15012 TCP < --- Istiod http dns
10.103.34.135 14250 TCP < --+
10.103.34.135 14267 TCP |
10.103.34.135 14268 TCP |
10.104.122.175 15020 TCP |
10.104.122.175 15029 TCP |
10.104.122.175 15030 TCP |
10.104.122.175 15031 TCP |
10.104.122.175 15032 TCP |
10.104.122.175 15443 TCP |
10.104.122.175 31400 TCP | receives Outbound traffic paired with the 0.0.0.0:15006 listener
10.104.122.175 443 TCP |
10.104.62.18 15443 TCP |
10.104.62.18 443 TCP |
10.106.201.253 16686 TCP |
10.109.20.166 443 TCP |
10.96.0.1 443 TCP |
10.96.0.10 53 TCP |
10.96.0.10 9153 TCP |
10.98.184.149 15011 TCP |
10.98.184.149 15012 TCP |
10.98.184.149 443 TCP |
0.0.0.0 14250 TCP |
0.0.0.0 15010 TCP |
0.0.0.0 15014 TCP |
0.0.0.0 15090 HTTP |
0.0.0.0 20001 TCP |
0.0.0.0 3000 TCP |
0.0.0.0 80 TCP |
0.0.0.0 8080 TCP |
0.0.0.0 9080 TCP |
0.0.0.0 9090 TCP |
0.0.0.0 9411 TCP < --+
0.0.0.0 15001 TCP < --- receives all Outbound traffic intercepted by iptables and hands it to the virtual listeners
0.0.0.0 15006 TCP < --- receives all Inbound traffic intercepted by iptables and hands it to the virtual listeners
< / code > < / pre >
< p > When traffic from < code > productpage< / code > reaches the < code > reviews< / code > Pod, the downstream already knows that the Pod's IP address is < code > 172.17.0.16< / code > , which is why it accesses this Pod, so the request goes to < code > 172.17.0.15:9080< / code > . < / p >
< p > < strong > < code > virtualInbound< / code > Listener< / strong > < / p >
< p > From the Pod's Listener list we can see that the Listener on < code > 0.0.0.0:15006/TCP< / code > (whose actual name is < code > virtualInbound< / code > ) listens for all Inbound traffic; its detailed configuration follows. < / p >
< pre class = "language-" > < code class = "lang-json" > < span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " virtualInbound" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " address" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " socketAddress" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " address" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 0.0.0.0" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " portValue" < / span > < span class = "token operator" > :< / span > < span class = "token number" > 15006< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " filterChains" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " filters" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token comment" > /* part of the content omitted */< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " filterChainMatch" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " destinationPort" < / span > < span class = "token operator" > :< / span > < span class = "token number" > 9080< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " prefixRanges" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " addressPrefix" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 172.17.0.15" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " prefixLen" < / span > < span class = "token operator" > :< / span > < span class = "token number" > 32< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > ]< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " applicationProtocols" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token string" > " istio-peer-exchange" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio-http/1.0" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio-http/1.1" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio-h2" < / span >
< span class = "token punctuation" > ]< / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " filters" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " envoy.filters.network.metadata_exchange" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " config" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " protocol" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " istio-peer-exchange" < / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " envoy.http_connection_manager" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " typedConfig" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " @type" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " statPrefix" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " inbound_172.17.0.15_9080" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " routeConfig" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " inbound|9080|http|reviews.default.svc.cluster.local" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " virtualHosts" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " inbound|http|9080" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " domains" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token string" > " *" < / span >
< span class = "token punctuation" > ]< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " routes" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " default" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " match" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " prefix" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " /" < / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " route" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " cluster" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " inbound|9080|http|reviews.default.svc.cluster.local" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " timeout" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 0s" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " maxGrpcTimeout" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 0s" < / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " decorator" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " operation" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " reviews.default.svc.cluster.local:9080/*" < / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > ]< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > ]< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " validateClusters" < / span > < span class = "token operator" > :< / span > < span class = "token boolean" > false< / span >
< span class = "token punctuation" > }< / span >
< span class = "token comment" > /* part of the content omitted */< / span >
< span class = "token punctuation" > }< / span >
< / code > < / pre >
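< p > The following is an added example (not the page's or Envoy's code) that models how Envoy chooses a filter chain in this < code > virtualInbound< / code > listener, using its documented match precedence in simplified form. The chain transcribed from the listing above is combined with a constructed catch-all chain, and the connection fields are assumptions. < / p >

```python
"""Model which filter chain of the virtualInbound listener above accepts a
connection. Added example, not the page's or Envoy's code: it applies Envoy's
documented filter-chain precedence (destination port, destination IP prefix,
transport protocol, application protocol) in simplified form."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class FilterChain:
    name: str
    destination_port: Optional[int] = None
    prefix_ranges: List[str] = field(default_factory=list)          # CIDRs
    transport_protocol: Optional[str] = None                        # e.g. "tls"
    application_protocols: List[str] = field(default_factory=list)  # ALPN values


@dataclass
class Conn:
    dst_ip: str
    dst_port: int
    transport_protocol: str = "raw_buffer"   # "tls" once a ClientHello is seen
    alpn: Optional[str] = None               # ALPN the client negotiated, if any


# Transcribed from the filterChainMatch in the listing above; the passthrough
# chain is constructed here for contrast and is not shown on the page.
ISTIO_ALPN = ["istio-peer-exchange", "istio", "istio-http/1.0",
              "istio-http/1.1", "istio-h2"]
VIRTUAL_INBOUND = [
    FilterChain("inbound_172.17.0.15_9080", destination_port=9080,
                prefix_ranges=["172.17.0.15/32"], application_protocols=ISTIO_ALPN),
    FilterChain("passthrough (constructed)"),
]


def _narrow(chains: List[FilterChain], specific: Callable[[FilterChain], bool],
            wildcard: Callable[[FilterChain], bool]) -> List[FilterChain]:
    """One level of the hierarchy: keep chains with a specific match; only if
    there are none, fall back to chains that leave the criterion unset."""
    hits = [c for c in chains if specific(c)]
    return hits if hits else [c for c in chains if wildcard(c)]


def _prefix_len(chain: FilterChain, ip) -> int:
    """Longest prefix in the chain containing ip, or -1 if none contains it."""
    lens = [ipaddress.ip_network(r).prefixlen for r in chain.prefix_ranges
            if ip in ipaddress.ip_network(r)]
    return max(lens, default=-1)


def select_chain(chains: List[FilterChain], conn: Conn) -> Optional[str]:
    """Return the name of the chain Envoy would pick, or None when no chain
    matches (Envoy then closes the connection instead of passing it through)."""
    ip = ipaddress.ip_address(conn.dst_ip)
    cands = _narrow(chains, lambda c: c.destination_port == conn.dst_port,
                    lambda c: c.destination_port is None)
    best = max((_prefix_len(c, ip) for c in cands), default=-1)
    if best >= 0:
        cands = [c for c in cands if _prefix_len(c, ip) == best]
    else:
        cands = [c for c in cands if not c.prefix_ranges]
    cands = _narrow(cands, lambda c: c.transport_protocol == conn.transport_protocol,
                    lambda c: c.transport_protocol is None)
    cands = _narrow(cands,
                    lambda c: conn.alpn is not None and conn.alpn in c.application_protocols,
                    lambda c: not c.application_protocols)
    return cands[0].name if cands else None
```

< p > With only the chains modelled here, a connection to 172.17.0.15:9080 that does not present one of the Istio ALPN values matches no chain and is closed rather than handed to the catch-all chain, because the port and IP criteria have already narrowed the candidates; a connection to any other port falls through to the catch-all chain. < / p >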
< p > The Inbound handler's traffic is passed by the < code > virtualInbound< / code > Listener on to the < code > 172.17.0.15_9080< / code > Listener; let's look at that Listener's configuration. < / p >
< p > Run < code > istioctl pc listener reviews-v1-54b8794ddf-jxksn --address 172.17.0.15 --port 9080 -o json< / code > to view it. < / p >
< pre class = "language-" > < code class = "lang-json" > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 172.17.0.15_9080" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " address" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " socketAddress" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " address" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " 172.17.0.15" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " portValue" < / span > < span class = "token operator" > :< / span > < span class = "token number" > 9080< / span >
< span class = "token punctuation" > }< / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " filterChains" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " filterChainMatch" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
< span class = "token property" > " applicationProtocols" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token string" > " istio-peer-exchange" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio-http/1.0" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio-http/1.1" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token string" > " istio-h2" < / span >
< span class = "token punctuation" > ]< / span >
< span class = "token punctuation" > }< / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " filters" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > [< / span >
< span class = "token punctuation" > {< / span >
< span class = "token property" > " name" < / span > < span class = "token operator" > :< / span > < span class = "token string" > " envoy.http_connection_manager" < / span > < span class = "token punctuation" > ,< / span >
< span class = "token property" > " config" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
...
< span class = "token property" > " routeConfig" < / span > < span class = "token operator" > :< / span > < span class = "token punctuation" > {< / span >
        "name": "inbound|9080|http|reviews.default.svc.cluster.local",
        "virtualHosts": [
          {
            "name": "inbound|http|9080",
            "domains": [
              "*"
            ],
            "routes": [
              {
                "name": "default",
                "match": {
                  "prefix": "/"
                },
                "route": {
                  "cluster": "inbound|9080|http|reviews.default.svc.cluster.local",
                  "timeout": "0s",
                  "maxGrpcTimeout": "0s"
                },
                "decorator": {
                  "operation": "reviews.default.svc.cluster.local:9080/*"
                }
              }
            ]
          }
        ],
        ...
      }
      ...
    },
    {
      "filterChainMatch": {
        "transportProtocol": "tls"
      },
      "tlsContext": { ...
      },
      "filters": [ ...
      ]
    }
  ],
  ...
}]
</code></pre>
<p>Look at the <code>envoy.http_connection_manager</code> filter under <code>filterChains.filters</code>: its route configuration hands the traffic to the Cluster <code>inbound|9080|http|reviews.default.svc.cluster.local</code>.</p>
<p><strong><a href="https://www.servicemesher.com/istio-handbook/GLOSSARY.html#cluster" target="_blank">Cluster</a> <code>inbound|9080|http|reviews.default.svc.cluster.local</code></strong></p>
<p>Run <code>istioctl proxy-config cluster reviews-v1-54b8794ddf-jxksn --fqdn reviews.default.svc.cluster.local --direction inbound -o json</code> to dump that Cluster's configuration:</p>
<pre class="language-"><code class="lang-json">[
  {
    "name": "inbound|9080|http|reviews.default.svc.cluster.local",
    "type": "STATIC",
    "connectTimeout": "1s",
    "loadAssignment": {
      "clusterName": "inbound|9080|http|reviews.default.svc.cluster.local",
      "endpoints": [
        {
          "lbEndpoints": [
            {
              "endpoint": {
                "address": {
                  "socketAddress": {
                    "address": "127.0.0.1",
                    "portValue": 9080
                  }
                }
              }
            }
          ]
        }
      ]
    },
    "circuitBreakers": {
      "thresholds": [
        {
          "maxConnections": 4294967295,
          "maxPendingRequests": 4294967295,
          "maxRequests": 4294967295,
          "maxRetries": 4294967295
        }
      ]
    }
  }
]
</code></pre>
<p>The Cluster is <code>STATIC</code> with a single Endpoint, <code>127.0.0.1:9080</code>, which is the application container itself. The sidecar opens a connection to it; that connection traverses the iptables OUTPUT chain once more, but because it is sent to 127.0.0.1 by the sidecar's own user (UID 1337) the rules return it untouched instead of redirecting it again, and the application process listening on port 9080 consumes the request.</p>
<h3 id="理解-outbound-handler">Understanding the Outbound Handler</h3>
<p><code>reviews</code> sends HTTP requests to the <code>ratings</code> service at <code>http://ratings.default.svc.cluster.local:9080/</code>. The Outbound handler takes the traffic that iptables intercepted from the local application and lets the sidecar decide how to route it to the upstream.</p>
<p>Requests issued by the application container are Outbound traffic. iptables hijacks them (REDIRECT to the sidecar's port 15001) and hands them to the Outbound handler: the <code>virtualOutbound</code> Listener recovers the original destination and dispatches to the <code>0.0.0.0_9080</code> Listener, Route <code>9080</code> selects the upstream Cluster, and EDS resolves that Cluster to its Endpoints, where the request is finally sent.</p>
<p><strong>Route <code>ratings.default.svc.cluster.local:9080</code></strong></p>
<p><code>reviews</code> calls <code>ratings</code>, so run <code>istioctl proxy-config routes reviews-v1-54b8794ddf-jxksn --name 9080 -o json</code> to inspect the route configuration. The sidecar matches the request's <code>Host</code> (<code>:authority</code>) header against each VirtualHost's <code>domains</code> list, so only the <code>ratings.default.svc.cluster.local:9080</code> VirtualHost is shown below.</p>
<pre class="language-"><code class="lang-json">[
    {
      "name": "ratings.default.svc.cluster.local:9080",
      "domains": [
        "ratings.default.svc.cluster.local",
        "ratings.default.svc.cluster.local:9080",
        "ratings",
        "ratings:9080",
        "ratings.default.svc.cluster",
        "ratings.default.svc.cluster:9080",
        "ratings.default.svc",
        "ratings.default.svc:9080",
        "ratings.default",
        "ratings.default:9080",
        "10.98.49.62",
        "10.98.49.62:9080"
      ],
      "routes": [
        {
          "name": "default",
          "match": {
            "prefix": "/"
          },
          "route": {
            "cluster": "outbound|9080||ratings.default.svc.cluster.local",
            "timeout": "0s",
            "retryPolicy": {
              "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
              "numRetries": 2,
              "retryHostPredicate": [
                {
                  "name": "envoy.retry_host_predicates.previous_hosts"
                }
              ],
              "hostSelectionRetryMaxAttempts": "5",
              "retriableStatusCodes": [
                503
              ]
            },
            "maxGrpcTimeout": "0s"
          },
          "decorator": {
            "operation": "ratings.default.svc.cluster.local:9080/*"
          }
        }
      ]
    },
    ...
]
</code></pre>
<p>This VirtualHost routes the traffic to Cluster <code>outbound|9080||ratings.default.svc.cluster.local</code>. Outbound cluster names follow the pattern <code>outbound|port|subset|service</code>; the empty third field means no DestinationRule subset is selected here.</p>
<p><strong>Endpoint <code>outbound|9080||ratings.default.svc.cluster.local</code></strong></p>
<p>Run <code>istioctl proxy-config endpoint reviews-v1-54b8794ddf-jxksn --port 9080 -o json</code> to list the Endpoints; only the entry for Cluster <code>outbound|9080||ratings.default.svc.cluster.local</code> is shown:</p>
<pre class="language-"><code class="lang-json">{
  "clusterName": "outbound|9080||ratings.default.svc.cluster.local",
  "endpoints": [
    {
      "locality": {
      },
      "lbEndpoints": [
        {
          "endpoint": {
            "address": {
              "socketAddress": {
                "address": "172.33.100.2",
                "portValue": 9080
              }
            }
          },
          "metadata": {
            "filterMetadata": {
              "istio": {
                "uid": "kubernetes://ratings-v1-8558d4458d-ns6lk.default"
              }
            }
          }
        }
      ]
    }
  ]
}
</code></pre>
<p>A Cluster can have one or many Endpoints; the sidecar picks one according to the Cluster's load-balancing policy. With this, the <code>reviews</code> service has found the Endpoint of its upstream service <code>ratings</code>.</p>
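<p>The Outbound handler's decision chain described above (virtualOutbound Listener, per-port Listener, Route, VirtualHost, Cluster, EDS Endpoints) can be reproduced offline against the JSON that <code>istioctl proxy-config</code> prints. The following is an added example and not code from the handbook, Istio or Envoy; the dictionaries are a constructed subset shaped like the <code>listeners</code>, <code>routes</code> and <code>endpoints</code> output for the <code>reviews</code> pod, and the <code>allow_any</code> catch-all VirtualHost and <code>PassthroughCluster</code> are what Istio emits under its default <code>ALLOW_ANY</code> outbound policy.</p>

```python
"""Trace one outbound request through sidecar config the way the Outbound
handler does: Listener -> Route (VirtualHost domains) -> Cluster -> Endpoints.
Added example, not Istio/Envoy code; data below is a constructed subset shaped
like `istioctl proxy-config ... -o json` output for the bookinfo reviews pod."""

LISTENERS = [
    {   # iptables REDIRECTs outbound traffic to 15001; this listener owns it
        "name": "virtualOutbound",
        "address": {"socketAddress": {"address": "0.0.0.0", "portValue": 15001}},
        "useOriginalDst": True,
    },
    {   # one listener per service port, reached via the original destination
        "name": "0.0.0.0_9080",
        "address": {"socketAddress": {"address": "0.0.0.0", "portValue": 9080}},
        "filterChains": [{"filters": [{
            "name": "envoy.http_connection_manager",
            "typedConfig": {"rds": {"routeConfigName": "9080"}}}]}],
    },
]

ROUTES = [{"name": "9080", "virtualHosts": [
    {"name": "ratings.default.svc.cluster.local:9080",
     "domains": ["ratings.default.svc.cluster.local",
                 "ratings.default.svc.cluster.local:9080", "ratings",
                 "ratings:9080", "10.98.49.62", "10.98.49.62:9080"],
     "routes": [{"match": {"prefix": "/"}, "route": {
         "cluster": "outbound|9080||ratings.default.svc.cluster.local"}}]},
    {"name": "allow_any", "domains": ["*"],   # Istio's ALLOW_ANY catch-all
     "routes": [{"match": {"prefix": "/"},
                 "route": {"cluster": "PassthroughCluster"}}]},
]}]

ENDPOINTS = [{
    "clusterName": "outbound|9080||ratings.default.svc.cluster.local",
    "endpoints": [{"lbEndpoints": [{"endpoint": {"address": {
        "socketAddress": {"address": "172.33.100.2", "portValue": 9080}}}}]}]}]


def select_listener(listeners, ip, port):
    """Envoy dispatches on the original destination: exact ip:port first,
    otherwise the 0.0.0.0 wildcard listener for that port."""
    by_addr = {}
    for lst in listeners:
        sa = lst["address"]["socketAddress"]
        by_addr[(sa["address"], sa["portValue"])] = lst
    return by_addr.get((ip, port)) or by_addr.get(("0.0.0.0", port))


def route_config_name(listener):
    """RDS route configuration referenced by the listener's HTTP filter."""
    for chain in listener.get("filterChains", []):
        for flt in chain["filters"]:
            if flt["name"] == "envoy.http_connection_manager":
                return flt["typedConfig"]["rds"]["routeConfigName"]
    return None


def match_virtual_host(route_config, authority):
    """Match Host/:authority against the domains lists in Envoy's precedence:
    exact, then longest '*suffix' wildcard, then the bare '*'."""
    suffix_hit, catch_all = None, None
    for vh in route_config["virtualHosts"]:
        for dom in vh["domains"]:
            if dom == authority:
                return vh
            if dom == "*":
                catch_all = vh
            elif dom.startswith("*") and authority.endswith(dom[1:]):
                if suffix_hit is None or len(dom) > len(suffix_hit[0]):
                    suffix_hit = (dom, vh)
    return suffix_hit[1] if suffix_hit else catch_all


def match_route(virtual_host, path):
    """First route whose prefix or exact-path match accepts the request path."""
    for route in virtual_host["routes"]:
        m = route["match"]
        if ("prefix" in m and path.startswith(m["prefix"])) or m.get("path") == path:
            return route
    return None


def resolve_endpoints(endpoints, cluster_name):
    """EDS step: (ip, port) of every lb endpoint registered for the cluster."""
    for cla in endpoints:
        if cla["clusterName"] == cluster_name:
            return [(e["endpoint"]["address"]["socketAddress"]["address"],
                     e["endpoint"]["address"]["socketAddress"]["portValue"])
                    for group in cla["endpoints"] for e in group["lbEndpoints"]]
    return []


def trace(dst_ip, dst_port, authority, path,
          listeners=LISTENERS, routes=ROUTES, endpoints=ENDPOINTS):
    """Follow one hijacked request hop by hop and return the decisions made."""
    entry = select_listener(listeners, "0.0.0.0", 15001)
    if entry is None or not entry.get("useOriginalDst"):
        raise RuntimeError("virtualOutbound missing or not using original dst")
    listener = select_listener(listeners, dst_ip, dst_port)
    if listener is None:   # no per-port listener: virtualOutbound's TCP proxy passes it through
        return {"listener": entry["name"], "cluster": "PassthroughCluster", "endpoints": []}
    rc = next(r for r in routes if r["name"] == route_config_name(listener))
    vh = match_virtual_host(rc, authority)
    route = match_route(vh, path) if vh else None
    if route is None:
        return {"listener": listener["name"], "cluster": None, "endpoints": []}
    cluster = route["route"]["cluster"]
    return {"listener": listener["name"], "route_config": rc["name"],
            "virtual_host": vh["name"], "cluster": cluster,
            "endpoints": resolve_endpoints(endpoints, cluster)}


if __name__ == "__main__":
    print(trace("10.98.49.62", 9080, "ratings.default.svc.cluster.local:9080", "/ratings/0"))
```

<p>To run it against a live pod, replace the three constants with <code>json.load</code> of the corresponding <code>istioctl proxy-config ... -o json</code> dumps; the hop where the result diverges from expectation (no listener for the port, a catch-all VirtualHost instead of the service's own, an empty endpoint list) is the layer to debug.</p>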
<h2 id="小结">Summary</h2>
<p>Using Istio's official bookinfo sample, this article walked through the implementation details behind sidecar injection, transparent traffic hijacking with iptables, and traffic routing inside the sidecar. The sidecar pattern and transparent hijacking are the distinguishing, foundational features of the Istio service mesh; understanding how they work will help you follow the principles of Service Mesh and the later chapters of the <a href="https://www.servicemesher.com/istio-handbook/" target="_blank">Istio Handbook</a>, so readers are encouraged to reproduce the experiment from scratch in their own environment.</p>
<p>iptables is only one of the ways a service mesh data plane can hijack traffic; there are others. The following is quoted from the <a href="https://mosn.io/zh/docs/concept/traffic-hijack/" target="_blank">traffic hijacking</a> section of the documentation of the cloud-native network proxy MOSN.</p>
<h3 id="使用-iptables-做流量劫持时存在的问题">Problems with using iptables for traffic hijacking</h3>
<p>Istio currently implements transparent hijacking with iptables, which has three main problems:</p>
<ol>
<li>It relies on the conntrack module for connection tracking. With a large number of connections this is costly and the tracking table may fill up; to avoid this, some in the industry disable conntrack.</li>
<li>iptables is a commonly used module that takes effect globally; related modifications cannot be explicitly prohibited, so it is hard to govern.</li>
<li>iptables redirection essentially exchanges data over loopback, so outbound traffic traverses the protocol stack twice, which costs forwarding performance under high concurrency.</li>
</ol>
<p>These problems do not exist in every scenario. Where there are few connections and the NAT table is not otherwise used, iptables is a simple solution that meets the requirements. To fit a wider range of scenarios, transparent hijacking needs to solve the three problems above.</p>
<h3 id="透明劫持方案优化">Optimizing the transparent hijacking scheme</h3>
<p><strong>Using tproxy for inbound traffic</strong></p>
<p>tproxy can redirect inbound traffic without changing the destination IP/port in the packet and without connection tracking, so the conntrack module does not create large numbers of entries. Limited by the kernel version, applying tproxy to outbound traffic has certain shortcomings. Istio currently supports handling inbound traffic with tproxy.</p>
<p><strong>Using hook connect for outbound traffic</strong></p>
<p>To fit more scenarios, the outbound direction is implemented by hooking connect; the principle is as follows:</p>
<figure id="fig6.3.2.5.4"><img src="../images/hook-connect.jpg" alt="How hook-connect works"><figcaption>Figure 6.3.2.5.4: How hook-connect works</figcaption></figure>
<p>Whichever transparent hijacking scheme is used, the real destination IP/port has to be recovered. The iptables scheme obtains it with getsockopt, tproxy can read the destination address directly, and the hook connect scheme, by modifying the call interface, reads it in a way similar to tproxy.</p>
<p>Once transparent hijacking is in place, and provided the kernel version is recent enough (4.16 or later), sockmap can shorten the path packets travel and thus improve forwarding performance in the outbound direction.</p>
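<p>The quoted passage says the iptables scheme recovers the real destination "with getsockopt" while tproxy reads it directly; concretely, a REDIRECTed connection has had its destination rewritten to the proxy port, so the proxy asks conntrack for the original tuple with <code>getsockopt(SO_ORIGINAL_DST)</code> (which is what Envoy's <code>original_dst</code> listener filter does), whereas under TPROXY the accepted socket's own local address already is the real destination. The following is an added example, not code from Istio, Envoy or MOSN; the constant values are the Linux kernel's, and the sample sockaddr is constructed for the ratings ClusterIP from the article.</p>

```python
"""Recover the real destination of a hijacked connection under iptables
REDIRECT (conntrack lookup) versus TPROXY (no lookup needed).
Added example, not Istio/Envoy/MOSN code."""
import socket
import struct

SO_ORIGINAL_DST = 80        # linux/netfilter_ipv4.h, optname at level IPPROTO_IP
IP6T_SO_ORIGINAL_DST = 80   # linux/netfilter_ipv6/ip6_tables.h, level IPPROTO_IPV6


def parse_sockaddr(buf):
    """Decode struct sockaddr_in (16 bytes) or sockaddr_in6 (28 bytes) as the
    kernel returns it: sa_family in host byte order, port big-endian."""
    (family,) = struct.unpack_from("=H", buf, 0)
    (port,) = struct.unpack_from("!H", buf, 2)
    if family == socket.AF_INET:
        return socket.inet_ntop(socket.AF_INET, buf[4:8]), port
    if family == socket.AF_INET6:            # skip the 4-byte sin6_flowinfo
        return socket.inet_ntop(socket.AF_INET6, buf[8:24]), port
    raise ValueError(f"unexpected address family {family}")


def pack_sockaddr(ip, port):
    """Inverse of parse_sockaddr; used here only to build constructed input."""
    if ":" in ip:
        return (struct.pack("=H", socket.AF_INET6) + struct.pack("!H", port)
                + bytes(4) + socket.inet_pton(socket.AF_INET6, ip) + bytes(4))
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_pton(socket.AF_INET, ip) + bytes(8))


def original_destination_redirect(conn):
    """iptables REDIRECT mode: conn was accepted on the proxy port (15001 or
    15006 in Istio); ask conntrack what the client really connected to."""
    if conn.family == socket.AF_INET6:
        raw = conn.getsockopt(socket.IPPROTO_IPV6, IP6T_SO_ORIGINAL_DST, 28)
    else:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr(raw)


def original_destination_tproxy(conn):
    """TPROXY mode: the packet's destination was never rewritten, so the
    accepted socket's local address is the real destination; no conntrack."""
    ip, port = conn.getsockname()[:2]
    return ip, port


if __name__ == "__main__":
    # constructed sample: what SO_ORIGINAL_DST returns for a request the app
    # sent to the ratings ClusterIP before iptables redirected it to 15001
    print(parse_sockaddr(pack_sockaddr("10.98.49.62", 9080)))
```

<p>The difference between the two functions is the security trade-off behind the quoted text: <code>original_destination_redirect</code> depends on a conntrack entry existing for every hijacked connection, while <code>original_destination_tproxy</code> does not, but a TPROXY listener must set <code>IP_TRANSPARENT</code> on its socket, which requires <code>CAP_NET_ADMIN</code>, so Istio's TPROXY interception mode runs the sidecar with more privilege than REDIRECT mode.</p>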
<h2 id="参考">References</h2>
<ul>
<li><a href="https://istio.io/docs/ops/diagnostic-tools/proxy-cmd/" target="_blank">Debugging Envoy and Istiod - istio.io</a></li>
<li><a href="https://istio.io/zh/blog/2019/data-plane-setup/" target="_blank">Demystifying Istio's Sidecar Injection Model - istio.io</a></li>
<li><a href="https://mosn.io/zh/docs/concept/traffic-hijack/" target="_blank">Traffic hijacking when MOSN is used as a sidecar - mosn.io</a></li>
</ul>
<footer class="page-footer"><span class="copyright"><a href="https://cloudnative.to/contact/" target="_blank">Join the Cloud Native Community · Write a New Chapter of Cloud Native Together</a> Copyright © 2017-2020 | Distributed under <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh" target="_blank">CC BY 4.0</a> | <a href="https://jimmysong.io" target="_blank">jimmysong.io</a> all rights reserved, powered by Gitbook</span> <span class="footer-modification">Updated at 2020-07-24 02:05:05</span></footer>
< / section >
< / div >
< / div >
< / div >
< / div >
< / div >
< / div >
< / div >
< / body >
< / html >