istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.10/zh/blog/2019/data-plane-setup/index.html

204 lines
36 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="揭开 Istio Sidecar 注入模型的神秘面纱"><meta name=description content="揭秘 Istio 是如何将其数据平面组件添加到现有 deployment。"><meta name=author content="Manish Chugtu"><meta name=keywords content="microservices,services,mesh,kubernetes,sidecar-injection,traffic-management"><meta property="og:title" content="揭开 Istio Sidecar 注入模型的神秘面纱"><meta property="og:type" content="website"><meta property="og:description" content="揭秘 Istio 是如何将其数据平面组件添加到现有 deployment。"><meta property="og:url" content="/v1.10/zh/blog/2019/data-plane-setup/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><meta name=twitter:creator content="@chugtum"><title>Istioldie 1.10 / 揭开 Istio Sidecar 注入模型的神秘面纱</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.10/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.10/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.10/feed.xml><link rel="shortcut icon" href=/v1.10/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.10/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.10/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.10/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.10/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.10/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.10/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.10/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.10/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.10/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.10/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href=/v1.10/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,600&display=swap"><script src=/v1.10/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.10";const docTitle="揭开 Istio Sidecar 注入模型的神秘面纱";const iconFile="\/v1.10/img/icons.svg";const buttonCopy='复制到剪切板';const buttonPrint='打印';const buttonDownload='下载';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.10/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.10/zh/><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.10/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.10/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.10/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.10/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.10/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.10/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.10/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.10/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.10/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.10/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.10/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.10/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.10/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="搜索 istio.io" aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.10/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.10/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="搜索 istio.io" placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.10/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>揭开 Istio Sidecar 注入模型的神秘面纱</h1><p>揭秘 Istio 是如何将其数据平面组件添加到现有 deployment。</p></div><p class=post-author>Jan 31, 2019 <span>|</span> By Manish Chugtu</p><div><p>Istio 服务网格体系结构的简单概述总是从控制平面和数据平面开始。</p><p><a href=/v1.10/zh/docs/ops/deployment/architecture/>Istio 的文档</a> :</p><figure><aside class="callout quote"><div class=quote-text><p>Istio 服务网格在逻辑上分为数据平面和控制平面。</p><p>数据平面由一组部署为 sidecar 的智能代理Envoy组成。这些代理与 Mixer、通用策略和遥测中心协调并控制微服务之间的所有网络通信。</p><p>控制平面管理并配置从代理到路由的流量。此外,控制平面配置 Mixer 以执行策略和收集遥测数据。</p></div></aside></figure><figure style=width:40%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:80%><a data-skipendnotes=true href=/v1.10/zh/blog/2019/data-plane-setup/arch-2.svg title="Istio Architecture"><img class=element-to-stretch src=/v1.10/zh/blog/2019/data-plane-setup/arch-2.svg alt="基于 Istio 的应用程序的总体架构。"></a></div><figcaption>Istio Architecture</figcaption></figure><p>重要的是要理解向应用程序 pod 中注入边车是自动进行的,尽管也可以手动注入。流量从应用服务流向 sidecar而开发人员无需关心它。一旦将应用程序连接到 Istio 服务网格,开发者便可以开始使用并获得服务网格中的所有效益。但是,数据平面管道是如何发生的,以及无缝迁移工作的真正要求是什么?在本文中,我们将深入研究 Sidecar 注入模型的细节,以非常清楚地理解 Sidecar 注入的工作原理。</p><h2 id=sidecar-injection>Sidecar 注入</h2><p>简单来说Sidecar 注入会将额外容器的配置添加到 Pod 模板中。Istio 服务网格目前所需的容器有:</p><p><code>istio-init</code>
<a href=https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>init 容器</a>用于设置 iptables 规则,以便将入站/出站流量通过 sidecar 代理。初始化容器与应用程序容器在以下方面有所不同:</p><ul><li>它在启动应用容器之前运行,并一直运行直至完成。</li><li>如果有多个初始化容器,则每个容器都应在启动下一个容器之前成功完成。</li></ul><p>因此,您可以看到,对于不需要成为实际应用容器一部分的设置或初始化作业来说,这种容器是多么的完美。在这种情况下,<code>istio-init</code> 就是这样做并设置了 <code>iptables</code> 规则。</p><p><code>istio-proxy</code>
这个容器是真正的 sidecar 代理(基于 Envoy</p><h3 id=manual-injection>手动注入</h3><p>在手动注入方法中,可以使用 <a href=/v1.10/zh/docs/reference/commands/istioctl><code>istioctl</code></a> 修改容器模板并添加前面提到的两个容器的配置。不论是手动注入还是自动注入Istio 都从 <code>istio-sidecar-injector</code> 和的 <code>istio</code> 两个 Configmap 对象中获取配置。</p><p>我们先来看看 <code>istio-sidecar-injector</code> Configmap 的配置,了解一下其中的内容。</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml data-repo=istio>$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&#39;{.data.config}&#39;
以下代码片段来自 output
policy: enabled
template: |-
initContainers:
- name: istio-init
image: docker.io/istio/proxy_init:1.0.2
args:
- &#34;-p&#34;
- [[ .MeshConfig.ProxyListenPort ]]
- &#34;-u&#34;
- 1337
.....
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Always
containers:
- name: istio-proxy
image: [[ if (isset .ObjectMeta.Annotations &#34;sidecar.istio.io/proxyImage&#34;) -]]
&#34;[[ index .ObjectMeta.Annotations &#34;sidecar.istio.io/proxyImage&#34; ]]&#34;
[[ else -]]
docker.io/istio/proxyv2:1.0.2
[[ end -]]
args:
- proxy
- sidecar
.....
env:
.....
- name: ISTIO_META_INTERCEPTION_MODE
value: [[ or (index .ObjectMeta.Annotations &#34;sidecar.istio.io/interceptionMode&#34;) .ProxyConfig.InterceptionMode.String ]]
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
[[ if eq (or (index .ObjectMeta.Annotations &#34;sidecar.istio.io/interceptionMode&#34;) .ProxyConfig.InterceptionMode.String) &#34;TPROXY&#34; -]]
capabilities:
add:
- NET_ADMIN
restartPolicy: Always
.....
</code></pre><p>如您所见configmap 包含了 <code>istio-init</code> 初始化容器和 <code>istio-proxy</code> 代理容器的配置。该配置包括容器镜像的名称以及拦截模式,权限要求等参数。</p><p>从安全的角度来看,重要的是要注意 <code>istio-init</code> 需要 <code>NET_ADMIN</code> 权限来修改 pod 命名空间中的 <code>iptables</code>,如果 <code>istio-proxy</code><code>TPROXY</code> 模式,也需要这一权限。由于该仅限于 pod 的命名空间,因此应该没有问题。但是,我们注意到最近的 open-shift 版本可能会出现一些问题,因此需要一种解决方法。本文结尾处提到了一个这样的选择。</p><p>要修改当前的 Pod 模板以进行 sidecar 注入,您可以:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl kube-inject -f demo-red.yaml | kubectl apply -f -
</code></pre><p>或者</p><p>要使用修改后的 Configmap 或本地 Configmap</p><ul><li><p>从 configmap 创建 <code>inject-config.yaml</code><code>mesh-config.yaml</code></p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&#39;{.data.config}&#39; &gt; inject-config.yaml
$ kubectl -n istio-system get configmap istio -o=jsonpath=&#39;{.data.mesh}&#39; &gt; mesh-config.yaml
</code></pre></li><li><p>修改现有的 pod 模板,在这个例子中是,<code>demo-red.yaml</code></p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ istioctl kube-inject --injectConfigFile inject-config.yaml --meshConfigFile mesh-config.yaml --filename demo-red.yaml --output demo-red-injected.yaml
</code></pre></li><li><p>提交 <code>demo-red-injected.yaml</code></p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f demo-red-injected.yaml
</code></pre></li></ul><p>如上所示,我们使用 <code>sidecar-injector</code> 和网格配置创建了一个新模板,然后使用 <code>kubectl</code> 应用该新模板。如果我们查看注入后的 YAML 文件,它具有 Istio 特定容器的配置,如上所述。一旦我们应用注入后的 YAML 文件,我们将看到两个容器正在运行。其中一个是实际的应用程序容器,另一个是 <code>istio-proxy</code> sidecar。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get pods | grep demo-red
demo-red-pod-8b5df99cc-pgnl7 2/2 Running 0 3d
</code></pre><p>这里没有 3 个 Pod因为 <code>istio-init</code> 容器是一个 init 类型的容器,它在完成应做的操作后退出,其用于在 pod 中设置 <code>iptable</code> 规则。为了确认 init 容器已退出,让我们看一下 <code>kubectl describe</code> 的输出:</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml data-repo=istio>$ kubectl describe pod demo-red-pod-8b5df99cc-pgnl7
以下代码片段来自 output
Name: demo-red-pod-8b5df99cc-pgnl7
Namespace: default
.....
Labels: app=demo-red
pod-template-hash=8b5df99cc
version=version-red
Annotations: sidecar.istio.io/status={&#34;version&#34;:&#34;3c0b8d11844e85232bc77ad85365487638ee3134c91edda28def191c086dc23e&#34;,&#34;initContainers&#34;:[&#34;istio-init&#34;],&#34;containers&#34;:[&#34;istio-proxy&#34;],&#34;volumes&#34;:[&#34;istio-envoy&#34;,&#34;istio-certs...
Status: Running
IP: 10.32.0.6
Controlled By: ReplicaSet/demo-red-pod-8b5df99cc
Init Containers:
istio-init:
Container ID: docker://bef731eae1eb3b6c9d926cacb497bb39a7d9796db49cd14a63014fc1a177d95b
Image: docker.io/istio/proxy_init:1.0.2
Image ID: docker-pullable://docker.io/istio/proxy_init@sha256:e16a0746f46cd45a9f63c27b9e09daff5432e33a2d80c8cc0956d7d63e2f9185
.....
State: Terminated
Reason: Completed
.....
Ready: True
Containers:
demo-red:
Container ID: docker://8cd9957955ff7e534376eb6f28b56462099af6dfb8b9bc37aaf06e516175495e
Image: chugtum/blue-green-image:v3
Image ID: docker-pullable://docker.io/chugtum/blue-green-image@sha256:274756dbc215a6b2bd089c10de24fcece296f4c940067ac1a9b4aea67cf815db
State: Running
Started: Sun, 09 Dec 2018 18:12:31 -0800
Ready: True
istio-proxy:
Container ID: docker://ca5d690be8cd6557419cc19ec4e76163c14aed2336eaad7ebf17dd46ca188b4a
Image: docker.io/istio/proxyv2:1.0.2
Image ID: docker-pullable://docker.io/istio/proxyv2@sha256:54e206530ba6ca9b3820254454e01b7592e9f986d27a5640b6c03704b3b68332
Args:
proxy
sidecar
.....
State: Running
Started: Sun, 09 Dec 2018 18:12:31 -0800
Ready: True
.....
</code></pre><p>从输出中可以看出,<code>istio-init</code> 容器的 <code>State</code><code>Terminated</code>,而 <code>Reason</code><code>Completed</code>。只有两个容器是运行的,主应用程序 <code>demo-red</code> 容器和 <code>istio-proxy</code> 容器。</p><h3 id=automatic-injection>自动注入</h3><p>在大多数情况下,您不想在每次部署应用程序时都使用 <a href=/v1.10/zh/docs/reference/commands/istioctl><code>istioctl</code></a> 命令手动注入边车,而是希望 Istio 自动将 sidecar 注入到您的 pod 中。这是推荐的方法,要使自动注入生效,您只需要用 <code>istio-injection=enabled</code> 标记想部署应用程序的命名空间。</p><p>贴上标签后Istio 会自动为您在该命名空间中部署的所有 pod 注入 sidecar。下面的例子里<code>istio-dev</code> 命名空间中部署的 pod 被自动注入了 sidecar</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get namespaces --show-labels
NAME STATUS AGE LABELS
default Active 40d &lt;none&gt;
istio-dev Active 19d istio-injection=enabled
istio-system Active 24d &lt;none&gt;
kube-public Active 40d &lt;none&gt;
kube-system Active 40d &lt;none&gt;
</code></pre><p>但它是如何工作的呢?要深入了解这一点,我们需要理解 Kubernetes 准入控制器。</p><p><a href=https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/>来自 Kubernetes 文档:</a></p><div><aside class="callout tip"><div class=content>准入控制器是一段代码,用于在对象持久化之前但请求已经过身份验证和授权之后,拦截对 Kubernetes API 服务器的请求。您可以定义两种类型的 Admission WebhookValidating 和 Mutating。Validating 类型的 Webhook 可以根据自定义的准入策略决定是否拒绝请求Mutating 类型的 Webhook 可以根据自定义配置来对请求进行编辑。</div></aside></div><p>对于 sidecar 自动注入Istio 依赖于 <code>Mutating Admission Webhook</code>。让我们来看看 <code>istio-sidecar-injector</code> 中的配置详情。</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml data-repo=istio>$ kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml
以下代码片段来自 output
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{&#34;apiVersion&#34;:&#34;admissionregistration.k8s.io/v1beta1&#34;,&#34;kind&#34;:&#34;MutatingWebhookConfiguration&#34;,&#34;metadata&#34;:{&#34;annotations&#34;:{},&#34;labels&#34;:{&#34;app&#34;:&#34;istio-sidecar-injector&#34;,&#34;chart&#34;:&#34;sidecarInjectorWebhook-1.0.1&#34;,&#34;heritage&#34;:&#34;Tiller&#34;,&#34;release&#34;:&#34;istio-remote&#34;},&#34;name&#34;:&#34;istio-sidecar-injector&#34;,&#34;namespace&#34;:&#34;&#34;},&#34;webhooks&#34;:[{&#34;clientConfig&#34;:{&#34;caBundle&#34;:&#34;&#34;,&#34;service&#34;:{&#34;name&#34;:&#34;istio-sidecar-injector&#34;,&#34;namespace&#34;:&#34;istio-system&#34;,&#34;path&#34;:&#34;/inject&#34;}},&#34;failurePolicy&#34;:&#34;Fail&#34;,&#34;name&#34;:&#34;sidecar-injector.istio.io&#34;,&#34;namespaceSelector&#34;:{&#34;matchLabels&#34;:{&#34;istio-injection&#34;:&#34;enabled&#34;}},&#34;rules&#34;:[{&#34;apiGroups&#34;:[&#34;&#34;],&#34;apiVersions&#34;:[&#34;v1&#34;],&#34;operations&#34;:[&#34;CREATE&#34;],&#34;resources&#34;:[&#34;pods&#34;]}]}]}
creationTimestamp: 2018-12-10T08:40:15Z
generation: 2
labels:
app: istio-sidecar-injector
chart: sidecarInjectorWebhook-1.0.1
heritage: Tiller
release: istio-remote
name: istio-sidecar-injector
.....
webhooks:
- clientConfig:
service:
name: istio-sidecar-injector
namespace: istio-system
path: /inject
name: sidecar-injector.istio.io
namespaceSelector:
matchLabels:
istio-injection: enabled
rules:
- apiGroups:
- &#34;&#34;
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
</code></pre><p>在这里,您可以看到与标签 <code>istio-injection:enabled</code> 相匹配的 webhook <code>namespaceSelector</code> 标签。在这种情况下,您还会看到在创建容器时要完成的操作和资源。当 <code>apiserver</code> 接收到与其中一个规则匹配的请求时,<code>apiserver</code> 会根据 <code>clientconfig</code> 配置中指定的 <code>name: istio-sidecar-injector</code> 键值对,向 webhook 服务发送准入审查请求。我们应该能够看到该服务正在 <code>istio-system</code> 命名空间中运行。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl get svc --namespace=istio-system | grep sidecar-injector
istio-sidecar-injector ClusterIP 10.102.70.184 &lt;none&gt; 443/TCP 24d
</code></pre><p>最终,该配置与手动注入中的配置几乎相同。只是它是在 pod 创建过程中自动完成的,因此您不会看到部署中的更改。您需要使用 <code>kubectl describe</code> 来查看 sidecar 代理和 init 代理。</p><p>sidecar 自动注入不仅取决于 webhook 的 <code>namespaceSelector</code> 机制,还取决于默认注入策略和每个 pod 自身注解。</p><p>如果你再次查看 <code>istio-sidecar-injector</code> ConfigMap它将定义默认的注入策略。在这个示例中它是默认启用的。</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml data-repo=istio>$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&#39;{.data.config}&#39;
以下代码片段来自 output
policy: enabled
template: |-
initContainers:
- name: istio-init
image: &#34;gcr.io/istio-release/proxy_init:1.0.2&#34;
args:
- &#34;-p&#34;
- [[ .MeshConfig.ProxyListenPort ]]
</code></pre><p>您还可以在 pod 模板中使用注解 <code>sidecar.istio.io/inject</code> 覆盖默认策略。以下示例展示如何为 <code>Deployment</code> 中的 pod 禁用 sidecar 自动注入。</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ignored
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: &#34;false&#34;
spec:
containers:
- name: ignored
image: tutum/curl
command: [&#34;/bin/sleep&#34;,&#34;infinity&#34;]
</code></pre><p>此示例显示了许多变量这取决于是否在命名空间、ConfigMap 和 pod 中控制 sidecar 自动注入,它们是:</p><ul><li>webhook <code>namespaceSelector</code><code>istio-injection: enabled</code></li><li>默认策略(在 ConfigMap <code>istio-sidecar-injector</code> 中配置)</li><li>每个 pod 的重载注解(<code>sidecar.istio.io/inject</code></li></ul><p><a href=/v1.10/zh/docs/ops/common-problems/injection/>注入状态表</a>根据上述变量的值清晰显示了最终注入状态。</p><h2 id=traffic-flow-from-application-container-to-sidecar-proxy>从应用容器到 Sidecar 代理的流量</h2><p>既然我们已经清楚了如何将 sidecar 容器和 init 容器注入到应用清单中,那么 sidecar 代理如何捕获容器之间的入站和出站流量?我们曾简要提到过,这是通过在 pod 命名空间中设置 <code>iptable</code> 规则来完成的,而规则又是由 <code>istio-init</code> 容器完成的。现在,是时候验证命名空间中实际更新的内容了。</p><p>让我们进入上一节中部署的应用程序 pod 命名空间,并查看已配置的 iptables。我们将展示一个使用 <code>nsenter</code> 的例子。或者,您也可以通过特权模式进入容器并查看相同的信息。对于无法访问节点的人来说,使用 <code>exec</code> 进入 sidecar 并运行 <code>iptables</code> 更实用。</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ docker inspect b8de099d3510 --format &#39;{{ .State.Pid }}&#39;
4125
</code></pre><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ nsenter -t 4215 -n iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N ISTIO_INBOUND
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-N ISTIO_REDIRECT
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 80 -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
</code></pre><p>上面的输出清楚地表明,端口 80 的所有入站流量(即我们的 <code>red-demo</code> 应用正在监听的端口)现在已被 <code>REDIRECTED</code> 到端口 15001<code>istio-proxy</code> 的端口,一个 Envoy 代理正在监听的端口。对于出站流量也是如此。</p><p>本文已经快结束了。我们希望本文有助于您弄清 Istio 是如何将 Sidecar 代理注入到现有部署中以及 Istio 是如何将流量路由到代理。</p><div><aside class="callout idea"><div class=type><svg class="large-icon"><use xlink:href="/v1.10/img/icons.svg#callout-idea"/></svg></div><div class=content>更新:现在似乎可以选择使用新的 CNI 来代替 <code>istio-init</code>,其移除了对 init 容器和相关特权的要求。<a href=https://github.com/istio/cni><code>istio-cni</code></a> 插件设置了 pod 的网络来满足此要求,以代替 Istio 当前通过 <code>istio-init</code> 注入 pod 的方法。</div></aside></div></div><nav class=pagenav><div class=left><a title="评估加入 Egress gateway 对性能造成的影响。" href=/v1.10/zh/blog/2019/egress-performance/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.10/img/icons.svg#left-arrow"/></svg>Egress gateway 性能测试</a></div><div class=right><a title="使用 AppSwitch 解决应用程序启动顺序和启动延迟。" href=/v1.10/zh/blog/2019/appswitch/ class=next-link>使用 AppSwitch 进行 Sidestepping 依赖性排序<svg class="icon right-arrow"><use xlink:href="/v1.10/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="Istio 的代码在 GitHub 上开发" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.10/img/icons.svg#github"/></svg></a><a class=channel title="如果您想深入了解 Istio 的技术细节,请查看我们日益完善的设计文档" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.10/img/icons.svg#drive"/></svg></a><a class=channel title="在 Slack 上与 Istio 社区交互讨论开发问题(仅限邀请)" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.10/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow 中列举了针对实际问题以及部署、配置和使用 Istio 的各项回答" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.10/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="关注我们的 Twitter 来获取最新信息" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.10/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.10/zh/><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=footer-languages-item>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.10/img/icons.svg#tick"/></svg>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>隐私政策</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.10/content/zh/blog/2019/data-plane-setup/index.md>在 GitHub 上编辑此页</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2021 Istio Authors.</span>
<span class=footer-base-version>部分内容可能滞后于英文版本,同步工作正在进行中<br>Version
Istio 归档
1.10.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/data-plane-setup\/');return false;">当前版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/data-plane-setup\/');return false;">下个版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem href=https://istio.io/archive>旧版本</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title=回到顶部><svg class="icon top"><use xlink:href="/v1.10/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink