To use all of Istio's features, the Pods in the mesh must run the Istio sidecar proxy. Two ways of injecting the Istio sidecar into containers were introduced above: applying the istioctl command manually, or enabling automatic Istio sidecar injection in the container's namespace.
- Manual injection modifies the configuration (such as a Deployment) directly and injects the proxy configuration into it.
- Once enabled in the Pod's namespace, automatic injection uses an admission controller to inject the proxy configuration when the Pod is created.
Manual injection
To inject a Deployment manually, use istioctl kube-inject:
```shell
istioctl kube-inject -f samples/sleep/sleep.yaml | kubectl apply -f -
```
By default this uses the in-cluster configuration. Alternatively, the injection can be done with a local copy of the configuration.
```shell
kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.config}' > inject-config.yaml
kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.values}' > inject-values.yaml
kubectl -n istio-system get configmap istio -o=jsonpath='{.data.mesh}' > mesh-config.yaml
```
Run kube-inject on the input file and apply the deployment.
```shell
istioctl kube-inject \
    --injectConfigFile inject-config.yaml \
    --meshConfigFile mesh-config.yaml \
    --valuesFile inject-values.yaml \
    --filename samples/sleep/sleep.yaml \
    | kubectl apply -f -
```
Automatic injection
The mutating webhook admission controller provided by Istio can add the sidecar automatically to eligible Kubernetes Pods.
When you set the istio-injection=enabled label on a namespace and the injection webhook is enabled, every new Pod created in that namespace automatically gets a sidecar.
Note that, unlike manual injection, automatic injection happens at the Pod level. You will not see any change to the Deployment itself. Instead, you need to inspect the individual Pods (with kubectl describe) to see the injected proxy.
The istio-sidecar-injector controller performs the injection according to the template defined in the istio-sidecar-injector ConfigMap. Let's look at its contents:
$ kubectl describe configmap istio-sidecar-injector -n istio-system
Name: istio-sidecar-injector
Namespace: istio-system
Labels: install.operator.istio.io/owning-resource=installed-state
install.operator.istio.io/owning-resource-namespace=istio-system
istio.io/rev=default
operator.istio.io/component=Pilot
operator.istio.io/managed=Reconcile
operator.istio.io/version=1.7.3
release=istio
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","data":{"config":"policy: enablednalwaysInjectSelector:n []nneverInjectSelector:n []ninjectedAnnotations:nntem...
Data
====
config:
----
policy: enabled
alwaysInjectSelector:
[]
neverInjectSelector:
[]
injectedAnnotations:
template: |
rewriteAppHTTPProbe: {{valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false}}
initContainers:
{{if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{if .Values.istio_cni.enabled -}}
- name: istio-validation
{{else -}}
- name: istio-init
{{end -}}
{{- if contains "/" .Values.global.proxy_init.image}}
image: "{{.Values.global.proxy_init.image}}"
{{- else}}
image: "{{.Values.global.hub}}/{{.Values.global.proxy_init.image}}:{{.Values.global.tag}}"
{{- end}}
args:
- istio-iptables
- "-p"
- 15001
- "-z"
- "15006"
- "-u"
- 1337
- "-m"
- "{{annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode}}"
- "-i"
- "{{annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges}}"
- "-x"
- "{{annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges}}"
- "-b"
- "{{annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*`}}"
- "-d"
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- "15090,15021,{{excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{- else}}
- "15090,15021"
{{- end}}
{{if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "")"") -}}
- "-q"
- "{{annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts}}"
{{end -}}
{{if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "")"") -}}
- "-o"
- "{{annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts}}"
{{end -}}
{{if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`}}"
{{end -}}
{{if .Values.istio_cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
{{end -}}
imagePullPolicy: "{{valueOrDefault .Values.global.imagePullPolicy `Always`}}"
{{- if .ProxyConfig.ProxyMetadata}}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata}}
- name: {{$key}}
value: "{{$value}}"
{{- end}}
{{- end}}
{{- if .Values.global.proxy_init.resources}}
resources:
{{toYaml .Values.global.proxy_init.resources | indent 4}}
{{- else}}
resources: {}
{{- end}}
securityContext:
allowPrivilegeEscalation: {{.Values.global.proxy.privileged}}
privileged: {{.Values.global.proxy.privileged}}
capabilities:
{{- if not .Values.istio_cni.enabled}}
add:
- NET_ADMIN
- NET_RAW
{{- end}}
drop:
- ALL
{{- if not .Values.istio_cni.enabled}}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{- else}}
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
{{- end}}
restartPolicy: Always
{{end -}}
{{- if eq .Values.global.proxy.enableCoreDump true}}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if contains "/" .Values.global.proxy_init.image}}
image: "{{.Values.global.proxy_init.image}}"
{{- else}}
image: "{{.Values.global.hub}}/{{.Values.global.proxy_init.image}}:{{.Values.global.tag}}"
{{- end}}
imagePullPolicy: "{{valueOrDefault .Values.global.imagePullPolicy `Always`}}"
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{end}}
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image}}"
{{- else}}
image: "{{.Values.global.hub}}/{{.Values.global.proxy.image}}:{{.Values.global.tag}}"
{{- end}}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{.Values.global.proxy.clusterDomain}}
- --serviceCluster
{{if ne ""(index .ObjectMeta.Labels"app") -}}
- "{{index .ObjectMeta.Labels `app`}}.$(POD_NAMESPACE)"
{{else -}}
- "{{valueOrDefault .DeploymentMeta.Name `istio-proxy`}}.{{valueOrDefault .DeploymentMeta.Namespace `default`}}"
{{end -}}
- --proxyLogLevel={{annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
- --proxyComponentLogLevel={{annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
{{- if .Values.global.sts.servicePort}}
- --stsPort={{.Values.global.sts.servicePort}}
{{- end}}
{{- if .Values.global.trustDomain}}
- --trust-domain={{.Values.global.trustDomain}}
{{- end}}
{{- if .Values.global.logAsJson}}
- --log_as_json
{{- end}}
{{- if gt .ProxyConfig.Concurrency.GetValue 0}}
- --concurrency
- "{{.ProxyConfig.Concurrency.GetValue}}"
{{- end -}}
{{- if .Values.global.proxy.lifecycle}}
lifecycle:
{{toYaml .Values.global.proxy.lifecycle | indent 4}}
{{- else if .Values.global.proxy.holdApplicationUntilProxyStarts}}
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
{{- end}}
env:
- name: JWT_POLICY
value: {{.Values.global.jwtPolicy}}
- name: PILOT_CERT_PROVIDER
value: {{.Values.global.pilotCertProvider}}
- name: CA_ADDR
{{- if .Values.global.caAddress}}
value: {{.Values.global.caAddress}}
{{- else}}
value: istiod{{- if not (eq .Values.revision "") }}-{{.Values.revision}}{{- end}}.{{.Values.global.istioNamespace}}.svc:15012
{{- end}}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{protoToJSON .ProxyConfig}}
- name: ISTIO_META_POD_PORTS
value: |-
[{{- $first := true}}
{{- range $index1, $c := .Spec.Containers}}
{{- range $index2, $p := $c.Ports}}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{structToJSON $p}}
{{- $first = false}}
{{- end}}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{- range $index, $container := .Spec.Containers}}{{- if ne $index 0}},{{- end}}{{$container.Name}}{{- end}}"
- name: ISTIO_META_CLUSTER_ID
value: "{{valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes`}}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network}}
- name: ISTIO_META_NETWORK
value: "{{.Values.global.network}}"
{{- end}}
{{if .ObjectMeta.Annotations}}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{toJSON .ObjectMeta.Annotations}}
{{end}}
{{- if .DeploymentMeta.Name}}
- name: ISTIO_META_WORKLOAD_NAME
value: {{.DeploymentMeta.Name}}
{{end}}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name}}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{.TypeMeta.APIVersion}}/namespaces/{{valueOrDefault .DeploymentMeta.Namespace `default`}}/{{toLower .TypeMeta.Kind}}s/{{.DeploymentMeta.Name}}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end}}
{{- if .Values.global.meshID}}
- name: ISTIO_META_MESH_ID
value: "{{.Values.global.meshID}}"
{{- else if .Values.global.trustDomain}}
- name: ISTIO_META_MESH_ID
value: "{{.Values.global.trustDomain}}"
{{- end}}
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{$key}}
value: "{{$value}}"
{{- end}}
{{- end}}
{{- range $key, $value := .ProxyConfig.ProxyMetadata}}
- name: {{$key}}
value: "{{$value}}"
{{- end}}
imagePullPolicy: "{{valueOrDefault .Values.global.imagePullPolicy `Always`}}"
{{if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds}}
periodSeconds: {{annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds}}
failureThreshold: {{annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold}}
{{end -}}
securityContext:
allowPrivilegeEscalation: {{.Values.global.proxy.privileged}}
capabilities:
{{if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
add:
{{if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- NET_ADMIN
{{- end}}
{{if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- NET_BIND_SERVICE
{{- end}}
{{- end}}
drop:
- ALL
privileged: {{.Values.global.proxy.privileged}}
readOnlyRootFilesystem: {{not .Values.global.proxy.enableCoreDump}}
runAsGroup: 1337
fsGroup: 1337
{{if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end}}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`}}"
{{end}}
{{if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`}}"
{{end}}
{{- end}}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`}}"
{{end}}
{{if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`}}"
{{end}}
{{- end}}
{{- else}}
{{- if .Values.global.proxy.resources}}
{{toYaml .Values.global.proxy.resources | indent 4}}
{{- end}}
{{- end}}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod"}}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end}}
- mountPath: /var/lib/istio/data
name: istio-data
{{if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end}}
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt"}}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end}}
{{- if .Values.global.mountMtlsCerts}}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end}}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- mountPath: {{directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates}}
name: lightstep-certs
readOnly: true
{{- end}}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`}}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{$index}}"
{{toYaml $value | indent 4}}
{{end}}
{{- end}}
{{- if .ProxyConfig.ProxyMetadata.ISTIO_META_DNS_CAPTURE}}
dnsConfig:
options:
- name: "ndots"
value: "4"
{{- end}}
volumes:
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` ""}}
{{- end}}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt"}}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{.Values.global.sds.token.aud}}
{{- end}}
{{- if eq .Values.global.pilotCertProvider "istiod"}}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end}}
{{- if .Values.global.mountMtlsCerts}}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{if eq .Spec.ServiceAccountName ""}}
secretName: istio.default
{{else -}}
secretName: {{printf "istio.%s" .Spec.ServiceAccountName}}
{{end -}}
{{- end}}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume`}}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{$index}}"
{{toYaml $value | indent 2}}
{{end}}
{{end}}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end}}
{{- if .Values.global.podDNSSearchNamespaces}}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces}}
- {{render .}}
{{- end}}
{{- end}}
podRedirectAnnot:
{{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
{{if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}
k8s.v1.cni.cncf.io/networks: "{{index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni"
{{- else}}
k8s.v1.cni.cncf.io/networks: "istio-cni"
{{- end}}
{{- end}}
sidecar.istio.io/interceptionMode: "{{annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode}}"
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges}}"
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges}}"
traffic.sidecar.istio.io/includeInboundPorts: "{{annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
traffic.sidecar.istio.io/excludeInboundPorts: "{{excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "")"") }}
traffic.sidecar.istio.io/includeOutboundPorts: "{{annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts}}"
{{- end}}
{{if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
traffic.sidecar.istio.io/excludeOutboundPorts: "{{annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts}}"
{{- end}}
traffic.sidecar.istio.io/kubevirtInterfaces: "{{index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`}}"
{{- if .Values.global.imagePullSecrets}}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets}}
- name: {{.}}
{{- end}}
{{- end}}
values:
----
{
"global": {
"arch": {
"amd64": 2,
"ppc64le": 2,
"s390x": 2
},
"caAddress": "","centralIstiod": false,"configValidation": true,"controlPlaneSecurityEnabled": true,"createRemoteSvcEndpoints": false,"defaultNodeSelector": {},"defaultPodDisruptionBudget": {"enabled": true},
"defaultResources": {
"requests": {"cpu": "10m"}
},
"enableHelmTest": false,
"enabled": true,
"hub": "docker.io/istio",
"imagePullPolicy": "","imagePullSecrets": [],"istioNamespace":"istio-system","istiod": {"enableAnalysis": false},
"jwtPolicy": "third-party-jwt",
"logAsJson": false,
"logging": {"level": "default:info"},
"meshExpansion": {
"enabled": false,
"useILB": false
},
"meshID": "","meshNetworks": {},"mountMtlsCerts": false,"multiCluster": {"clusterName":"",
"enabled": false
},
"namespace": "istio-system",
"network": "","omitSidecarInjectorConfigMap": false,"oneNamespace": false,"operatorManageWebhooks": false,"pilotCertProvider":"istiod","policyNamespace":"istio-system","priorityClassName":"",
"proxy": {
"autoInject": "enabled",
"clusterDomain": "cluster.local",
"componentLogLevel": "misc:error",
"enableCoreDump": false,
"excludeIPRanges": "","excludeInboundPorts":"",
"excludeOutboundPorts": "","holdApplicationUntilProxyStarts": false,"image":"proxyv2","includeIPRanges":"*","logLevel":"warning","privileged": false,"readinessFailureThreshold": 30,"readinessInitialDelaySeconds": 1,"readinessPeriodSeconds": 2,"resources": {"limits": {"cpu":"2000m","memory":"1024Mi"},"requests": {"cpu":"100m","memory":"128Mi"}
},
"statusPort": 15020,
"tracer": "zipkin"
},
"proxy_init": {
"image": "proxyv2",
"resources": {
"limits": {
"cpu": "2000m",
"memory": "1024Mi"
},
"requests": {
"cpu": "10m",
"memory": "10Mi"
}
}
},
"remotePilotAddress": "","remotePolicyAddress":"",
"remoteTelemetryAddress": "","sds": {"token": {"aud":"istio-ca"}
},
"sts": {"servicePort": 0},
"tag": "1.7.3",
"telemetryNamespace": "istio-system",
"tracer": {
"datadog": {"address": "$(HOST_IP):8126"
},
"lightstep": {"accessToken": "","address":""},
"stackdriver": {
"debug": false,
"maxNumberOfAnnotations": 200,
"maxNumberOfAttributes": 200,
"maxNumberOfMessageEvents": 200
},
"zipkin": {"address": ""}
},
"trustDomain": "cluster.local",
"useMCP": false
},
"istio_cni": {"enabled": false},
"revision": "","sidecarInjectorWebhook": {"alwaysInjectSelector": [],"enableNamespacesByDefault": false,"injectLabel":"istio-injection","injectedAnnotations": {},"neverInjectSelector": [],"objectSelector": {"autoInject": true,"enabled": false},
"rewriteAppHTTPProbe": true
}
}
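The template above is also a useful baseline for auditing what actually landed in a Pod: without istio-cni the istio-init container must hold NET_ADMIN and NET_RAW and run as root to program iptables, while with istio-cni the istio-validation container runs as user 1337 with every capability dropped, and the istio-proxy sidecar itself only runs as root in TPROXY mode or with capNetBindService set. The following Python audit is an added example, not part of the original post or of Istio's own code; it transcribes those securityContext values from the template and compares a Pod document (the shape returned by `kubectl get pod -o json`) against them. The `privileged` parameter mirrors `global.proxy.privileged` from the values above, and the two Pod documents are constructed inline for the demonstration.

```python
import json
from typing import List


def expected_init_security_context(cni_enabled: bool, privileged: bool = False) -> dict:
    """securityContext the injector template renders for the init container."""
    if cni_enabled:
        # istio-validation: no iptables work, so no capabilities and no root
        return {
            "allowPrivilegeEscalation": privileged,
            "privileged": privileged,
            "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True,
            "runAsGroup": 1337,
            "runAsUser": 1337,
            "runAsNonRoot": True,
        }
    # istio-init: needs NET_ADMIN/NET_RAW and root to install the redirect rules
    return {
        "allowPrivilegeEscalation": privileged,
        "privileged": privileged,
        "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]},
        "readOnlyRootFilesystem": False,
        "runAsGroup": 0,
        "runAsNonRoot": False,
        "runAsUser": 0,
    }


def audit_pod(pod: dict, cni_enabled: bool, privileged: bool = False) -> List[str]:
    """Return findings for one Pod; an empty list means it matches the template."""
    findings: List[str] = []
    init_name = "istio-validation" if cni_enabled else "istio-init"
    expected = expected_init_security_context(cni_enabled, privileged)
    inits = {c["name"]: c for c in pod["spec"].get("initContainers", [])}
    init = inits.get(init_name)
    if init is None:
        findings.append(f"init container {init_name} is missing")
    else:
        sc = init.get("securityContext", {})
        for key, want in expected.items():
            if sc.get(key) != want:
                findings.append(f"{init_name}.securityContext.{key}: want {want!r}, got {sc.get(key)!r}")

    # The sidecar may run as root only with TPROXY interception or capNetBindService
    # (see the istio-proxy securityContext in the template); anything else is drift.
    annotations = pod.get("metadata", {}).get("annotations", {})
    root_allowed = (
        annotations.get("sidecar.istio.io/interceptionMode") == "TPROXY"
        or annotations.get("sidecar.istio.io/capNetBindService") == "true"
    )
    for c in pod["spec"].get("containers", []):
        if c["name"] != "istio-proxy":
            continue
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not privileged:
            findings.append("istio-proxy is privileged")
        if sc.get("runAsUser") == 0 and not root_allowed:
            findings.append("istio-proxy runs as root without TPROXY/capNetBindService")
        if sc.get("capabilities", {}).get("drop") != ["ALL"]:
            findings.append("istio-proxy does not drop ALL capabilities")
    return findings


# Constructed sample Pods (not real cluster output). GOOD_POD matches the
# non-CNI template; BAD_POD's init container was made privileged with SYS_ADMIN.
_SIDECAR = {
    "name": "istio-proxy",
    "securityContext": {"privileged": False, "runAsUser": 1337, "runAsGroup": 1337,
                        "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}},
}
GOOD_POD = {
    "metadata": {"name": "helloworld-good"},
    "spec": {
        "initContainers": [{
            "name": "istio-init",
            "securityContext": {
                "allowPrivilegeEscalation": False, "privileged": False,
                "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]},
                "readOnlyRootFilesystem": False,
                "runAsGroup": 0, "runAsNonRoot": False, "runAsUser": 0,
            },
        }],
        "containers": [{"name": "helloworld"}, _SIDECAR],
    },
}
BAD_POD = json.loads(json.dumps(GOOD_POD))
BAD_POD["metadata"]["name"] = "helloworld-bad"
BAD_POD["spec"]["initContainers"][0]["securityContext"].update(
    {"privileged": True, "capabilities": {"add": ["NET_ADMIN", "NET_RAW", "SYS_ADMIN"], "drop": ["ALL"]}})

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], audit_pod(pod, cni_enabled=False) or "OK")
```

Running it against every Pod in a mesh namespace turns the template into a concrete control: a Pod whose init container gained extra capabilities, or whose sidecar runs as root without a TPROXY annotation, was not produced by this injector configuration and deserves a look.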
The configuration file contains the following:
- Global settings: configuration items such as tracing and whether istio-cni is enabled.
- template: the container templates for istio-init, istio-proxy and enable-core-dump.
- policy: defaults to enabled. The policy has two possible values:
  - disabled: the sidecar injector does not inject into Pods by default. Adding the annotation sidecar.istio.io/inject with the value true to the Pod template definition enables injection.
  - enabled: the sidecar injector injects into Pods by default. Adding the annotation sidecar.istio.io/inject with the value false to the Pod template definition disables injection.
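The automatic-injection section and the policy description above together define a small decision procedure: the namespace label gates whether the webhook runs at all, an explicit sidecar.istio.io/inject annotation overrides everything, and only then do the neverInjectSelector, alwaysInjectSelector and policy from the ConfigMap apply. The following Python function is an added example, not Istio's own code; it models that order so the outcome for a given Pod can be predicted (or checked against what the cluster did). Assumptions: selectors are reduced to plain matchLabels maps (matchExpressions are not modelled), and hostNetwork Pods are skipped, because iptables redirection in a shared node network namespace would affect the whole node.

```python
from typing import Dict, Iterable, Optional

INJECT_ANNOTATION = "sidecar.istio.io/inject"   # per-Pod override described above
NAMESPACE_LABEL = "istio-injection"             # injectLabel from the values above
LabelSelector = Dict[str, str]                  # simplified: matchLabels only


def _selector_matches(selector: LabelSelector, labels: Dict[str, str]) -> bool:
    # An empty selector matches nothing, so "[]" in the ConfigMap is a no-op.
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def inject_required(policy: str,
                    namespace_labels: Dict[str, str],
                    pod_annotations: Dict[str, str],
                    pod_labels: Optional[Dict[str, str]] = None,
                    always_inject: Iterable[LabelSelector] = (),
                    never_inject: Iterable[LabelSelector] = (),
                    host_network: bool = False) -> bool:
    """Decide whether the injection webhook adds a sidecar to a Pod."""
    pod_labels = pod_labels or {}
    # 1. The webhook is only called for namespaces labelled istio-injection=enabled.
    if namespace_labels.get(NAMESPACE_LABEL) != "enabled":
        return False
    # 2. hostNetwork Pods share the node's network namespace; the redirect rules
    #    istio-init installs would hit the node, so such Pods are skipped.
    if host_network:
        return False
    # 3. An explicit sidecar.istio.io/inject annotation overrides everything else.
    explicit = pod_annotations.get(INJECT_ANNOTATION, "").lower()
    if explicit == "true":
        return True
    if explicit == "false":
        return False
    # 4. Without an annotation, neverInjectSelector is checked before alwaysInjectSelector.
    if any(_selector_matches(s, pod_labels) for s in never_inject):
        return False
    if any(_selector_matches(s, pod_labels) for s in always_inject):
        return True
    # 5. Otherwise the ConfigMap policy decides: enabled injects, disabled does not.
    return policy.lower() == "enabled"


if __name__ == "__main__":
    mesh_ns = {NAMESPACE_LABEL: "enabled"}
    cases = [
        ("enabled", mesh_ns, {}, "policy enabled, no annotation"),
        ("enabled", mesh_ns, {INJECT_ANNOTATION: "false"}, "policy enabled, opt-out"),
        ("disabled", mesh_ns, {}, "policy disabled, no annotation"),
        ("disabled", mesh_ns, {INJECT_ANNOTATION: "true"}, "policy disabled, opt-in"),
        ("enabled", {}, {INJECT_ANNOTATION: "true"}, "namespace not labelled"),
    ]
    for policy, ns, annos, label in cases:
        print(f"{label:32s} -> inject={inject_required(policy, ns, annos)}")
```

The ordering matters for review work: a Pod that carries `sidecar.istio.io/inject: "false"` in a mesh namespace is bypassing the proxy on purpose, and that exception is visible on the Pod rather than in the Deployment, which is why the section above recommends inspecting the individual Pods.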
Traffic from the application container to the sidecar proxy
Now that we understand how the sidecar container and the init container are injected into the application manifest, how does the sidecar proxy capture the inbound and outbound traffic between containers? We briefly mentioned that this is done by setting up iptables rules in the Pod's network namespace, and those rules are created by the istio-init container.
```shell
istio-iptables -p PORT -u UID -g GID [-m mode] [-b ports] [-d ports] [-i CIDR] [-x CIDR] [-h]
```
- -p: the Envoy port to which all TCP traffic is redirected (default $ENVOY_PORT = 15001)
- -u: the UID of the user for whom redirection is not applied. Typically this is the UID of the proxy container (default: the uid of $ENVOY_USER, the uid of istio_proxy, or 1337)
- -g: the GID of the user for whom redirection is not applied (same default as -u)
- -m: the mode used to redirect inbound connections to Envoy, "REDIRECT" or "TPROXY" (default $ISTIO_INBOUND_INTERCEPTION_MODE)
- -b: comma-separated list of inbound ports whose traffic is redirected to Envoy (optional). The wildcard "*" redirects all ports. Empty disables all inbound redirection (default $ISTIO_INBOUND_PORTS)
- -d: comma-separated list of inbound ports to exclude from redirection to Envoy (optional). The wildcard "*" means all inbound traffic is redirected (default $ISTIO_LOCAL_EXCLUDE_PORTS)
- -i: comma-separated list of IP ranges in CIDR format to redirect to Envoy (optional). The wildcard "*" redirects all outbound traffic. An empty list disables all outbound redirection (default $ISTIO_SERVICE_CIDR)
- -x: comma-separated list of IP ranges in CIDR format to exclude from redirection. The wildcard "*" redirects all outbound traffic (default $ISTIO_SERVICE_EXCLUDE_CIDR)
- -z: the port to which all TCP traffic entering the pod/VM is redirected
Take the helloworld example project: its init container ran the following command:
```yaml
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- 15090,15021,15020
```
Combining this with the rules above, we can see that, apart from ports 15090, 15021 and 15020, all outbound traffic is redirected to port 15001 and all inbound traffic is redirected to port 15006.
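Reading the args list by hand is error-prone once include and exclude lists are combined, so the following Python model is added here as an example (not part of the original post or of the istio-iptables tool). It parses the args list exactly as it appears in the init container above and answers the two questions a practitioner usually has: which inbound destination ports still reach the application without passing through Envoy, and which outbound connections are looped into the proxy. Assumptions: only REDIRECT mode is modelled, loopback traffic and the -g, -k, -q and -o options are ignored, and the HELLOWORLD_ARGS list is a constructed copy of the args shown above.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed copy of the helloworld init-container args listed above.
HELLOWORLD_ARGS = [
    "istio-iptables", "-p", "15001", "-z", "15006", "-u", "1337", "-m", "REDIRECT",
    "-i", "*", "-x", "", "-b", "*", "-d", "15090,15021,15020",
]


def parse_iptables_args(args: List[str]) -> Dict[str, str]:
    """Turn the args list into a {flag: value} map; flags without a value get ''."""
    opts: Dict[str, str] = {}
    i = 1 if args and args[0] == "istio-iptables" else 0
    while i < len(args):
        flag = args[i]
        if not flag.startswith("-"):
            raise ValueError(f"unexpected positional argument {flag!r}")
        if i + 1 < len(args) and not args[i + 1].startswith("-"):
            opts[flag] = args[i + 1]      # note: "" (as for -x above) is a valid value
            i += 2
        else:
            opts[flag] = ""
            i += 1
    return opts


def _csv(value: str) -> List[str]:
    return [p for p in value.split(",") if p]


class RedirectPlan:
    """Model of the redirect rules istio-init installs for one set of args (REDIRECT mode only)."""

    def __init__(self, opts: Dict[str, str]) -> None:
        self.outbound_port = int(opts.get("-p", "15001"))
        self.inbound_port = int(opts.get("-z", "15006"))
        self.proxy_uid = int(opts.get("-u", "1337"))
        self.mode = opts.get("-m", "REDIRECT")
        self.include_inbound = opts.get("-b", "")
        self.exclude_inbound = {int(p) for p in _csv(opts.get("-d", ""))}
        self.include_cidrs = opts.get("-i", "")
        self.exclude_cidrs = [ipaddress.ip_network(c) for c in _csv(opts.get("-x", ""))]

    def inbound_target(self, dst_port: int) -> Optional[int]:
        """Port an inbound TCP connection is redirected to, or None if it bypasses Envoy."""
        if dst_port in self.exclude_inbound:          # -d wins over -b
            return None
        if self.include_inbound == "":                # empty -b disables inbound capture
            return None
        if self.include_inbound != "*" and dst_port not in {int(p) for p in _csv(self.include_inbound)}:
            return None
        return self.inbound_port

    def outbound_target(self, dst_ip: str, uid: int) -> Optional[int]:
        """Port outbound traffic from a process with `uid` to `dst_ip` is redirected to."""
        if uid == self.proxy_uid:                     # Envoy's own egress must not loop back
            return None
        ip = ipaddress.ip_address(dst_ip)
        if any(ip in net for net in self.exclude_cidrs):
            return None
        if self.include_cidrs == "":                  # empty -i disables outbound capture
            return None
        if self.include_cidrs != "*" and not any(ip in ipaddress.ip_network(c) for c in _csv(self.include_cidrs)):
            return None
        return self.outbound_port

    def summary(self) -> Dict[str, object]:
        return {
            "mode": self.mode,
            "outbound_to": self.outbound_port,
            "inbound_to": self.inbound_port,
            "bypass_uid": self.proxy_uid,
            "uncaptured_inbound_ports": sorted(self.exclude_inbound),
        }


if __name__ == "__main__":
    plan = RedirectPlan(parse_iptables_args(HELLOWORLD_ARGS))
    print(plan.summary())
    for port in (8080, 15020):
        print(f"inbound :{port} -> {plan.inbound_target(port)}")
    for uid in (1000, 1337):
        print(f"outbound to 10.0.0.5 from uid {uid} -> {plan.outbound_target('10.0.0.5', uid)}")
```

The `uncaptured_inbound_ports` entry of the summary is the list worth reviewing in a security audit: every port in it is reachable without mTLS or any Envoy policy, so a workload annotated with a wide `traffic.sidecar.istio.io/excludeInboundPorts` is effectively opting part of itself out of the mesh.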