istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.20/zh/blog/2019/monitoring-external-service.../index.html

238 lines
34 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=zh itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="监控被阻止的和透传的外部服务流量"><meta name=description content="如何使用 Istio 去监控被阻止的和透传的外部服务流量。"><meta name=author content="Neeraj Poddar (Aspen Mesh)"><meta name=keywords content="microservices,services,mesh,monitoring,blackhole,passthrough"><meta property="og:title" content="监控被阻止的和透传的外部服务流量"><meta property="og:type" content="website"><meta property="og:description" content="如何使用 Istio 去监控被阻止的和透传的外部服务流量。"><meta property="og:url" content="/v1.20/zh/blog/2019/monitoring-external-service-traffic/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.20 / 监控被阻止的和透传的外部服务流量</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.20/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.20/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.20/feed.xml><link rel="shortcut icon" href=/v1.20/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.20/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.20/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.20/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.20/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.20/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.20/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.20/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.20/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.20/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.20/favicons/favicon.svg><link rel=icon type=image/png href=/v1.20/favicons/favicon.png><link rel=mask-icon href=/v1.20/favicons/safari-pinned-tab.svg color=#466BB0><link rel=manifest href=/v1.20/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.20/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.20/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.20",docTitle="监控被阻止的和透传的外部服务流量",iconFile="/v1.20//img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.20/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.20/zh/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>
</a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation">
<svg class="icon menu-hamburger"><use xlink:href="/v1.20/img/icons.svg#menu-hamburger"/></svg>
</button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.20/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.20/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.20/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.20/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.20/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.20/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.20/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.20/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.20/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.20/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>监控被阻止的和透传的外部服务流量</h1><p>如何使用 Istio 去监控被阻止的和透传的外部服务流量。</p></div><p class=post-author>Sep 28, 2019 <span>| </span>By Neeraj Poddar - Aspen Mesh</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.20/img/icons.svg#callout-warning"/></svg></div><div class=content>该博客文章是在 Istio 1.3 的版本下编写的,因此其中某些内容现在可能已过时。</div></aside></div><div><p>了解,控制和保护外部服务访问权限是你能够从 Istio 这样的服务网格中获得的主要好处之一。
从安全和操作的角度来看,监控哪些外部服务流量被阻止是非常重要的;因为如果程序试图与不合适的服务进行通信,它们可能会出现错误配置或安全漏洞。
同样,如果你现在有允许任何外部服务访问的策略,那么你可以根据对流量的监控,逐步地添加明确的 Istio 配置来限制访问并提高集群的安全性。
在任何情况下,通过遥测了解这种流量都非常有帮助,因为你可以根据它来创建警报和仪表板,并更好地了解安全状况。
这是 Istio 的生产用户强烈要求的功能,我们很高兴在版本 1.3 中添加了对此功能的支持。</p><p>为了实现此功能Istio 的<a href=/v1.20/zh/docs/reference/config/policy-and-telemetry/metrics>默认监控指标</a>增加了显式标签,以捕获被阻止和透传的外部服务流量。
这篇博客将介绍如何使用这些增强指标来监视所有外部服务流量。</p><p>Istio 控制平面使用了预定义集群 BlackHoleCluster 和 Passthrough 来配置 sidecar 代理,它们的作用分别是阻止和通过所有流量。
为了了解这些集群,让我们先从外部和内部服务在 Istio 服务网格的意义开始。</p><h2 id=external-and-internal-services>外部和内部服务</h2><p>内部服务被定义为平台中的一部分并被视为在网格中。对于内部服务默认情况下Istio 控制平面为 sidecars 提供所有必需的配置。
例如,在 Kubernetes 集群中Istio 会为所有 Kubernetes 服务配置 sidecar以保留所有能够与其他服务通信的服务的默认 Kubernetes 行为。</p><p>外部服务是不属于平台的服务,即不在网格内的服务。
对于外部服务Istio 提供了两个选项,一个是阻止所有外部服务访问(通过将 <code>global.outboundTrafficPolicy.mode</code> 设置
<code>REGISTRY_ONLY</code> 启用), 另一个是允许所有对外部服务的访问(通过将 <code>global.outboundTrafficPolicy.mode</code> 设置为 <code>ALLOW_ANY</code> 启用)。
从 Istio 1.3 开始,此设置的默认选项是允许所有外部服务访问。此选项可以通过<a href=/v1.20/zh/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode>网格配置</a>进行配置。</p><p>这就是使用 BlackHole 和 Passthrough 集群的地方。</p><h2 id=what-are-black-hole-and-pass-through-clusters>什么是 BlackHole 和 Passthrough 集群?</h2><ul><li><p><strong>BlackHoleCluster</strong> - 当将 <code>global.outboundTrafficPolicy.mode</code> 设置为 <code>REGISTRY_ONLY</code>BlackHoleCluster 是
在 Envoy 配置中创建的虚拟集群。在这种模式下,除非为每个服务显式添加了
<a href=/v1.20/zh/docs/reference/config/networking/service-entry>service entries</a>,否则
所有到外部服务的流量都会被阻止。为了实现此目的,
将使用了 <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination>original destination</a> 且在 <code>0.0.0.0:15001</code> 的默认虚拟出站监听器设置为以 BlackHoleCluster 为静态集群的 TCP 代理。
BlackHoleCluster 的配置如下所示:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;name&#34;: &#34;BlackHoleCluster&#34;,
&#34;type&#34;: &#34;STATIC&#34;,
&#34;connectTimeout&#34;: &#34;10s&#34;
}
</code></pre><p>如你所见,这个集群是静态的且没有任何的 endpoints所以所有的流量都会被丢弃。
此外Istio 会为平台服务的每个端口/协议组合创建唯一的监听器,如果对同一端口上的外部服务发出了请求,则监听器将会取代虚拟监听器。
在这种情况下Envoy 中每个虚拟路由的路由配置都会被扩展,以添加 BlackHoleCluster如下所示</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;name&#34;: &#34;block_all&#34;,
&#34;domains&#34;: [
&#34;*&#34;
],
&#34;routes&#34;: [
{
&#34;match&#34;: {
&#34;prefix&#34;: &#34;/&#34;
},
&#34;directResponse&#34;: {
&#34;status&#34;: 502
}
}
]
}
</code></pre><p>该路由被设置为响应码是 502 的<a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route_components.proto#envoy-api-field-route-route-direct-response>直接响应</a>,这意味着如果没有其他路由匹配,则 Envoy 代理将直接返回 502 HTTP 状态代码。</p></li><li><p><strong>PassthroughCluster</strong> - 当将 <code>global.outboundTrafficPolicy.mode</code> 设置为 <code>ALLOW_ANY</code> 时,
PassthroughCluster 是在 Envoy 配置中创建的虚拟集群。在此模式下,允许流向外部服务的所有流量。
为了实现此目的,将使用 <code>SO_ORIGINAL_DST</code> 且监听 <code>0.0.0.0:15001</code> 的默认虚拟出站监听器设置为 TCP 代理,并将 PassthroughCluster 作为静态集群。
PassthroughCluster 的配置如下所示:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;name&#34;: &#34;PassthroughCluster&#34;,
&#34;type&#34;: &#34;ORIGINAL_DST&#34;,
&#34;connectTimeout&#34;: &#34;10s&#34;,
&#34;lbPolicy&#34;: &#34;ORIGINAL_DST_LB&#34;,
&#34;circuitBreakers&#34;: {
&#34;thresholds&#34;: [
{
&#34;maxConnections&#34;: 102400,
&#34;maxRetries&#34;: 1024
}
]
}
}
</code></pre><p>该集群使用<a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination>原始目标负载均衡策略</a>
该策略将 Envoy 配置为将流量发送到原始目标,即透传。</p><p>与 BlackHoleCluster 类似,对于每个基于端口/协议的监听器,虚拟路由配置都会添加 PassthroughCluster 以作为默认路由:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;name&#34;: &#34;allow_any&#34;,
&#34;domains&#34;: [
&#34;*&#34;
],
&#34;routes&#34;: [
{
&#34;match&#34;: {
&#34;prefix&#34;: &#34;/&#34;
},
&#34;route&#34;: {
&#34;cluster&#34;: &#34;PassthroughCluster&#34;
}
}
]
}
</code></pre></li></ul><p>在 Istio 1.3 之前,没有流量报告,即使流量报告到达这些群集,也没有报告明确的标签设置,从而导致流经网格的流量缺乏可见性。</p><p>下一节将介绍如何利用此增强功能,因为发出的指标和标签取决于是否命中了虚拟出站或显式端口/协议监听器。</p><h2 id=using-the-augmented-metrics>使用增强指标</h2><p>要捕获两种情况BlackHole 或 Passthrough中的所有外部服务流量你将需要监控 <code>istio_requests_total</code><code>istio_tcp_connections_closed_total</code> 指标。
根据 Envoy 监听器的类型,即被调用的 TCP 代理或 HTTP 代理,将增加相应的指标。</p><p>此外,如果使用 TCP 代理监听器以查看被 BlackHole 阻止或被 Passthrough 透传的外部服务的 IP 地址,
则需要将 <code>destination_ip</code> 标签添加到 <code>istio_tcp_connections_closed_total</code> 指标。
在这种情况下,不会捕获外部服务的主机名。默认情况下不添加此标签,但是可以通过扩展 Istio 配置以生成属性和 Prometheus 处理程序,轻松地添加此标签。
如果你有许多服务的 IP 地址不稳定,则应注意时序的基数爆炸。</p><h3 id=pass-through-cluster-metrics>PassthroughCluster 指标</h3><p>本节将说明基于被 Envoy 调用的监听器类型的指标和发出的标签。</p><ul><li><p>HTTP 代理监听器: 当外部服务的端口与集群中定义的服务端口之一相同时,就会触发这种情况。
在这种情况下,当命中 PassthroughCluster 时,指标 <code>istio_requests_total</code> 会增加类似以下内容:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;metric&#34;: {
&#34;__name__&#34;: &#34;istio_requests_total&#34;,
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
&#34;destination_app&#34;: &#34;unknown&#34;,
&#34;destination_principal&#34;: &#34;unknown&#34;,
&#34;destination_service&#34;: &#34;httpbin.org&#34;,
&#34;destination_service_name&#34;: &#34;PassthroughCluster&#34;,
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
&#34;destination_version&#34;: &#34;unknown&#34;,
&#34;destination_workload&#34;: &#34;unknown&#34;,
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
&#34;job&#34;: &#34;istio-mesh&#34;,
&#34;permissive_response_code&#34;: &#34;none&#34;,
&#34;permissive_response_policyid&#34;: &#34;none&#34;,
&#34;reporter&#34;: &#34;source&#34;,
&#34;request_protocol&#34;: &#34;http&#34;,
&#34;response_code&#34;: &#34;200&#34;,
&#34;response_flags&#34;: &#34;-&#34;,
&#34;source_app&#34;: &#34;sleep&#34;,
&#34;source_principal&#34;: &#34;unknown&#34;,
&#34;source_version&#34;: &#34;unknown&#34;,
&#34;source_workload&#34;: &#34;sleep&#34;,
&#34;source_workload_namespace&#34;: &#34;default&#34;
},
&#34;value&#34;: [
1567033080.282,
&#34;1&#34;
]
}
</code></pre><p>请注意,标签 <code>destination_service_name</code> 设置为 PassthroughCluster以表明已命中该集群<code>destination_service</code> 设置为外部服务的主机。</p></li><li><p>TCP 代理虚拟监听器 - 如果外部服务端口未映射到集群中任何基于 HTTP 的服务端口,则将调用此监听器,
并且会增加指标 <code>istio_tcp_connections_closed_total</code>:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;status&#34;: &#34;success&#34;,
&#34;data&#34;: {
&#34;resultType&#34;: &#34;vector&#34;,
&#34;result&#34;: [
{
&#34;metric&#34;: {
&#34;__name__&#34;: &#34;istio_tcp_connections_closed_total&#34;,
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
&#34;destination_app&#34;: &#34;unknown&#34;,
&#34;destination_ip&#34;: &#34;52.22.188.80&#34;,
&#34;destination_principal&#34;: &#34;unknown&#34;,
&#34;destination_service&#34;: &#34;unknown&#34;,
&#34;destination_service_name&#34;: &#34;PassthroughCluster&#34;,
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
&#34;destination_version&#34;: &#34;unknown&#34;,
&#34;destination_workload&#34;: &#34;unknown&#34;,
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
&#34;job&#34;: &#34;istio-mesh&#34;,
&#34;reporter&#34;: &#34;source&#34;,
&#34;response_flags&#34;: &#34;-&#34;,
&#34;source_app&#34;: &#34;sleep&#34;,
&#34;source_principal&#34;: &#34;unknown&#34;,
&#34;source_version&#34;: &#34;unknown&#34;,
&#34;source_workload&#34;: &#34;sleep&#34;,
&#34;source_workload_namespace&#34;: &#34;default&#34;
},
&#34;value&#34;: [
1567033761.879,
&#34;1&#34;
]
}
]
}
}
</code></pre><p>在这种情况下,<code>destination_service_name</code> 设置为 PassthroughCluster<code>destination_ip</code> 设置为外部服务的 IP 地址。
标签 <code>destination_ip</code> 可用于执行反向 DNS 查找并获取外部服务的主机名。
在通过该集群时,还将更新其他与 TCP 相关的指标,例如 <code>istio_tcp_connections_opened_total</code>
<code>istio_tcp_received_bytes_total</code><code>istio_tcp_sent_bytes_total</code></p></li></ul><h3 id=black-hole-cluster-metrics>BlackHoleCluster 指标</h3><p>与 PassthroughCluster 类似,本节将说明基于被 Envoy 调用的监听器类型的指标和发出的标签。</p><ul><li><p>HTTP 代理监听器: 这种情况发生在外部服务的端口与群集中定义的服务端口之一相同时。
在这种情况下,如果命中了 BlackHoleCluster标签 <code>istio_requests_total</code> 会增加类似以下的内容:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;metric&#34;: {
&#34;__name__&#34;: &#34;istio_requests_total&#34;,
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
&#34;destination_app&#34;: &#34;unknown&#34;,
&#34;destination_principal&#34;: &#34;unknown&#34;,
&#34;destination_service&#34;: &#34;httpbin.org&#34;,
&#34;destination_service_name&#34;: &#34;BlackHoleCluster&#34;,
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
&#34;destination_version&#34;: &#34;unknown&#34;,
&#34;destination_workload&#34;: &#34;unknown&#34;,
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
&#34;job&#34;: &#34;istio-mesh&#34;,
&#34;permissive_response_code&#34;: &#34;none&#34;,
&#34;permissive_response_policyid&#34;: &#34;none&#34;,
&#34;reporter&#34;: &#34;source&#34;,
&#34;request_protocol&#34;: &#34;http&#34;,
&#34;response_code&#34;: &#34;502&#34;,
&#34;response_flags&#34;: &#34;-&#34;,
&#34;source_app&#34;: &#34;sleep&#34;,
&#34;source_principal&#34;: &#34;unknown&#34;,
&#34;source_version&#34;: &#34;unknown&#34;,
&#34;source_workload&#34;: &#34;sleep&#34;,
&#34;source_workload_namespace&#34;: &#34;default&#34;
},
&#34;value&#34;: [
1567034251.717,
&#34;1&#34;
]
}
</code></pre><p>请注意,标签 <code>destination_service_name</code> 设置为 BlackHoleCluster<code>destination_service</code> 设置为外部服务的主机名。
在这种情况下,响应码应始终为 502。</p></li><li><p>TCP 代理虚拟监听器 - 如果外部服务端口未映射到集群中任何基于 HTTP 的服务端口,则会调用此监听器,
并增加指标 <code>istio_tcp_connections_closed_total</code></p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;metric&#34;: {
&#34;__name__&#34;: &#34;istio_tcp_connections_closed_total&#34;,
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
&#34;destination_app&#34;: &#34;unknown&#34;,
&#34;destination_ip&#34;: &#34;52.22.188.80&#34;,
&#34;destination_principal&#34;: &#34;unknown&#34;,
&#34;destination_service&#34;: &#34;unknown&#34;,
&#34;destination_service_name&#34;: &#34;BlackHoleCluster&#34;,
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
&#34;destination_version&#34;: &#34;unknown&#34;,
&#34;destination_workload&#34;: &#34;unknown&#34;,
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
&#34;job&#34;: &#34;istio-mesh&#34;,
&#34;reporter&#34;: &#34;source&#34;,
&#34;response_flags&#34;: &#34;-&#34;,
&#34;source_app&#34;: &#34;sleep&#34;,
&#34;source_principal&#34;: &#34;unknown&#34;,
&#34;source_version&#34;: &#34;unknown&#34;,
&#34;source_workload&#34;: &#34;sleep&#34;,
&#34;source_workload_namespace&#34;: &#34;default&#34;
},
&#34;value&#34;: [
1567034481.03,
&#34;1&#34;
]
}
</code></pre><p>请注意,标签 <code>destination_ip</code> 表示外部服务的 IP 地址,而 <code>destination_service_name</code> 设置为 BlackHoleCluster表示此流量已被网格阻止。
有趣的是,对于 BlackHole 集群,由于未建立任何连接,因此其他与 TCP 相关的指标(例如 <code>istio_tcp_connections_opened_total</code>)不会增加。</p></li></ul><p>监控这些指标可以帮助管理员轻松了解其集群中的应用程序接收的所有外部服务。</p></div><nav class=pagenav><div class=left><a title=将需要隔离的环境部署到单独的网格中,并通过网格联邦启用网格间通信。 href=/v1.20/zh/blog/2019/isolated-clusters/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.20/img/icons.svg#left-arrow"/></svg>用于隔离和边界保护的多网格部署</a></div><div class=right><a title="使用 Istio 实现零代码改动保护多云 Kubernetes 应用。" href=/v1.20/zh/blog/2019/app-identity-and-access-adapter/ class=next-link>APP 身份和访问适配器<svg class="icon right-arrow"><use xlink:href="/v1.20/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='Istio 的代码在 GitHub 上开发' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.20/img/icons.svg#github"/></svg>
</a><a class=channel title='如果您想深入了解 Istio 的技术细节,请查看我们日益完善的设计文档' href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.20/img/icons.svg#drive"/></svg>
</a><a class=channel title='在 Slack 上与 Istio 社区交互讨论开发问题(仅限邀请)' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.20/img/icons.svg#slack"/></svg>
</a><a class=channel title='Stack Overflow 中列举了针对实际问题以及部署、配置和使用 Istio 的各项回答' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.20/img/icons.svg#stackoverflow"/></svg>
</a><a class=channel title='关注我们的 Twitter 来获取最新信息' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.20/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.20/zh/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class=footer-languages-item>English
</a><a tabindex=-1 lang=zh id=switch-lang-zh class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.20/img/icons.svg#tick"/></svg>
中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>条款
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>隐私政策
</a>|
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/trademark-usage>商标
</a>|
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.20/content/zh/index>在 GitHub 上编辑此页</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2024 the Istio Authors.</span>
<span class=footer-base-version>部分内容可能滞后于英文版本,同步工作正在进行中<br>版本
Istio 归档
1.20.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2019/monitoring-external-service-traffic/"),!1'>当前版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2019/monitoring-external-service-traffic/"),!1'>下个版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>旧版本</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title=回到顶部 tabindex=-1><svg class="icon top"><use xlink:href="/v1.20/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink