准备环境
准备namespace
# Create the "demo" namespace, then label it so that Istio's automatic
# sidecar injection applies to pods created in it afterwards.
kubectl create namespace demo
kubectl label ns demo istio-injection=enabled
准备负载
负载1
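# Workload 1: a ClusterIP Service and the nginx Pod it selects (app=demo1),
# both in the injection-labelled "demo" namespace.
# The manifest nesting is restored so kubectl can parse it, and the heredoc
# delimiter is quoted so the shell passes the body through unexpanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: demo1
  namespace: demo
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: demo1
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: demo1
  name: demo1
  namespace: demo
spec:
  containers:
    # NOTE(review): "nginx" carries no tag or digest, so it resolves to the
    # mutable "latest" tag, and IfNotPresent reuses whatever copy a node has
    # cached. Pin a tag or digest outside of throwaway demos.
    - image: nginx
      imagePullPolicy: IfNotPresent
      name: app
  restartPolicy: Always
EOF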
负载2
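# Workload 2: a ClusterIP Service and the nginx Pod it selects (app=demo2),
# both in the injection-labelled "demo" namespace.
# The manifest nesting is restored so kubectl can parse it, and the heredoc
# delimiter is quoted so the shell passes the body through unexpanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: demo2
  namespace: demo
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: demo2
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: demo2
  name: demo2
  namespace: demo
spec:
  containers:
    # NOTE(review): "nginx" carries no tag or digest, so it resolves to the
    # mutable "latest" tag, and IfNotPresent reuses whatever copy a node has
    # cached. Pin a tag or digest outside of throwaway demos.
    - image: nginx
      imagePullPolicy: IfNotPresent
      name: app
  restartPolicy: Always
EOF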
负载3
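# Workload 3: a ClusterIP Service and the nginx Pod it selects (app=demo3),
# both in the injection-labelled "demo" namespace.
# The manifest nesting is restored so kubectl can parse it, and the heredoc
# delimiter is quoted so the shell passes the body through unexpanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: demo3
  namespace: demo
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: demo3
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: demo3
  name: demo3
  namespace: demo
spec:
  containers:
    # NOTE(review): "nginx" carries no tag or digest, so it resolves to the
    # mutable "latest" tag, and IfNotPresent reuses whatever copy a node has
    # cached. Pin a tag or digest outside of throwaway demos.
    - image: nginx
      imagePullPolicy: IfNotPresent
      name: app
  restartPolicy: Always
EOF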
负载4
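# Workload 4: a ClusterIP Service and the nginx Pod it selects (app=demo4),
# placed in "default" instead of "demo" so the cluster listings further down
# contain a service from another namespace.
# NOTE(review): this page only labels "demo" for injection, so this pod
# presumably runs without a sidecar; its Service still shows up in demo1's
# outbound clusters while no Sidecar resource is applied. Confirm on the cluster.
# The manifest nesting is restored so kubectl can parse it, and the heredoc
# delimiter is quoted so the shell passes the body through unexpanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: demo4
  namespace: default
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: demo4
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: demo4
  name: demo4
  namespace: default
spec:
  containers:
    # NOTE(review): "nginx" carries no tag or digest, so it resolves to the
    # mutable "latest" tag, and IfNotPresent reuses whatever copy a node has
    # cached. Pin a tag or digest outside of throwaway demos.
    - image: nginx
      imagePullPolicy: IfNotPresent
      name: app
  restartPolicy: Always
EOF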
检查sidecar配置
不设置sidecar
执行如下命令查看配置
# Baseline: list the Envoy clusters configured on pod demo1 in namespace demo
# before any Sidecar resource exists.
istioctl proxy-config clusters demo1 --namespace demo
得到
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
activator-service.knative-serving.svc.cluster.local 80 - outbound EDS
activator-service.knative-serving.svc.cluster.local 81 - outbound EDS
activator-service.knative-serving.svc.cluster.local 443 - outbound EDS
activator-service.knative-serving.svc.cluster.local 8008 - outbound EDS
activator-service.knative-serving.svc.cluster.local 9090 - outbound EDS
agent - - - STATIC
autoscaler-bucket-00-of-01.knative-serving.svc.cluster.local 8080 - outbound EDS
autoscaler-hpa.knative-serving.svc.cluster.local 8008 - outbound EDS
autoscaler-hpa.knative-serving.svc.cluster.local 9090 - outbound EDS
autoscaler.knative-serving.svc.cluster.local 8008 - outbound EDS
autoscaler.knative-serving.svc.cluster.local 8080 - outbound EDS
autoscaler.knative-serving.svc.cluster.local 9090 - outbound EDS
controller.knative-serving.svc.cluster.local 8008 - outbound EDS
controller.knative-serving.svc.cluster.local 9090 - outbound EDS
demo1.demo.svc.cluster.local 80 - outbound EDS
demo2.demo.svc.cluster.local 80 - outbound EDS
demo3.demo.svc.cluster.local 80 - outbound EDS
demo4.default.svc.cluster.local 80 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-egressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 15443 - outbound EDS
istio-ingressgateway.istio-system.svc.cluster.local 31400 - outbound EDS
istiod.istio-system.svc.cluster.local 443 - outbound EDS
istiod.istio-system.svc.cluster.local 15010 - outbound EDS
istiod.istio-system.svc.cluster.local 15012 - outbound EDS
istiod.istio-system.svc.cluster.local 15014 - outbound EDS
knative-local-gateway.istio-system.svc.cluster.local 80 - outbound EDS
kube-dns.kube-system.svc.cluster.local 53 - outbound EDS
kube-dns.kube-system.svc.cluster.local 9153 - outbound EDS
kubernetes.default.svc.cluster.local 443 - outbound EDS
net-istio-webhook.knative-serving.svc.cluster.local 443 - outbound EDS
net-istio-webhook.knative-serving.svc.cluster.local 8008 - outbound EDS
net-istio-webhook.knative-serving.svc.cluster.local 9090 - outbound EDS
operator-webhook.default.svc.cluster.local 443 - outbound EDS
operator-webhook.default.svc.cluster.local 8008 - outbound EDS
operator-webhook.default.svc.cluster.local 9090 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
webhook.knative-serving.svc.cluster.local 443 - outbound EDS
webhook.knative-serving.svc.cluster.local 8008 - outbound EDS
webhook.knative-serving.svc.cluster.local 9090 - outbound EDS
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
设置全局sidecar
设置全局默认sidecar,使每个工作负载只加载其所在namespace下的配置
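# Mesh-wide default Sidecar: it has no workloadSelector and lives in
# istio-system, so it applies to every namespace that has no Sidecar of its own.
# NOTE(review): this relies on istio-system being the mesh root namespace; confirm.
# "./*" limits each proxy's egress configuration to services in the workload's
# own namespace.
# NOTE(review): this scopes the configuration pushed to each proxy; it is not
# an access control. PassthroughCluster is still present in the listing that
# follows, so whether unlisted destinations remain reachable depends on the
# mesh outboundTrafficPolicy (ALLOW_ANY vs REGISTRY_ONLY). Use
# AuthorizationPolicy or NetworkPolicy where isolation is the goal.
# The heredoc must close with a bare "EOF" line; "cat EOF" does not end it and
# the shell would keep reading the following lines of the page as manifest text.
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: istio-system
spec:
  egress:
    - hosts:
        - "./*"
EOF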
执行如下命令查看配置
# List demo1's Envoy clusters again, now with the mesh-wide default Sidecar applied.
istioctl proxy-config clusters demo1 --namespace demo
得到
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
demo1.demo.svc.cluster.local 80 - outbound EDS
demo2.demo.svc.cluster.local 80 - outbound EDS
demo3.demo.svc.cluster.local 80 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
设置namespace级sidecar
设置只加载当前namespace下demo1、demo2两个服务的配置
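# Namespace-level Sidecar: no workloadSelector, so it covers every workload in
# "demo" that has no workload-specific Sidecar. Egress configuration is narrowed
# to the demo1 and demo2 services of this namespace.
# NOTE(review): this trims the proxy's service registry view and is not an
# authorization boundary; pair it with AuthorizationPolicy (or
# outboundTrafficPolicy REGISTRY_ONLY) when demo3 must actually be unreachable.
# The manifest nesting is restored so kubectl can parse it, and the heredoc
# delimiter is quoted so the shell passes the body through unexpanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: demo
spec:
  egress:
    - hosts:
        - "./demo1.demo.svc.cluster.local"
        - "./demo2.demo.svc.cluster.local"
EOF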
执行如下命令查看配置
# List demo1's Envoy clusters again, now with the namespace-level Sidecar in "demo".
istioctl proxy-config clusters demo1 --namespace demo
得到
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
demo1.demo.svc.cluster.local 80 - outbound EDS
demo2.demo.svc.cluster.local 80 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
设置workload级sidecar
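# Workload-level Sidecar: workloadSelector restricts it to pods labelled
# app=demo1 in "demo"; other workloads in the namespace are not selected by it.
# Egress configuration for the selected pods is narrowed to the demo1 service.
# NOTE(review): as with the broader Sidecars, this limits what configuration
# the proxy receives and is not an access control; enforce reachability with
# AuthorizationPolicy or outboundTrafficPolicy REGISTRY_ONLY if that is the goal.
# The manifest nesting is restored so kubectl can parse it, and the heredoc
# delimiter is quoted so the shell passes the body through unexpanded.
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: demo1
  namespace: demo
spec:
  workloadSelector:
    labels:
      app: demo1
  egress:
    - hosts:
        - "./demo1.demo.svc.cluster.local"
EOF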
执行如下命令查看配置
# List demo1's Envoy clusters again, now with the workload-level Sidecar selecting app=demo1.
istioctl proxy-config clusters demo1 --namespace demo
得到
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
demo1.demo.svc.cluster.local 80 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS