istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.1/help/ops/traffic-management/proxy-cmd/index.html

246 lines
36 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Debugging Envoy and Pilot"><meta name=description content="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management."><meta name=keywords content=microservices,services,mesh,debug,proxy,status,config,pilot,envoy><meta property=og:title content="Debugging Envoy and Pilot"><meta property=og:type content=website><meta property=og:description content="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management."><meta property=og:url content=/v1.1/help/ops/traffic-management/proxy-cmd/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Debugging Envoy and Pilot</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Debugging Envoy and Pilot";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.1/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<span title="A bunch of resources to help you deploy, configure and use Istio.">Help</span>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/help\/ops\/traffic-management\/proxy-cmd\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/help\/ops\/traffic-management\/proxy-cmd\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><div id=header0 class=header title="A bunch of resources to help you deploy, configure and use Istio."><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#help"/></svg>Need Help?</div><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label="Operations Guide"><button class=show aria-hidden=true></button><a title="Hints, tips, tricks about running an Istio mesh." href=/v1.1/help/ops/>Operations Guide</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.1/help/ops/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.1/help/ops/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="How to do low-level debugging of Istio components." href=/v1.1/help/ops/component-debugging/>Component Debugging</a></li><li role=treeitem aria-label="Traffic Management"><button class=show aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.1/help/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.1/help/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment and configuration guidelines." href=/v1.1/help/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li role=none><a role=treeitem title="Describes common networking issues and how to recognize and avoid them." href=/v1.1/help/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li><li role=none><span role=treeitem class=current title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management.">Debugging Envoy and Pilot</span></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.1/help/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.1/help/ops/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Demonstrates how to debug authorization." href=/v1.1/help/ops/security/debugging-authorization/>Debugging Authorization</a></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.1/help/ops/security/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="What to do if you suspect problems with Istio keys and certificates." href=/v1.1/help/ops/security/keys-and-certs/>Keys and Certificates</a></li><li role=none><a role=treeitem title="What to do if mutual TLS authentication isn't working." href=/v1.1/help/ops/security/mutual-tls/>Mutual TLS</a></li><li role=none><a role=treeitem title="Authorization is enabled, but requests make it through anyway." href=/v1.1/help/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li role=none><a role=treeitem title="Authorization is enabled and no requests make it through to the service." href=/v1.1/help/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li role=none><a role=treeitem title="What to do if end-user authentication doesn't work." href=/v1.1/help/ops/security/end-user-auth/>End User Authentication</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.1/help/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.1/help/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.1/help/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.1/help/ops/telemetry/grafana/>Grafana</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.1/help/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label="Installation and Setup"><button aria-hidden=true></button><a title="Helps you diagnose and repair Istio installations." href=/v1.1/help/ops/setup/>Installation and Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.1/help/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.1/help/ops/setup/validation/>Configuration Validation Webhook</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.1/help/ops/setup/injection/>Sidecar Injection Webhook</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.1/help/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.1/help/ops/setup/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=none><a role=treeitem title="Advice on tackling common problems with Istio." href=/v1.1/help/ops/misc/>Miscellaneous</a></li></ul></li><li role=treeitem aria-label=FAQ><button aria-hidden=true></button><a title="Frequently Asked Questions about Istio." href=/v1.1/help/faq/>FAQ</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General Q &amp; A." href=/v1.1/help/faq/general/>General</a></li><li role=none><a role=treeitem title="Setup Q &amp; A." href=/v1.1/help/faq/setup/>Setup</a></li><li role=none><a role=treeitem title="Security Q &amp; A." href=/v1.1/help/faq/security/>Security</a></li><li role=none><a role=treeitem title="Mixer Q &amp; A." href=/v1.1/help/faq/mixer/>Mixer</a></li><li role=none><a role=treeitem title="Metrics and Logs Q &amp; A." href=/v1.1/help/faq/metrics-and-logs/>Metrics and Logs</a></li><li role=none><a role=treeitem title="Distributed Tracing Q &amp; A." href=/v1.1/help/faq/distributed-tracing/>Distributed Tracing</a></li><li role=none><a role=treeitem title="Traffic Management Q &amp; A." href=/v1.1/help/faq/traffic-management/>Traffic Management</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.1/help/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/help/ title="A bunch of resources to help you deploy, configure and use Istio.">Help</a></li><li><a href=/v1.1/help/ops/ title="Hints, tips, tricks about running an Istio mesh.">Operations Guide</a></li><li><a href=/v1.1/help/ops/traffic-management/ title="Helps you manage the networking aspects of a running mesh.">Traffic Management</a></li><li>Debugging Envoy and Pilot</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Debugging Envoy and Pilot</h1><p class=byline><span title="1395 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>7 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Get an overview of your mesh"><a href=#get-an-overview-of-your-mesh>Get an overview of your mesh</a><li role=none aria-label="Retrieve diffs between Envoy and Istio Pilot"><a href=#retrieve-diffs-between-envoy-and-istio-pilot>Retrieve diffs between Envoy and Istio Pilot</a><li role=none aria-label="Deep dive into Envoy configuration"><a href=#deep-dive-into-envoy-configuration>Deep dive into Envoy configuration</a><li role=none aria-label="Inspecting Bootstrap configuration"><a href=#inspecting-bootstrap-configuration>Inspecting Bootstrap configuration</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>Istio provides two very valuable commands to help diagnose traffic management configuration problems,
the <a href=/v1.1/docs/reference/commands/istioctl/#istioctl-proxy-status><code>proxy-status</code></a>
and <a href=/v1.1/docs/reference/commands/istioctl/#istioctl-proxy-config><code>proxy-config</code></a> commands. The <code>proxy-status</code> command
allows you to get an overview of your mesh and identify the proxy causing the problem. Then <code>proxy-config</code> can be used
to inspect Envoy configuration and diagnose the issue.</p><p>If you want to try the commands described below, you can either:</p><ul><li>Have a Kubernetes cluster with Istio and Bookinfo installed (e.g use <code>istio.yaml</code> as described in
<a href=/v1.1/docs/setup/kubernetes/install/kubernetes/#installation-steps>installation steps</a> and
<a href=/v1.1/docs/examples/bookinfo/#if-you-are-running-on-kubernetes>Bookinfo installation steps</a>).</li></ul><p>OR</p><ul><li>Use similar commands against your own application running in a Kubernetes cluster.</li></ul><h2 id=get-an-overview-of-your-mesh>Get an overview of your mesh</h2><p>The <code>proxy-status</code> command allows you to get an overview of your mesh. If you suspect one of your sidecars isn&rsquo;t
receiving configuration or is out of sync then <code>proxy-status</code> will tell you this.</p><pre><code class=language-bash data-expandlinks=true>$ istioctl proxy-status
PROXY CDS LDS EDS RDS PILOT VERSION
details-v1-6dcc6fbb9d-wsjz4.default SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-75bdf98789-tfdvh 1.1.2
istio-egressgateway-c49694485-l9d5l.istio-system SYNCED SYNCED SYNCED (100%) NOT SENT istio-pilot-75bdf98789-tfdvh 1.1.2
istio-ingress-6458b8c98f-7ks48.istio-system SYNCED SYNCED SYNCED (100%) NOT SENT istio-pilot-75bdf98789-n2kqh 1.1.2
istio-ingressgateway-7d6874b48f-qxhn5.istio-system SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-75bdf98789-n2kqh 1.1.2
productpage-v1-6c886ff494-hm7zk.default SYNCED SYNCED SYNCED (100%) STALE istio-pilot-75bdf98789-n2kqh 1.1.2
ratings-v1-5d9ff497bb-gslng.default SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-75bdf98789-n2kqh 1.1.2
reviews-v1-55d4c455db-zjj2m.default SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-75bdf98789-n2kqh 1.1.2
reviews-v2-686bbb668-99j76.default SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-75bdf98789-tfdvh 1.1.2
reviews-v3-7b9b5fdfd6-4r52s.default SYNCED SYNCED SYNCED (100%) SYNCED istio-pilot-75bdf98789-n2kqh 1.1.2
</code></pre><p>If a proxy is missing from this list it means that it is not currently connected to a Pilot instance so will not be
receiving any configuration.</p><ul><li><code>SYNCED</code> means that Envoy has acknowledged the last configuration Pilot has sent to it.</li><li><code>SYNCED (100%)</code> means that Envoy has successfully synced all of the endpoints in the cluster.</li><li><code>NOT SENT</code> means that Pilot hasn&rsquo;t sent anything to Envoy. This usually is because Pilot has nothing to send.</li><li><code>STALE</code> means that Pilot has sent an update to Envoy but has not received an acknowledgement. This usually indicates
a networking issue between Envoy and Pilot or a bug with Istio itself.</li></ul><h2 id=retrieve-diffs-between-envoy-and-istio-pilot>Retrieve diffs between Envoy and Istio Pilot</h2><p>The <code>proxy-status</code> command can also be used to retrieve a diff between the configuration Envoy has loaded and the
configuration Pilot would send, by providing a proxy ID. This can help you determine exactly what is out of sync and
where the issue may lie.</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-status details-v1-6dcc6fbb9d-wsjz4.default
--- Pilot Clusters
+++ Envoy Clusters
@@ -374,36 +374,14 @@
&#34;edsClusterConfig&#34;: {
&#34;edsConfig&#34;: {
&#34;ads&#34;: {
}
},
&#34;serviceName&#34;: &#34;outbound|443||public-cr0bdc785ce3f14722918080a97e1f26be-alb1.kube-system.svc.cluster.local&#34;
- },
- &#34;connectTimeout&#34;: &#34;1.000s&#34;,
- &#34;circuitBreakers&#34;: {
- &#34;thresholds&#34;: [
- {
-
- }
- ]
- }
- }
- },
- {
- &#34;cluster&#34;: {
- &#34;name&#34;: &#34;outbound|53||kube-dns.kube-system.svc.cluster.local&#34;,
- &#34;type&#34;: &#34;EDS&#34;,
- &#34;edsClusterConfig&#34;: {
- &#34;edsConfig&#34;: {
- &#34;ads&#34;: {
-
- }
- },
- &#34;serviceName&#34;: &#34;outbound|53||kube-dns.kube-system.svc.cluster.local&#34;
},
&#34;connectTimeout&#34;: &#34;1.000s&#34;,
&#34;circuitBreakers&#34;: {
&#34;thresholds&#34;: [
{
}
Listeners Match
Routes Match
</code></pre><p>Here you can see that the listeners and routes match but the clusters are out of sync.</p><h2 id=deep-dive-into-envoy-configuration>Deep dive into Envoy configuration</h2><p>The <code>proxy-config</code> command can be used to see how a given Envoy instance is configured. This can then be used to
pinpoint any issues you are unable to detect by just looking through your Istio configuration and custom resources.
To get a basic summary of clusters, listeners or routes for a given pod use the command as follows (changing clusters
for listeners or routes when required):</p><pre><code class=language-bash data-expandlinks=true>$ istioctl proxy-config clusters -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
SERVICE FQDN PORT SUBSET DIRECTION TYPE
BlackHoleCluster - - - STATIC
details.default.svc.cluster.local 9080 - outbound EDS
heapster.kube-system.svc.cluster.local 80 - outbound EDS
istio-citadel.istio-system.svc.cluster.local 8060 - outbound EDS
istio-citadel.istio-system.svc.cluster.local 10514 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 80 - outbound EDS
...
</code></pre><p>In order to debug Envoy you need to understand Envoy clusters/listeners/routes/endpoints and how they all interact.
We will use the <code>proxy-config</code> command with the <code>-o json</code> and filtering flags to follow Envoy as it determines where
to send a request from the <code>productpage</code> pod to the <code>reviews</code> pod at <code>reviews:9080</code>.</p><ol><li><p>If you query the listener summary on a pod you will notice Istio generates the following listeners:</p><ul><li>A listener on <code>0.0.0.0:15001</code> that receives all traffic into and out of the pod, then hands the request over to
a virtual listener.</li><li>A virtual listener per service IP, per each non-HTTP for outbound TCP/HTTPS traffic.</li><li>A virtual listener on the pod IP for each exposed port for inbound traffic.</li><li>A virtual listener on <code>0.0.0.0</code> per each HTTP port for outbound HTTP traffic.</li></ul><pre><code class=language-bash data-expandlinks=true>$ istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs
ADDRESS PORT TYPE
172.21.252.250 15005 TCP &lt;--+
172.21.252.250 15011 TCP |
172.21.79.56 42422 TCP |
172.21.160.5 443 TCP |
172.21.157.6 443 TCP |
172.21.117.222 443 TCP |
172.21.0.10 53 TCP |
172.21.126.131 443 TCP | Receives outbound non-HTTP traffic for relevant IP:PORT pair from listener `0.0.0.0_15001`
172.21.160.5 31400 TCP |
172.21.81.159 9102 TCP |
172.21.0.1 443 TCP |
172.21.126.131 80 TCP |
172.21.119.8 443 TCP |
172.21.112.64 80 TCP |
172.21.179.54 443 TCP |
172.21.165.197 443 TCP &lt;--+
0.0.0.0 9090 HTTP &lt;-+
0.0.0.0 8060 HTTP |
0.0.0.0 15010 HTTP |
0.0.0.0 15003 HTTP |
0.0.0.0 15004 HTTP |
0.0.0.0 10514 HTTP | Receives outbound HTTP traffic for relevant port from listener `0.0.0.0_15001`
0.0.0.0 15007 HTTP |
0.0.0.0 8080 HTTP |
0.0.0.0 9091 HTTP |
0.0.0.0 9080 HTTP |
0.0.0.0 80 HTTP &lt;-+
0.0.0.0 15001 TCP // Receives all inbound and outbound traffic to the pod from IP tables and hands over to virtual listener
172.30.164.190 9080 HTTP // Receives all inbound traffic on 9080 from listener `0.0.0.0_15001`
</code></pre></li><li><p>From the above summary you can see that every sidecar has a listener bound to <code>0.0.0.0:15001</code> which is where
IP tables routes all inbound and outbound pod traffic to. This listener has <code>useOriginalDst</code> set to true which means
it hands the request over to the listener that best matches the original destination of the request.
If it can&rsquo;t find any matching virtual listeners it sends the request to the <code>PassthroughCluster</code> which connects to the destination directly.</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs --port 15001 -o json
[
{
&#34;name&#34;: &#34;virtual&#34;,
&#34;address&#34;: {
&#34;socketAddress&#34;: {
&#34;address&#34;: &#34;0.0.0.0&#34;,
&#34;portValue&#34;: 15001
}
},
&#34;filterChains&#34;: [
{
&#34;filters&#34;: [
{
&#34;name&#34;: &#34;envoy.tcp_proxy&#34;,
&#34;config&#34;: {
&#34;cluster&#34;: &#34;PassthroughCluster&#34;,
&#34;stat_prefix&#34;: &#34;PassthroughCluster&#34;
}
}
]
}
],
&#34;useOriginalDst&#34;: true
}
]
</code></pre></li><li><p>Our request is an outbound HTTP request to port <code>9080</code> this means it gets handed off to the <code>0.0.0.0:9080</code> virtual
listener. This listener then looks up the route configuration in its configured RDS. In this case it will be looking
up route <code>9080</code> in RDS configured by Pilot (via ADS).</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs -o json --address 0.0.0.0 --port 9080
...
&#34;rds&#34;: {
&#34;config_source&#34;: {
&#34;ads&#34;: {}
},
&#34;route_config_name&#34;: &#34;9080&#34;
}
...
</code></pre></li><li><p>The <code>9080</code> route configuration only has a virtual host for each service. Our request is heading to the reviews
service so Envoy will select the virtual host to which our request matches a domain. Once matched on domain Envoy
looks for the first route that matches the request. In this case we don&rsquo;t have any advanced routing so there is only
one route that matches on everything. This route tells Envoy to send the request to the
<code>outbound|9080||reviews.default.svc.cluster.local</code> cluster.</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-config routes productpage-v1-6c886ff494-7vxhs --name 9080 -o json
[
{
&#34;name&#34;: &#34;9080&#34;,
&#34;virtualHosts&#34;: [
{
&#34;name&#34;: &#34;reviews.default.svc.cluster.local:9080&#34;,
&#34;domains&#34;: [
&#34;reviews.default.svc.cluster.local&#34;,
&#34;reviews.default.svc.cluster.local:9080&#34;,
&#34;reviews&#34;,
&#34;reviews:9080&#34;,
&#34;reviews.default.svc.cluster&#34;,
&#34;reviews.default.svc.cluster:9080&#34;,
&#34;reviews.default.svc&#34;,
&#34;reviews.default.svc:9080&#34;,
&#34;reviews.default&#34;,
&#34;reviews.default:9080&#34;,
&#34;172.21.152.34&#34;,
&#34;172.21.152.34:9080&#34;
],
&#34;routes&#34;: [
{
&#34;match&#34;: {
&#34;prefix&#34;: &#34;/&#34;
},
&#34;route&#34;: {
&#34;cluster&#34;: &#34;outbound|9080||reviews.default.svc.cluster.local&#34;,
&#34;timeout&#34;: &#34;0.000s&#34;
},
...
</code></pre></li><li><p>This cluster is configured to retrieve the associated endpoints from Pilot (via ADS). So Envoy will then use the
<code>serviceName</code> field as a key to look up the list of Endpoints and proxy the request to one of them.</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-config clusters productpage-v1-6c886ff494-7vxhs --fqdn reviews.default.svc.cluster.local -o json
[
{
&#34;name&#34;: &#34;outbound|9080||reviews.default.svc.cluster.local&#34;,
&#34;type&#34;: &#34;EDS&#34;,
&#34;edsClusterConfig&#34;: {
&#34;edsConfig&#34;: {
&#34;ads&#34;: {}
},
&#34;serviceName&#34;: &#34;outbound|9080||reviews.default.svc.cluster.local&#34;
},
&#34;connectTimeout&#34;: &#34;1.000s&#34;,
&#34;circuitBreakers&#34;: {
&#34;thresholds&#34;: [
{}
]
}
}
]
</code></pre></li><li><p>To see the endpoints currently available for this cluster use the <code>proxy-config</code> endpoints command.</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-config endpoints productpage-v1-6c886ff494-7vxhs --cluster &#34;outbound|9080||reviews.default.svc.cluster.local&#34;
ENDPOINT STATUS CLUSTER
172.17.0.17:9080 HEALTHY outbound|9080||reviews.default.svc.cluster.local
172.17.0.18:9080 HEALTHY outbound|9080||reviews.default.svc.cluster.local
172.17.0.5:9080 HEALTHY outbound|9080||reviews.default.svc.cluster.local
</code></pre></li></ol><h2 id=inspecting-bootstrap-configuration>Inspecting Bootstrap configuration</h2><p>So far we have looked at configuration retrieved (mostly) from Pilot, however Envoy requires some bootstrap configuration that
includes information like where Pilot can be found. To view this use the following command:</p><pre><code class=language-bash data-expandlinks=true data-outputis=json>$ istioctl proxy-config bootstrap -n istio-system istio-ingressgateway-7d6874b48f-qxhn5
{
&#34;bootstrap&#34;: {
&#34;node&#34;: {
&#34;id&#34;: &#34;router~172.30.86.14~istio-ingressgateway-7d6874b48f-qxhn5.istio-system~istio-system.svc.cluster.local&#34;,
&#34;cluster&#34;: &#34;istio-ingressgateway&#34;,
&#34;metadata&#34;: {
&#34;POD_NAME&#34;: &#34;istio-ingressgateway-7d6874b48f-qxhn5&#34;,
&#34;istio&#34;: &#34;sidecar&#34;
},
&#34;buildVersion&#34;: &#34;0/1.8.0-dev//RELEASE&#34;
},
...
</code></pre><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/help/ops/security/debugging-authorization/>Debugging Authorization</a></p><p class=desc>Demonstrates how to debug authorization.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></p><p class=desc>Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/concepts/policies-and-telemetry/>Policies and Telemetry</a></p><p class=desc>Describes the policy enforcement and telemetry mechanisms.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Describes common networking issues and how to recognize and avoid them." href=/v1.1/help/ops/traffic-management/troubleshooting/><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#left-arrow"/></svg>Troubleshooting Networking Issues</a></div><div class=right><a title="Information on how to enable and understand Locality Load Balancing." href=/v1.1/help/ops/traffic-management/locality-load-balancing/>Locality Load Balancing<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Get an overview of your mesh"><a href=#get-an-overview-of-your-mesh>Get an overview of your mesh</a><li role=none aria-label="Retrieve diffs between Envoy and Istio Pilot"><a href=#retrieve-diffs-between-envoy-and-istio-pilot>Retrieve diffs between Envoy and Istio Pilot</a><li role=none aria-label="Deep dive into Envoy configuration"><a href=#deep-dive-into-envoy-configuration>Deep dive into Envoy configuration</a><li role=none aria-label="Inspecting Bootstrap configuration"><a href=#inspecting-bootstrap-configuration>Inspecting Bootstrap configuration</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink