kubernetes-handbook/usecases/understand-sidecar-injectio...

5223 lines
310 KiB
HTML
Raw Normal View History

<!DOCTYPE HTML>
<html lang="zh-hans" >
<head>
<meta charset="UTF-8">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Sidecar 的注入与透明流量劫持 · Kubernetes 中文指南——云原生应用架构实战手册</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="generator" content="GitBook 3.2.3">
<meta name="author" content="宋净超Jimmy Song">
<link rel="stylesheet" href="../gitbook/style.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-splitter/splitter.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-page-toc-button/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-image-captions/image-captions.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-back-to-top-button/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-search-plus/search.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-tbfed-pagefooter/footer.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-prism/prism-ghcolors.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-lightbox/css/lightbox.min.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-expandable-chapters-small/expandable-chapters-small.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-insert-logo/plugin.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
<meta name="HandheldFriendly" content="true"/>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
<link rel="next" href="istio-traffic-routing.html" />
<link rel="prev" href="sidecar-spec-in-istio.html" />
<link rel="shortcut icon" href='../favicon.ico' type="image/x-icon">
<link rel="bookmark" href='../favicon.ico' type="image/x-icon">
<style>
@media only screen and (max-width: 640px) {
.book-header .hidden-mobile {
display: none;
}
}
</style>
<script>
window["gitbook-plugin-github-buttons"] = {"repo":"rootsongjc/kubernetes-handbook","types":["star"],"size":"small"};
</script>
</head>
<body>
<div class="book">
<div class="book-summary">
<div id="book-search-input" role="search">
<input type="text" placeholder="输入并搜索" />
</div>
<nav role="navigation">
<ul class="summary">
<li>
<a href="https://jimmysong.io" target="_blank" class="custom-link">回到主页</a>
</li>
<li>
<a href="https://lib.jimmysong.io" target="_blank" class="custom-link">云原生资料库</a>
</li>
<li>
<a href="https://jimmysong.io/awesome-cloud-native/" target="_blank" class="custom-link">云原生开源项目大全</a>
</li>
<li>
<a href="https://cloudnative.to" target="_blank" class="custom-link">云原生社区</a>
</li>
<li class="divider"></li>
<li class="header">前言</li>
<li class="chapter " data-level="1.1" data-path="../">
<a href="../">
<b>1.1.</b>
序言
</a>
</li>
<li class="header">云原生</li>
<li class="chapter " data-level="2.1" data-path="../cloud-native/cloud-native-definition.html">
<a href="../cloud-native/cloud-native-definition.html">
<b>2.1.</b>
云原生的定义
</a>
</li>
<li class="chapter " data-level="2.2" data-path="../cloud-native/cloud-native-philosophy.html">
<a href="../cloud-native/cloud-native-philosophy.html">
<b>2.2.</b>
云原生的设计哲学
</a>
</li>
<li class="chapter " data-level="2.3" data-path="../cloud-native/kubernetes-history.html">
<a href="../cloud-native/kubernetes-history.html">
<b>2.3.</b>
Kubernetes 的诞生
</a>
</li>
<li class="chapter " data-level="2.4" data-path="../cloud-native/kubernetes-and-cloud-native-app-overview.html">
<a href="../cloud-native/kubernetes-and-cloud-native-app-overview.html">
<b>2.4.</b>
Kubernetes 与云原生应用概览
</a>
</li>
<li class="chapter " data-level="2.5" data-path="../cloud-native/from-kubernetes-to-cloud-native.html">
<a href="../cloud-native/from-kubernetes-to-cloud-native.html">
<b>2.5.</b>
云原生应用之路 —— 从 Kubernetes 到云原生
</a>
</li>
<li class="chapter " data-level="2.6" data-path="../cloud-native/define-cloud-native-app.html">
<a href="../cloud-native/define-cloud-native-app.html">
<b>2.6.</b>
定义云原生应用
</a>
<ul class="articles">
<li class="chapter " data-level="2.6.1" data-path="../cloud-native/oam.html">
<a href="../cloud-native/oam.html">
<b>2.6.1.</b>
OAM
</a>
<ul class="articles">
<li class="chapter " data-level="2.6.1.1" data-path="../cloud-native/workload.html">
<a href="../cloud-native/workload.html">
<b>2.6.1.1.</b>
Workload
</a>
</li>
<li class="chapter " data-level="2.6.1.2" data-path="../cloud-native/component.html">
<a href="../cloud-native/component.html">
<b>2.6.1.2.</b>
Component
</a>
</li>
<li class="chapter " data-level="2.6.1.3" data-path="../cloud-native/trait.html">
<a href="../cloud-native/trait.html">
<b>2.6.1.3.</b>
Trait
</a>
</li>
<li class="chapter " data-level="2.6.1.4" data-path="../cloud-native/application-scope.html">
<a href="../cloud-native/application-scope.html">
<b>2.6.1.4.</b>
Application Scope
</a>
</li>
<li class="chapter " data-level="2.6.1.5" data-path="../cloud-native/application-configuration.html">
<a href="../cloud-native/application-configuration.html">
<b>2.6.1.5.</b>
Application Configuration
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="2.6.2" data-path="../cloud-native/crossplane.html">
<a href="../cloud-native/crossplane.html">
<b>2.6.2.</b>
Crossplane
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="2.7" data-path="../cloud-native/cloud-native-programming-languages.html">
<a href="../cloud-native/cloud-native-programming-languages.html">
<b>2.7.</b>
云原生平台配置语言
</a>
<ul class="articles">
<li class="chapter " data-level="2.7.1" data-path="../cloud-native/cloud-native-programming-language-ballerina.html">
<a href="../cloud-native/cloud-native-programming-language-ballerina.html">
<b>2.7.1.</b>
Ballerina
</a>
</li>
<li class="chapter " data-level="2.7.2" data-path="../cloud-native/cloud-native-programming-language-pulumi.html">
<a href="../cloud-native/cloud-native-programming-language-pulumi.html">
<b>2.7.2.</b>
Pulumi
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="2.8" data-path="../cloud-native/the-future-of-cloud-native.html">
<a href="../cloud-native/the-future-of-cloud-native.html">
<b>2.8.</b>
云原生的未来
</a>
</li>
<li class="header">快速入门</li>
<li class="chapter " data-level="3.1" data-path="../cloud-native/quick-start.html">
<a href="../cloud-native/quick-start.html">
<b>3.1.</b>
云原生新手入门指南
</a>
</li>
<li class="chapter " data-level="3.2" data-path="../cloud-native/play-with-kubernetes.html">
<a href="../cloud-native/play-with-kubernetes.html">
<b>3.2.</b>
Play with Kubernetes
</a>
</li>
<li class="chapter " data-level="3.3" data-path="../cloud-native/cloud-native-local-quick-start.html">
<a href="../cloud-native/cloud-native-local-quick-start.html">
<b>3.3.</b>
快速部署一个云原生本地实验环境
</a>
</li>
<li class="chapter " data-level="3.4" data-path="../cloud-native/setup-kubernetes-with-rancher-and-aliyun.html">
<a href="../cloud-native/setup-kubernetes-with-rancher-and-aliyun.html">
<b>3.4.</b>
使用 Rancher 在阿里云上部署 Kubenretes 集群
</a>
</li>
<li class="header">概念与原理</li>
<li class="chapter " data-level="4.1" data-path="../concepts/">
<a href="../concepts/">
<b>4.1.</b>
Kubernetes 架构
</a>
<ul class="articles">
<li class="chapter " data-level="4.1.1" data-path="../concepts/concepts.html">
<a href="../concepts/concepts.html">
<b>4.1.1.</b>
Kubernetes 的设计理念
</a>
</li>
<li class="chapter " data-level="4.1.2" data-path="../concepts/etcd.html">
<a href="../concepts/etcd.html">
<b>4.1.2.</b>
Etcd 解析
</a>
</li>
<li class="chapter " data-level="4.1.3" data-path="../concepts/open-interfaces.html">
<a href="../concepts/open-interfaces.html">
<b>4.1.3.</b>
开放接口
</a>
<ul class="articles">
<li class="chapter " data-level="4.1.3.1" data-path="../concepts/cri.html">
<a href="../concepts/cri.html">
<b>4.1.3.1.</b>
容器运行时接口CRI
</a>
</li>
<li class="chapter " data-level="4.1.3.2" data-path="../concepts/cni.html">
<a href="../concepts/cni.html">
<b>4.1.3.2.</b>
容器网络接口CNI
</a>
</li>
<li class="chapter " data-level="4.1.3.3" data-path="../concepts/csi.html">
<a href="../concepts/csi.html">
<b>4.1.3.3.</b>
容器存储接口CSI
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.1.4" data-path="../concepts/objects.html">
<a href="../concepts/objects.html">
<b>4.1.4.</b>
Kubernetes 中的资源对象
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.2" data-path="../concepts/pod-state-and-lifecycle.html">
<a href="../concepts/pod-state-and-lifecycle.html">
<b>4.2.</b>
Pod 状态与生命周期管理
</a>
<ul class="articles">
<li class="chapter " data-level="4.2.1" data-path="../concepts/pod-overview.html">
<a href="../concepts/pod-overview.html">
<b>4.2.1.</b>
Pod 概览
</a>
</li>
<li class="chapter " data-level="4.2.2" data-path="../concepts/pod.html">
<a href="../concepts/pod.html">
<b>4.2.2.</b>
Pod 解析
</a>
</li>
<li class="chapter " data-level="4.2.3" data-path="../concepts/init-containers.html">
<a href="../concepts/init-containers.html">
<b>4.2.3.</b>
Init 容器
</a>
</li>
<li class="chapter " data-level="4.2.4" data-path="../concepts/pause-container.html">
<a href="../concepts/pause-container.html">
<b>4.2.4.</b>
Pause 容器
</a>
</li>
<li class="chapter " data-level="4.2.5" data-path="../concepts/pod-security-policy.html">
<a href="../concepts/pod-security-policy.html">
<b>4.2.5.</b>
Pod 安全策略
</a>
</li>
<li class="chapter " data-level="4.2.6" data-path="../concepts/pod-lifecycle.html">
<a href="../concepts/pod-lifecycle.html">
<b>4.2.6.</b>
Pod 的生命周期
</a>
</li>
<li class="chapter " data-level="4.2.7" data-path="../concepts/pod-hook.html">
<a href="../concepts/pod-hook.html">
<b>4.2.7.</b>
Pod Hook
</a>
</li>
<li class="chapter " data-level="4.2.8" data-path="../concepts/pod-preset.html">
<a href="../concepts/pod-preset.html">
<b>4.2.8.</b>
Pod Preset
</a>
</li>
<li class="chapter " data-level="4.2.9" data-path="../concepts/pod-disruption-budget.html">
<a href="../concepts/pod-disruption-budget.html">
<b>4.2.9.</b>
Pod 中断与 PDBPod 中断预算)
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.3" data-path="../concepts/cluster.html">
<a href="../concepts/cluster.html">
<b>4.3.</b>
集群资源管理
</a>
<ul class="articles">
<li class="chapter " data-level="4.3.1" data-path="../concepts/node.html">
<a href="../concepts/node.html">
<b>4.3.1.</b>
Node
</a>
</li>
<li class="chapter " data-level="4.3.2" data-path="../concepts/namespace.html">
<a href="../concepts/namespace.html">
<b>4.3.2.</b>
Namespace
</a>
</li>
<li class="chapter " data-level="4.3.3" data-path="../concepts/label.html">
<a href="../concepts/label.html">
<b>4.3.3.</b>
Label
</a>
</li>
<li class="chapter " data-level="4.3.4" data-path="../concepts/annotation.html">
<a href="../concepts/annotation.html">
<b>4.3.4.</b>
Annotation
</a>
</li>
<li class="chapter " data-level="4.3.5" data-path="../concepts/taint-and-toleration.html">
<a href="../concepts/taint-and-toleration.html">
<b>4.3.5.</b>
Taint 和 Toleration污点和容忍
</a>
</li>
<li class="chapter " data-level="4.3.6" data-path="../concepts/garbage-collection.html">
<a href="../concepts/garbage-collection.html">
<b>4.3.6.</b>
垃圾收集
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.4" data-path="../concepts/controllers.html">
<a href="../concepts/controllers.html">
<b>4.4.</b>
控制器
</a>
<ul class="articles">
<li class="chapter " data-level="4.4.1" data-path="../concepts/deployment.html">
<a href="../concepts/deployment.html">
<b>4.4.1.</b>
Deployment
</a>
</li>
<li class="chapter " data-level="4.4.2" data-path="../concepts/statefulset.html">
<a href="../concepts/statefulset.html">
<b>4.4.2.</b>
StatefulSet
</a>
</li>
<li class="chapter " data-level="4.4.3" data-path="../concepts/daemonset.html">
<a href="../concepts/daemonset.html">
<b>4.4.3.</b>
DaemonSet
</a>
</li>
<li class="chapter " data-level="4.4.4" data-path="../concepts/replicaset.html">
<a href="../concepts/replicaset.html">
<b>4.4.4.</b>
ReplicationController 和 ReplicaSet
</a>
</li>
<li class="chapter " data-level="4.4.5" data-path="../concepts/job.html">
<a href="../concepts/job.html">
<b>4.4.5.</b>
Job
</a>
</li>
<li class="chapter " data-level="4.4.6" data-path="../concepts/cronjob.html">
<a href="../concepts/cronjob.html">
<b>4.4.6.</b>
CronJob
</a>
</li>
<li class="chapter " data-level="4.4.7" data-path="../concepts/horizontal-pod-autoscaling.html">
<a href="../concepts/horizontal-pod-autoscaling.html">
<b>4.4.7.</b>
Horizontal Pod Autoscaling
</a>
<ul class="articles">
<li class="chapter " data-level="4.4.7.1" data-path="../concepts/custom-metrics-hpa.html">
<a href="../concepts/custom-metrics-hpa.html">
<b>4.4.7.1.</b>
自定义指标 HPA
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.4.8" data-path="../concepts/admission-controller.html">
<a href="../concepts/admission-controller.html">
<b>4.4.8.</b>
准入控制器Admission Controller
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.5" data-path="../concepts/service-discovery.html">
<a href="../concepts/service-discovery.html">
<b>4.5.</b>
服务发现与路由
</a>
<ul class="articles">
<li class="chapter " data-level="4.5.1" data-path="../concepts/service.html">
<a href="../concepts/service.html">
<b>4.5.1.</b>
Service
</a>
</li>
<li class="chapter " data-level="4.5.2" data-path="../concepts/topology-aware-routing.html">
<a href="../concepts/topology-aware-routing.html">
<b>4.5.2.</b>
拓扑感知路由
</a>
</li>
<li class="chapter " data-level="4.5.3" data-path="../concepts/ingress.html">
<a href="../concepts/ingress.html">
<b>4.5.3.</b>
Ingress
</a>
<ul class="articles">
<li class="chapter " data-level="4.5.3.1" data-path="../concepts/traefik-ingress-controller.html">
<a href="../concepts/traefik-ingress-controller.html">
<b>4.5.3.1.</b>
Traefik Ingress Controller
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.5.4" data-path="../concepts/gateway.html">
<a href="../concepts/gateway.html">
<b>4.5.4.</b>
Gateway
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.6" data-path="../concepts/authentication-and-permission.html">
<a href="../concepts/authentication-and-permission.html">
<b>4.6.</b>
身份与权限控制
</a>
<ul class="articles">
<li class="chapter " data-level="4.6.1" data-path="../concepts/serviceaccount.html">
<a href="../concepts/serviceaccount.html">
<b>4.6.1.</b>
ServiceAccount
</a>
</li>
<li class="chapter " data-level="4.6.2" data-path="../concepts/rbac.html">
<a href="../concepts/rbac.html">
<b>4.6.2.</b>
基于角色的访问控制RBAC
</a>
</li>
<li class="chapter " data-level="4.6.3" data-path="../concepts/network-policy.html">
<a href="../concepts/network-policy.html">
<b>4.6.3.</b>
NetworkPolicy
</a>
</li>
<li class="chapter " data-level="4.6.4" data-path="../concepts/spiffe.html">
<a href="../concepts/spiffe.html">
<b>4.6.4.</b>
SPIFFE
</a>
<ul class="articles">
<li class="chapter " data-level="4.6.4.1" data-path="../concepts/spire.html">
<a href="../concepts/spire.html">
<b>4.6.4.1.</b>
SPIRE
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="4.7" data-path="../concepts/networking.html">
<a href="../concepts/networking.html">
<b>4.7.</b>
网络
</a>
<ul class="articles">
<li class="chapter " data-level="4.7.1" data-path="../concepts/flannel.html">
<a href="../concepts/flannel.html">
<b>4.7.1.</b>
扁平网络 Flannel
</a>
</li>
<li class="chapter " data-level="4.7.2" data-path="../concepts/calico.html">
<a href="../concepts/calico.html">
<b>4.7.2.</b>
非 Overlay 扁平网络 Calico
</a>
</li>
<li class="chapter " data-level="4.7.3" data-path="../concepts/cilium.html">
<a href="../concepts/cilium.html">
<b>4.7.3.</b>
基于 eBPF 的网络 Cilium
</a>
<ul class="articles">
<li class="chapter " data-level="4.7.3.1" data-path="../concepts/cilium-concepts.html">
<a href="../concepts/cilium-concepts.html">
<b>4.7.3.1.</b>
Cilium 架构设计与概念解析
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="4.8" data-path="../concepts/storage.html">
<a href="../concepts/storage.html">
<b>4.8.</b>
存储
</a>
<ul class="articles">
<li class="chapter " data-level="4.8.1" data-path="../concepts/secret.html">
<a href="../concepts/secret.html">
<b>4.8.1.</b>
Secret
</a>
</li>
<li class="chapter " data-level="4.8.2" data-path="../concepts/configmap.html">
<a href="../concepts/configmap.html">
<b>4.8.2.</b>
ConfigMap
</a>
<ul class="articles">
<li class="chapter " data-level="4.8.2.1" data-path="../concepts/configmap-hot-update.html">
<a href="../concepts/configmap-hot-update.html">
<b>4.8.2.1.</b>
ConfigMap 的热更新
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.8.3" data-path="../concepts/volume.html">
<a href="../concepts/volume.html">
<b>4.8.3.</b>
Volume
</a>
</li>
<li class="chapter " data-level="4.8.4" data-path="../concepts/persistent-volume.html">
<a href="../concepts/persistent-volume.html">
<b>4.8.4.</b>
持久化卷Persistent Volume
</a>
</li>
<li class="chapter " data-level="4.8.5" data-path="../concepts/storageclass.html">
<a href="../concepts/storageclass.html">
<b>4.8.5.</b>
Storage Class
</a>
</li>
<li class="chapter " data-level="4.8.6" data-path="../concepts/local-persistent-storage.html">
<a href="../concepts/local-persistent-storage.html">
<b>4.8.6.</b>
本地持久化存储
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.9" data-path="../concepts/extension.html">
<a href="../concepts/extension.html">
<b>4.9.</b>
集群扩展
</a>
<ul class="articles">
<li class="chapter " data-level="4.9.1" data-path="../concepts/custom-resource.html">
<a href="../concepts/custom-resource.html">
<b>4.9.1.</b>
使用自定义资源扩展 API
</a>
</li>
<li class="chapter " data-level="4.9.2" data-path="../concepts/crd.html">
<a href="../concepts/crd.html">
<b>4.9.2.</b>
使用 CRD 扩展 Kubernetes API
</a>
</li>
<li class="chapter " data-level="4.9.3" data-path="../concepts/aggregated-api-server.html">
<a href="../concepts/aggregated-api-server.html">
<b>4.9.3.</b>
Aggregated API Server
</a>
</li>
<li class="chapter " data-level="4.9.4" data-path="../concepts/apiservice.html">
<a href="../concepts/apiservice.html">
<b>4.9.4.</b>
APIService
</a>
</li>
<li class="chapter " data-level="4.9.5" data-path="../concepts/service-catalog.html">
<a href="../concepts/service-catalog.html">
<b>4.9.5.</b>
服务目录Service Catalog
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.10" data-path="../concepts/multicluster.html">
<a href="../concepts/multicluster.html">
<b>4.10.</b>
多集群管理
</a>
<ul class="articles">
<li class="chapter " data-level="4.10.1" data-path="../concepts/multi-cluster-services-api.html">
<a href="../concepts/multi-cluster-services-api.html">
<b>4.10.1.</b>
多集群服务 APIMulti-Cluster Services API
</a>
</li>
<li class="chapter " data-level="4.10.2" data-path="../practice/federation.html">
<a href="../practice/federation.html">
<b>4.10.2.</b>
集群联邦Cluster Federation
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="4.11" data-path="../concepts/scheduling.html">
<a href="../concepts/scheduling.html">
<b>4.11.</b>
资源调度
</a>
<ul class="articles">
<li class="chapter " data-level="4.11.1" data-path="../concepts/qos.html">
<a href="../concepts/qos.html">
<b>4.11.1.</b>
服务质量等级QoS
</a>
</li>
</ul>
</li>
<li class="header">用户指南</li>
<li class="chapter " data-level="5.1" data-path="../guide/">
<a href="../guide/">
<b>5.1.</b>
用户指南概览
</a>
</li>
<li class="chapter " data-level="5.2" data-path="../guide/resource-configuration.html">
<a href="../guide/resource-configuration.html">
<b>5.2.</b>
资源对象配置
</a>
<ul class="articles">
<li class="chapter " data-level="5.2.1" data-path="../guide/configure-liveness-readiness-probes.html">
<a href="../guide/configure-liveness-readiness-probes.html">
<b>5.2.1.</b>
配置 Pod 的 liveness 和 readiness 探针
</a>
</li>
<li class="chapter " data-level="5.2.2" data-path="../guide/configure-pod-service-account.html">
<a href="../guide/configure-pod-service-account.html">
<b>5.2.2.</b>
配置 Pod 的 Service Account
</a>
</li>
<li class="chapter " data-level="5.2.3" data-path="../guide/secret-configuration.html">
<a href="../guide/secret-configuration.html">
<b>5.2.3.</b>
Secret 配置
</a>
</li>
<li class="chapter " data-level="5.2.4" data-path="../guide/resource-quota-management.html">
<a href="../guide/resource-quota-management.html">
<b>5.2.4.</b>
管理 namespace 中的资源配额
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="5.3" data-path="../guide/command-usage.html">
<a href="../guide/command-usage.html">
<b>5.3.</b>
命令使用
</a>
<ul class="articles">
<li class="chapter " data-level="5.3.1" data-path="../guide/docker-cli-to-kubectl.html">
<a href="../guide/docker-cli-to-kubectl.html">
<b>5.3.1.</b>
Docker 用户过渡到 kubectl 命令行指南
</a>
</li>
<li class="chapter " data-level="5.3.2" data-path="../guide/using-kubectl.html">
<a href="../guide/using-kubectl.html">
<b>5.3.2.</b>
kubectl 命令概览
</a>
</li>
<li class="chapter " data-level="5.3.3" data-path="../guide/kubectl-cheatsheet.html">
<a href="../guide/kubectl-cheatsheet.html">
<b>5.3.3.</b>
kubectl 命令技巧大全
</a>
</li>
<li class="chapter " data-level="5.3.4" data-path="../guide/using-etcdctl-to-access-kubernetes-data.html">
<a href="../guide/using-etcdctl-to-access-kubernetes-data.html">
<b>5.3.4.</b>
使用 etcdctl 访问 Kubernetes 数据
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="5.4" data-path="../guide/cluster-security-management.html">
<a href="../guide/cluster-security-management.html">
<b>5.4.</b>
集群安全性管理
</a>
<ul class="articles">
<li class="chapter " data-level="5.4.1" data-path="../guide/managing-tls-in-a-cluster.html">
<a href="../guide/managing-tls-in-a-cluster.html">
<b>5.4.1.</b>
管理集群中的 TLS
</a>
</li>
<li class="chapter " data-level="5.4.2" data-path="../guide/kubelet-authentication-authorization.html">
<a href="../guide/kubelet-authentication-authorization.html">
<b>5.4.2.</b>
kubelet 的认证授权
</a>
</li>
<li class="chapter " data-level="5.4.3" data-path="../guide/tls-bootstrapping.html">
<a href="../guide/tls-bootstrapping.html">
<b>5.4.3.</b>
TLS Bootstrap
</a>
</li>
<li class="chapter " data-level="5.4.4" data-path="../guide/kubectl-user-authentication-authorization.html">
<a href="../guide/kubectl-user-authentication-authorization.html">
<b>5.4.4.</b>
创建用户认证授权的 kubeconfig 文件
</a>
</li>
<li class="chapter " data-level="5.4.5" data-path="../guide/ip-masq-agent.html">
<a href="../guide/ip-masq-agent.html">
<b>5.4.5.</b>
IP 伪装代理
</a>
</li>
<li class="chapter " data-level="5.4.6" data-path="../guide/auth-with-kubeconfig-or-token.html">
<a href="../guide/auth-with-kubeconfig-or-token.html">
<b>5.4.6.</b>
使用 kubeconfig 或 token 进行用户身份认证
</a>
</li>
<li class="chapter " data-level="5.4.7" data-path="../guide/authentication.html">
<a href="../guide/authentication.html">
<b>5.4.7.</b>
Kubernetes 中的用户与身份认证授权
</a>
</li>
<li class="chapter " data-level="5.4.8" data-path="../guide/kubernetes-security-best-practice.html">
<a href="../guide/kubernetes-security-best-practice.html">
<b>5.4.8.</b>
Kubernetes 集群安全性配置最佳实践
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="5.5" data-path="../guide/access-kubernetes-cluster.html">
<a href="../guide/access-kubernetes-cluster.html">
<b>5.5.</b>
访问 Kubernetes 集群
</a>
<ul class="articles">
<li class="chapter " data-level="5.5.1" data-path="../guide/access-cluster.html">
<a href="../guide/access-cluster.html">
<b>5.5.1.</b>
访问集群
</a>
</li>
<li class="chapter " data-level="5.5.2" data-path="../guide/authenticate-across-clusters-kubeconfig.html">
<a href="../guide/authenticate-across-clusters-kubeconfig.html">
<b>5.5.2.</b>
使用 kubeconfig 文件配置跨集群认证
</a>
</li>
<li class="chapter " data-level="5.5.3" data-path="../guide/connecting-to-applications-port-forward.html">
<a href="../guide/connecting-to-applications-port-forward.html">
<b>5.5.3.</b>
通过端口转发访问集群中的应用程序
</a>
</li>
<li class="chapter " data-level="5.5.4" data-path="../guide/service-access-application-cluster.html">
<a href="../guide/service-access-application-cluster.html">
<b>5.5.4.</b>
使用 service 访问群集中的应用程序
</a>
</li>
<li class="chapter " data-level="5.5.5" data-path="../guide/accessing-kubernetes-pods-from-outside-of-the-cluster.html">
<a href="../guide/accessing-kubernetes-pods-from-outside-of-the-cluster.html">
<b>5.5.5.</b>
从外部访问 Kubernetes 中的 Pod
</a>
</li>
<li class="chapter " data-level="5.5.6" data-path="../guide/kubernetes-desktop-client.html">
<a href="../guide/kubernetes-desktop-client.html">
<b>5.5.6.</b>
Lens - Kubernetes IDE
</a>
</li>
<li class="chapter " data-level="5.5.7" data-path="../guide/kubernator-kubernetes-ui.html">
<a href="../guide/kubernator-kubernetes-ui.html">
<b>5.5.7.</b>
Kubernator - 更底层的 Kubernetes UI
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="5.6" data-path="../guide/application-development-deployment-flow.html">
<a href="../guide/application-development-deployment-flow.html">
<b>5.6.</b>
在 Kubernetes 中开发部署应用
</a>
<ul class="articles">
<li class="chapter " data-level="5.6.1" data-path="../guide/deploy-applications-in-kubernetes.html">
<a href="../guide/deploy-applications-in-kubernetes.html">
<b>5.6.1.</b>
适用于 Kubernetes 的应用开发部署流程
</a>
</li>
<li class="chapter " data-level="5.6.2" data-path="../guide/migrating-hadoop-yarn-to-kubernetes.html">
<a href="../guide/migrating-hadoop-yarn-to-kubernetes.html">
<b>5.6.2.</b>
迁移传统应用到 Kubernetes 中 —— 以 Hadoop YARN 为例
</a>
</li>
<li class="chapter " data-level="5.6.3" data-path="../guide/using-statefulset.html">
<a href="../guide/using-statefulset.html">
<b>5.6.3.</b>
使用 StatefulSet 部署用状态应用
</a>
</li>
</ul>
</li>
<li class="header">最佳实践</li>
<li class="chapter " data-level="6.1" data-path="../practice/">
<a href="../practice/">
<b>6.1.</b>
最佳实践概览
</a>
</li>
<li class="chapter " data-level="6.2" data-path="../practice/install-kubernetes-on-centos.html">
<a href="../practice/install-kubernetes-on-centos.html">
<b>6.2.</b>
在 CentOS 上部署 Kubernetes 集群
</a>
<ul class="articles">
<li class="chapter " data-level="6.2.1" data-path="../practice/create-tls-and-secret-key.html">
<a href="../practice/create-tls-and-secret-key.html">
<b>6.2.1.</b>
创建 TLS 证书和秘钥
</a>
</li>
<li class="chapter " data-level="6.2.2" data-path="../practice/create-kubeconfig.html">
<a href="../practice/create-kubeconfig.html">
<b>6.2.2.</b>
创建 kubeconfig 文件
</a>
</li>
<li class="chapter " data-level="6.2.3" data-path="../practice/etcd-cluster-installation.html">
<a href="../practice/etcd-cluster-installation.html">
<b>6.2.3.</b>
创建高可用 etcd 集群
</a>
</li>
<li class="chapter " data-level="6.2.4" data-path="../practice/kubectl-installation.html">
<a href="../practice/kubectl-installation.html">
<b>6.2.4.</b>
安装 kubectl 命令行工具
</a>
</li>
<li class="chapter " data-level="6.2.5" data-path="../practice/master-installation.html">
<a href="../practice/master-installation.html">
<b>6.2.5.</b>
部署 master 节点
</a>
</li>
<li class="chapter " data-level="6.2.6" data-path="../practice/flannel-installation.html">
<a href="../practice/flannel-installation.html">
<b>6.2.6.</b>
安装 flannel 网络插件
</a>
</li>
<li class="chapter " data-level="6.2.7" data-path="../practice/node-installation.html">
<a href="../practice/node-installation.html">
<b>6.2.7.</b>
部署 node 节点
</a>
</li>
<li class="chapter " data-level="6.2.8" data-path="../practice/kubedns-addon-installation.html">
<a href="../practice/kubedns-addon-installation.html">
<b>6.2.8.</b>
安装 kubedns 插件
</a>
</li>
<li class="chapter " data-level="6.2.9" data-path="../practice/dashboard-addon-installation.html">
<a href="../practice/dashboard-addon-installation.html">
<b>6.2.9.</b>
安装 dashboard 插件
</a>
</li>
<li class="chapter " data-level="6.2.10" data-path="../practice/heapster-addon-installation.html">
<a href="../practice/heapster-addon-installation.html">
<b>6.2.10.</b>
安装 heapster 插件
</a>
</li>
<li class="chapter " data-level="6.2.11" data-path="../practice/efk-addon-installation.html">
<a href="../practice/efk-addon-installation.html">
<b>6.2.11.</b>
安装 EFK 插件
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.3" data-path="../practice/install-kubernetes-with-kubeadm.html">
<a href="../practice/install-kubernetes-with-kubeadm.html">
<b>6.3.</b>
生产级的 Kubernetes 简化管理工具 kubeadm
</a>
<ul class="articles">
<li class="chapter " data-level="6.3.1" data-path="../practice/install-kubernetes-on-ubuntu-server-16.04-with-kubeadm.html">
<a href="../practice/install-kubernetes-on-ubuntu-server-16.04-with-kubeadm.html">
<b>6.3.1.</b>
使用 kubeadm 在 Ubuntu Server 16.04 上快速构建测试集群
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.4" data-path="../practice/service-discovery-and-loadbalancing.html">
<a href="../practice/service-discovery-and-loadbalancing.html">
<b>6.4.</b>
服务发现与负载均衡
</a>
<ul class="articles">
<li class="chapter " data-level="6.4.1" data-path="../practice/traefik-ingress-installation.html">
<a href="../practice/traefik-ingress-installation.html">
<b>6.4.1.</b>
安装 Traefik ingress
</a>
</li>
<li class="chapter " data-level="6.4.2" data-path="../practice/distributed-load-test.html">
<a href="../practice/distributed-load-test.html">
<b>6.4.2.</b>
分布式负载测试
</a>
</li>
<li class="chapter " data-level="6.4.3" data-path="../practice/network-and-cluster-perfermance-test.html">
<a href="../practice/network-and-cluster-perfermance-test.html">
<b>6.4.3.</b>
网络和集群性能测试
</a>
</li>
<li class="chapter " data-level="6.4.4" data-path="../practice/edge-node-configuration.html">
<a href="../practice/edge-node-configuration.html">
<b>6.4.4.</b>
边缘节点配置
</a>
</li>
<li class="chapter " data-level="6.4.5" data-path="../practice/nginx-ingress-installation.html">
<a href="../practice/nginx-ingress-installation.html">
<b>6.4.5.</b>
安装 Nginx ingress
</a>
</li>
<li class="chapter " data-level="6.4.6" data-path="../practice/dns-installation.html">
<a href="../practice/dns-installation.html">
<b>6.4.6.</b>
安装配置 DNS
</a>
<ul class="articles">
<li class="chapter " data-level="6.4.6.1" data-path="../practice/configuring-dns.html">
<a href="../practice/configuring-dns.html">
<b>6.4.6.1.</b>
安装配置 Kube-dns
</a>
</li>
<li class="chapter " data-level="6.4.6.2" data-path="../practice/coredns.html">
<a href="../practice/coredns.html">
<b>6.4.6.2.</b>
安装配置 CoreDNS
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="6.5" data-path="../practice/operation.html">
<a href="../practice/operation.html">
<b>6.5.</b>
运维管理
</a>
<ul class="articles">
<li class="chapter " data-level="6.5.1" data-path="../practice/master-ha.html">
<a href="../practice/master-ha.html">
<b>6.5.1.</b>
Master 节点高可用
</a>
</li>
<li class="chapter " data-level="6.5.2" data-path="../practice/service-rolling-update.html">
<a href="../practice/service-rolling-update.html">
<b>6.5.2.</b>
服务滚动升级
</a>
</li>
<li class="chapter " data-level="6.5.3" data-path="../practice/app-log-collection.html">
<a href="../practice/app-log-collection.html">
<b>6.5.3.</b>
应用日志收集
</a>
</li>
<li class="chapter " data-level="6.5.4" data-path="../practice/configuration-best-practice.html">
<a href="../practice/configuration-best-practice.html">
<b>6.5.4.</b>
配置最佳实践
</a>
</li>
<li class="chapter " data-level="6.5.5" data-path="../practice/monitor.html">
<a href="../practice/monitor.html">
<b>6.5.5.</b>
集群及应用监控
</a>
</li>
<li class="chapter " data-level="6.5.6" data-path="../practice/data-persistence-problem.html">
<a href="../practice/data-persistence-problem.html">
<b>6.5.6.</b>
数据持久化问题
</a>
</li>
<li class="chapter " data-level="6.5.7" data-path="../practice/manage-compute-resources-container.html">
<a href="../practice/manage-compute-resources-container.html">
<b>6.5.7.</b>
管理容器的计算资源
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.6" data-path="../practice/storage.html">
<a href="../practice/storage.html">
<b>6.6.</b>
存储管理
</a>
<ul class="articles">
<li class="chapter " data-level="6.6.1" data-path="../practice/glusterfs.html">
<a href="../practice/glusterfs.html">
<b>6.6.1.</b>
GlusterFS
</a>
<ul class="articles">
<li class="chapter " data-level="6.6.1.1" data-path="../practice/using-glusterfs-for-persistent-storage.html">
<a href="../practice/using-glusterfs-for-persistent-storage.html">
<b>6.6.1.1.</b>
使用 GlusterFS 做持久化存储
</a>
</li>
<li class="chapter " data-level="6.6.1.2" data-path="../practice/using-heketi-gluster-for-persistent-storage.html">
<a href="../practice/using-heketi-gluster-for-persistent-storage.html">
<b>6.6.1.2.</b>
使用 Heketi 作为 Kubernetes 的持久存储 GlusterFS 的 external provisioner
</a>
</li>
<li class="chapter " data-level="6.6.1.3" data-path="../practice/storage-for-containers-using-glusterfs-with-openshift.html">
<a href="../practice/storage-for-containers-using-glusterfs-with-openshift.html">
<b>6.6.1.3.</b>
在 OpenShift 中使用 GlusterFS 做持久化存储
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.6.2" data-path="../practice/glusterd-2.0.html">
<a href="../practice/glusterd-2.0.html">
<b>6.6.2.</b>
GlusterD-2.0
</a>
</li>
<li class="chapter " data-level="6.6.3" data-path="../practice/ceph.html">
<a href="../practice/ceph.html">
<b>6.6.3.</b>
Ceph
</a>
<ul class="articles">
<li class="chapter " data-level="6.6.3.1" data-path="../practice/ceph-helm-install-guide-zh.html">
<a href="../practice/ceph-helm-install-guide-zh.html">
<b>6.6.3.1.</b>
用 Helm 托管安装 Ceph 集群并提供后端存储
</a>
</li>
<li class="chapter " data-level="6.6.3.2" data-path="../practice/using-ceph-for-persistent-storage.html">
<a href="../practice/using-ceph-for-persistent-storage.html">
<b>6.6.3.2.</b>
使用 Ceph 做持久化存储
</a>
</li>
<li class="chapter " data-level="6.6.3.3" data-path="../practice/rbd-provisioner.html">
<a href="../practice/rbd-provisioner.html">
<b>6.6.3.3.</b>
使用 rbd-provisioner 提供 rbd 持久化存储
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.6.4" data-path="../practice/openebs.html">
<a href="../practice/openebs.html">
<b>6.6.4.</b>
OpenEBS
</a>
<ul class="articles">
<li class="chapter " data-level="6.6.4.1" data-path="../practice/using-openebs-for-persistent-storage.html">
<a href="../practice/using-openebs-for-persistent-storage.html">
<b>6.6.4.1.</b>
使用 OpenEBS 做持久化存储
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.6.5" data-path="../practice/rook.html">
<a href="../practice/rook.html">
<b>6.6.5.</b>
Rook
</a>
</li>
<li class="chapter " data-level="6.6.6" data-path="../practice/nfs.html">
<a href="../practice/nfs.html">
<b>6.6.6.</b>
NFS
</a>
<ul class="articles">
<li class="chapter " data-level="6.6.6.1" data-path="../practice/using-nfs-for-persistent-storage.html">
<a href="../practice/using-nfs-for-persistent-storage.html">
<b>6.6.6.1.</b>
利用 NFS 动态提供 Kubernetes 后端存储卷
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="6.7" data-path="../practice/monitoring.html">
<a href="../practice/monitoring.html">
<b>6.7.</b>
集群与应用监控
</a>
<ul class="articles">
<li class="chapter " data-level="6.7.1" data-path="../practice/heapster.html">
<a href="../practice/heapster.html">
<b>6.7.1.</b>
Heapster
</a>
<ul class="articles">
<li class="chapter " data-level="6.7.1.1" data-path="../practice/using-heapster-to-get-object-metrics.html">
<a href="../practice/using-heapster-to-get-object-metrics.html">
<b>6.7.1.1.</b>
使用 Heapster 获取集群和对象的 metric 数据
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.7.2" data-path="../practice/prometheus.html">
<a href="../practice/prometheus.html">
<b>6.7.2.</b>
Prometheus
</a>
<ul class="articles">
<li class="chapter " data-level="6.7.2.1" data-path="../practice/using-prometheus-to-monitor-kuberentes-cluster.html">
<a href="../practice/using-prometheus-to-monitor-kuberentes-cluster.html">
<b>6.7.2.1.</b>
使用 Prometheus 监控 Kubernetes 集群
</a>
</li>
<li class="chapter " data-level="6.7.2.2" data-path="../practice/promql.html">
<a href="../practice/promql.html">
<b>6.7.2.2.</b>
Prometheus 查询语言 PromQL 使用说明
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="6.8" data-path="../practice/distributed-tracing.html">
<a href="../practice/distributed-tracing.html">
<b>6.8.</b>
分布式追踪
</a>
<ul class="articles">
<li class="chapter " data-level="6.8.1" data-path="../practice/opentracing.html">
<a href="../practice/opentracing.html">
<b>6.8.1.</b>
OpenTracing
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.9" data-path="../practice/services-management-tool.html">
<a href="../practice/services-management-tool.html">
<b>6.9.</b>
服务编排管理
</a>
<ul class="articles">
<li class="chapter " data-level="6.9.1" data-path="../practice/helm.html">
<a href="../practice/helm.html">
<b>6.9.1.</b>
使用 Helm 管理 Kubernetes 应用
</a>
</li>
<li class="chapter " data-level="6.9.2" data-path="../practice/create-private-charts-repo.html">
<a href="../practice/create-private-charts-repo.html">
<b>6.9.2.</b>
构建私有 Chart 仓库
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.10" data-path="../practice/ci-cd.html">
<a href="../practice/ci-cd.html">
<b>6.10.</b>
持续集成与发布CI/CD
</a>
<ul class="articles">
<li class="chapter " data-level="6.10.1" data-path="../practice/jenkins-ci-cd.html">
<a href="../practice/jenkins-ci-cd.html">
<b>6.10.1.</b>
使用 Jenkins 进行持续集成与发布
</a>
</li>
<li class="chapter " data-level="6.10.2" data-path="../practice/drone-ci-cd.html">
<a href="../practice/drone-ci-cd.html">
<b>6.10.2.</b>
使用 Drone 进行持续集成与发布
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.11" data-path="../practice/update-and-upgrade.html">
<a href="../practice/update-and-upgrade.html">
<b>6.11.</b>
更新与升级
</a>
<ul class="articles">
<li class="chapter " data-level="6.11.1" data-path="../practice/manually-upgrade.html">
<a href="../practice/manually-upgrade.html">
<b>6.11.1.</b>
手动升级 Kubernetes 集群
</a>
</li>
<li class="chapter " data-level="6.11.2" data-path="../practice/dashboard-upgrade.html">
<a href="../practice/dashboard-upgrade.html">
<b>6.11.2.</b>
升级 dashboard
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="6.12" data-path="../practice/controller-extended.html">
<a href="../practice/controller-extended.html">
<b>6.12.</b>
扩展控制器
</a>
<ul class="articles">
<li class="chapter " data-level="6.12.1" data-path="../practice/openkruise.html">
<a href="../practice/openkruise.html">
<b>6.12.1.</b>
OpenKruise
</a>
<ul class="articles">
<li class="chapter " data-level="6.12.1.1" data-path="../practice/in-place-update.html">
<a href="../practice/in-place-update.html">
<b>6.12.1.1.</b>
原地升级
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="6.13" data-path="../practice/security-policy.html">
<a href="../practice/security-policy.html">
<b>6.13.</b>
安全策略
</a>
<ul class="articles">
<li class="chapter " data-level="6.13.1" data-path="../practice/open-policy-agent.html">
<a href="../practice/open-policy-agent.html">
<b>6.13.1.</b>
开放策略代理OPA
</a>
</li>
<li class="chapter " data-level="6.13.2" data-path="../practice/cloud-native-security.html">
<a href="../practice/cloud-native-security.html">
<b>6.13.2.</b>
云原生安全
</a>
</li>
</ul>
</li>
<li class="header">服务网格</li>
<li class="chapter " data-level="7.1" data-path="service-mesh.html">
<a href="service-mesh.html">
<b>7.1.</b>
服务网格Service Mesh
</a>
</li>
<li class="chapter " data-level="7.2" data-path="the-enterprise-path-to-service-mesh-architectures.html">
<a href="the-enterprise-path-to-service-mesh-architectures.html">
<b>7.2.</b>
企业级服务网格架构
</a>
<ul class="articles">
<li class="chapter " data-level="7.2.1" data-path="service-mesh-fundamental.html">
<a href="service-mesh-fundamental.html">
<b>7.2.1.</b>
服务网格基础
</a>
</li>
<li class="chapter " data-level="7.2.2" data-path="comparing-service-mesh-technologies.html">
<a href="comparing-service-mesh-technologies.html">
<b>7.2.2.</b>
服务网格技术对比
</a>
</li>
<li class="chapter " data-level="7.2.3" data-path="service-mesh-vs-api-gateway.html">
<a href="service-mesh-vs-api-gateway.html">
<b>7.2.3.</b>
服务网格对比 API 网关
</a>
</li>
<li class="chapter " data-level="7.2.4" data-path="service-mesh-adoption-and-evolution.html">
<a href="service-mesh-adoption-and-evolution.html">
<b>7.2.4.</b>
采纳和演进
</a>
</li>
<li class="chapter " data-level="7.2.5" data-path="service-mesh-customization-and-integration.html">
<a href="service-mesh-customization-and-integration.html">
<b>7.2.5.</b>
定制和集成
</a>
</li>
<li class="chapter " data-level="7.2.6" data-path="service-mesh-conclusion.html">
<a href="service-mesh-conclusion.html">
<b>7.2.6.</b>
总结
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="7.3" data-path="istio.html">
<a href="istio.html">
<b>7.3.</b>
Istio
</a>
<ul class="articles">
<li class="chapter " data-level="7.3.1" data-path="before-using-istio.html">
<a href="before-using-istio.html">
<b>7.3.1.</b>
使用 Istio 前需要考虑的问题
</a>
</li>
<li class="chapter " data-level="7.3.2" data-path="sidecar-pattern.html">
<a href="sidecar-pattern.html">
<b>7.3.2.</b>
Sidecar 模式
</a>
</li>
<li class="chapter " data-level="7.3.3" data-path="sidecar-spec-in-istio.html">
<a href="sidecar-spec-in-istio.html">
<b>7.3.3.</b>
Istio 中 sidecar 的注入规范
</a>
</li>
<li class="chapter active" data-level="7.3.4" data-path="understand-sidecar-injection-and-traffic-hijack-in-istio-service-mesh.html">
<a href="understand-sidecar-injection-and-traffic-hijack-in-istio-service-mesh.html">
<b>7.3.4.</b>
Sidecar 的注入与透明流量劫持
</a>
</li>
<li class="chapter " data-level="7.3.5" data-path="istio-traffic-routing.html">
<a href="istio-traffic-routing.html">
<b>7.3.5.</b>
Istio 中的流量路由过程详解
</a>
</li>
<li class="chapter " data-level="7.3.6" data-path="how-to-integrate-istio-with-vm.html">
<a href="how-to-integrate-istio-with-vm.html">
<b>7.3.6.</b>
Istio 如何支持虚拟机
</a>
</li>
<li class="chapter " data-level="7.3.7" data-path="istio-vm-support.html">
<a href="istio-vm-support.html">
<b>7.3.7.</b>
Istio 支持虚拟机的历史
</a>
</li>
<li class="chapter " data-level="7.3.8" data-path="istio-community-tips.html">
<a href="istio-community-tips.html">
<b>7.3.8.</b>
如何参与 Istio 社区及注意事项
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="7.4" data-path="envoy.html">
<a href="envoy.html">
<b>7.4.</b>
Envoy
</a>
<ul class="articles">
<li class="chapter " data-level="7.4.1" data-path="envoy-terminology.html">
<a href="envoy-terminology.html">
<b>7.4.1.</b>
Envoy 的架构与基本术语
</a>
</li>
<li class="chapter " data-level="7.4.2" data-path="envoy-front-proxy.html">
<a href="envoy-front-proxy.html">
<b>7.4.2.</b>
Envoy 作为前端代理
</a>
</li>
<li class="chapter " data-level="7.4.3" data-path="envoy-mesh-in-kubernetes-tutorial.html">
<a href="envoy-mesh-in-kubernetes-tutorial.html">
<b>7.4.3.</b>
Envoy mesh 教程
</a>
</li>
</ul>
</li>
<li class="header">领域应用</li>
<li class="chapter " data-level="8.1" data-path="./">
<a href="./">
<b>8.1.</b>
领域应用概览
</a>
</li>
<li class="chapter " data-level="8.2" data-path="microservices.html">
<a href="microservices.html">
<b>8.2.</b>
微服务架构
</a>
<ul class="articles">
<li class="chapter " data-level="8.2.1" data-path="service-discovery-in-microservices.html">
<a href="service-discovery-in-microservices.html">
<b>8.2.1.</b>
微服务中的服务发现
</a>
</li>
<li class="chapter " data-level="8.2.2" data-path="microservices-for-java-developers.html">
<a href="microservices-for-java-developers.html">
<b>8.2.2.</b>
使用 Java 构建微服务并发布到 Kubernetes 平台
</a>
<ul class="articles">
<li class="chapter " data-level="8.2.2.1" data-path="spring-boot-quick-start-guide.html">
<a href="spring-boot-quick-start-guide.html">
<b>8.2.2.1.</b>
Spring Boot 快速开始指南
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="8.3" data-path="big-data.html">
<a href="big-data.html">
<b>8.3.</b>
大数据
</a>
<ul class="articles">
<li class="chapter " data-level="8.3.1" data-path="spark-on-kubernetes.html">
<a href="spark-on-kubernetes.html">
<b>8.3.1.</b>
Spark 与 Kubernetes
</a>
<ul class="articles">
<li class="chapter " data-level="8.3.1.1" data-path="spark-standalone-on-kubernetes.html">
<a href="spark-standalone-on-kubernetes.html">
<b>8.3.1.1.</b>
Spark standalone on Kubernetes
</a>
</li>
<li class="chapter " data-level="8.3.1.2" data-path="running-spark-with-kubernetes-native-scheduler.html">
<a href="running-spark-with-kubernetes-native-scheduler.html">
<b>8.3.1.2.</b>
运行支持 Kubernetes 原生调度的 Spark 程序
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="8.4" data-path="serverless.html">
<a href="serverless.html">
<b>8.4.</b>
Serverless 架构
</a>
<ul class="articles">
<li class="chapter " data-level="8.4.1" data-path="understanding-serverless.html">
<a href="understanding-serverless.html">
<b>8.4.1.</b>
理解 Serverless
</a>
</li>
<li class="chapter " data-level="8.4.2" data-path="faas.html">
<a href="faas.html">
<b>8.4.2.</b>
FaaS函数即服务
</a>
<ul class="articles">
<li class="chapter " data-level="8.4.2.1" data-path="openfaas-quick-start.html">
<a href="openfaas-quick-start.html">
<b>8.4.2.1.</b>
OpenFaaS 快速入门指南
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="8.4.3" data-path="knative.html">
<a href="knative.html">
<b>8.4.3.</b>
Knative
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="8.5" data-path="edge-computing.html">
<a href="edge-computing.html">
<b>8.5.</b>
边缘计算
</a>
</li>
<li class="chapter " data-level="8.6" data-path="ai.html">
<a href="ai.html">
<b>8.6.</b>
人工智能
</a>
</li>
<li class="chapter " data-level="8.7" data-path="observability.html">
<a href="observability.html">
<b>8.7.</b>
可观察性
</a>
</li>
<li class="header">开发指南</li>
<li class="chapter " data-level="9.1" data-path="../develop/">
<a href="../develop/">
<b>9.1.</b>
开发指南概览
</a>
</li>
<li class="chapter " data-level="9.2" data-path="../develop/sigs-and-working-group.html">
<a href="../develop/sigs-and-working-group.html">
<b>9.2.</b>
SIG 和工作组
</a>
</li>
<li class="chapter " data-level="9.3" data-path="../develop/developing-environment.html">
<a href="../develop/developing-environment.html">
<b>9.3.</b>
开发环境搭建
</a>
<ul class="articles">
<li class="chapter " data-level="9.3.1" data-path="../develop/using-vagrant-and-virtualbox-for-development.html">
<a href="../develop/using-vagrant-and-virtualbox-for-development.html">
<b>9.3.1.</b>
本地分布式开发环境搭建(使用 Vagrant 和 Virtualbox
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="9.4" data-path="../develop/testing.html">
<a href="../develop/testing.html">
<b>9.4.</b>
单元测试和集成测试
</a>
</li>
<li class="chapter " data-level="9.5" data-path="../develop/client-go-sample.html">
<a href="../develop/client-go-sample.html">
<b>9.5.</b>
client-go 示例
</a>
<ul class="articles">
<li class="chapter " data-level="9.5.1" data-path="../develop/client-go-informer-sourcecode-analyse.html">
<a href="../develop/client-go-informer-sourcecode-analyse.html">
<b>9.5.1.</b>
client-go 中的 informer 源码分析
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="9.6" data-path="../develop/operator.html">
<a href="../develop/operator.html">
<b>9.6.</b>
Operator
</a>
<ul class="articles">
<li class="chapter " data-level="9.6.1" data-path="../develop/operator-sdk.html">
<a href="../develop/operator-sdk.html">
<b>9.6.1.</b>
operator-sdk
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="9.7" data-path="../develop/kubebuilder.html">
<a href="../develop/kubebuilder.html">
<b>9.7.</b>
kubebuilder
</a>
<ul class="articles">
<li class="chapter " data-level="9.7.1" data-path="../develop/kubebuilder-example.html">
<a href="../develop/kubebuilder-example.html">
<b>9.7.1.</b>
使用 kubebuilder 创建 operator 示例
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="9.8" data-path="../develop/advance-developer.html">
<a href="../develop/advance-developer.html">
<b>9.8.</b>
高级开发指南
</a>
</li>
<li class="chapter " data-level="9.9" data-path="../develop/contribute.html">
<a href="../develop/contribute.html">
<b>9.9.</b>
社区贡献
</a>
</li>
<li class="chapter " data-level="9.10" data-path="../develop/minikube.html">
<a href="../develop/minikube.html">
<b>9.10.</b>
Minikube
</a>
</li>
<li class="header">社区及生态</li>
<li class="chapter " data-level="10.1" data-path="../cloud-native/cncf.html">
<a href="../cloud-native/cncf.html">
<b>10.1.</b>
云原生计算基金会CNCF
</a>
<ul class="articles">
<li class="chapter " data-level="10.1.1" data-path="../cloud-native/cncf-charter.html">
<a href="../cloud-native/cncf-charter.html">
<b>10.1.1.</b>
CNCF 章程
</a>
</li>
<li class="chapter " data-level="10.1.2" data-path="../cloud-native/cncf-sig.html">
<a href="../cloud-native/cncf-sig.html">
<b>10.1.2.</b>
CNCF 特别兴趣小组SIG说明
</a>
</li>
<li class="chapter " data-level="10.1.3" data-path="../cloud-native/cncf-sandbox-criteria.html">
<a href="../cloud-native/cncf-sandbox-criteria.html">
<b>10.1.3.</b>
开源项目加入 CNCF Sandbox 的要求
</a>
</li>
<li class="chapter " data-level="10.1.4" data-path="../cloud-native/cncf-project-governing.html">
<a href="../cloud-native/cncf-project-governing.html">
<b>10.1.4.</b>
CNCF 中的项目治理
</a>
</li>
<li class="chapter " data-level="10.1.5" data-path="../cloud-native/cncf-ambassador.html">
<a href="../cloud-native/cncf-ambassador.html">
<b>10.1.5.</b>
CNCF Ambassador
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="10.2" data-path="../cloud-native/certification.html">
<a href="../cloud-native/certification.html">
<b>10.2.</b>
认证及培训
</a>
<ul class="articles">
<li class="chapter " data-level="10.2.1" data-path="../appendix/about-kcsp.html">
<a href="../appendix/about-kcsp.html">
<b>10.2.1.</b>
认证 Kubernetes 服务提供商KCSP说明
</a>
</li>
<li class="chapter " data-level="10.2.2" data-path="../appendix/about-cka-candidate.html">
<a href="../appendix/about-cka-candidate.html">
<b>10.2.2.</b>
认证 Kubernetes 管理员CKA说明
</a>
</li>
</ul>
</li>
<li class="header">附录</li>
<li class="chapter " data-level="11.1" data-path="../appendix/">
<a href="../appendix/">
<b>11.1.</b>
附录说明
</a>
</li>
<li class="chapter " data-level="11.2" data-path="../appendix/debug-kubernetes-services.html">
<a href="../appendix/debug-kubernetes-services.html">
<b>11.2.</b>
Kubernetes 中的应用故障排查
</a>
</li>
<li class="chapter " data-level="11.3" data-path="../appendix/material-share.html">
<a href="../appendix/material-share.html">
<b>11.3.</b>
Kubernetes 参考资源
</a>
</li>
<li class="chapter " data-level="11.4" data-path="../appendix/tricks.html">
<a href="../appendix/tricks.html">
<b>11.4.</b>
Kubernetes 使用技巧
</a>
</li>
<li class="chapter " data-level="11.5" data-path="../appendix/issues.html">
<a href="../appendix/issues.html">
<b>11.5.</b>
Kubernetes 相关问题记录
</a>
</li>
<li class="chapter " data-level="11.6" data-path="../appendix/summary-and-outlook.html">
<a href="../appendix/summary-and-outlook.html">
<b>11.6.</b>
Kubernetes 及云原生年度总结及展望
</a>
<ul class="articles">
<li class="chapter " data-level="11.6.1" data-path="../appendix/kubernetes-and-cloud-native-summary-in-2017-and-outlook-for-2018.html">
<a href="../appendix/kubernetes-and-cloud-native-summary-in-2017-and-outlook-for-2018.html">
<b>11.6.1.</b>
Kubernetes 与云原生 2017 年年终总结及 2018 年展望
</a>
</li>
<li class="chapter " data-level="11.6.2" data-path="../appendix/kubernetes-and-cloud-native-summary-in-2018-and-outlook-for-2019.html">
<a href="../appendix/kubernetes-and-cloud-native-summary-in-2018-and-outlook-for-2019.html">
<b>11.6.2.</b>
Kubernetes 与云原生 2018 年年终总结及 2019 年展望
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="11.7" data-path="../appendix/cncf-annual-report.html">
<a href="../appendix/cncf-annual-report.html">
<b>11.7.</b>
CNCF 年度报告解读
</a>
<ul class="articles">
<li class="chapter " data-level="11.7.1" data-path="../appendix/cncf-annual-report-2018.html">
<a href="../appendix/cncf-annual-report-2018.html">
<b>11.7.1.</b>
CNCF 2018 年年度报告解读
</a>
</li>
<li class="chapter " data-level="11.7.2" data-path="../appendix/cncf-annual-report-2020.html">
<a href="../appendix/cncf-annual-report-2020.html">
<b>11.7.2.</b>
CNCF 2020 年年度报告解读
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="11.8" data-path="../GLOSSARY.html">
<a href="../GLOSSARY.html">
<b>11.8.</b>
术语表
</a>
</li>
<li class="divider"></li>
<li>
<a href="https://www.gitbook.com" target="blank" class="gitbook-link">
本书使用 GitBook 发布
</a>
</li>
</ul>
</nav>
</div>
<div class="book-body">
<div class="body-inner">
<div class="book-header" role="navigation">
<!-- Title -->
<h1>
<i class="fa fa-circle-o-notch fa-spin"></i>
<a href=".." >Sidecar 的注入与透明流量劫持</a>
</h1>
</div>
<div class="page-wrapper" tabindex="-1" role="main">
<div class="page-inner">
<div class="search-plus" id="book-search-results">
<div class="search-noresults">
<section class="normal markdown-section">
<h1 id="sidecar-&#x7684;&#x6CE8;&#x5165;&#x4E0E;&#x900F;&#x660E;&#x6D41;&#x91CF;&#x52AB;&#x6301;">Sidecar &#x7684;&#x6CE8;&#x5165;&#x4E0E;&#x900F;&#x660E;&#x6D41;&#x91CF;&#x52AB;&#x6301;</h1>
<p>Istio &#x4E2D;&#x63D0;&#x4F9B;&#x4E86;&#x4EE5;&#x4E0B;&#x4E24;&#x79CD; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x6CE8;&#x5165;&#x65B9;&#x5F0F;&#xFF1A;</p>
<ul>
<li>&#x4F7F;&#x7528; <code>istioctl</code> &#x624B;&#x52A8;&#x6CE8;&#x5165;&#x3002;</li>
<li>&#x57FA;&#x4E8E; Kubernetes &#x7684; <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/" target="_blank">&#x7A81;&#x53D8; webhook &#x51C6;&#x5165;&#x63A7;&#x5236;&#x5668;&#xFF08;mutating webhook addmission controller</a> &#x7684;&#x81EA;&#x52A8; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x6CE8;&#x5165;&#x65B9;&#x5F0F;&#x3002;</li>
</ul>
<p>&#x4E0D;&#x8BBA;&#x662F;&#x624B;&#x52A8;&#x6CE8;&#x5165;&#x8FD8;&#x662F;&#x81EA;&#x52A8;&#x6CE8;&#x5165;&#xFF0C;<a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x7684;&#x6CE8;&#x5165;&#x8FC7;&#x7A0B;&#x90FD;&#x9700;&#x8981;&#x9075;&#x5FAA;&#x5982;&#x4E0B;&#x6B65;&#x9AA4;&#xFF1A;</p>
<ol>
<li>Kubernetes &#x9700;&#x8981;&#x4E86;&#x89E3;&#x5F85;&#x6CE8;&#x5165;&#x7684; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x6240;&#x8FDE;&#x63A5;&#x7684; Istio &#x96C6;&#x7FA4;&#x53CA;&#x5176;&#x914D;&#x7F6E;&#xFF1B;</li>
<li>Kubernetes &#x9700;&#x8981;&#x4E86;&#x89E3;&#x5F85;&#x6CE8;&#x5165;&#x7684; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x5BB9;&#x5668;&#x672C;&#x8EAB;&#x7684;&#x914D;&#x7F6E;&#xFF0C;&#x5982;&#x955C;&#x50CF;&#x5730;&#x5740;&#x3001;&#x542F;&#x52A8;&#x53C2;&#x6570;&#x7B49;&#xFF1B;</li>
<li>Kubernetes &#x6839;&#x636E; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x6CE8;&#x5165;&#x6A21;&#x677F;&#x548C;&#x4EE5;&#x4E0A;&#x914D;&#x7F6E;&#x586B;&#x5145; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x7684;&#x914D;&#x7F6E;&#x53C2;&#x6570;&#xFF0C;&#x5C06;&#x4EE5;&#x4E0A;&#x914D;&#x7F6E;&#x6CE8;&#x5165;&#x5230;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x7684;&#x4E00;&#x4FA7;&#xFF1B;</li>
</ol>
<p>&#x4F7F;&#x7528;&#x4E0B;&#x9762;&#x7684;&#x547D;&#x4EE4;&#x53EF;&#x4EE5;&#x624B;&#x52A8;&#x6CE8;&#x5165; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a>&#x3002;</p>
<pre class="language-"><code class="lang-bash">istioctl kube-inject -f <span class="token variable">${YAML_FILE}</span> <span class="token operator">|</span> kuebectl apply -f -
</code></pre>
<p>&#x8BE5;&#x547D;&#x4EE4;&#x4F1A;&#x4F7F;&#x7528; Istio &#x5185;&#x7F6E;&#x7684; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x914D;&#x7F6E;&#x6765;&#x6CE8;&#x5165;&#xFF0C;&#x4E0B;&#x9762;&#x4F7F;&#x7528; Istio&#x8BE6;&#x7EC6;&#x914D;&#x7F6E;&#x8BF7;&#x53C2;&#x8003; <a href="https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection" target="_blank">Istio &#x5B98;&#x7F51;</a>&#x3002;</p>
<p>&#x6CE8;&#x5165;&#x5B8C;&#x6210;&#x540E;&#x60A8;&#x5C06;&#x770B;&#x5230; Istio &#x4E3A;&#x539F;&#x6709; pod template &#x6CE8;&#x5165;&#x4E86; <code>initContainer</code> &#x53CA; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> proxy&#x76F8;&#x5173;&#x7684;&#x914D;&#x7F6E;&#x3002;</p>
<h2 id="init-&#x5BB9;&#x5668;">Init &#x5BB9;&#x5668;</h2>
<p>Init &#x5BB9;&#x5668;&#x662F;&#x4E00;&#x79CD;&#x4E13;&#x7528;&#x5BB9;&#x5668;&#xFF0C;&#x5B83;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x5BB9;&#x5668;&#x542F;&#x52A8;&#x4E4B;&#x524D;&#x8FD0;&#x884C;&#xFF0C;&#x7528;&#x6765;&#x5305;&#x542B;&#x4E00;&#x4E9B;&#x5E94;&#x7528;&#x955C;&#x50CF;&#x4E2D;&#x4E0D;&#x5B58;&#x5728;&#x7684;&#x5B9E;&#x7528;&#x5DE5;&#x5177;&#x6216;&#x5B89;&#x88C5;&#x811A;&#x672C;&#x3002;</p>
<p>&#x4E00;&#x4E2A; Pod &#x4E2D;&#x53EF;&#x4EE5;&#x6307;&#x5B9A;&#x591A;&#x4E2A; Init &#x5BB9;&#x5668;&#xFF0C;&#x5982;&#x679C;&#x6307;&#x5B9A;&#x4E86;&#x591A;&#x4E2A;&#xFF0C;&#x90A3;&#x4E48; Init &#x5BB9;&#x5668;&#x5C06;&#x4F1A;&#x6309;&#x987A;&#x5E8F;&#x4F9D;&#x6B21;&#x8FD0;&#x884C;&#x3002;&#x53EA;&#x6709;&#x5F53;&#x524D;&#x9762;&#x7684; Init &#x5BB9;&#x5668;&#x5FC5;&#x987B;&#x8FD0;&#x884C;&#x6210;&#x529F;&#x540E;&#xFF0C;&#x624D;&#x53EF;&#x4EE5;&#x8FD0;&#x884C;&#x4E0B;&#x4E00;&#x4E2A; Init &#x5BB9;&#x5668;&#x3002;&#x5F53;&#x6240;&#x6709;&#x7684; Init &#x5BB9;&#x5668;&#x8FD0;&#x884C;&#x5B8C;&#x6210;&#x540E;&#xFF0C;Kubernetes &#x624D;&#x521D;&#x59CB;&#x5316; Pod &#x548C;&#x8FD0;&#x884C;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x3002;</p>
<p>Init &#x5BB9;&#x5668;&#x4F7F;&#x7528; Linux Namespace&#xFF0C;&#x6240;&#x4EE5;&#x76F8;&#x5BF9;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x5BB9;&#x5668;&#x6765;&#x8BF4;&#x5177;&#x6709;&#x4E0D;&#x540C;&#x7684;&#x6587;&#x4EF6;&#x7CFB;&#x7EDF;&#x89C6;&#x56FE;&#x3002;&#x56E0;&#x6B64;&#xFF0C;&#x5B83;&#x4EEC;&#x80FD;&#x591F;&#x5177;&#x6709;&#x8BBF;&#x95EE; Secret &#x7684;&#x6743;&#x9650;&#xFF0C;&#x800C;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x5BB9;&#x5668;&#x5219;&#x4E0D;&#x80FD;&#x3002;</p>
<p>&#x5728; Pod &#x542F;&#x52A8;&#x8FC7;&#x7A0B;&#x4E2D;&#xFF0C;Init &#x5BB9;&#x5668;&#x4F1A;&#x6309;&#x987A;&#x5E8F;&#x5728;&#x7F51;&#x7EDC;&#x548C;&#x6570;&#x636E;&#x5377;&#x521D;&#x59CB;&#x5316;&#x4E4B;&#x540E;&#x542F;&#x52A8;&#x3002;&#x6BCF;&#x4E2A;&#x5BB9;&#x5668;&#x5FC5;&#x987B;&#x5728;&#x4E0B;&#x4E00;&#x4E2A;&#x5BB9;&#x5668;&#x542F;&#x52A8;&#x4E4B;&#x524D;&#x6210;&#x529F;&#x9000;&#x51FA;&#x3002;&#x5982;&#x679C;&#x7531;&#x4E8E;&#x8FD0;&#x884C;&#x65F6;&#x6216;&#x5931;&#x8D25;&#x9000;&#x51FA;&#xFF0C;&#x5C06;&#x5BFC;&#x81F4;&#x5BB9;&#x5668;&#x542F;&#x52A8;&#x5931;&#x8D25;&#xFF0C;&#x5B83;&#x4F1A;&#x6839;&#x636E; Pod &#x7684; <code>restartPolicy</code> &#x6307;&#x5B9A;&#x7684;&#x7B56;&#x7565;&#x8FDB;&#x884C;&#x91CD;&#x8BD5;&#x3002;&#x7136;&#x800C;&#xFF0C;&#x5982;&#x679C; Pod &#x7684; <code>restartPolicy</code> &#x8BBE;&#x7F6E;&#x4E3A; Always&#xFF0C;Init &#x5BB9;&#x5668;&#x5931;&#x8D25;&#x65F6;&#x4F1A;&#x4F7F;&#x7528; <code>RestartPolicy</code> &#x7B56;&#x7565;&#x3002;</p>
<p>&#x5728;&#x6240;&#x6709;&#x7684; Init &#x5BB9;&#x5668;&#x6CA1;&#x6709;&#x6210;&#x529F;&#x4E4B;&#x524D;&#xFF0C;Pod &#x5C06;&#x4E0D;&#x4F1A;&#x53D8;&#x6210; <code>Ready</code> &#x72B6;&#x6001;&#x3002;Init &#x5BB9;&#x5668;&#x7684;&#x7AEF;&#x53E3;&#x5C06;&#x4E0D;&#x4F1A;&#x5728; Service&#x4E2D;&#x8FDB;&#x884C;&#x805A;&#x96C6;&#x3002; &#x6B63;&#x5728;&#x521D;&#x59CB;&#x5316;&#x4E2D;&#x7684; Pod &#x5904;&#x4E8E; <code>Pending</code> &#x72B6;&#x6001;&#xFF0C;&#x4F46;&#x5E94;&#x8BE5;&#x4F1A;&#x5C06; <code>Initializing</code> &#x72B6;&#x6001;&#x8BBE;&#x7F6E;&#x4E3A; true&#x3002;Init &#x5BB9;&#x5668;&#x8FD0;&#x884C;&#x5B8C;&#x6210;&#x4EE5;&#x540E;&#x5C31;&#x4F1A;&#x81EA;&#x52A8;&#x7EC8;&#x6B62;&#x3002;</p>
<p>&#x5173;&#x4E8E; Init &#x5BB9;&#x5668;&#x7684;&#x8BE6;&#x7EC6;&#x4FE1;&#x606F;&#x8BF7;&#x53C2;&#x8003; <a href="https://jimmysong.io/kubernetes-handbook/concepts/init-containers.html" target="_blank">Init &#x5BB9;&#x5668; - Kubernetes &#x4E2D;&#x6587;&#x6307;&#x5357;/&#x4E91;&#x539F;&#x751F;&#x5E94;&#x7528;&#x67B6;&#x6784;&#x5B9E;&#x8DF5;&#x624B;&#x518C;</a>&#x3002;</p>
<h2 id="sidecar-&#x6CE8;&#x5165;&#x793A;&#x4F8B;&#x5206;&#x6790;">Sidecar &#x6CE8;&#x5165;&#x793A;&#x4F8B;&#x5206;&#x6790;</h2>
<p>&#x672C;&#x6587;&#x6211;&#x4EEC;&#x5C06;&#x4EE5; Istio &#x5B98;&#x65B9;&#x793A;&#x4F8B; <code>bookinfo</code> &#x4E2D; <code>reivews</code> &#x670D;&#x52A1;&#x4E3A;&#x4F8B;&#xFF0C;&#x6765;&#x63A5;&#x8BB2;&#x89E3; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x5BB9;&#x5668;&#x6CE8;&#x5165;&#x7684;&#x989D;&#x6D41;&#x7A0B;&#xFF0C;&#x6BCF;&#x4E2A;&#x6CE8;&#x5165;&#x4E86; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x7684; Pod &#x4E2D;&#x9664;&#x4E86;&#x539F;&#x5148;&#x5E94;&#x7528;&#x7684;&#x5E94;&#x7528;&#x672C;&#x8EAB;&#x7684;&#x5BB9;&#x5668;&#x5916;&#xFF0C;&#x90FD;&#x4F1A;&#x591A;&#x51FA;&#x6765;&#x8FD9;&#x6837;&#x4E24;&#x4E2A;&#x5BB9;&#x5668;&#xFF1A;</p>
<ul>
<li><code>istio-init</code>&#xFF1A;&#x7528;&#x4E8E;&#x7ED9; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x5BB9;&#x5668;&#x5373; Envoy &#x4EE3;&#x7406;&#x505A;&#x521D;&#x59CB;&#x5316;&#xFF0C;&#x8BBE;&#x7F6E; iptables &#x7AEF;&#x53E3;&#x8F6C;&#x53D1;</li>
<li><code>istio-proxy</code>&#xFF1A;Envoy &#x4EE3;&#x7406;&#x5BB9;&#x5668;&#xFF0C;&#x8FD0;&#x884C; Envoy &#x4EE3;&#x7406;</li>
</ul>
<p>&#x63A5;&#x4E0B;&#x6765;&#x5C06;&#x5206;&#x522B;&#x89E3;&#x6790;&#x4E0B;&#x8FD9;&#x4E24;&#x4E2A;&#x5BB9;&#x5668;&#x3002;</p>
<h3 id="init-&#x5BB9;&#x5668;&#x89E3;&#x6790;">Init &#x5BB9;&#x5668;&#x89E3;&#x6790;</h3>
<p>Istio &#x5728; Pod &#x4E2D;&#x6CE8;&#x5165;&#x7684; Init &#x5BB9;&#x5668;&#x540D;&#x4E3A; <code>istio-init</code>&#xFF0C;&#x5982;&#x679C;&#x4F60;&#x67E5;&#x770B; <code>reviews</code> Deployment &#x914D;&#x7F6E;&#xFF0C;&#x4F60;&#x5C06;&#x770B;&#x5230;&#x5176;&#x4E2D; <code>initContaienrs</code> &#x7684;&#x542F;&#x52A8;&#x53C2;&#x6570;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash"> initContainers:
- name: istio-init
image: docker.io/istio/proxyv2:1.13.1
args:
- istio-iptables
- <span class="token string">&apos;-p&apos;</span>
- <span class="token string">&apos;15001&apos;</span>
- <span class="token string">&apos;-z&apos;</span>
- <span class="token string">&apos;15006&apos;</span>
- <span class="token string">&apos;-u&apos;</span>
- <span class="token string">&apos;1337&apos;</span>
- <span class="token string">&apos;-m&apos;</span>
- REDIRECT
- <span class="token string">&apos;-i&apos;</span>
- <span class="token string">&apos;*&apos;</span>
- <span class="token string">&apos;-x&apos;</span>
- <span class="token string">&apos;&apos;</span>
- <span class="token string">&apos;-b&apos;</span>
- <span class="token string">&apos;*&apos;</span>
- <span class="token string">&apos;-d&apos;</span>
- <span class="token number">15090,15021</span>,15020
</code></pre>
<p>&#x6211;&#x4EEC;&#x770B;&#x5230; <code>istio-init</code> &#x5BB9;&#x5668;&#x7684;&#x5165;&#x53E3;&#x662F; <code>istio-iptables</code> &#x547D;&#x4EE4;&#xFF0C;&#x8BE5;&#x547D;&#x4EE4;&#x662F;&#x7528;&#x4E8E;&#x521D;&#x59CB;&#x5316;&#x8DEF;&#x7531;&#x8868;&#x7684;&#x3002;</p>
<h3 id="init-&#x5BB9;&#x5668;&#x542F;&#x52A8;&#x5165;&#x53E3;">Init &#x5BB9;&#x5668;&#x542F;&#x52A8;&#x5165;&#x53E3;</h3>
<p>Init &#x5BB9;&#x5668;&#x7684;&#x542F;&#x52A8;&#x5165;&#x53E3;&#x662F; <code>/usr/local/bin/istio-iptable</code> &#x547D;&#x4EE4;&#xFF0C;&#x8BE5;&#x547D;&#x4EE4;&#x7684;&#x7528;&#x6CD5;&#x5982;&#x4E0B;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash">$ istio-iptables -p PORT -u <span class="token environment constant">UID</span> -g GID <span class="token punctuation">[</span>-m mode<span class="token punctuation">]</span> <span class="token punctuation">[</span>-b ports<span class="token punctuation">]</span> <span class="token punctuation">[</span>-d ports<span class="token punctuation">]</span> <span class="token punctuation">[</span>-i CIDR<span class="token punctuation">]</span> <span class="token punctuation">[</span>-x CIDR<span class="token punctuation">]</span> <span class="token punctuation">[</span>-h<span class="token punctuation">]</span>
-p: &#x6307;&#x5B9A;&#x91CD;&#x5B9A;&#x5411;&#x6240;&#x6709; TCP &#x6D41;&#x91CF;&#x7684; Envoy &#x7AEF;&#x53E3;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ENVOY_PORT</span> <span class="token operator">=</span> <span class="token number">15001</span>&#xFF09;
-u: &#x6307;&#x5B9A;&#x672A;&#x5E94;&#x7528;&#x91CD;&#x5B9A;&#x5411;&#x7684;&#x7528;&#x6237;&#x7684; <span class="token environment constant">UID</span>&#x3002;&#x901A;&#x5E38;&#xFF0C;&#x8FD9;&#x662F;&#x4EE3;&#x7406;&#x5BB9;&#x5668;&#x7684; <span class="token environment constant">UID</span>&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ENVOY_USER</span> &#x7684; uid&#xFF0C;istio_proxy &#x7684; uid &#x6216; <span class="token number">1337</span>&#xFF09;
-g: &#x6307;&#x5B9A;&#x672A;&#x5E94;&#x7528;&#x91CD;&#x5B9A;&#x5411;&#x7684;&#x7528;&#x6237;&#x7684; GID&#x3002;&#xFF08;&#x4E0E; -u param &#x76F8;&#x540C;&#x7684;&#x9ED8;&#x8BA4;&#x503C;&#xFF09;
-m: &#x6307;&#x5B9A;&#x5165;&#x7AD9;&#x8FDE;&#x63A5;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy &#x7684;&#x6A21;&#x5F0F;&#xFF0C;&#x201C;REDIRECT&#x201D; &#x6216; &#x201C;TPROXY&#x201D;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ISTIO_INBOUND_INTERCEPTION_MODE</span><span class="token punctuation">)</span>
-b: &#x9017;&#x53F7;&#x5206;&#x9694;&#x7684;&#x5165;&#x7AD9;&#x7AEF;&#x53E3;&#x5217;&#x8868;&#xFF0C;&#x5176;&#x6D41;&#x91CF;&#x5C06;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy&#xFF08;&#x53EF;&#x9009;&#xFF09;&#x3002;&#x4F7F;&#x7528;&#x901A;&#x914D;&#x7B26; &#x201C;*&#x201D; &#x8868;&#x793A;&#x91CD;&#x5B9A;&#x5411;&#x6240;&#x6709;&#x7AEF;&#x53E3;&#x3002;&#x4E3A;&#x7A7A;&#x65F6;&#x8868;&#x793A;&#x7981;&#x7528;&#x6240;&#x6709;&#x5165;&#x7AD9;&#x91CD;&#x5B9A;&#x5411;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ISTIO_INBOUND_PORTS</span>&#xFF09;
-d: &#x6307;&#x5B9A;&#x8981;&#x4ECE;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy &#x4E2D;&#x6392;&#x9664;&#xFF08;&#x53EF;&#x9009;&#xFF09;&#x7684;&#x5165;&#x7AD9;&#x7AEF;&#x53E3;&#x5217;&#x8868;&#xFF0C;&#x4EE5;&#x9017;&#x53F7;&#x683C;&#x5F0F;&#x5206;&#x9694;&#x3002;&#x4F7F;&#x7528;&#x901A;&#x914D;&#x7B26;&#x201C;*&#x201D; &#x8868;&#x793A;&#x91CD;&#x5B9A;&#x5411;&#x6240;&#x6709;&#x5165;&#x7AD9;&#x6D41;&#x91CF;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ISTIO_LOCAL_EXCLUDE_PORTS</span>&#xFF09;
-i: &#x6307;&#x5B9A;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy&#xFF08;&#x53EF;&#x9009;&#xFF09;&#x7684; IP &#x5730;&#x5740;&#x8303;&#x56F4;&#xFF0C;&#x4EE5;&#x9017;&#x53F7;&#x5206;&#x9694;&#x7684; CIDR &#x683C;&#x5F0F;&#x5217;&#x8868;&#x3002;&#x4F7F;&#x7528;&#x901A;&#x914D;&#x7B26; &#x201C;*&#x201D; &#x8868;&#x793A;&#x91CD;&#x5B9A;&#x5411;&#x6240;&#x6709;&#x51FA;&#x7AD9;&#x6D41;&#x91CF;&#x3002;&#x7A7A;&#x5217;&#x8868;&#x5C06;&#x7981;&#x7528;&#x6240;&#x6709;&#x51FA;&#x7AD9;&#x91CD;&#x5B9A;&#x5411;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ISTIO_SERVICE_CIDR</span>&#xFF09;
-x: &#x6307;&#x5B9A;&#x5C06;&#x4ECE;&#x91CD;&#x5B9A;&#x5411;&#x4E2D;&#x6392;&#x9664;&#x7684; IP &#x5730;&#x5740;&#x8303;&#x56F4;&#xFF0C;&#x4EE5;&#x9017;&#x53F7;&#x5206;&#x9694;&#x7684; CIDR &#x683C;&#x5F0F;&#x5217;&#x8868;&#x3002;&#x4F7F;&#x7528;&#x901A;&#x914D;&#x7B26; &#x201C;*&#x201D; &#x8868;&#x793A;&#x91CD;&#x5B9A;&#x5411;&#x6240;&#x6709;&#x51FA;&#x7AD9;&#x6D41;&#x91CF;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$ISTIO_SERVICE_EXCLUDE_CIDR</span>&#xFF09;&#x3002;
-z: &#x6240;&#x6709;&#x5165;&#x7AD9; TCP &#x6D41;&#x91CF;&#x91CD;&#x5B9A;&#x5411;&#x7AEF;&#x53E3;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A; <span class="token variable">$INBOUND_CAPTURE_PORT</span> <span class="token number">15006</span>&#xFF09;
</code></pre>
<p>&#x5173;&#x4E8E;&#x8BE5;&#x547D;&#x4EE4;&#x7684;&#x8BE6;&#x7EC6;&#x4EE3;&#x7801;&#x8BF7;<a href="https://github.com/istio/istio/blob/master/tools/istio-iptables/pkg/cmd/root.go" target="_blank">&#x67E5;&#x770B; GitHub&#xFF1A;<code>tools/istio-iptables/pkg/cmd/root.go</code></a>&#x3002;</p>
<p>&#x518D;&#x53C2;&#x8003; <code>istio-init</code> &#x5BB9;&#x5668;&#x7684;&#x542F;&#x52A8;&#x53C2;&#x6570;&#xFF0C;&#x5B8C;&#x6574;&#x7684;&#x542F;&#x52A8;&#x547D;&#x4EE4;&#x5982;&#x4E0B;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash">$ /usr/local/bin/istio-iptables -p <span class="token number">15001</span> -z <span class="token number">15006</span> -u <span class="token number">1337</span> -m REDIRECT -i <span class="token string">&apos;*&apos;</span> -x <span class="token string">&quot;&quot;</span> -b * -d <span class="token string">&quot;15090,15201,15020&quot;</span>
</code></pre>
<p>&#x8BE5;&#x5BB9;&#x5668;&#x5B58;&#x5728;&#x7684;&#x610F;&#x4E49;&#x5C31;&#x662F;&#x8BA9; Envoy &#x4EE3;&#x7406;&#x53EF;&#x4EE5;&#x62E6;&#x622A;&#x6240;&#x6709;&#x7684;&#x8FDB;&#x51FA; Pod &#x7684;&#x6D41;&#x91CF;&#xFF0C;&#x5373;&#x5C06;&#x5165;&#x7AD9;&#x6D41;&#x91CF;&#x91CD;&#x5B9A;&#x5411;&#x5230; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a>&#xFF0C;&#x518D;&#x62E6;&#x622A;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x7684;&#x51FA;&#x7AD9;&#x6D41;&#x91CF;&#x7ECF;&#x8FC7; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x5904;&#x7406;&#x540E;&#x518D;&#x51FA;&#x7AD9;&#x3002;</p>
<p><strong>&#x547D;&#x4EE4;&#x89E3;&#x6790;</strong></p>
<p>&#x8FD9;&#x6761;&#x542F;&#x52A8;&#x547D;&#x4EE4;&#x7684;&#x4F5C;&#x7528;&#x662F;&#xFF1A;</p>
<ul>
<li>&#x5C06;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x7684;&#x6240;&#x6709;&#x6D41;&#x91CF;&#x90FD;&#x8F6C;&#x53D1;&#x5230; Envoy &#x7684; 15006 &#x7AEF;&#x53E3;&#x3002;</li>
<li>&#x4F7F;&#x7528; <code>istio-proxy</code> &#x7528;&#x6237;&#x8EAB;&#x4EFD;&#x8FD0;&#x884C;&#xFF0C; UID &#x4E3A; 1337&#xFF0C;&#x5373; Envoy &#x6240;&#x5904;&#x7684;&#x7528;&#x6237;&#x7A7A;&#x95F4;&#xFF0C;&#x8FD9;&#x4E5F;&#x662F; <code>istio-proxy</code> &#x5BB9;&#x5668;&#x9ED8;&#x8BA4;&#x4F7F;&#x7528;&#x7684;&#x7528;&#x6237;&#xFF0C;&#x89C1; YAML &#x914D;&#x7F6E;&#x4E2D;&#x7684; <code>runAsUser</code> &#x5B57;&#x6BB5;&#x3002;</li>
<li>&#x4F7F;&#x7528;&#x9ED8;&#x8BA4;&#x7684; <code>REDIRECT</code> &#x6A21;&#x5F0F;&#x6765;&#x91CD;&#x5B9A;&#x5411;&#x6D41;&#x91CF;&#x3002;</li>
<li>&#x5C06;&#x6240;&#x6709;&#x51FA;&#x7AD9;&#x6D41;&#x91CF;&#x90FD;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy &#x4EE3;&#x7406;&#x3002;</li>
<li>&#x5C06;&#x9664;&#x4E86; 15090&#x3001;15201&#x3001;15020 &#x7AEF;&#x53E3;&#x4EE5;&#x5916;&#x7684;&#x6240;&#x6709;&#x7AEF;&#x53E3;&#x7684;&#x6D41;&#x91CF;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy &#x4EE3;&#x7406;&#x3002;</li>
</ul>
<p>&#x56E0;&#x4E3A; Init &#x5BB9;&#x5668;&#x521D;&#x59CB;&#x5316;&#x5B8C;&#x6BD5;&#x540E;&#x5C31;&#x4F1A;&#x81EA;&#x52A8;&#x7EC8;&#x6B62;&#xFF0C;&#x56E0;&#x4E3A;&#x6211;&#x4EEC;&#x65E0;&#x6CD5;&#x767B;&#x9646;&#x5230;&#x5BB9;&#x5668;&#x4E2D;&#x67E5;&#x770B; iptables &#x4FE1;&#x606F;&#xFF0C;&#x4F46;&#x662F; Init &#x5BB9;&#x5668;&#x521D;&#x59CB;&#x5316;&#x7ED3;&#x679C;&#x4F1A;&#x4FDD;&#x7559;&#x5230;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x548C; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x5BB9;&#x5668;&#x4E2D;&#x3002;</p>
<h3 id="istio-proxy-&#x5BB9;&#x5668;&#x89E3;&#x6790;">istio-proxy &#x5BB9;&#x5668;&#x89E3;&#x6790;</h3>
<p>&#x4E3A;&#x4E86;&#x67E5;&#x770B; iptables &#x914D;&#x7F6E;&#xFF0C;&#x6211;&#x4EEC;&#x9700;&#x8981;&#x767B;&#x9646;&#x5230; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x5BB9;&#x5668;&#x4E2D;&#x4F7F;&#x7528; root &#x7528;&#x6237;&#x6765;&#x67E5;&#x770B;&#xFF0C;&#x56E0;&#x4E3A; <code>kubectl</code> &#x65E0;&#x6CD5;&#x4F7F;&#x7528;&#x7279;&#x6743;&#x6A21;&#x5F0F;&#x6765;&#x8FDC;&#x7A0B;&#x64CD;&#x4F5C; docker &#x5BB9;&#x5668;&#xFF0C;&#x6240;&#x4EE5;&#x6211;&#x4EEC;&#x9700;&#x8981;&#x767B;&#x9646;&#x5230; <code>reviews</code> Pod &#x6240;&#x5728;&#x7684;&#x4E3B;&#x673A;&#x4E0A;&#x4F7F;&#x7528; <code>docker</code> &#x547D;&#x4EE4;&#x767B;&#x9646;&#x5BB9;&#x5668;&#x4E2D;&#x67E5;&#x770B;&#x3002;</p>
<p>&#x67E5;&#x770B; <code>reviews</code> Pod &#x6240;&#x5728;&#x7684;&#x4E3B;&#x673A;&#x3002;</p>
<pre class="language-"><code class="lang-bash">$ kubectl -n default get pod -l <span class="token assign-left variable">app</span><span class="token operator">=</span>reviews -o wide
NAME READY STATUS RESTARTS AGE IP NODE
reviews-v1-745ffc55b7-2l2lw <span class="token number">2</span>/2 Running <span class="token number">0</span> 1d <span class="token number">172.33</span>.78.10 node3
</code></pre>
<p>&#x4ECE;&#x8F93;&#x51FA;&#x7ED3;&#x679C;&#x4E2D;&#x53EF;&#x4EE5;&#x770B;&#x5230;&#x8BE5; Pod &#x8FD0;&#x884C;&#x5728; <code>node3</code> &#x4E0A;&#xFF0C;&#x4F7F;&#x7528; <code>vagrant</code> &#x547D;&#x4EE4;&#x767B;&#x9646;&#x5230; <code>node3</code> &#x4E3B;&#x673A;&#x4E2D;&#x5E76;&#x5207;&#x6362;&#x4E3A; root &#x7528;&#x6237;&#x3002;</p>
<pre class="language-"><code class="lang-bash">$ vagrant <span class="token function">ssh</span> node3
$ <span class="token function">sudo</span> -i
</code></pre>
<p>&#x67E5;&#x770B; iptables &#x914D;&#x7F6E;&#xFF0C;&#x5217;&#x51FA; NAT&#xFF08;&#x7F51;&#x7EDC;&#x5730;&#x5740;&#x8F6C;&#x6362;&#xFF09;&#x8868;&#x7684;&#x6240;&#x6709;&#x89C4;&#x5219;&#xFF0C;&#x56E0;&#x4E3A;&#x5728; Init &#x5BB9;&#x5668;&#x542F;&#x52A8;&#x7684;&#x65F6;&#x5019;&#x9009;&#x62E9;&#x7ED9; <code>istio-iptables.sh</code> &#x4F20;&#x9012;&#x7684;&#x53C2;&#x6570;&#x4E2D;&#x6307;&#x5B9A;&#x5C06;&#x5165;&#x7AD9;&#x6D41;&#x91CF;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy &#x7684;&#x6A21;&#x5F0F;&#x4E3A; &#x201C;REDIRECT&#x201D;&#xFF0C;&#x56E0;&#x6B64;&#x5728; iptables &#x4E2D;&#x5C06;&#x53EA;&#x6709; NAT &#x8868;&#x7684;&#x89C4;&#x683C;&#x914D;&#x7F6E;&#xFF0C;&#x5982;&#x679C;&#x9009;&#x62E9; <code>TPROXY</code> &#x8FD8;&#x4F1A;&#x6709; <code>mangle</code> &#x8868;&#x914D;&#x7F6E;&#x3002;<code>iptables</code> &#x547D;&#x4EE4;&#x7684;&#x8BE6;&#x7EC6;&#x7528;&#x6CD5;&#x8BF7;&#x53C2;&#x8003; <a href="https://wangchujiang.com/linux-command/c/iptables.html" target="_blank">iptables</a>&#xFF0C;&#x89C4;&#x5219;&#x914D;&#x7F6E;&#x8BF7;&#x53C2;&#x8003; <a href="http://www.zsythink.net/archives/1517" target="_blank">iptables &#x89C4;&#x5219;&#x914D;&#x7F6E;</a>&#x3002;</p>
<h2 id="&#x7406;&#x89E3;-iptables">&#x7406;&#x89E3; iptables</h2>
<p><code>iptables</code> &#x662F; Linux &#x5185;&#x6838;&#x4E2D;&#x7684;&#x9632;&#x706B;&#x5899;&#x8F6F;&#x4EF6; netfilter &#x7684;&#x7BA1;&#x7406;&#x5DE5;&#x5177;&#xFF0C;&#x4F4D;&#x4E8E;&#x7528;&#x6237;&#x7A7A;&#x95F4;&#xFF0C;&#x540C;&#x65F6;&#x4E5F;&#x662F; netfilter &#x7684;&#x4E00;&#x90E8;&#x5206;&#x3002;Netfilter &#x4F4D;&#x4E8E;&#x5185;&#x6838;&#x7A7A;&#x95F4;&#xFF0C;&#x4E0D;&#x4EC5;&#x6709;&#x7F51;&#x7EDC;&#x5730;&#x5740;&#x8F6C;&#x6362;&#x7684;&#x529F;&#x80FD;&#xFF0C;&#x4E5F;&#x5177;&#x5907;&#x6570;&#x636E;&#x5305;&#x5185;&#x5BB9;&#x4FEE;&#x6539;&#x3001;&#x4EE5;&#x53CA;&#x6570;&#x636E;&#x5305;&#x8FC7;&#x6EE4;&#x7B49;&#x9632;&#x706B;&#x5899;&#x529F;&#x80FD;&#x3002;</p>
<p>&#x5728;&#x4E86;&#x89E3; Init &#x5BB9;&#x5668;&#x521D;&#x59CB;&#x5316;&#x7684; iptables &#x4E4B;&#x524D;&#xFF0C;&#x6211;&#x4EEC;&#x5148;&#x6765;&#x4E86;&#x89E3;&#x4E0B; iptables &#x548C;&#x89C4;&#x5219;&#x914D;&#x7F6E;&#x3002;</p>
<p>&#x4E0B;&#x56FE;&#x5C55;&#x793A;&#x4E86; iptables &#x8C03;&#x7528;&#x94FE;&#x3002;</p>
<figure id="fig7.3.4.1"><a href="../images/iptables.jpg" data-lightbox="ca972fa0-641d-42ae-b289-e811e8b588e9" data-title="iptables &#x8C03;&#x7528;&#x94FE;"><img src="../images/iptables.jpg" alt="iptables &#x8C03;&#x7528;&#x94FE;"></a><figcaption>&#x56FE; 7.3.4.1&#xFF1A;iptables &#x8C03;&#x7528;&#x94FE;</figcaption></figure>
<h3 id="iptables-&#x4E2D;&#x7684;&#x8868;">iptables &#x4E2D;&#x7684;&#x8868;</h3>
<p>Init &#x5BB9;&#x5668;&#x4E2D;&#x4F7F;&#x7528;&#x7684;&#x7684; iptables &#x7248;&#x672C;&#x662F; <code>v1.6.0</code>&#xFF0C;&#x5171;&#x5305;&#x542B; 5 &#x5F20;&#x8868;&#xFF1A;</p>
<ol>
<li><code>raw</code> &#x7528;&#x4E8E;&#x914D;&#x7F6E;&#x6570;&#x636E;&#x5305;&#xFF0C;<code>raw</code> &#x4E2D;&#x7684;&#x6570;&#x636E;&#x5305;&#x4E0D;&#x4F1A;&#x88AB;&#x7CFB;&#x7EDF;&#x8DDF;&#x8E2A;&#x3002;</li>
<li><code>filter</code> &#x662F;&#x7528;&#x4E8E;&#x5B58;&#x653E;&#x6240;&#x6709;&#x4E0E;&#x9632;&#x706B;&#x5899;&#x76F8;&#x5173;&#x64CD;&#x4F5C;&#x7684;&#x9ED8;&#x8BA4;&#x8868;&#x3002;</li>
<li><code>nat</code> &#x7528;&#x4E8E; <a href="https://en.wikipedia.org/wiki/Network_address_translation" target="_blank">&#x7F51;&#x7EDC;&#x5730;&#x5740;&#x8F6C;&#x6362;</a>&#xFF08;&#x4F8B;&#x5982;&#xFF1A;&#x7AEF;&#x53E3;&#x8F6C;&#x53D1;&#xFF09;&#x3002;</li>
<li><code>mangle</code> &#x7528;&#x4E8E;&#x5BF9;&#x7279;&#x5B9A;&#x6570;&#x636E;&#x5305;&#x7684;&#x4FEE;&#x6539;&#xFF08;&#x53C2;&#x8003;<a href="https://en.wikipedia.org/wiki/Mangled_packet" target="_blank">&#x635F;&#x574F;&#x6570;&#x636E;&#x5305;</a>&#xFF09;&#x3002;</li>
<li><code>security</code> &#x7528;&#x4E8E;<a href="https://wiki.archlinux.org/index.php/Security#Mandatory_access_control" target="_blank">&#x5F3A;&#x5236;&#x8BBF;&#x95EE;&#x63A7;&#x5236;</a> &#x7F51;&#x7EDC;&#x89C4;&#x5219;&#x3002;</li>
</ol>
<p><strong>&#x6CE8;</strong>&#xFF1A;&#x5728;&#x672C;&#x793A;&#x4F8B;&#x4E2D;&#x53EA;&#x7528;&#x5230;&#x4E86; <code>nat</code> &#x8868;&#x3002;</p>
<p>&#x4E0D;&#x540C;&#x7684;&#x8868;&#x4E2D;&#x7684;&#x5177;&#x6709;&#x7684;&#x94FE;&#x7C7B;&#x578B;&#x5982;&#x4E0B;&#x8868;&#x6240;&#x793A;&#xFF1A;</p>
<table>
<thead>
<tr>
<th>&#x89C4;&#x5219;&#x540D;&#x79F0;</th>
<th>raw</th>
<th>filter</th>
<th>nat</th>
<th>mangle</th>
<th>security</th>
</tr>
</thead>
<tbody>
<tr>
<td>PREROUTING</td>
<td>&#x2713;</td>
<td></td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td></td>
</tr>
<tr>
<td>INPUT</td>
<td></td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td>&#x2713;</td>
</tr>
<tr>
<td>OUTPUT</td>
<td></td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td>&#x2713;</td>
</tr>
<tr>
<td>POSTROUTING</td>
<td></td>
<td></td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td></td>
</tr>
<tr>
<td>FORWARD</td>
<td>&#x2713;</td>
<td>&#x2713;</td>
<td></td>
<td>&#x2713;</td>
<td>&#x2713;</td>
</tr>
</tbody>
</table>
<p>&#x4E0B;&#x56FE;&#x662F; iptables &#x7684;&#x8C03;&#x7528;&#x94FE;&#x987A;&#x5E8F;&#x3002;</p>
<figure id="fig7.3.4.2"><a href="../images/iptables-chains.jpg" data-lightbox="f059c724-aeb0-49aa-bc64-97e0adba0b4c" data-title="IPtables &#x8C03;&#x7528;&#x94FE;&#x987A;&#x5E8F;"><img src="../images/iptables-chains.jpg" alt="IPtables &#x8C03;&#x7528;&#x94FE;&#x987A;&#x5E8F;"></a><figcaption>&#x56FE; 7.3.4.2&#xFF1A;IPtables &#x8C03;&#x7528;&#x94FE;&#x987A;&#x5E8F;</figcaption></figure>
<h3 id="iptables-&#x547D;&#x4EE4;">iptables &#x547D;&#x4EE4;</h3>
<p><code>iptables</code> &#x547D;&#x4EE4;&#x7684;&#x4E3B;&#x8981;&#x7528;&#x9014;&#x662F;&#x4FEE;&#x6539;&#x8FD9;&#x4E9B;&#x8868;&#x4E2D;&#x7684;&#x89C4;&#x5219;&#x3002;<code>iptables</code> &#x547D;&#x4EE4;&#x683C;&#x5F0F;&#x5982;&#x4E0B;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash">$ iptables <span class="token punctuation">[</span>-t &#x8868;&#x540D;<span class="token punctuation">]</span> &#x547D;&#x4EE4;&#x9009;&#x9879;&#xFF3B;&#x94FE;&#x540D;<span class="token punctuation">]</span>&#xFF3B;&#x6761;&#x4EF6;&#x5339;&#x914D;&#xFF3D;<span class="token punctuation">[</span>-j &#x76EE;&#x6807;&#x52A8;&#x4F5C;&#x6216;&#x8DF3;&#x8F6C;&#xFF3D;
</code></pre>
<p>Init &#x5BB9;&#x5668;&#x4E2D;&#x7684; <code>/istio-iptables.sh</code> &#x542F;&#x52A8;&#x5165;&#x53E3;&#x811A;&#x672C;&#x5C31;&#x662F;&#x6267;&#x884C; iptables &#x521D;&#x59CB;&#x5316;&#x7684;&#x3002;</p>
<h3 id="&#x7406;&#x89E3;-iptables-&#x89C4;&#x5219;">&#x7406;&#x89E3; iptables &#x89C4;&#x5219;</h3>
<p>&#x67E5;&#x770B; <code>istio-proxy</code> &#x5BB9;&#x5668;&#x4E2D;&#x7684;&#x9ED8;&#x8BA4;&#x7684; iptables &#x89C4;&#x5219;&#xFF0C;&#x9ED8;&#x8BA4;&#x67E5;&#x770B;&#x7684;&#x662F; filter &#x8868;&#x4E2D;&#x7684;&#x89C4;&#x5219;&#x3002;</p>
<pre class="language-"><code class="lang-bash">$ iptables -L -v
Chain INPUT <span class="token punctuation">(</span>policy ACCEPT 350K packets, 63M bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
Chain FORWARD <span class="token punctuation">(</span>policy ACCEPT <span class="token number">0</span> packets, <span class="token number">0</span> bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
Chain OUTPUT <span class="token punctuation">(</span>policy ACCEPT 18M packets, 1916M bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
</code></pre>
<p>&#x6211;&#x4EEC;&#x770B;&#x5230;&#x4E09;&#x4E2A;&#x9ED8;&#x8BA4;&#x7684;&#x94FE;&#xFF0C;&#x5206;&#x522B;&#x662F; INPUT&#x3001;FORWARD &#x548C; OUTPUT&#xFF0C;&#x6BCF;&#x4E2A;&#x94FE;&#x4E2D;&#x7684;&#x7B2C;&#x4E00;&#x884C;&#x8F93;&#x51FA;&#x8868;&#x793A;&#x94FE;&#x540D;&#x79F0;&#xFF08;&#x5728;&#x672C;&#x4F8B;&#x4E2D;&#x4E3A; INPUT/FORWARD/OUTPUT&#xFF09;&#xFF0C;&#x540E;&#x8DDF;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#xFF08;ACCEPT&#xFF09;&#x3002;</p>
<p>&#x6BCF;&#x6761;&#x94FE;&#x4E2D;&#x90FD;&#x53EF;&#x4EE5;&#x6DFB;&#x52A0;&#x591A;&#x6761;&#x89C4;&#x5219;&#xFF0C;&#x89C4;&#x5219;&#x662F;&#x6309;&#x7167;&#x987A;&#x5E8F;&#x4ECE;&#x524D;&#x5230;&#x540E;&#x6267;&#x884C;&#x7684;&#x3002;&#x6211;&#x4EEC;&#x6765;&#x770B;&#x4E0B;&#x89C4;&#x5219;&#x7684;&#x8868;&#x5934;&#x5B9A;&#x4E49;&#x3002;</p>
<ul>
<li><strong>pkts</strong>&#xFF1A;&#x5904;&#x7406;&#x8FC7;&#x7684;&#x5339;&#x914D;&#x7684;&#x62A5;&#x6587;&#x6570;&#x91CF;</li>
<li><strong>bytes</strong>&#xFF1A;&#x7D2F;&#x8BA1;&#x5904;&#x7406;&#x7684;&#x62A5;&#x6587;&#x5927;&#x5C0F;&#xFF08;&#x5B57;&#x8282;&#x6570;&#xFF09;</li>
<li><strong>target</strong>&#xFF1A;&#x5982;&#x679C;&#x62A5;&#x6587;&#x4E0E;&#x89C4;&#x5219;&#x5339;&#x914D;&#xFF0C;&#x6307;&#x5B9A;&#x76EE;&#x6807;&#x5C31;&#x4F1A;&#x88AB;&#x6267;&#x884C;&#x3002;</li>
<li><strong>prot</strong>&#xFF1A;&#x534F;&#x8BAE;&#xFF0C;&#x4F8B;&#x5982; <code>tdp</code>&#x3001;<code>udp</code>&#x3001;<code>icmp</code> &#x548C; <code>all</code>&#x3002;</li>
<li><strong>opt</strong>&#xFF1A;&#x5F88;&#x5C11;&#x4F7F;&#x7528;&#xFF0C;&#x8FD9;&#x4E00;&#x5217;&#x7528;&#x4E8E;&#x663E;&#x793A; IP &#x9009;&#x9879;&#x3002;</li>
<li><strong>in</strong>&#xFF1A;&#x5165;&#x7AD9;&#x7F51;&#x5361;&#x3002;</li>
<li><strong>out</strong>&#xFF1A;&#x51FA;&#x7AD9;&#x7F51;&#x5361;&#x3002;</li>
<li><strong>source</strong>&#xFF1A;&#x6D41;&#x91CF;&#x7684;&#x6E90; IP &#x5730;&#x5740;&#x6216;&#x5B50;&#x7F51;&#xFF0C;&#x540E;&#x8005;&#x662F; <code>anywhere</code>&#x3002;</li>
<li><strong>destination</strong>&#xFF1A;&#x6D41;&#x91CF;&#x7684;&#x76EE;&#x7684;&#x5730; IP &#x5730;&#x5740;&#x6216;&#x5B50;&#x7F51;&#xFF0C;&#x6216;&#x8005;&#x662F; <code>anywhere</code>&#x3002;</li>
</ul>
<p>&#x8FD8;&#x6709;&#x4E00;&#x5217;&#x6CA1;&#x6709;&#x8868;&#x5934;&#xFF0C;&#x663E;&#x793A;&#x5728;&#x6700;&#x540E;&#xFF0C;&#x8868;&#x793A;&#x89C4;&#x5219;&#x7684;&#x9009;&#x9879;&#xFF0C;&#x4F5C;&#x4E3A;&#x89C4;&#x5219;&#x7684;&#x6269;&#x5C55;&#x5339;&#x914D;&#x6761;&#x4EF6;&#xFF0C;&#x7528;&#x6765;&#x8865;&#x5145;&#x524D;&#x9762;&#x7684;&#x51E0;&#x5217;&#x4E2D;&#x7684;&#x914D;&#x7F6E;&#x3002;<code>prot</code>&#x3001;<code>opt</code>&#x3001;<code>in</code>&#x3001;<code>out</code>&#x3001;<code>source</code> &#x548C; <code>destination</code> &#x548C;&#x663E;&#x793A;&#x5728; <code>destination</code> &#x540E;&#x9762;&#x7684;&#x6CA1;&#x6709;&#x8868;&#x5934;&#x7684;&#x4E00;&#x5217;&#x6269;&#x5C55;&#x6761;&#x4EF6;&#x5171;&#x540C;&#x7EC4;&#x6210;&#x5339;&#x914D;&#x89C4;&#x5219;&#x3002;&#x5F53;&#x6D41;&#x91CF;&#x5339;&#x914D;&#x8FD9;&#x4E9B;&#x89C4;&#x5219;&#x540E;&#x5C31;&#x4F1A;&#x6267;&#x884C; <code>target</code>&#x3002;</p>
<p><strong>target &#x652F;&#x6301;&#x7684;&#x7C7B;&#x578B;</strong></p>
<p><code>target</code> &#x7C7B;&#x578B;&#x5305;&#x62EC; ACCEPT<code>&#x3001;REJECT</code>&#x3001;<code>DROP</code>&#x3001;<code>LOG</code> &#x3001;<code>SNAT</code>&#x3001;<code>MASQUERADE</code>&#x3001;<code>DNAT</code>&#x3001;<code>REDIRECT</code>&#x3001;<code>RETURN</code> &#x6216;&#x8005;&#x8DF3;&#x8F6C;&#x5230;&#x5176;&#x4ED6;&#x89C4;&#x5219;&#x7B49;&#x3002;&#x53EA;&#x8981;&#x6267;&#x884C;&#x5230;&#x67D0;&#x4E00;&#x6761;&#x94FE;&#x4E2D;&#x53EA;&#x6709;&#x6309;&#x7167;&#x987A;&#x5E8F;&#x6709;&#x4E00;&#x6761;&#x89C4;&#x5219;&#x5339;&#x914D;&#x540E;&#x5C31;&#x53EF;&#x4EE5;&#x786E;&#x5B9A;&#x62A5;&#x6587;&#x7684;&#x53BB;&#x5411;&#x4E86;&#xFF0C;&#x9664;&#x4E86; <code>RETURN</code> &#x7C7B;&#x578B;&#xFF0C;&#x7C7B;&#x4F3C;&#x7F16;&#x7A0B;&#x8BED;&#x8A00;&#x4E2D;&#x7684; <code>return</code> &#x8BED;&#x53E5;&#xFF0C;&#x8FD4;&#x56DE;&#x5230;&#x5B83;&#x7684;&#x8C03;&#x7528;&#x70B9;&#xFF0C;&#x7EE7;&#x7EED;&#x6267;&#x884C;&#x4E0B;&#x4E00;&#x6761;&#x89C4;&#x5219;&#x3002;<code>target</code> &#x652F;&#x6301;&#x7684;&#x914D;&#x7F6E;&#x8BE6;&#x89E3;&#x8BF7;&#x53C2;&#x8003; <a href="http://www.zsythink.net/archives/1199" target="_blank">iptables &#x8BE6;&#x89E3;&#xFF08;1&#xFF09;&#xFF1A;iptables &#x6982;&#x5FF5;</a>&#x3002;</p>
<p>&#x4ECE;&#x8F93;&#x51FA;&#x7ED3;&#x679C;&#x4E2D;&#x53EF;&#x4EE5;&#x770B;&#x5230; Init &#x5BB9;&#x5668;&#x6CA1;&#x6709;&#x5728; iptables &#x7684;&#x9ED8;&#x8BA4;&#x94FE;&#x8DEF;&#x4E2D;&#x521B;&#x5EFA;&#x4EFB;&#x4F55;&#x89C4;&#x5219;&#xFF0C;&#x800C;&#x662F;&#x521B;&#x5EFA;&#x4E86;&#x65B0;&#x7684;&#x94FE;&#x8DEF;&#x3002;</p>
<h2 id="&#x67E5;&#x770B;-iptables-nat-&#x8868;&#x4E2D;&#x6CE8;&#x5165;&#x7684;&#x89C4;&#x5219;">&#x67E5;&#x770B; iptables nat &#x8868;&#x4E2D;&#x6CE8;&#x5165;&#x7684;&#x89C4;&#x5219;</h2>
<p>Init &#x5BB9;&#x5668;&#x901A;&#x8FC7;&#x5411; iptables nat &#x8868;&#x4E2D;&#x6CE8;&#x5165;&#x8F6C;&#x53D1;&#x89C4;&#x5219;&#x6765;&#x52AB;&#x6301;&#x6D41;&#x91CF;&#x7684;&#xFF0C;&#x4E0B;&#x56FE;&#x663E;&#x793A;&#x7684;&#x662F;&#x4E09;&#x4E2A; reviews &#x670D;&#x52A1;&#x793A;&#x4F8B;&#x4E2D;&#x7684;&#x67D0;&#x4E00;&#x4E2A; Pod&#xFF0C;&#x5176;&#x4E2D;&#x6709; init &#x5BB9;&#x5668;&#x3001;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x548C; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x5BB9;&#x5668;&#xFF0C;&#x56FE;&#x4E2D;&#x5C55;&#x793A;&#x4E86; iptables &#x6D41;&#x91CF;&#x52AB;&#x6301;&#x7684;&#x8BE6;&#x7EC6;&#x8FC7;&#x7A0B;&#x3002;</p>
<figure id="fig7.3.4.3"><a href="../images/envoy-sidecar-traffic-interception-zh-20220424.jpg" data-lightbox="a7b565b2-937c-40af-bfd0-71643e01f7e8" data-title="Sidecar &#x6D41;&#x91CF;&#x52AB;&#x6301;&#x793A;&#x610F;&#x56FE;"><img src="../images/envoy-sidecar-traffic-interception-zh-20220424.jpg" alt="Sidecar &#x6D41;&#x91CF;&#x52AB;&#x6301;&#x793A;&#x610F;&#x56FE;"></a><figcaption>&#x56FE; 7.3.4.3&#xFF1A;<a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">Sidecar</a> &#x6D41;&#x91CF;&#x52AB;&#x6301;&#x793A;&#x610F;&#x56FE;</figcaption></figure>
<p>Init &#x5BB9;&#x5668;&#x542F;&#x52A8;&#x65F6;&#x547D;&#x4EE4;&#x884C;&#x53C2;&#x6570;&#x4E2D;&#x6307;&#x5B9A;&#x4E86; <code>REDIRECT</code> &#x6A21;&#x5F0F;&#xFF0C;&#x56E0;&#x6B64;&#x53EA;&#x521B;&#x5EFA;&#x4E86; NAT &#x8868;&#x89C4;&#x5219;&#xFF0C;&#x63A5;&#x4E0B;&#x6765;&#x6211;&#x4EEC;&#x67E5;&#x770B;&#x4E0B; NAT &#x8868;&#x4E2D;&#x521B;&#x5EFA;&#x7684;&#x89C4;&#x5219;&#xFF0C;&#x8FD9;&#x662F;&#x5168;&#x6587;&#x4E2D;&#x7684;<strong>&#x91CD;&#x70B9;&#x90E8;&#x5206;</strong>&#xFF0C;&#x524D;&#x9762;&#x8BB2;&#x4E86;&#x90A3;&#x4E48;&#x591A;&#x90FD;&#x662F;&#x4E3A;&#x5B83;&#x505A;&#x94FA;&#x57AB;&#x7684;&#x3002;</p>
<h3 id="&#x8FDB;&#x5165;&#x5230;-reviews-pod">&#x8FDB;&#x5165;&#x5230; reviews pod</h3>
<p>Reviews &#x670D;&#x52A1;&#x6709;&#x4E09;&#x4E2A;&#x7248;&#x672C;&#xFF0C;&#x6211;&#x4EEC;&#x8FDB;&#x5165;&#x5230;&#x5176;&#x4E2D;&#x4EFB;&#x610F;&#x4E00;&#x4E2A;&#x7248;&#x672C;&#xFF0C;&#x4F8B;&#x5982; reviews-1&#xFF0C;&#x9996;&#x5148;&#x4F60;&#x9700;&#x8981;&#x641E;&#x6E05;&#x695A;&#x8FD9;&#x4E2A; pod &#x8FD0;&#x884C;&#x5728;&#x54EA;&#x4E2A;&#x8282;&#x70B9;&#x4E0A;&#xFF0C;&#x77E5;&#x9053;&#x90A3;&#x4E2A;&#x5BB9;&#x5668;&#x7684;&#x5177;&#x4F53; ID&#xFF0C;&#x7136;&#x540E;&#x4F7F;&#x7528; SSH &#x767B;&#x5F55;&#x90A3;&#x4E2A;&#x8282;&#x70B9;&#xFF0C;&#x4F7F;&#x7528; <code>ps</code> &#x547D;&#x4EE4;&#x67E5;&#x770B;&#x5230;&#x90A3;&#x4E2A;&#x5BB9;&#x5668;&#x7684;&#x5177;&#x4F53; PID&#xFF0C;&#x4F7F;&#x7528; <code>nsenter</code> &#x547D;&#x4EE4;&#x8FDB;&#x5165;&#x8BE5;&#x5BB9;&#x5668;&#x3002;</p>
<pre class="language-"><code class="lang-sh">nsenter -t<span class="token punctuation">{</span>PID<span class="token punctuation">}</span> -n
</code></pre>
<p><strong>&#x4E3A;&#x4EC0;&#x4E48;&#x4E0D;&#x76F4;&#x63A5;&#x4F7F;&#x7528; kubectl &#x8FDB;&#x5165;&#x5BB9;&#x5668;&#xFF1F;</strong></p>
<p>Istio &#x5411; pod &#x4E2D;&#x81EA;&#x52A8;&#x6CE8;&#x5165;&#x7684; <a href="../GLOSSARY.html#sidecar" class="glossary-term" title="Sidecar&#xFF0C;&#x5168;&#x79F0; Sidecar proxy&#xFF0C;&#x4E3A;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x65C1;&#x8FD0;&#x884C;&#x7684;&#x5355;&#x72EC;&#x7684;&#x8FDB;&#x7A0B;&#xFF0C;&#x5B83;&#x53EF;&#x4EE5;&#x4E3A;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x6DFB;&#x52A0;&#x8BB8;&#x591A;&#x529F;&#x80FD;&#xFF0C;&#x800C;&#x65E0;&#x9700;&#x5728;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x4E2D;&#x6DFB;&#x52A0;&#x989D;&#x5916;&#x7684;&#x7B2C;&#x4E09;&#x65B9;&#x7EC4;&#x4EF6;&#xFF0C;&#x6216;&#x4FEE;&#x6539;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x4EE3;&#x7801;&#x6216;&#x914D;&#x7F6E;&#x3002;">sidecar</a> &#x5BB9;&#x5668;&#xFF08;&#x540D;&#x4E3A; <code>istio-proxy</code>&#xFF09;&#x5176;&#x4E2D;&#x9ED8;&#x8BA4;&#x7684;&#x7528;&#x6237;&#x662F; <code>istio-proxy</code>&#xFF0C;&#x8BE5;&#x7528;&#x6237;&#x6CA1;&#x6709;&#x6743;&#x9650;&#x67E5;&#x770B;&#x8DEF;&#x7531;&#x8868;&#x89C4;&#x5219;&#xFF0C;&#x5373;&#x5F53;&#x4F60;&#x5728;&#x8BE5;&#x5BB9;&#x5668;&#x4E2D;&#x8FD0;&#x884C; <code>iptabes</code> &#x547D;&#x4EE4;&#x65F6;&#x4F1A;&#x5F97;&#x5230; <code>iptables -t nat -L -v</code> &#x8FD9;&#x6837;&#x7684;&#x7ED3;&#x679C;&#xFF0C;&#x800C;&#x4E14;&#x4F60;&#x53C8;&#x6CA1;&#x6709; root &#x6743;&#x9650;&#x3002;&#x5BF9;&#x4E8E; reviews &#x5BB9;&#x5668;&#x4E5F;&#x662F;&#x4E00;&#x6837;&#xFF0C;&#x9ED8;&#x8BA4;&#x7528;&#x6237;&#x7684; UID &#x662F; <code>1000</code>&#xFF0C;&#x800C;&#x4E14;&#x8FD9;&#x4E2A;&#x7528;&#x6237;&#x53C8;&#x6CA1;&#x6709;&#x540D;&#x5B57;&#xFF0C;&#x4E00;&#x6837;&#x4E5F;&#x65E0;&#x6CD5;&#x5207;&#x6362;&#x4E3A; root &#x7528;&#x6237;&#xFF0C;&#x7CFB;&#x7EDF;&#x4E2D;&#x9ED8;&#x8BA4;&#x6CA1;&#x6709;&#x5B89;&#x88C5; iptabels &#x547D;&#x4EE4;&#x3002;&#x6240;&#x4EE5;&#x6211;&#x4EEC;&#x53EA;&#x80FD;&#x767B;&#x5F55;&#x5230; Pod &#x7684;&#x5BBF;&#x4E3B;&#x8282;&#x70B9;&#x4E0A;&#xFF0C;&#x4F7F;&#x7528; <code>nsenter</code> &#x547D;&#x4EE4;&#x8FDB;&#x5165;&#x5BB9;&#x5668;&#x5185;&#x90E8;&#x3002;</p>
<h3 id="&#x67E5;&#x770B;&#x8DEF;&#x7531;&#x8868;">&#x67E5;&#x770B;&#x8DEF;&#x7531;&#x8868;</h3>
<p>&#x4E0B;&#x9762;&#x662F;&#x67E5;&#x770B; nat &#x8868;&#x4E2D;&#x7684;&#x89C4;&#x5219;&#xFF0C;&#x5176;&#x4E2D;&#x94FE;&#x7684;&#x540D;&#x5B57;&#x4E2D;&#x5305;&#x542B; <code>ISTIO</code> &#x524D;&#x7F00;&#x7684;&#x662F;&#x7531; Init &#x5BB9;&#x5668;&#x6CE8;&#x5165;&#x7684;&#xFF0C;&#x89C4;&#x5219;&#x5339;&#x914D;&#x662F;&#x6839;&#x636E;&#x4E0B;&#x9762;&#x663E;&#x793A;&#x7684;&#x987A;&#x5E8F;&#x6765;&#x6267;&#x884C;&#x7684;&#xFF0C;&#x5176;&#x4E2D;&#x4F1A;&#x6709;&#x591A;&#x6B21;&#x8DF3;&#x8F6C;&#x3002;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># PREROUTING &#x94FE;&#xFF1A;&#x7528;&#x4E8E;&#x76EE;&#x6807;&#x5730;&#x5740;&#x8F6C;&#x6362;&#xFF08;DNAT&#xFF09;&#xFF0C;&#x5C06;&#x6240;&#x6709;&#x5165;&#x7AD9; TCP &#x6D41;&#x91CF;&#x8DF3;&#x8F6C;&#x5230; ISTIO_INBOUND &#x94FE;&#x4E0A;&#x3002;</span>
Chain PREROUTING <span class="token punctuation">(</span>policy ACCEPT <span class="token number">2701</span> packets, 162K bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token number">2701</span> 162K ISTIO_INBOUND tcp -- any any anywhere anywhere
<span class="token comment"># INPUT &#x94FE;&#xFF1A;&#x5904;&#x7406;&#x8F93;&#x5165;&#x6570;&#x636E;&#x5305;&#xFF0C;&#x975E; TCP &#x6D41;&#x91CF;&#x5C06;&#x7EE7;&#x7EED; OUTPUT &#x94FE;&#x3002;</span>
Chain INPUT <span class="token punctuation">(</span>policy ACCEPT <span class="token number">2701</span> packets, 162K bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token comment"># OUTPUT &#x94FE;&#xFF1A;&#x5C06;&#x6240;&#x6709;&#x51FA;&#x7AD9;&#x6570;&#x636E;&#x5305;&#x8DF3;&#x8F6C;&#x5230; ISTIO_OUTPUT &#x94FE;&#x4E0A;&#x3002;</span>
Chain OUTPUT <span class="token punctuation">(</span>policy ACCEPT <span class="token number">79</span> packets, <span class="token number">6761</span> bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token number">15</span> <span class="token number">900</span> ISTIO_OUTPUT tcp -- any any anywhere anywhere
<span class="token comment"># POSTROUTING &#x94FE;&#xFF1A;&#x6240;&#x6709;&#x6570;&#x636E;&#x5305;&#x6D41;&#x51FA;&#x7F51;&#x5361;&#x65F6;&#x90FD;&#x8981;&#x5148;&#x8FDB;&#x5165; POSTROUTING &#x94FE;&#xFF0C;&#x5185;&#x6838;&#x6839;&#x636E;&#x6570;&#x636E;&#x5305;&#x76EE;&#x7684;&#x5730;&#x5224;&#x65AD;&#x662F;&#x5426;&#x9700;&#x8981;&#x8F6C;&#x53D1;&#x51FA;&#x53BB;&#xFF0C;&#x6211;&#x4EEC;&#x770B;&#x5230;&#x6B64;&#x5904;&#x672A;&#x505A;&#x4EFB;&#x4F55;&#x5904;&#x7406;&#x3002;</span>
Chain POSTROUTING <span class="token punctuation">(</span>policy ACCEPT <span class="token number">79</span> packets, <span class="token number">6761</span> bytes<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token comment"># ISTIO_INBOUND &#x94FE;&#xFF1A;&#x5C06;&#x6240;&#x6709;&#x5165;&#x7AD9;&#x6D41;&#x91CF;&#x91CD;&#x5B9A;&#x5411;&#x5230; ISTIO_IN_REDIRECT &#x94FE;&#x4E0A;&#x3002;&#x76EE;&#x7684;&#x5730;&#x4E3A; 15090&#xFF08;Prometheus &#x4F7F;&#x7528;&#xFF09;&#x548C; 15020&#xFF08;Ingress gateway &#x4F7F;&#x7528;&#xFF0C;&#x7528;&#x4E8E; Pilot &#x5065;&#x5EB7;&#x68C0;&#x67E5;&#xFF09;&#x7AEF;&#x53E3;&#x7684;&#x6D41;&#x91CF;&#x9664;&#x5916;&#xFF0C;&#x53D1;&#x9001;&#x5230;&#x4EE5;&#x4E0A;&#x4E24;&#x4E2A;&#x7AEF;&#x53E3;&#x7684;&#x6D41;&#x91CF;&#x5C06;&#x8FD4;&#x56DE; iptables &#x89C4;&#x5219;&#x94FE;&#x7684;&#x8C03;&#x7528;&#x70B9;&#xFF0C;&#x5373; PREROUTING &#x94FE;&#x7684;&#x540E;&#x7EE7; POSTROUTING &#x540E;&#x76F4;&#x63A5;&#x8C03;&#x7528;&#x539F;&#x59CB;&#x76EE;&#x7684;&#x5730;&#x3002;</span>
Chain ISTIO_INBOUND <span class="token punctuation">(</span><span class="token number">1</span> references<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token number">0</span> <span class="token number">0</span> RETURN tcp -- any any anywhere anywhere tcp dpt:ssh
<span class="token number">2</span> <span class="token number">120</span> RETURN tcp -- any any anywhere anywhere tcp dpt:15090
<span class="token number">2699</span> 162K RETURN tcp -- any any anywhere anywhere tcp dpt:15020
<span class="token number">0</span> <span class="token number">0</span> ISTIO_IN_REDIRECT tcp -- any any anywhere anywhere
<span class="token comment"># ISTIO_IN_REDIRECT &#x94FE;&#xFF1A;&#x5C06;&#x6240;&#x6709;&#x7684;&#x5165;&#x7AD9;&#x6D41;&#x91CF;&#x8DF3;&#x8F6C;&#x5230;&#x672C;&#x5730;&#x7684; 15006 &#x7AEF;&#x53E3;&#xFF0C;&#x81F3;&#x6B64;&#x6210;&#x529F;&#x7684;&#x62E6;&#x622A;&#x4E86;&#x6D41;&#x91CF;&#x5230; sidecar &#x4EE3;&#x7406;&#x7684; Inbound Handler &#x4E2D;&#x3002;</span>
Chain ISTIO_IN_REDIRECT <span class="token punctuation">(</span><span class="token number">3</span> references<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token number">0</span> <span class="token number">0</span> REDIRECT tcp -- any any anywhere anywhere redir ports <span class="token number">15006</span>
<span class="token comment"># ISTIO_OUTPUT &#x94FE;&#xFF1A;&#x89C4;&#x5219;&#x6BD4;&#x8F83;&#x590D;&#x6742;&#xFF0C;&#x5C06;&#x5728;&#x4E0B;&#x6587;&#x89E3;&#x91CA;</span>
Chain ISTIO_OUTPUT <span class="token punctuation">(</span><span class="token number">1</span> references<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token number">0</span> <span class="token number">0</span> RETURN all -- any lo <span class="token number">127.0</span>.0.6 anywhere <span class="token comment">#&#x89C4;&#x5219;1</span>
<span class="token number">0</span> <span class="token number">0</span> ISTIO_IN_REDIRECT all -- any lo anywhere <span class="token operator">!</span>localhost owner <span class="token environment constant">UID</span> match <span class="token number">1337</span> <span class="token comment">#&#x89C4;&#x5219;2</span>
<span class="token number">0</span> <span class="token number">0</span> RETURN all -- any lo anywhere anywhere <span class="token operator">!</span> owner <span class="token environment constant">UID</span> match <span class="token number">1337</span> <span class="token comment">#&#x89C4;&#x5219;3</span>
<span class="token number">15</span> <span class="token number">900</span> RETURN all -- any any anywhere anywhere owner <span class="token environment constant">UID</span> match <span class="token number">1337</span> <span class="token comment">#&#x89C4;&#x5219;4</span>
<span class="token number">0</span> <span class="token number">0</span> ISTIO_IN_REDIRECT all -- any lo anywhere <span class="token operator">!</span>localhost owner GID match <span class="token number">1337</span> <span class="token comment">#&#x89C4;&#x5219;5</span>
<span class="token number">0</span> <span class="token number">0</span> RETURN all -- any lo anywhere anywhere <span class="token operator">!</span> owner GID match <span class="token number">1337</span> <span class="token comment">#&#x89C4;&#x5219;6</span>
<span class="token number">0</span> <span class="token number">0</span> RETURN all -- any any anywhere anywhere owner GID match <span class="token number">1337</span> <span class="token comment">#&#x89C4;&#x5219;7</span>
<span class="token number">0</span> <span class="token number">0</span> RETURN all -- any any anywhere localhost <span class="token comment">#&#x89C4;&#x5219;8</span>
<span class="token number">0</span> <span class="token number">0</span> ISTIO_REDIRECT all -- any any anywhere anywhere <span class="token comment">#&#x89C4;&#x5219;9</span>
<span class="token comment"># ISTIO_REDIRECT &#x94FE;&#xFF1A;&#x5C06;&#x6240;&#x6709;&#x6D41;&#x91CF;&#x91CD;&#x5B9A;&#x5411;&#x5230; Envoy &#x4EE3;&#x7406;&#x7684; 15001 &#x7AEF;&#x53E3;&#x3002;</span>
Chain ISTIO_REDIRECT <span class="token punctuation">(</span><span class="token number">1</span> references<span class="token punctuation">)</span>
pkts bytes target prot opt <span class="token keyword">in</span> out <span class="token builtin class-name">source</span> destination
<span class="token number">0</span> <span class="token number">0</span> REDIRECT tcp -- any any anywhere anywhere redir ports <span class="token number">15001</span>
</code></pre>
<p>&#x8FD9;&#x91CC;&#x7740;&#x91CD;&#x9700;&#x8981;&#x89E3;&#x91CA;&#x7684;&#x662F; <code>ISTIO_OUTPUT</code> &#x94FE;&#x4E2D;&#x7684; 9 &#x6761;&#x89C4;&#x5219;&#xFF0C;&#x4E3A;&#x4E86;&#x4FBF;&#x4E8E;&#x9605;&#x8BFB;&#xFF0C;&#x6211;&#x5C06;&#x4EE5;&#x4E0A;&#x89C4;&#x5219;&#x4E2D;&#x7684;&#x90E8;&#x5206;&#x5185;&#x5BB9;&#x4F7F;&#x7528;&#x8868;&#x683C;&#x7684;&#x5F62;&#x5F0F;&#x6765;&#x5C55;&#x793A;&#x5982;&#x4E0B;&#xFF1A;</p>
<table>
<thead>
<tr>
<th><strong>&#x89C4;&#x5219;</strong></th>
<th><strong>target</strong></th>
<th><strong>in</strong></th>
<th><strong>out</strong></th>
<th><strong>source</strong></th>
<th><strong>destination</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>RETURN</td>
<td>any</td>
<td>lo</td>
<td>127.0.0.6</td>
<td>anywhere</td>
</tr>
<tr>
<td>2</td>
<td>ISTIO_IN_REDIRECT</td>
<td>any</td>
<td>lo</td>
<td>anywhere</td>
<td>!localhost owner UID match 1337</td>
</tr>
<tr>
<td>3</td>
<td>RETURN</td>
<td>any</td>
<td>lo</td>
<td>anywhere</td>
<td>anywhere !owner UID match 1337</td>
</tr>
<tr>
<td>4</td>
<td>RETURN</td>
<td>any</td>
<td>any</td>
<td>anywhere</td>
<td>anywhere owner UID match 1337</td>
</tr>
<tr>
<td>5</td>
<td>ISTIO_IN_REDIRECT</td>
<td>any</td>
<td>lo</td>
<td>anywhere</td>
<td>!localhost owner GID match 1337</td>
</tr>
<tr>
<td>6</td>
<td>RETURN</td>
<td>any</td>
<td>lo</td>
<td>anywhere</td>
<td>anywhere !owner GID match 1337</td>
</tr>
<tr>
<td>7</td>
<td>RETURN</td>
<td>any</td>
<td>any</td>
<td>anywhere</td>
<td>anywhere owner GID match 1337</td>
</tr>
<tr>
<td>8</td>
<td>RETURN</td>
<td>any</td>
<td>any</td>
<td>anywhere</td>
<td>localhost</td>
</tr>
<tr>
<td>9</td>
<td>ISTIO_REDIRECT</td>
<td>any</td>
<td>any</td>
<td>anywhere</td>
<td>anywhere</td>
</tr>
</tbody>
</table>
<p>&#x4E0B;&#x56FE;&#x5C55;&#x793A;&#x4E86; <code>ISTIO_ROUTE</code> &#x89C4;&#x5219;&#x7684;&#x8BE6;&#x7EC6;&#x6D41;&#x7A0B;&#x3002;</p>
<figure id="fig7.3.4.4"><a href="../images/istio-route-iptables.jpg" data-lightbox="c3742afe-ad36-4e48-baf4-6e8075d61242" data-title="ISTIO_ROUTE iptables &#x89C4;&#x5219;&#x6D41;&#x7A0B;&#x56FE;"><img src="../images/istio-route-iptables.jpg" alt="ISTIO_ROUTE iptables &#x89C4;&#x5219;&#x6D41;&#x7A0B;&#x56FE;"></a><figcaption>&#x56FE; 7.3.4.4&#xFF1A;ISTIO_ROUTE iptables &#x89C4;&#x5219;&#x6D41;&#x7A0B;&#x56FE;</figcaption></figure>
<p>&#x6211;&#x5C06;&#x6309;&#x7167;&#x89C4;&#x5219;&#x7684;&#x51FA;&#x73B0;&#x987A;&#x5E8F;&#x6765;&#x89E3;&#x91CA;&#x6BCF;&#x6761;&#x89C4;&#x5219;&#x7684;&#x76EE;&#x7684;&#x3001;&#x5BF9;&#x5E94;&#x6587;&#x7AE0;&#x5F00;&#x5934;&#x56FE;&#x793A;&#x4E2D;&#x7684;&#x6B65;&#x9AA4;&#x53CA;&#x8BE6;&#x60C5;&#x3002;&#x5176;&#x4E2D;&#x89C4;&#x5219; 5&#x3001;6&#x3001;7 &#x662F;&#x5206;&#x522B;&#x5BF9;&#x89C4;&#x5219; 2&#x3001;3&#x3001;4 &#x7684;&#x5E94;&#x7528;&#x8303;&#x56F4;&#x6269;&#x5927;&#xFF08;&#x4ECE; UID &#x6269;&#x5927;&#x4E3A; GID&#xFF09;&#xFF0C;&#x4F5C;&#x7528;&#x662F;&#x7C7B;&#x4F3C;&#x7684;&#xFF0C;&#x5C06;&#x5408;&#x5E76;&#x89E3;&#x91CA;&#x3002;&#x6CE8;&#x610F;&#xFF0C;&#x5176;&#x4E2D;&#x7684;&#x89C4;&#x5219;&#x662F;&#x6309;&#x987A;&#x5E8F;&#x6267;&#x884C;&#x7684;&#xFF0C;&#x4E5F;&#x5C31;&#x662F;&#x8BF4;&#x6392;&#x5E8F;&#x8D8A;&#x9760;&#x540E;&#x7684;&#x89C4;&#x5219;&#x5C06;&#x4F5C;&#x4E3A;&#x9ED8;&#x8BA4;&#x503C;&#x3002;&#x51FA;&#x7AD9;&#x7F51;&#x5361;&#xFF08;out&#xFF09;&#x4E3A; <code>lo</code> &#xFF08;&#x672C;&#x5730;&#x56DE;&#x73AF;&#x5730;&#x5740;&#xFF0C;loopback &#x63A5;&#x53E3;&#xFF09;&#x65F6;&#xFF0C;&#x8868;&#x793A;&#x6D41;&#x91CF;&#x7684;&#x76EE;&#x7684;&#x5730;&#x662F;&#x672C;&#x5730; Pod&#xFF0C;&#x5BF9;&#x4E8E; Pod &#x5411;&#x5916;&#x90E8;&#x53D1;&#x9001;&#x7684;&#x6D41;&#x91CF;&#x5C31;&#x4E0D;&#x4F1A;&#x7ECF;&#x8FC7;&#x8FD9;&#x4E2A;&#x63A5;&#x53E3;&#x3002;&#x6240;&#x6709; <code>review</code> Pod &#x7684;&#x51FA;&#x7AD9;&#x6D41;&#x91CF;&#x53EA;&#x9002;&#x7528;&#x4E8E;&#x89C4;&#x5219; 4&#x3001;7&#x3001;8&#x3001;9&#x3002;</p>
<p><strong>&#x89C4;&#x5219; 1</strong></p>
<ul>
<li>&#x76EE;&#x7684;&#xFF1A;<strong>&#x900F;&#x4F20;</strong> Envoy &#x4EE3;&#x7406;&#x53D1;&#x9001;&#x5230;&#x672C;&#x5730;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x7684;&#x6D41;&#x91CF;&#xFF0C;&#x4F7F;&#x5176;&#x7ED5;&#x8FC7; Envoy &#x4EE3;&#x7406;&#xFF0C;&#x76F4;&#x8FBE;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x3002;</li>
<li>&#x5BF9;&#x5E94;&#x56FE;&#x793A;&#x4E2D;&#x7684;&#x6B65;&#x9AA4;&#xFF1A;6 &#x5230; 7&#x3002;</li>
<li>&#x8BE6;&#x60C5;&#xFF1A;&#x8BE5;&#x89C4;&#x5219;&#x4F7F;&#x5F97;&#x6240;&#x6709;&#x6765;&#x81EA; <code>127.0.0.6</code>&#xFF08;&#x8BE5; IP &#x5730;&#x5740;&#x5C06;&#x5728;&#x4E0B;&#x6587;&#x89E3;&#x91CA;&#xFF09; &#x7684;&#x8BF7;&#x6C42;&#xFF0C;&#x8DF3;&#x51FA;&#x8BE5;&#x94FE;&#xFF0C;&#x8FD4;&#x56DE; iptables &#x7684;&#x8C03;&#x7528;&#x70B9;&#xFF08;&#x5373; <code>OUTPUT</code>&#xFF09;&#x540E;&#x7EE7;&#x7EED;&#x6267;&#x884C;&#x5176;&#x4F59;&#x8DEF;&#x7531;&#x89C4;&#x5219;&#xFF0C;&#x5373; <code>POSTROUTING</code> &#x89C4;&#x5219;&#xFF0C;&#x628A;&#x6D41;&#x91CF;&#x53D1;&#x9001;&#x5230;&#x4EFB;&#x610F;&#x76EE;&#x7684;&#x5730;&#x5740;&#xFF0C;&#x5982;&#x672C;&#x5730; Pod &#x5185;&#x7684;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x3002;&#x5982;&#x679C;&#x6CA1;&#x6709;&#x8FD9;&#x6761;&#x89C4;&#x5219;&#xFF0C;&#x7531; Pod &#x5185; Envoy &#x4EE3;&#x7406;&#x53D1;&#x51FA;&#x7684;&#x5BF9; Pod &#x5185;&#x5BB9;&#x5668;&#x8BBF;&#x95EE;&#x7684;&#x6D41;&#x91CF;&#x5C06;&#x4F1A;&#x6267;&#x884C;&#x4E0B;&#x4E00;&#x6761;&#x89C4;&#x5219;&#xFF0C;&#x5373;&#x89C4;&#x5219; 2&#xFF0C;&#x6D41;&#x91CF;&#x5C06;&#x518D;&#x6B21;&#x8FDB;&#x5165;&#x5230;&#x4E86; Inbound Handler &#x4E2D;&#xFF0C;&#x4ECE;&#x800C;&#x5F62;&#x6210;&#x4E86;&#x6B7B;&#x5FAA;&#x73AF;&#x3002;&#x5C06;&#x8FD9;&#x6761;&#x89C4;&#x5219;&#x653E;&#x5728;&#x7B2C;&#x4E00;&#x4F4D;&#x53EF;&#x4EE5;&#x907F;&#x514D;&#x6D41;&#x91CF;&#x5728; Inbound Handler &#x4E2D;&#x6B7B;&#x5FAA;&#x73AF;&#x7684;&#x95EE;&#x9898;&#x3002;</li>
</ul>
<p><strong>&#x89C4;&#x5219; 2&#x3001;5</strong></p>
<ul>
<li>&#x76EE;&#x7684;&#xFF1A;&#x5904;&#x7406; Envoy &#x4EE3;&#x7406;&#x53D1;&#x51FA;&#x7684;&#x7AD9;&#x5185;&#x6D41;&#x91CF;&#xFF08;Pod &#x5185;&#x90E8;&#x7684;&#x6D41;&#x91CF;&#xFF09;&#xFF0C;&#x4F46;&#x4E0D;&#x662F;&#x5BF9; localhost &#x7684;&#x8BF7;&#x6C42;&#xFF0C;&#x901A;&#x8FC7;&#x540E;&#x7EED;&#x89C4;&#x5219;&#x5C06;&#x5176;&#x8F6C;&#x53D1;&#x7ED9; Envoy &#x4EE3;&#x7406;&#x7684; Inbound Handler&#x3002;&#x8BE5;&#x89C4;&#x5219;&#x9002;&#x7528;&#x4E8E; Pod &#x5BF9;&#x81EA;&#x8EAB; IP &#x5730;&#x5740;&#x8C03;&#x7528;&#x7684;&#x573A;&#x666F;&#x3002;</li>
<li>&#x5BF9;&#x5E94;&#x56FE;&#x793A;&#x4E2D;&#x7684;&#x6B65;&#x9AA4;&#xFF1A;6 &#x5230; 7&#x3002;</li>
<li>&#x8BE6;&#x60C5;&#xFF1A;&#x5982;&#x679C;&#x6D41;&#x91CF;&#x7684;&#x76EE;&#x7684;&#x5730;&#x975E; localhost&#xFF0C;&#x4E14;&#x6570;&#x636E;&#x5305;&#x662F;&#x7531; 1337 UID&#xFF08;&#x5373; <code>istio-proxy</code> &#x7528;&#x6237;&#xFF0C;Envoy &#x4EE3;&#x7406;&#xFF09;&#x53D1;&#x51FA;&#x7684;&#xFF0C;&#x6D41;&#x91CF;&#x5C06;&#x88AB;&#x7ECF;&#x8FC7; <code>ISTIO_IN_REDIRECT</code> &#x6700;&#x7EC8;&#x8F6C;&#x53D1;&#x5230; Envoy &#x7684; Inbound Handler&#x3002;</li>
</ul>
<p><strong>&#x89C4;&#x5219; 3&#x3001;6</strong></p>
<ul>
<li>&#x76EE;&#x7684;&#xFF1A;<strong>&#x900F;&#x4F20;</strong> Pod &#x5185;&#x7684;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x7684;&#x7AD9;&#x5185;&#x6D41;&#x91CF;&#x3002;&#x9002;&#x7528;&#x4E8E;&#x5728;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#x4E2D;&#x53D1;&#x51FA;&#x7684;&#x5BF9;&#x672C;&#x5730; Pod &#x7684;&#x6D41;&#x91CF;&#x3002;</li>
<li>&#x8BE6;&#x60C5;&#xFF1A;&#x5982;&#x679C;&#x6D41;&#x91CF;&#x4E0D;&#x662F;&#x7531; Envoy &#x7528;&#x6237;&#x53D1;&#x51FA;&#x7684;&#xFF0C;&#x90A3;&#x4E48;&#x5C31;&#x8DF3;&#x51FA;&#x8BE5;&#x94FE;&#xFF0C;&#x8FD4;&#x56DE; <code>OUTPUT</code> &#x8C03;&#x7528; <code>POSTROUTING</code>&#xFF0C;&#x76F4;&#x8FBE;&#x76EE;&#x7684;&#x5730;&#x3002;</li>
</ul>
<p><strong>&#x89C4;&#x5219; 4&#x3001;7</strong></p>
<ul>
<li>&#x76EE;&#x7684;&#xFF1A;<strong>&#x900F;&#x4F20;</strong> Envoy &#x4EE3;&#x7406;&#x53D1;&#x51FA;&#x7684;&#x51FA;&#x7AD9;&#x8BF7;&#x6C42;&#x3002;</li>
<li>&#x5BF9;&#x5E94;&#x56FE;&#x793A;&#x4E2D;&#x7684;&#x6B65;&#x9AA4;&#xFF1A;14 &#x5230; 15&#x3002;</li>
<li>&#x8BE6;&#x60C5;&#xFF1A;&#x5982;&#x679C;&#x8BF7;&#x6C42;&#x662F;&#x7531; Envoy &#x4EE3;&#x7406;&#x53D1;&#x51FA;&#x7684;&#xFF0C;&#x5219;&#x8FD4;&#x56DE; <code>OUTPUT</code> &#x7EE7;&#x7EED;&#x8C03;&#x7528; <code>POSTROUTING</code> &#x89C4;&#x5219;&#xFF0C;&#x6700;&#x7EC8;&#x76F4;&#x63A5;&#x8BBF;&#x95EE;&#x76EE;&#x7684;&#x5730;&#x3002;</li>
</ul>
<p><strong>&#x89C4;&#x5219; 8</strong></p>
<ul>
<li>&#x76EE;&#x7684;&#xFF1A;<strong>&#x900F;&#x4F20;</strong> Pod &#x5185;&#x90E8;&#x5BF9; localhost &#x7684;&#x8BF7;&#x6C42;&#x3002;</li>
<li>&#x8BE6;&#x60C5;&#xFF1A;&#x5982;&#x679C;&#x8BF7;&#x6C42;&#x7684;&#x76EE;&#x7684;&#x5730;&#x662F; localhost&#xFF0C;&#x5219;&#x8FD4;&#x56DE; OUTPUT &#x8C03;&#x7528; <code>POSTROUTING</code>&#xFF0C;&#x76F4;&#x63A5;&#x8BBF;&#x95EE; localhost&#x3002;</li>
</ul>
<p><strong>&#x89C4;&#x5219; 9</strong></p>
<ul>
<li>&#x76EE;&#x7684;&#xFF1A;&#x6240;&#x6709;&#x5176;&#x4ED6;&#x7684;&#x6D41;&#x91CF;&#x5C06;&#x88AB;&#x8F6C;&#x53D1;&#x5230; <code>ISTIO_REDIRECT</code> &#x540E;&#xFF0C;&#x6700;&#x7EC8;&#x8FBE;&#x5230; Envoy &#x4EE3;&#x7406;&#x7684; Outbound Handler&#x3002;</li>
</ul>
<p>&#x4EE5;&#x4E0A;&#x89C4;&#x5219;&#x907F;&#x514D;&#x4E86; Envoy &#x4EE3;&#x7406;&#x5230;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x8DEF;&#x7531;&#x5728; iptables &#x89C4;&#x5219;&#x4E2D;&#x7684;&#x6B7B;&#x5FAA;&#x73AF;&#xFF0C;&#x4FDD;&#x969C;&#x4E86;&#x6D41;&#x91CF;&#x53EF;&#x4EE5;&#x88AB;&#x6B63;&#x786E;&#x7684;&#x8DEF;&#x7531;&#x5230; Envoy &#x4EE3;&#x7406;&#x4E0A;&#xFF0C;&#x4E5F;&#x53EF;&#x4EE5;&#x53D1;&#x51FA;&#x771F;&#x6B63;&#x7684;&#x51FA;&#x7AD9;&#x8BF7;&#x6C42;&#x3002;</p>
<p><strong>&#x5173;&#x4E8E; RETURN target</strong></p>
<p>&#x4F60;&#x53EF;&#x80FD;&#x7559;&#x610F;&#x5230;&#x4E0A;&#x8FF0;&#x89C4;&#x5219;&#x4E2D;&#x6709;&#x5F88;&#x591A; RETURN target&#xFF0C;&#x5B83;&#x7684;&#x610F;&#x601D;&#x662F;&#xFF0C;&#x6307;&#x5B9A;&#x5230;&#x8FD9;&#x6761;&#x89C4;&#x5219;&#x65F6;&#xFF0C;&#x8DF3;&#x51FA;&#x8BE5;&#x89C4;&#x5219;&#x94FE;&#xFF0C;&#x8FD4;&#x56DE; iptables &#x7684;&#x8C03;&#x7528;&#x70B9;&#xFF08;&#x5728;&#x6211;&#x4EEC;&#x7684;&#x4F8B;&#x5B50;&#x4E2D;&#x5373; <code>OUTPUT</code>&#xFF09;&#x540E;&#x7EE7;&#x7EED;&#x6267;&#x884C;&#x5176;&#x4F59;&#x8DEF;&#x7531;&#x89C4;&#x5219;&#xFF0C;&#x5728;&#x6211;&#x4EEC;&#x7684;&#x4F8B;&#x5B50;&#x4E2D;&#x5373; <code>POSTROUTING</code> &#x89C4;&#x5219;&#xFF0C;&#x628A;&#x6D41;&#x91CF;&#x53D1;&#x9001;&#x5230;&#x4EFB;&#x610F;&#x76EE;&#x7684;&#x5730;&#x5740;&#xFF0C;&#x4F60;&#x53EF;&#x4EE5;&#x628A;&#x5B83;&#x76F4;&#x89C2;&#x7684;&#x7406;&#x89E3;&#x4E3A;<strong>&#x900F;&#x4F20;</strong>&#x3002;</p>
<p><strong>&#x5173;&#x4E8E; 127.0.0.6 IP &#x5730;&#x5740;</strong></p>
<p>127.0.0.6 &#x8FD9;&#x4E2A; IP &#x662F; Istio &#x4E2D;&#x9ED8;&#x8BA4;&#x7684; <code>InboundPassthroughClusterIpv4</code>&#xFF0C;&#x5728; Istio &#x7684;&#x4EE3;&#x7801;&#x4E2D;&#x6307;&#x5B9A;&#x3002;&#x5373;&#x6D41;&#x91CF;&#x5728;&#x8FDB;&#x5165; Envoy &#x4EE3;&#x7406;&#x540E;&#x88AB;&#x7ED1;&#x5B9A;&#x7684; IP &#x5730;&#x5740;&#xFF0C;&#x4F5C;&#x7528;&#x662F;&#x8BA9; Outbound &#x6D41;&#x91CF;&#x91CD;&#x65B0;&#x53D1;&#x9001;&#x5230; Pod &#x4E2D;&#x7684;&#x5E94;&#x7528;&#x5BB9;&#x5668;&#xFF0C;&#x5373; <strong>Passthought&#xFF08;&#x900F;&#x4F20;&#xFF09;&#xFF0C;&#x7ED5;&#x8FC7; Outbound Handler</strong>&#x3002;&#x8BE5;&#x6D41;&#x91CF;&#x662F;&#x5BF9; Pod &#x81EA;&#x8EAB;&#x7684;&#x8BBF;&#x95EE;&#xFF0C;&#x800C;&#x4E0D;&#x662F;&#x771F;&#x6B63;&#x7684;&#x5BF9;&#x5916;&#x6D41;&#x91CF;&#x3002;&#x81F3;&#x4E8E;&#x4E3A;&#x4EC0;&#x4E48;&#x9009;&#x62E9;&#x8FD9;&#x4E2A; IP &#x4F5C;&#x4E3A;&#x6D41;&#x91CF;&#x900F;&#x4F20;&#xFF0C;&#x8BF7;&#x53C2;&#x8003; <a href="https://github.com/istio/istio/issues/29603" target="_blank">Istio Issue-29603</a>&#x3002;</p>
<h2 id="&#x4F7F;&#x7528;-iptables-&#x505A;&#x6D41;&#x91CF;&#x52AB;&#x6301;&#x65F6;&#x5B58;&#x5728;&#x7684;&#x95EE;&#x9898;">&#x4F7F;&#x7528; iptables &#x505A;&#x6D41;&#x91CF;&#x52AB;&#x6301;&#x65F6;&#x5B58;&#x5728;&#x7684;&#x95EE;&#x9898;</h2>
<p>&#x76EE;&#x524D; Istio &#x4F7F;&#x7528; iptables &#x5B9E;&#x73B0;&#x900F;&#x660E;&#x52AB;&#x6301;&#xFF0C;&#x4E3B;&#x8981;&#x5B58;&#x5728;&#x4EE5;&#x4E0B;&#x4E09;&#x4E2A;&#x95EE;&#x9898;&#xFF1A;</p>
<ol>
<li>&#x9700;&#x8981;&#x501F;&#x52A9;&#x4E8E; conntrack &#x6A21;&#x5757;&#x5B9E;&#x73B0;&#x8FDE;&#x63A5;&#x8DDF;&#x8E2A;&#xFF0C;&#x5728;&#x8FDE;&#x63A5;&#x6570;&#x8F83;&#x591A;&#x7684;&#x60C5;&#x51B5;&#x4E0B;&#xFF0C;&#x4F1A;&#x9020;&#x6210;&#x8F83;&#x5927;&#x7684;&#x6D88;&#x8017;&#xFF0C;&#x540C;&#x65F6;&#x53EF;&#x80FD;&#x4F1A;&#x9020;&#x6210; track &#x8868;&#x6EE1;&#x7684;&#x60C5;&#x51B5;&#xFF0C;&#x4E3A;&#x4E86;&#x907F;&#x514D;&#x8FD9;&#x4E2A;&#x95EE;&#x9898;&#xFF0C;&#x4E1A;&#x5185;&#x6709;&#x5173;&#x95ED; conntrack &#x7684;&#x505A;&#x6CD5;&#x3002;</li>
<li>iptables &#x5C5E;&#x4E8E;&#x5E38;&#x7528;&#x6A21;&#x5757;&#xFF0C;&#x5168;&#x5C40;&#x751F;&#x6548;&#xFF0C;&#x4E0D;&#x80FD;&#x663E;&#x5F0F;&#x7684;&#x7981;&#x6B62;&#x76F8;&#x5173;&#x8054;&#x7684;&#x4FEE;&#x6539;&#xFF0C;&#x53EF;&#x7BA1;&#x63A7;&#x6027;&#x6BD4;&#x8F83;&#x5DEE;&#x3002;</li>
<li>iptables &#x91CD;&#x5B9A;&#x5411;&#x6D41;&#x91CF;&#x672C;&#x8D28;&#x4E0A;&#x662F;&#x901A;&#x8FC7; loopback &#x4EA4;&#x6362;&#x6570;&#x636E;&#xFF0C;outbond &#x6D41;&#x91CF;&#x5C06;&#x4E24;&#x6B21;&#x7A7F;&#x8D8A;&#x534F;&#x8BAE;&#x6808;&#xFF0C;&#x5728;&#x5927;&#x5E76;&#x53D1;&#x573A;&#x666F;&#x4E0B;&#x4F1A;&#x635F;&#x5931;&#x8F6C;&#x53D1;&#x6027;&#x80FD;&#x3002;</li>
</ol>
<p>&#x4E0A;&#x8FF0;&#x51E0;&#x4E2A;&#x95EE;&#x9898;&#x5E76;&#x975E;&#x5728;&#x6240;&#x6709;&#x573A;&#x666F;&#x4E2D;&#x90FD;&#x5B58;&#x5728;&#xFF0C;&#x6BD4;&#x65B9;&#x8BF4;&#x67D0;&#x4E9B;&#x573A;&#x666F;&#x4E0B;&#xFF0C;&#x8FDE;&#x63A5;&#x6570;&#x5E76;&#x4E0D;&#x591A;&#xFF0C;&#x4E14; NAT &#x8868;&#x672A;&#x88AB;&#x4F7F;&#x7528;&#x5230;&#x7684;&#x60C5;&#x51B5;&#x4E0B;&#xFF0C;iptables &#x662F;&#x4E00;&#x4E2A;&#x6EE1;&#x8DB3;&#x8981;&#x6C42;&#x7684;&#x7B80;&#x5355;&#x65B9;&#x6848;&#x3002;&#x4E3A;&#x4E86;&#x9002;&#x914D;&#x66F4;&#x52A0;&#x5E7F;&#x6CDB;&#x7684;&#x573A;&#x666F;&#xFF0C;&#x900F;&#x660E;&#x52AB;&#x6301;&#x9700;&#x8981;&#x89E3;&#x51B3;&#x4E0A;&#x8FF0;&#x4E09;&#x4E2A;&#x95EE;&#x9898;&#x3002;</p>
<h2 id="&#x900F;&#x660E;&#x52AB;&#x6301;&#x65B9;&#x6848;&#x4F18;&#x5316;">&#x900F;&#x660E;&#x52AB;&#x6301;&#x65B9;&#x6848;&#x4F18;&#x5316;</h2>
<p>&#x4E3A;&#x4E86;&#x4F18;&#x5316; Istio &#x4E2D;&#x7684;&#x900F;&#x660E;&#x6D41;&#x91CF;&#x52AB;&#x6301;&#x7684;&#x6027;&#x80FD;&#xFF0C;&#x4E1A;&#x754C;&#x63D0;&#x51FA;&#x4E86;&#x4EE5;&#x4E0B;&#x65B9;&#x6848;&#x3002;</p>
<p><strong>&#x4F7F;&#x7528; Merbridge &#x5F00;&#x6E90;&#x9879;&#x76EE;&#x5229;&#x7528; <a href="../GLOSSARY.html#ebpf" class="glossary-term" title="eBPF &#x662F;&#x6269;&#x5C55;&#x7684;&#x67CF;&#x514B;&#x83B1;&#x5C01;&#x5305;&#x8FC7;&#x6EE4;&#x5668;&#xFF08;extented Berkeley Packet Filter&#xFF09;&#x7684;&#x7F29;&#x5199;&#xFF0C;&#x5B83;&#x662F;&#x7C7B; Unix &#x7CFB;&#x7EDF;&#x4E0A;&#x6570;&#x636E;&#x94FE;&#x8DEF;&#x5C42;&#x7684;&#x4E00;&#x79CD;&#x539F;&#x59CB;&#x63A5;&#x53E3;&#xFF0C;&#x63D0;&#x4F9B;&#x539F;&#x59CB;&#x94FE;&#x8DEF;&#x5C42;&#x5C01;&#x5305;&#x7684;&#x6536;&#x53D1;&#xFF0C;&#x9664;&#x6B64;&#x4E4B;&#x5916;&#xFF0C;&#x5982;&#x679C;&#x7F51;&#x5361;&#x9A71;&#x52A8;&#x652F;&#x6301;&#x6D2A;&#x6CDB;&#x6A21;&#x5F0F;&#xFF0C;&#x90A3;&#x4E48;&#x5B83;&#x53EF;&#x4EE5;&#x8BA9;&#x7F51;&#x5361;&#x5904;&#x4E8E;&#x6B64;&#x79CD;&#x6A21;&#x5F0F;&#xFF0C;&#x8FD9;&#x6837;&#x53EF;&#x4EE5;&#x6536;&#x5230;&#x7F51;&#x7EDC;&#x4E0A;&#x7684;&#x6240;&#x6709;&#x5305;&#xFF0C;&#x4E0D;&#x7BA1;&#x4ED6;&#x4EEC;&#x7684;&#x76EE;&#x7684;&#x5730;&#x662F;&#x4E0D;&#x662F;&#x6240;&#x5728;&#x4E3B;&#x673A;&#x3002;">eBPF</a> &#x52AB;&#x6301;&#x6D41;&#x91CF;</strong></p>
<p><a href="https://github.com/merbridge/merbridge" target="_blank">Merbridge</a> &#x662F;&#x7531; DaoCloud &#x5728; 2022 &#x5E74;&#x521D;&#x5F00;&#x6E90;&#x7684;&#x7684;&#x4E00;&#x6B3E;&#x5229;&#x7528; <a href="../GLOSSARY.html#ebpf" class="glossary-term" title="eBPF &#x662F;&#x6269;&#x5C55;&#x7684;&#x67CF;&#x514B;&#x83B1;&#x5C01;&#x5305;&#x8FC7;&#x6EE4;&#x5668;&#xFF08;extented Berkeley Packet Filter&#xFF09;&#x7684;&#x7F29;&#x5199;&#xFF0C;&#x5B83;&#x662F;&#x7C7B; Unix &#x7CFB;&#x7EDF;&#x4E0A;&#x6570;&#x636E;&#x94FE;&#x8DEF;&#x5C42;&#x7684;&#x4E00;&#x79CD;&#x539F;&#x59CB;&#x63A5;&#x53E3;&#xFF0C;&#x63D0;&#x4F9B;&#x539F;&#x59CB;&#x94FE;&#x8DEF;&#x5C42;&#x5C01;&#x5305;&#x7684;&#x6536;&#x53D1;&#xFF0C;&#x9664;&#x6B64;&#x4E4B;&#x5916;&#xFF0C;&#x5982;&#x679C;&#x7F51;&#x5361;&#x9A71;&#x52A8;&#x652F;&#x6301;&#x6D2A;&#x6CDB;&#x6A21;&#x5F0F;&#xFF0C;&#x90A3;&#x4E48;&#x5B83;&#x53EF;&#x4EE5;&#x8BA9;&#x7F51;&#x5361;&#x5904;&#x4E8E;&#x6B64;&#x79CD;&#x6A21;&#x5F0F;&#xFF0C;&#x8FD9;&#x6837;&#x53EF;&#x4EE5;&#x6536;&#x5230;&#x7F51;&#x7EDC;&#x4E0A;&#x7684;&#x6240;&#x6709;&#x5305;&#xFF0C;&#x4E0D;&#x7BA1;&#x4ED6;&#x4EEC;&#x7684;&#x76EE;&#x7684;&#x5730;&#x662F;&#x4E0D;&#x662F;&#x6240;&#x5728;&#x4E3B;&#x673A;&#x3002;">eBPF</a> &#x52A0;&#x901F; Istio &#x670D;&#x52A1;&#x7F51;&#x683C;&#x7684;&#x63D2;&#x4EF6;&#x3002;&#x4F7F;&#x7528; Merbridge &#x53EF;&#x4EE5;&#x5728;&#x4E00;&#x5B9A;&#x7A0B;&#x5EA6;&#x4E0A;&#x4F18;&#x5316;&#x6570;&#x636E;&#x5E73;&#x9762;&#x7684;&#x7F51;&#x7EDC;&#x6027;&#x80FD;&#x3002;</p>
<p>Merbridge &#x5229;&#x7528; <a href="../GLOSSARY.html#ebpf" class="glossary-term" title="eBPF &#x662F;&#x6269;&#x5C55;&#x7684;&#x67CF;&#x514B;&#x83B1;&#x5C01;&#x5305;&#x8FC7;&#x6EE4;&#x5668;&#xFF08;extented Berkeley Packet Filter&#xFF09;&#x7684;&#x7F29;&#x5199;&#xFF0C;&#x5B83;&#x662F;&#x7C7B; Unix &#x7CFB;&#x7EDF;&#x4E0A;&#x6570;&#x636E;&#x94FE;&#x8DEF;&#x5C42;&#x7684;&#x4E00;&#x79CD;&#x539F;&#x59CB;&#x63A5;&#x53E3;&#xFF0C;&#x63D0;&#x4F9B;&#x539F;&#x59CB;&#x94FE;&#x8DEF;&#x5C42;&#x5C01;&#x5305;&#x7684;&#x6536;&#x53D1;&#xFF0C;&#x9664;&#x6B64;&#x4E4B;&#x5916;&#xFF0C;&#x5982;&#x679C;&#x7F51;&#x5361;&#x9A71;&#x52A8;&#x652F;&#x6301;&#x6D2A;&#x6CDB;&#x6A21;&#x5F0F;&#xFF0C;&#x90A3;&#x4E48;&#x5B83;&#x53EF;&#x4EE5;&#x8BA9;&#x7F51;&#x5361;&#x5904;&#x4E8E;&#x6B64;&#x79CD;&#x6A21;&#x5F0F;&#xFF0C;&#x8FD9;&#x6837;&#x53EF;&#x4EE5;&#x6536;&#x5230;&#x7F51;&#x7EDC;&#x4E0A;&#x7684;&#x6240;&#x6709;&#x5305;&#xFF0C;&#x4E0D;&#x7BA1;&#x4ED6;&#x4EEC;&#x7684;&#x76EE;&#x7684;&#x5730;&#x662F;&#x4E0D;&#x662F;&#x6240;&#x5728;&#x4E3B;&#x673A;&#x3002;">eBPF</a> &#x7684; sockops &#x548C; redir &#x80FD;&#x529B;&#xFF0C;&#x53EF;&#x4EE5;&#x76F4;&#x63A5;&#x5C06;&#x6570;&#x636E;&#x5305;&#x4ECE; inbound socket &#x4F20;&#x8F93;&#x5230; outbound socket&#x3002;<a href="../GLOSSARY.html#ebpf" class="glossary-term" title="eBPF &#x662F;&#x6269;&#x5C55;&#x7684;&#x67CF;&#x514B;&#x83B1;&#x5C01;&#x5305;&#x8FC7;&#x6EE4;&#x5668;&#xFF08;extented Berkeley Packet Filter&#xFF09;&#x7684;&#x7F29;&#x5199;&#xFF0C;&#x5B83;&#x662F;&#x7C7B; Unix &#x7CFB;&#x7EDF;&#x4E0A;&#x6570;&#x636E;&#x94FE;&#x8DEF;&#x5C42;&#x7684;&#x4E00;&#x79CD;&#x539F;&#x59CB;&#x63A5;&#x53E3;&#xFF0C;&#x63D0;&#x4F9B;&#x539F;&#x59CB;&#x94FE;&#x8DEF;&#x5C42;&#x5C01;&#x5305;&#x7684;&#x6536;&#x53D1;&#xFF0C;&#x9664;&#x6B64;&#x4E4B;&#x5916;&#xFF0C;&#x5982;&#x679C;&#x7F51;&#x5361;&#x9A71;&#x52A8;&#x652F;&#x6301;&#x6D2A;&#x6CDB;&#x6A21;&#x5F0F;&#xFF0C;&#x90A3;&#x4E48;&#x5B83;&#x53EF;&#x4EE5;&#x8BA9;&#x7F51;&#x5361;&#x5904;&#x4E8E;&#x6B64;&#x79CD;&#x6A21;&#x5F0F;&#xFF0C;&#x8FD9;&#x6837;&#x53EF;&#x4EE5;&#x6536;&#x5230;&#x7F51;&#x7EDC;&#x4E0A;&#x7684;&#x6240;&#x6709;&#x5305;&#xFF0C;&#x4E0D;&#x7BA1;&#x4ED6;&#x4EEC;&#x7684;&#x76EE;&#x7684;&#x5730;&#x662F;&#x4E0D;&#x662F;&#x6240;&#x5728;&#x4E3B;&#x673A;&#x3002;">eBPF</a> &#x63D0;&#x4F9B;&#x4E86; <code>bpf_msg_redirect_hash</code> &#x51FD;&#x6570;&#x53EF;&#x4EE5;&#x76F4;&#x63A5;&#x8F6C;&#x53D1;&#x5E94;&#x7528;&#x7A0B;&#x5E8F;&#x7684;&#x6570;&#x636E;&#x5305;&#x3002;</p>
<p>&#x8BE6;&#x89C1; <a href="https://jimmysong.io/istio-handbook/ecosystem/merbridge.html" target="_blank">Istio &#x670D;&#x52A1;&#x7F51;&#x683C; &#x2014;&#x2014; &#x4E91;&#x539F;&#x751F;&#x5E94;&#x7528;&#x7F51;&#x7EDC;&#x6784;&#x5EFA;&#x6307;&#x5357;</a>&#x3002;</p>
<p><strong>&#x4F7F;&#x7528; tproxy &#x5904;&#x7406; inbound &#x6D41;&#x91CF;</strong></p>
<p>tproxy &#x53EF;&#x4EE5;&#x7528;&#x4E8E; inbound &#x6D41;&#x91CF;&#x7684;&#x91CD;&#x5B9A;&#x5411;&#xFF0C;&#x4E14;&#x65E0;&#x9700;&#x6539;&#x53D8;&#x62A5;&#x6587;&#x4E2D;&#x7684;&#x76EE;&#x7684; IP/&#x7AEF;&#x53E3;&#xFF0C;&#x4E0D;&#x9700;&#x8981;&#x6267;&#x884C;&#x8FDE;&#x63A5;&#x8DDF;&#x8E2A;&#xFF0C;&#x4E0D;&#x4F1A;&#x51FA;&#x73B0; conntrack &#x6A21;&#x5757;&#x521B;&#x5EFA;&#x5927;&#x91CF;&#x8FDE;&#x63A5;&#x7684;&#x95EE;&#x9898;&#x3002;&#x53D7;&#x9650;&#x4E8E;&#x5185;&#x6838;&#x7248;&#x672C;&#xFF0C;tproxy &#x5E94;&#x7528;&#x4E8E; outbound &#x5B58;&#x5728;&#x4E00;&#x5B9A;&#x7F3A;&#x9677;&#x3002;&#x76EE;&#x524D; Istio &#x652F;&#x6301;&#x901A;&#x8FC7; tproxy &#x5904;&#x7406; inbound &#x6D41;&#x91CF;&#x3002;</p>
<p><strong>&#x4F7F;&#x7528; hook connect &#x5904;&#x7406; outbound &#x6D41;&#x91CF;</strong></p>
<p>&#x4E3A;&#x4E86;&#x9002;&#x914D;&#x66F4;&#x591A;&#x5E94;&#x7528;&#x573A;&#x666F;&#xFF0C;outbound &#x65B9;&#x5411;&#x901A;&#x8FC7; hook connect &#x6765;&#x5B9E;&#x73B0;&#xFF0C;&#x5B9E;&#x73B0;&#x539F;&#x7406;&#x5982;&#x4E0B;&#xFF1A;</p>
<figure id="fig7.3.4.5"><a href="../images/hook-connect.jpg" data-lightbox="65385957-0d0c-4a18-b370-9af15636e649" data-title="hook-connect &#x539F;&#x7406;&#x793A;&#x610F;&#x56FE;"><img src="../images/hook-connect.jpg" alt="hook-connect &#x539F;&#x7406;&#x793A;&#x610F;&#x56FE;"></a><figcaption>&#x56FE; 7.3.4.5&#xFF1A;hook-connect &#x539F;&#x7406;&#x793A;&#x610F;&#x56FE;</figcaption></figure>
<p>&#x65E0;&#x8BBA;&#x91C7;&#x7528;&#x54EA;&#x79CD;&#x900F;&#x660E;&#x52AB;&#x6301;&#x65B9;&#x6848;&#xFF0C;&#x5747;&#x9700;&#x8981;&#x89E3;&#x51B3;&#x83B7;&#x53D6;&#x771F;&#x5B9E;&#x76EE;&#x7684; IP/&#x7AEF;&#x53E3;&#x7684;&#x95EE;&#x9898;&#xFF0C;&#x4F7F;&#x7528; iptables &#x65B9;&#x6848;&#x901A;&#x8FC7; getsockopt &#x65B9;&#x5F0F;&#x83B7;&#x53D6;&#xFF0C;tproxy &#x53EF;&#x4EE5;&#x76F4;&#x63A5;&#x8BFB;&#x53D6;&#x76EE;&#x7684;&#x5730;&#x5740;&#xFF0C;&#x901A;&#x8FC7;&#x4FEE;&#x6539;&#x8C03;&#x7528;&#x63A5;&#x53E3;&#xFF0C;hook connect &#x65B9;&#x6848;&#x8BFB;&#x53D6;&#x65B9;&#x5F0F;&#x7C7B;&#x4F3C;&#x4E8E;tproxy&#x3002;</p>
<p>&#x5B9E;&#x73B0;&#x900F;&#x660E;&#x52AB;&#x6301;&#x540E;&#xFF0C;&#x5728;&#x5185;&#x6838;&#x7248;&#x672C;&#x6EE1;&#x8DB3;&#x8981;&#x6C42;&#xFF08;4.16&#x4EE5;&#x4E0A;&#xFF09;&#x7684;&#x524D;&#x63D0;&#x4E0B;&#xFF0C;&#x901A;&#x8FC7; sockmap &#x53EF;&#x4EE5;&#x7F29;&#x77ED;&#x62A5;&#x6587;&#x7A7F;&#x8D8A;&#x8DEF;&#x5F84;&#xFF0C;&#x8FDB;&#x800C;&#x6539;&#x5584; outbound &#x65B9;&#x5411;&#x7684;&#x8F6C;&#x53D1;&#x6027;&#x80FD;&#x3002;</p>
<h2 id="&#x53C2;&#x8003;">&#x53C2;&#x8003;</h2>
<ul>
<li><a href="https://istio.io/docs/ops/diagnostic-tools/proxy-cmd/" target="_blank">Debugging Envoy and Istiod - istio.io</a></li>
<li><a href="https://istio.io/latest/zh/blog/2019/data-plane-setup/" target="_blank">&#x63ED;&#x5F00; Istio Sidecar &#x6CE8;&#x5165;&#x6A21;&#x578B;&#x7684;&#x795E;&#x79D8;&#x9762;&#x7EB1; - istio.io</a></li>
<li><a href="https://mosn.io/docs/products/structure/traffic-hijack/" target="_blank">MOSN &#x4F5C;&#x4E3A; Sidecar &#x4F7F;&#x7528;&#x65F6;&#x7684;&#x6D41;&#x91CF;&#x52AB;&#x6301;&#x65B9;&#x6848; - mosn.io</a></li>
<li><a href="https://jimmysong.io/blog/sidecar-injection-iptables-and-traffic-routing/" target="_blank">Istio &#x4E2D;&#x7684; Sidecar &#x6CE8;&#x5165;&#x3001;&#x900F;&#x660E;&#x6D41;&#x91CF;&#x52AB;&#x6301;&#x53CA;&#x6D41;&#x91CF;&#x8DEF;&#x7531;&#x8FC7;&#x7A0B;&#x8BE6;&#x89E3; - jimmysong.io</a></li>
</ul>
<footer class="page-footer"><span class="copyright">Copyright &#xA9; 2017-2022 | Distributed under <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh" target="_blank">CC BY 4.0</a> | <a href="https://jimmysong.io" target="_blank">jimmysong.io</a> all right reserved.</span><span class="footer-modification"> Updated at
2022-09-16 03:51:48
</span></footer>
</section>
</div>
<div class="search-results">
<div class="has-results">
<h1 class="search-results-title"><span class='search-results-count'></span> results matching "<span class='search-query'></span>"</h1>
<ul class="search-results-list"></ul>
</div>
<div class="no-results">
<h1 class="search-results-title">No results matching "<span class='search-query'></span>"</h1>
</div>
</div>
</div>
</div>
</div>
</div>
<a href="sidecar-spec-in-istio.html" class="navigation navigation-prev " aria-label="Previous page: Istio 中 sidecar 的注入规范">
<i class="fa fa-angle-left"></i>
</a>
<a href="istio-traffic-routing.html" class="navigation navigation-next " aria-label="Next page: Istio 中的流量路由过程详解">
<i class="fa fa-angle-right"></i>
</a>
</div>
<script>
var gitbook = gitbook || [];
gitbook.push(function() {
gitbook.page.hasChanged({"page":{"title":"Sidecar 的注入与透明流量劫持","level":"7.3.4","depth":2,"next":{"title":"Istio 中的流量路由过程详解","level":"7.3.5","depth":2,"path":"usecases/istio-traffic-routing.md","ref":"usecases/istio-traffic-routing.md","articles":[]},"previous":{"title":"Istio 中 sidecar 的注入规范","level":"7.3.3","depth":2,"path":"usecases/sidecar-spec-in-istio.md","ref":"usecases/sidecar-spec-in-istio.md","articles":[]},"dir":"ltr"},"config":{"plugins":["github","codesnippet","splitter","page-toc-button","image-captions","editlink","back-to-top-button","-lunr","-search","search-plus","github-buttons@2.1.0","favicon@^0.0.2","tbfed-pagefooter@^0.0.1","3-ba","theme-default","-highlight","prism","prism-themes","lightbox","ga","sitemap-general","hide-element","expandable-chapters-small","insert-logo","adsense"],"styles":{"ebook":"styles/ebook.css","epub":"styles/epub.css","mobi":"styles/mobi.css","pdf":"styles/pdf.css","print":"styles/print.css","website":"styles/website.css"},"pluginsConfig":{"tbfed-pagefooter":{"copyright":"Copyright © 2017-2022 | Distributed under <a href=https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh>CC BY 4.0</a> | <a href=https://jimmysong.io>jimmysong.io</a>","modify_label":" Updated at ","modify_format":"YYYY-MM-DD HH:mm:ss"},"prism":{"css":["prism-themes/themes/prism-ghcolors.css"]},"github":{"url":"https://github.com/rootsongjc/kubernetes-handbook"},"editlink":{"label":"编辑本页","multilingual":false,"base":"https://github.com/rootsongjc/kubernetes-handbook/blob/master/"},"splitter":{},"adsense":{"client":"ca-pub-4029167986768912","slot":"2445941692","format":"auto","element":".page-inner section","position":"bottom"},"codesnippet":{},"sitemap-general":{"prefix":"https://jimmysong.io/kubernetes-handbook/"},"hide-element":{"elements":[".gitbook-link"]},"fontsettings":{"theme":"white","family":"sans","size":2},"favicon":{"shortcut":"favicon.ico","bookmark":"favicon.ico"},"lightbox":{"jquery":true,"sameUuid":false},"page-toc-button":{},"back-to-top-button":{},"prism-themes":{},"github-buttons":{"repo":"rootsongjc/kubernetes-handbook","types":["star"],"size":"small"},"3-ba":{"configuration":"auto","token":"11f7d254cfa4e0ca44b175c66d379ecc"},"expandable-chapters-small":{},"ga":{"configuration":"auto","token":"UA-93485976-1"},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"theme-default":{"showLevel":true,"styles":{"ebook":"styles/ebook.css","epub":"styles/epub.css","mobi":"styles/mobi.css","pdf":"styles/pdf.css","print":"styles/print.css","website":"styles/website.css"}},"insert-logo":{"style":"background: none; max-height: 100px; min-height: 30px","url":"https://jimmysong.io/images/logo-black-text.png"},"search-plus":{},"image-captions":{"caption":"图 _PAGE_LEVEL_._PAGE_IMAGE_NUMBER__CAPTION_","variable_name":"_pictures"}},"theme":"default","author":"宋净超Jimmy Song","pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"variables":{"_pictures":[{"backlink":"cloud-native/kubernetes-and-cloud-native-app-overview.html#fig2.4.1","level":"2.4","list_caption":"Figure: 云计算演进历程","alt":"云计算演进历程","nro":1,"url":"../images/cloud-computing-evolution-road.jpg","index":1,"caption_template":"图 _PAGE_LEVEL_._PAGE_IMAGE_NUMBER__CAPTION_","label":"云计算演进历程","attributes":{},"skip":false,"key":"2.4.1"},{"backlink":"cloud-native/kubernetes-and-cloud-native-app-overview.html#fig2.4.2","level":"2.4","list_caption":"Figure: 来自 Twitter @MarcWilczek","alt":"来自 Twitter @MarcWilczek","nro":2,"url":"../images/cloud-native-comes-of-age.jpg","index":2,"caption_template":"图 _PAGE_LEVEL_._PAGE_IMAGE_NUMBER__CAPTION_","label":"来自 Twitter @MarcWilczek
});
</script>
</div>
<script src="../gitbook/gitbook.js"></script>
<script src="../gitbook/theme.js"></script>
<script src="../gitbook/gitbook-plugin-github/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-splitter/splitter.js"></script>
<script src="../gitbook/gitbook-plugin-page-toc-button/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-editlink/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-back-to-top-button/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-search-plus/jquery.mark.min.js"></script>
<script src="../gitbook/gitbook-plugin-search-plus/search.js"></script>
<script src="../gitbook/gitbook-plugin-github-buttons/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-3-ba/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-lightbox/js/lightbox.min.js"></script>
<script src="../gitbook/gitbook-plugin-ga/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-hide-element/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-expandable-chapters-small/expandable-chapters-small.js"></script>
<script src="../gitbook/gitbook-plugin-insert-logo/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-adsense/plugin.js"></script>
<script src="../gitbook/gitbook-plugin-sharing/buttons.js"></script>
<script src="../gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script>
</body>
</html>