1.8 KiB
| title | description | weight |
|---|---|---|
| Component Debugging | How to do low-level debugging of Istio components. | 25 |
You can gain insights into what individual components are doing by inspecting their logs or peering inside via introspection. If that's insufficient, the steps below explain how to get under the hood.
With istioctl
istioctl allows you to inspect the current xDS of a given Envoy from its admin interface (locally) or from Pilot using the proxy-config or pc command.
For example, to retrieve the configured clusters in an Envoy via the admin interface run the following command:
{{< text bash >}} $ istioctl proxy-config endpoint clusters {{< /text >}}
To retrieve endpoints for a given pod in the application namespace from Pilot, run the following command:
{{< text bash >}} $ istioctl proxy-config pilot -n application eds {{< /text >}}
The proxy-config command also allows you to retrieve the state of the entire mesh from Pilot using the following command:
{{< text bash >}} $ istioctl proxy-config pilot mesh ads {{< /text >}}
With GDB
To debug Istio with gdb, you will need to run the debug images of Envoy / Mixer / Pilot. A recent gdb and the golang extensions (for Mixer/Pilot or other golang components) is required.
-
kubectl exec -it PODNAME -c [proxy | mixer | pilot] -
Find process ID: ps ax
-
gdb -p PID binary
-
For go: info goroutines, goroutine x bt
With Tcpdump
Tcpdump doesn't work in the sidecar pod - the container doesn't run as root. However any other container in the same pod will see all the packets, since the
network namespace is shared. iptables will also see the pod-wide configuration.
Communication between Envoy and the app happens on 127.0.0.1, and is not encrypted.