mirror of https://github.com/istio/istio.io.git
<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage" style="overflow-y: scroll;"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="title" content="Integrating Services into the Mesh"><meta name="og:title" content="Integrating Services into the Mesh"><meta name="og:image" content="/v0.1/img/logo.png"/><meta name="description" content="This task shows you how to integrate your applications with the Istio service mesh."><meta name="og:description" content="This task shows you how to integrate your applications with the Istio service mesh."><title>Istioldie 0.1 / Integrating Services into the Mesh</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.1/feed.xml"><link rel="apple-touch-icon" href="/v0.1/favicons/apple-touch-icon.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.1/favicons/android-chrome-96x96.png" sizes="96x96" ><link rel="icon" type="image/png" href="/v0.1/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.1/favicons/favicon-16x16.png" sizes="16x16"><link rel="manifest" href="/v0.1/favicons/manifest.json"><link rel="mask-icon" href="/v0.1/favicons/safari-pinned-tab.svg" color="#2DA6B0"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-TileImage" content="/v0.1/favicons/mstile-150x150.png"><link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css" rel="stylesheet"><link 
rel="stylesheet" href="/v0.1/css/all.css"><link rel="stylesheet" href="/v0.1/css/prism.css"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css"> <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script></head><body class="language-unknown"><div class="nav-hero-container" style="z-index: 200000;"><nav id="header-nav" class="navbar navbar-inverse" role="navigation"><div class="container"><div class="row"><div class="col-md-11 nofloat center-block "><div class="navbar-header"> <button type="button" class="hamburger navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse-1" aria-expanded="false"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/v0.1/"><div> <img src="/v0.1/img/logo.png" alt="Istio" width="36px" height="54px"/> <span class="brand-name">Istioldie 0.1</span></div></a></div><div class="collapse navbar-collapse" id="navbar-collapse-1"><ul class="nav navbar-nav navbar-right"><li><a href="/v0.1/about/" >About</a></li><li><a href="/v0.1/docs/" class='current'>Docs</a></li><li><a href="/v0.1/blog/" >Blog</a></li><li><a href="/v0.1/community/" >Community</a></li><li><a href="/v0.1/faq/" >FAQ</a></li><li class="dropdown"> <a class="dropdown-toggle" data-toggle="dropdown" href=""> <i class='fa fa-lg fa-cog'></i> <span class="caret"></span> </a><ul class="dropdown-menu"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li></ul></li><li><form name="cse" id="searchbox_demo" class="navbar-form navbar-right" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> 
<input type="hidden" name="hl" value="en" /><div class="form-group"><div class="input-group"> <input name="q" class="form-control" type="text" size="30" /><div class="input-group-addon"> <span class="btn-search glyphicon glyphicon-search"></span></div></div></div></form> <script type="text/javascript" src="https://www.google.com/cse/brand?form=searchbox_demo"></script></li></ul></div></div></div></div></nav></div><div class="container"><div class="row"><div class="col-md-11 nofloat center-block" style="margin-top: 3px;"><ul class="col-sm-10 nav nav-tabs"><li role="presentation" ><a href="/v0.1/docs/index.html">Welcome</a></li><li role="presentation" ><a href="/v0.1/docs/concepts/index.html">Concepts</a></li><li role="presentation" class='active'><a href="/v0.1/docs/tasks/index.html">Tasks</a></li><li role="presentation" ><a href="/v0.1/docs/samples/index.html">Samples</a></li><li role="presentation" ><a href="/v0.1/docs/reference/index.html">Reference</a></li></ul></div></div></div><script src="/v0.1/js/navtree.js"></script><div class="container docs"><div class="row"><div class="col-md-11 nofloat center-block"><div class="row"><div id="sidebar-container" class="col-sm-3"><ul class="doc-side-nav"><li><h5 class='doc-side-nav-title'>Tasks</h5></li><script type="text/javascript"> var docs = []; docs.push({path: [ "basic-access-control.md", ], url: "/docs/tasks/basic-access-control.html", title: "Enabling Simple Access Control", order: 90, overview: "This task shows how to use Istio to control access to a service."}); docs.push({path: [ "egress.md", ], url: "/docs/tasks/egress.html", title: "Enabling Egress Traffic", order: 40, overview: "Describes how to configure Istio to route traffic from services in the mesh to external services."}); docs.push({path: [ "fault-injection.md", ], url: "/docs/tasks/fault-injection.html", title: "Fault Injection", order: 60, overview: "This task shows how to inject delays and test the resiliency of your application."}); 
docs.push({path: [ "index.md", ], url: "/docs/tasks/index.html", title: "Tasks", order: 20, overview: "Tasks show you how to do a single specific targeted activity with the Istio system."}); docs.push({path: [ "ingress.md", ], url: "/docs/tasks/ingress.html", title: "Enabling Ingress Traffic", order: 30, overview: "Describes how to configure Istio to expose a service outside of the service mesh."}); docs.push({path: [ "installing-istio.md", ], url: "/docs/tasks/installing-istio.html", title: "Installing Istio", order: 10, overview: "This task shows you how to setup the Istio service mesh."}); docs.push({path: [ "integrating-services-into-istio.md", ], url: "/docs/tasks/integrating-services-into-istio.html", title: "Integrating Services into the Mesh", order: 20, overview: "This task shows you how to integrate your applications with the Istio service mesh."}); docs.push({path: [ "istio-auth.md", ], url: "/docs/tasks/istio-auth.html", title: "Testing Istio Auth", order: 100, overview: "This task shows you how to verify and test Istio-Auth."}); docs.push({path: [ "metrics-logs.md", ], url: "/docs/tasks/metrics-logs.html", title: "Collecting Metrics and Logs", order: 110, overview: "This task shows you how to configure Mixer to collect metrics and logs from Envoy instances."}); docs.push({path: [ "rate-limiting.md", ], url: "/docs/tasks/rate-limiting.html", title: "Enabling Rate Limits", order: 80, overview: "This task shows you how to use Istio to dynamically limit the traffic to a service."}); docs.push({path: [ "request-routing.md", ], url: "/docs/tasks/request-routing.html", title: "Configuring Request Routing", order: 50, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "request-timeouts.md", ], url: "/docs/tasks/request-timeouts.html", title: "Setting Request Timeouts", order: 70, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: 
[ "zipkin-tracing.md", ], url: "/docs/tasks/zipkin-tracing.html", title: "Distributed Request Tracing", order: 120, overview: "How to configure the proxies to send tracing requests to Zipkin"}); genNavBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"></a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Integrating Services into the Mesh</h1><p>This task shows how to integrate applications on Kubernetes with Istio. You’ll learn how to inject the Envoy sidecar into deployments using <a href="/v0.1/docs/reference/commands/istioctl.html#istioctl-kube-inject">istioctl kube-inject</a></p><h2 id="before-you-begin">Before you begin</h2><p>This task assumes you have deployed Istio on Kubernetes. If you have not done so, please first complete the <a href="./installing-istio.html">Installation Steps</a>.</p><h2 id="injecting-envoy-sidecar-into-a-deployment">Injecting Envoy sidecar into a deployment</h2><p>Example deployment and service to demonstrate this task. Save this as <code>apps.yaml</code>.</p><pre><code class="language-yaml">apiVersion: v1
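# Service fronting the service-one pods, which act as the client in this task.
kind: Service
metadata:
  name: service-one
  labels:
    app: service-one
spec:
  ports:
  - port: 80
    targetPort: 8080
    # Named port: the name begins with "http", which this task requires for
    # Istio's L7 routing features. Unnamed or differently named ports are
    # routed as L4 traffic.
    name: http
  selector:
    # Selects the pods labelled by the service-one Deployment template.
    app: service-one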
---
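# Deployment for service-one (the client in this task): one echoserver replica.
# NOTE(review): extensions/v1beta1 is the Deployment API group this archived
# 0.1 task was written against; later Kubernetes releases no longer serve it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: service-one
spec:
  replicas: 1
  template:
    metadata:
      labels:
        # Must match the selector of the service-one Service.
        app: service-one
    spec:
      containers:
      # The container name "app" is the one the task's
      # `kubectl exec ... -c app` commands address.
      - name: app
        image: gcr.io/google_containers/echoserver:1.4
        ports:
        # Matches the Service's targetPort (8080).
        - containerPort: 8080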
---
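# Service fronting the service-two pods, which act as the server in this task.
apiVersion: v1
kind: Service
metadata:
  name: service-two
  labels:
    app: service-two
spec:
  ports:
  - port: 80
    targetPort: 8080
    # Named port with the "http" prefix ("http-<suffix>" form), which this task
    # requires for Istio's L7 routing features.
    name: http-status
  selector:
    # Selects the pods labelled by the service-two Deployment template.
    app: service-two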
---
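# Deployment for service-two (the server in this task): one echoserver replica.
# NOTE(review): extensions/v1beta1 is the Deployment API group this archived
# 0.1 task was written against; later Kubernetes releases no longer serve it.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: service-two
spec:
  replicas: 1
  template:
    metadata:
      labels:
        # Must match the selector of the service-two Service.
        app: service-two
    spec:
      containers:
      # The container name "app" is the one the task's
      # `kubectl exec ... -c app` commands address.
      - name: app
        image: gcr.io/google_containers/echoserver:1.4
        ports:
        # Matches the Service's targetPort (8080).
        - containerPort: 8080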
</code></pre><p><a href="https://kubernetes.io/docs/concepts/services-networking/service/">Kubernetes Services</a> are required for properly functioning Istio service. Service ports must be named and these names must begin with <em>http</em> or <em>grpc</em> prefix to take advantage of Istio’s L7 routing features, e.g. <code>name: http-foo</code> or <code>name: http</code> is good. <em>Services with non-named ports or with ports that do not have a <em>http</em> or <em>grpc</em> prefix will be routed as L4 traffic.</em></p><p>Submit a YAML resource to API server with injected Envoy sidecar. Any one of the following methods will work.</p><pre><code class="language-bash">kubectl apply -f <(istioctl kube-inject -f apps.yaml)
</code></pre><p>Make a request from the client (service-one) to the server (service-two).</p><pre><code class="language-bash">CLIENT=$(kubectl get pod -l app=service-one -o jsonpath='{.items[0].metadata.name}')
SERVER=$(kubectl get pod -l app=service-two -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it ${CLIENT} -c app -- curl service-two:80 | grep x-request-id
</code></pre><pre><code class="language-bash">x-request-id=a641eff7-eb82-4a4f-b67b-53cd3a03c399
</code></pre><p>Verify that traffic is intercepted by the Envoy sidecar by comparing the <code>x-request-id</code> in the HTTP response with the sidecar’s access logs. The <code>x-request-id</code> is random, so substitute the value from your own response in the commands below. The IP in the outbound request log is the service-two pod’s IP.</p><p>Outbound request on the client pod’s proxy.</p><pre><code class="language-bash">kubectl logs ${CLIENT} proxy | grep a641eff7-eb82-4a4f-b67b-53cd3a03c399
</code></pre><pre><code class="language-bash">[2017-05-01T22:08:39.310Z] "GET / HTTP/1.1" 200 - 0 398 3 3 "-" "curl/7.47.0" "a641eff7-eb82-4a4f-b67b-53cd3a03c399" "service-two" "10.4.180.7:8080"
</code></pre><p>Inbound request on server pod’s proxy.</p><pre><code class="language-bash">kubectl logs ${SERVER} proxy | grep a641eff7-eb82-4a4f-b67b-53cd3a03c399
</code></pre><pre><code class="language-bash">[2017-05-01T22:08:39.310Z] "GET / HTTP/1.1" 200 - 0 398 2 0 "-" "curl/7.47.0" "a641eff7-eb82-4a4f-b67b-53cd3a03c399" "service-two" "127.0.0.1:8080"
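</code></pre><p>The Envoy sidecar does <em>not</em> intercept container-to-container traffic within the same pod when traffic is routed via localhost. This is by design. Such requests bypass the proxy, so they are not recorded in its access logs, and the command below should print no <code>x-request-id</code>.</p><pre><code class="language-bash">kubectl exec -it ${SERVER} -c app -- curl localhost:8080 | grep x-request-id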
</code></pre><h2 id="understanding-what-happened">Understanding what happened</h2><p><code>istioctl kube-inject</code> injects additional containers into YAML resource on the client <em>before</em> submitting to the Kubernetes API server. This will eventually be replaced by server-side injection via admission controller. Use</p><pre><code class="language-bash">kubectl get deployment service-one -o yaml
</code></pre><p>to inspect the modified deployment and look for the following:</p><ul><li><p>A proxy container, which includes the Envoy proxy and an agent to manage local proxy configuration.</p></li><li><p>An <a href="https://kubernetes.io/docs/concepts/workloads/pods/init-containers/">init-container</a> to program <a href="https://en.wikipedia.org/wiki/Iptables">iptables</a>.</p></li></ul><p>The proxy container runs with a specific UID (<code>1337</code> in the example below) so that the iptables rules can distinguish outbound traffic sent by the proxy itself from application traffic, which is redirected to the proxy. Application containers should therefore not run under this UID, because the rules tell the two kinds of traffic apart by UID alone.</p><pre><code class="language-yaml">- args:
- proxy
- sidecar
- "-v"
- "2"
env:
-
name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
-
name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
-
name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
image: "docker.io/istio/proxy:<...tag... >"
imagePullPolicy: Always
name: proxy
securityContext:
runAsUser: 1337
</code></pre><p>iptables is used to transparently redirect all inbound and outbound traffic to the proxy. An init-container is used for two reasons:</p><ol><li><p>iptables requires the <a href="http://man7.org/linux/man-pages/man7/capabilities.7.html">CAP_NET_ADMIN</a> capability (<code>NET_ADMIN</code> in the Kubernetes <code>securityContext</code>, as shown below). Granting it only to the init-container keeps it out of the long-running proxy container.</p></li><li><p>The sidecar iptables rules are fixed and don’t need to be updated after pod creation. The proxy container is responsible for dynamically routing traffic.</p><pre><code class="language-json">{
"name":"init",
"image":"docker.io/istio/init:<..tag...>",
"args":[ "-p", "15001", "-u", "1337" ],
"imagePullPolicy":"Always",
"securityContext":{
"capabilities":{
"add":[
"NET_ADMIN"
]
}
}
},
</code></pre></li></ol><h2 id="cleanup">Cleanup</h2><p>Delete the example services and deployment.</p><pre><code class="language-bash">kubectl delete -f apps.yaml
</code></pre><h2 id="whats-next">What’s next</h2><ul><li><p>Review full documentation for <a href="/v0.1/docs/reference/commands/istioctl.html#istioctl-kube-inject">istioctl kube-inject</a></p></li><li><p>See the <a href="/v0.1/docs/samples/bookinfo.html">BookInfo</a> sample for a more complete example of applications integrated on Kubernetes with Istio.</p></li></ul></div></div></div></div></div></div><script src="/v0.1/js/sidemenu.js"></script><footer><div class="container"><div class="row"><div class="col-md-2"></div><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Docs</p><li><a href="/v0.1/docs/">Welcome</a></li><li><a href="/v0.1/docs/concepts">Concepts</a></li><li><a href="/v0.1/docs/tasks">Tasks</a></li><li><a href="/v0.1/docs/samples">Samples</a></li><li><a href="/v0.1/docs/reference">Reference</a></li></ul></div><hr class="footer-sections" /><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Resources</p><li><a href="/v0.1/faq">Frequently Asked Questions</a></li><li><a href="/v0.1/troubleshooting">Troubleshooting Guide</a></li><li><a href="/v0.1/bugs">Report a Bug</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _docs/tasks/integrating-services-into-istio.md">Report a Doc Issue</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/tasks/integrating-services-into-istio.md">Edit This Page on GitHub</a></li></ul></div><hr class="footer-sections" /><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Community</p><li><a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank"><span class="group">User</span></a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank">Dev Mailing Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank"><span class="twitter">Twitter</span></a></li><li><a 
href="https://github.com/istio/istio" target="_blank"><span class="github">GitHub</span></a></li></ul></div><div class="col-md-1"></div></div><div class="row"><p class="description small text-center"> Copyright © 2017 Istio Authors<br> Istio 0.1<br> Archived on 20-Jul-2017</p></div></div></footer><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.15.0/jquery.validate.min.js"></script> <script src="/v0.1/js/jquery.form.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/js/bootstrap.min.js"></script> <script src="/v0.1/js/slick.min.js"></script> <script src="/v0.1/js/jquery.visible.min.js"></script> <script src="/v0.1/js/common.js" type="text/javascript" charset="utf-8"></script> <script src="/v0.1/js/buttons.js"></script> <script src="/v0.1/js/search.js"></script> <script src="/v0.1/js/prism.js"></script></body></html>