Istio ServiceEntry on Kubernetes: worked example (1)
By default all outbound traffic from an Istio-enabled Pod is redirected to its sidecar proxy, so whether a URL outside the cluster is reachable depends on how that proxy is configured. Out of the box Istio configures the Envoy proxy to pass requests to unknown services straight through. That is convenient when getting started with Istio, but in most deployments a stricter control over egress is preferable.
Changing Envoy's default outbound policy
- REGISTRY_ONLY: only services present in the service registry can be reached
- ALLOW_ANY: no restriction on traffic from inside the mesh to destinations outside it
# Run the following command to confirm that meshConfig.outboundTrafficPolicy.mode is set to ALLOW_ANY or omitted; you should see ALLOW_ANY or no output at all (the default is ALLOW_ANY)
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
# If you have explicitly set REGISTRY_ONLY mode, change it back, for example by re-running your original istioctl install command with the updated setting:
istioctl install <flags-you-used-to-install-Istio> --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
# Switch the outbound traffic policy (global.outboundTrafficPolicy.mode in older releases, meshConfig.outboundTrafficPolicy.mode here) from ALLOW_ANY to REGISTRY_ONLY
istioctl install <flags-you-used-to-install-Istio> \
--set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
istioctl manifest generate --set profile=demo --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY | kubectl apply -f -
# kubectl edit istiooperator installed-state -n istio-system -o yaml # does not work: once Istio is installed, editing this object has no effect
meshConfig:
  accessLogFile: /dev/stdout
  defaultConfig:
    proxyMetadata: {}
  enablePrometheusMerge: true
  outboundTrafficPolicy: # add this block
    mode: REGISTRY_ONLY
# Deploy the sleep sample to test access to external services
[root@k8s-master-1 istio-1.12.6]# istioctl kube-inject -f samples/sleep/sleep.yaml | kubectl apply -f -
serviceaccount/sleep created
service/sleep created
deployment.apps/sleep created
# After switching to REGISTRY_ONLY, traffic from inside the mesh can no longer leave it
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-5mvrg -c sleep -- curl -sI http://httpbin.org/hearders
HTTP/1.1 502 Bad Gateway
date: Fri, 29 Apr 2022 04:13:20 GMT
server: envoy
transfer-encoding: chunked
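The two policy modes above decide whether a sidecar will forward a request to a host that is not in the service registry. The following shell functions are an added example written for this page, not code from the post or from Istio: they model that decision for a constructed registry (a whitespace-separated list of hosts standing in for the cluster's Services and ServiceEntry objects), and they map the empty jsonpath output from the check command to the effective default of ALLOW_ANY. The function names, the REGISTRY list and the sample hosts are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): models how the outbound traffic
# policy decides whether a request from a sidecar-injected pod may leave the
# mesh. REGISTRY below is a constructed stand-in for the service registry.

# The jsonpath query in the post prints nothing when the field is unset; Istio
# then behaves as ALLOW_ANY, so an empty value maps to that mode. Anything else
# that is not one of the two known modes is reported as an error.
effective_mode() {
  raw="$1"
  case "$raw" in
    "") echo "ALLOW_ANY" ;;
    ALLOW_ANY|REGISTRY_ONLY) echo "$raw" ;;
    *) echo "unknown outbound policy: $raw" >&2; return 1 ;;
  esac
}

# egress_allowed MODE REGISTRY HOST
# Prints "allow" or "deny". Under ALLOW_ANY every host passes through; under
# REGISTRY_ONLY only hosts known to the registry (in-cluster Services or hosts
# declared by a ServiceEntry) are routable, anything else gets the 502 seen
# in the post.
egress_allowed() {
  mode="$1"; registry="$2"; host="$3"
  case "$mode" in
    ALLOW_ANY) echo allow; return 0 ;;
    REGISTRY_ONLY)
      for known in $registry; do
        [ "$known" = "$host" ] && { echo allow; return 0; }
      done
      echo deny; return 0 ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Constructed registry: the in-cluster busybox Service plus the two external
# hosts the post later declares through ServiceEntry objects.
REGISTRY="busybox.default.svc.cluster.local httpbin.org www.baidu.com"

# Usage with constructed values; "deny" corresponds to the 502 from Envoy.
MODE=$(effective_mode "REGISTRY_ONLY")
egress_allowed "$MODE" "$REGISTRY" example.org   # deny
egress_allowed "$MODE" "$REGISTRY" httpbin.org   # allow
```

To audit a live cluster the registry list would be built from `kubectl get serviceentries -A` together with the cluster's Services; the decision logic itself stays the same.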
REGISTRY_ONLY as the default policy inside the mesh
After the mode has been changed to REGISTRY_ONLY:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: busybox
spec:
  type: ClusterIP
  selector:
    app: httpd
  ports:
  - name: httpd
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd
  template:
    metadata:
      labels:
        app: httpd
    spec:
      containers:
      - name: busybox
        image: busybox:1.28
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh","-c","echo 'this is busybox-httpd' > /var/www/index.html;httpd -f -h /var/www"]
        ports:
        - containerPort: 80
EOF
# List the pods
[root@k8s-master-1 istio-1.12.6]# kubectl get pods
NAME READY STATUS RESTARTS AGE
busybox-5c7ff54796-f6l5m 2/2 Running 0 4s
sleep-786dd8679-vfmtz 2/2 Running 0 14m
# Use sleep to reach an external service
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -- curl -sI http://www.baidu.com
Defaulting container name to sleep.
Use 'kubectl describe pod/sleep-786dd8679-vfmtz -n default' to see all of the containers in this pod.
HTTP/1.1 502 Bad Gateway
date: Fri, 29 Apr 2022 11:25:55 GMT
server: envoy
transfer-encoding: chunked
# Use sleep to reach busybox: REGISTRY_ONLY still allows the services inside the mesh to reach each other
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -- curl -sI http://busybox.default.svc.cluster.local
Defaulting container name to sleep.
Use 'kubectl describe pod/sleep-786dd8679-vfmtz -n default' to see all of the containers in this pod.
HTTP/1.1 200 OK
content-type: text/html
date: Fri, 29 Apr 2022 11:25:25 GMT
accept-ranges: bytes
last-modified: Fri, 29 Apr 2022 11:23:44 GMT
content-length: 22
x-envoy-upstream-service-time: 0
server: envoy
Reaching an external HTTP service
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80 # reach httpbin.org:80
    name: http
    protocol: HTTP
  resolution: DNS # resolve the host via DNS
  location: MESH_EXTERNAL
EOF
# Once the ServiceEntry is defined, containers inside the mesh can reach the declared service again
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-5mvrg -c sleep -- curl -sI http://httpbin.org/headers
HTTP/1.1 200 OK
date: Fri, 29 Apr 2022 04:26:13 GMT
content-type: application/json
content-length: 1192
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 584
Reaching an external HTTPS service
# Access test before the ServiceEntry exists
[root@k8s-master-1 istio-1.12.6]# kubectl exec busybox-5c7ff54796-f6l5m -c busybox -- wget --no-check-certificate https://www.baidu.com
Connecting to www.baidu.com (14.215.177.38:443)
wget: got bad TLS record (len:0) while expecting handshake record
wget: error getting response: Connection reset by peer
command terminated with exit code 1
[root@k8s-master-1 istio-1.12.6]# kubectl apply -f - <<EOF
> apiVersion: networking.istio.io/v1alpha3
> kind: ServiceEntry
> metadata:
>   name: google
> spec:
>   hosts:
>   - www.baidu.com
>   ports:
>   - number: 443
>     name: https
>     protocol: HTTPS
>   resolution: DNS
>   location: MESH_EXTERNAL
> EOF
serviceentry.networking.istio.io/google created
# Add the external HTTPS service to the mesh
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - www.baidu.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
EOF
# Access test: once the HTTPS service has been added to the mesh, the request succeeds
[root@k8s-master-1 istio-1.12.6]# kubectl exec busybox-5c7ff54796-f6l5m -c busybox -- wget --no-check-certificate https://www.baidu.com
Connecting to www.baidu.com (14.215.177.38:443)
index.html 100% |*******************************| 2443 0:00:00 ETA
Managing traffic to external services
# Test manifest
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80 # reach httpbin.org:80
    name: http
    protocol: HTTP
  resolution: DNS # resolve the host via DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  http:
  - timeout: 3s # timeout for calls to the external service httpbin.org: if no response arrives within 3 seconds the call is treated as timed out
    route:
    - destination:
        host: httpbin.org
      weight: 100
EOF
# Test URL: http://www.httpbin.org/delay/5
# Normal requests still succeed
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -c sleep -- curl -sSI httpbin.org
HTTP/1.1 200 OK
date: Fri, 29 Apr 2022 11:58:22 GMT
content-type: text/html; charset=utf-8
content-length: 9593
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 513
# With httpbin delaying its response by 5 seconds, the 3-second limit is exceeded and the call is reported as a timeout
[root@k8s-master-1 istio-1.12.6]# kubectl exec sleep-786dd8679-vfmtz -c sleep -- curl -sSI httpbin.org/delay/5
HTTP/1.1 504 Gateway Timeout
content-length: 24
content-type: text/plain
date: Fri, 29 Apr 2022 11:59:52 GMT
server: envoy
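The HTTP and HTTPS ServiceEntry manifests above and the VirtualService with a timeout differ only in a handful of fields, so they are good candidates for generation from a script that enforces the few invariants that matter (a declared host, a port with a name and a known protocol, MESH_EXTERNAL location). The functions below are an added example for this page, not code from the post or from the Istio project; they emit the same shapes of manifest shown above and can be piped into `kubectl apply -f -`. The function names, the accepted protocol list and the sample arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generates ServiceEntry and
# VirtualService manifests of the shapes used above. The emitted YAML can be
# fed to "kubectl apply -f -"; nothing here talks to a cluster.

# service_entry NAME HOST PORT PROTOCOL
# Declares an external host in the service registry so that REGISTRY_ONLY
# lets traffic to it leave the mesh. The protocol must be one Istio knows,
# otherwise the sidecar cannot apply the right L7 handling.
service_entry() {
  name="$1"; host="$2"; port="$3"; proto="$4"
  case "$proto" in
    HTTP|HTTPS|HTTP2|GRPC|TCP|TLS|MONGO) ;;
    *) echo "unsupported protocol: $proto" >&2; return 1 ;;
  esac
  # Port names are required; derive one from the protocol (http, https, ...).
  lc=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: $name
spec:
  hosts:
  - $host
  ports:
  - number: $port
    name: $lc
    protocol: $proto
  resolution: DNS
  location: MESH_EXTERNAL
EOF
}

# virtual_service_timeout NAME HOST TIMEOUT
# Bounds how long a caller waits on the external host; Envoy answers 504
# when the upstream is slower than TIMEOUT, as the /delay/5 test shows.
virtual_service_timeout() {
  name="$1"; host="$2"; timeout="$3"
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: $name
spec:
  hosts:
  - $host
  http:
  - timeout: $timeout
    route:
    - destination:
        host: $host
      weight: 100
EOF
}

# external_http_with_timeout NAME HOST PORT TIMEOUT
# Emits both objects in one document stream, separated by "---".
external_http_with_timeout() {
  service_entry "$1" "$2" "$3" HTTP
  echo '---'
  virtual_service_timeout "$1" "$2" "$4"
}

# Usage with constructed arguments (pipe into "kubectl apply -f -" to apply):
external_http_with_timeout httpbin-ext httpbin.org 80 3s
service_entry baidu-ext www.baidu.com 443 HTTPS
```

Generating the manifest also makes it easy to keep the ServiceEntry and the VirtualService in sync: both take the same host argument, so the timeout can never be attached to a host that was not registered.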
Reaching external services directly (bypassing the sidecar)
- If you want a specific range of IPs to bypass Istio entirely, you can configure the Envoy sidecars so that they do not intercept those external requests. To set up the bypass, change the global.proxy.includeIPRanges or global.proxy.excludeIPRanges configuration option and update the istio-sidecar-injector configuration with kubectl apply. The same can be configured on an individual pod with the corresponding annotation, for example traffic.sidecar.istio.io/includeOutboundIPRanges. A change to the istio-sidecar-injector configuration only affects pods deployed afterwards. Unlike letting Envoy forward traffic to external services, where the ALLOW_ANY policy has the Istio sidecar pass calls to unknown services through, this approach bypasses the sidecar completely and therefore effectively disables every Istio feature for the specified IPs. You also cannot incrementally add service entries for particular destinations the way you can with ALLOW_ANY. This method is therefore recommended only when external access cannot be configured through the sidecar, for performance or other reasons.
# Determine the range to let through; for a kubeadm installation:
kubectl describe pod kube-apiserver -n kube-system | grep 'service-cluster-ip-range'
# For a binary installation:
[root@k8s-master-1 istio-1.12.6]# grep "service-cluster-ip" /usr/lib/systemd/system/kube-apiserver.service
--service-cluster-ip-range=10.0.0.0/16 \
# Update the istio-sidecar-injector configuration with your platform's IP range. For example, if the range is 10.0.0.1/24, use the following command
istioctl install <flags-you-used-to-install-Istio> --set values.global.proxy.includeIPRanges="10.0.0.1/24"