
Istio Ingress and Egress Gateways

Time: 2023-03-22 05:28:36


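I. Understanding Ingress

In Istio traffic control, Ingress can be understood as the mesh's proxy in front of an application. Before traffic that is forwarded to the proxy container reaches the service, it first passes through that service's Ingress Gateway; the Ingress Gateway then forwards it to the backend VirtualService resource object.

II. Ingress Lab

1) Deploy the httpbin service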

➜ cat ../../samples/httpbin/httpbin.yaml
# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       /licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
##################################################################################################
# httpbin service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
➜ kubectl apply -f ../../samples/httpbin/httpbin.yaml
serviceaccount/httpbin created
service/httpbin created
deployment.apps/httpbin created

2) Check the status of the httpbin service

➜ kubectl get pods -o wide | grep httpbin
httpbin-74fb669cc6-vn897   2/2   Running   0   4m15s   10.1.8.133   docker-desktop   <none>   <none>
➜ kubectl get rs -o wide | grep httpbin
httpbin-74fb669cc6   1   1   1   7m5s   httpbin   docker.io/kennethreitz/httpbin   app=httpbin,pod-template-hash=74fb669cc6,version=v1
➜ kubectl get deploy -o wide | grep httpbin
httpbin   1/1   1   1   6m52s   httpbin   docker.io/kennethreitz/httpbin   app=httpbin,version=v1
➜ kubectl get svc httpbin
NAME      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
httpbin   ClusterIP   10.110.191.190   <none>        8000/TCP   12m
➜ kubectl describe svc httpbin
Name:              httpbin
Namespace:         default
Labels:            app=httpbin
                   service=httpbin
Annotations:       <none>
Selector:          app=httpbin
Type:              ClusterIP
IP:                10.110.191.190
Port:              http  8000/TCP
TargetPort:        80/TCP
Endpoints:         10.1.8.133:80
Session Affinity:  None
Events:            <none>
➜ kubectl describe pods httpbin-74fb669cc6-vn897
Name:         httpbin-74fb669cc6-vn897
Namespace:    default
Priority:     0
Node:         docker-desktop/192.168.65.4
Start Time:   Sat, 03 Jul 17:23:17 +0800
Labels:       app=httpbin
              istio.io/rev=default
              pod-template-hash=74fb669cc6
              security.istio.io/tlsMode=istio
              service.istio.io/canonical-name=httpbin
              service.istio.io/canonical-revision=v1
              version=v1
Annotations:  kubectl.kubernetes.io/default-container: httpbin
              kubectl.kubernetes.io/default-logs-container: httpbin
              prometheus.io/path: /stats/prometheus
              prometheus.io/port: 15020
              prometheus.io/scrape: true
              sidecar.istio.io/status:
                {"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istiod-ca-cert"],"ima...
Status:       Running
IP:           10.1.8.133
IPs:
  IP:           10.1.8.133
Controlled By:  ReplicaSet/httpbin-74fb669cc6
Init Containers:
  istio-init:
    Container ID:  docker://c2540ee240389633be39ef2c442f4b3a3bda1316a529d247a594c28bd1cefa32
    Image:         docker.io/istio/proxyv2:1.10.1
    Image ID:      docker-pullable://istio/proxyv2@sha256:d9b295da022ad826c54d5bb49f1f2b661826efd8c2672b2f61ddc2aedac78cfc
    Port:          <none>
    Host Port:     <none>
    Args:
      istio-iptables
      -p
      15001
      -z
      15006
      -u
      1337
      -m
      REDIRECT
      -i
      *
      -x
      -b
      *
      -d
      15090,15021,15020
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 03 Jul 17:23:21 +0800
      Finished:     Sat, 03 Jul 17:23:21 +0800
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:        10m
      memory:     40Mi
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from httpbin-token-qk94s (ro)
Containers:
  httpbin:
    Container ID:   docker://3e4dfc72174241724b7c50c27d8d16947b43d126e435b916e39c5a925d79c1f8
    Image:          docker.io/kennethreitz/httpbin
    Image ID:       docker-pullable://kennethreitz/httpbin@sha256:599fe5e5073102dbb0ee3dbb65f049dab44fa9fc251f6835c9990f8fb196a72b
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sat, 03 Jul 17:26:41 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from httpbin-token-qk94s (ro)
  istio-proxy:
    Container ID:  docker://4c0a5a3b8bc0c7ed9f9fb5fac7690f5302652b76e5adf21dd58e4b6c6a8a5c8b
    Image:         docker.io/istio/proxyv2:1.10.1
    Image ID:      docker-pullable://istio/proxyv2@sha256:d9b295da022ad826c54d5bb49f1f2b661826efd8c2672b2f61ddc2aedac78cfc
    Port:          15090/TCP
    Host Port:     0/TCP
    Args:
      proxy
      sidecar
      --domain
      $(POD_NAMESPACE).svc.cluster.local
      --serviceCluster
      httpbin.$(POD_NAMESPACE)
      --proxyLogLevel=warning
      --proxyComponentLogLevel=misc:error
      --log_output_level=default:info
      --concurrency
      2
    State:          Running
      Started:      Sat, 03 Jul 17:26:41 +0800
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:      10m
      memory:   40Mi
    Readiness:  http-get http://:15021/healthz/ready delay=1s timeout=3s period=2s #success=1 #failure=30
    Environment:
      JWT_POLICY:                    first-party-jwt
      PILOT_CERT_PROVIDER:           istiod
      CA_ADDR:                       istiod.istio-system.svc:15012
      POD_NAME:                      httpbin-74fb669cc6-vn897 (v1:metadata.name)
      POD_NAMESPACE:                 default (v1:metadata.namespace)
      INSTANCE_IP:                    (v1:status.podIP)
      SERVICE_ACCOUNT:                (v1:spec.serviceAccountName)
      HOST_IP:                        (v1:status.hostIP)
      CANONICAL_SERVICE:              (v1:metadata.labels['service.istio.io/canonical-name'])
      CANONICAL_REVISION:             (v1:metadata.labels['service.istio.io/canonical-revision'])
      PROXY_CONFIG:                  {}
      ISTIO_META_POD_PORTS:          [{"containerPort":80,"protocol":"TCP"}]
      ISTIO_META_APP_CONTAINERS:     httpbin
      ISTIO_META_CLUSTER_ID:         Kubernetes
      ISTIO_META_INTERCEPTION_MODE:  REDIRECT
      ISTIO_META_WORKLOAD_NAME:      httpbin
      ISTIO_META_OWNER:              kubernetes://apis/apps/v1/namespaces/default/deployments/httpbin
      ISTIO_META_MESH_ID:            cluster.local
      TRUST_DOMAIN:                  cluster.local
    Mounts:
      /etc/istio/pod from istio-podinfo (rw)
      /etc/istio/proxy from istio-envoy (rw)
      /var/lib/istio/data from istio-data (rw)
      /var/run/secrets/istio from istiod-ca-cert (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from httpbin-token-qk94s (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  istio-envoy:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
  istio-data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  istio-podinfo:
    Type:  DownwardAPI (a volume populated by information about the pod)
    Items:
      metadata.labels -> labels
      metadata.annotations -> annotations
      limits.cpu -> cpu-limit
      requests.cpu -> cpu-request
  istiod-ca-cert:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      istio-ca-root-cert
    Optional:  false
  httpbin-token-qk94s:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  httpbin-token-qk94s
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  4m32s  default-scheduler  Successfully assigned default/httpbin-74fb669cc6-vn897 to docker-desktop
  Normal  Pulled     4m28s  kubelet            Container image "docker.io/istio/proxyv2:1.10.1" already present on machine
  Normal  Created    4m28s  kubelet            Created container istio-init
  Normal  Started    4m28s  kubelet            Started container istio-init
  Normal  Pulling    4m28s  kubelet            Pulling image "docker.io/kennethreitz/httpbin"
  Normal  Pulled     69s    kubelet            Successfully pulled image "docker.io/kennethreitz/httpbin" in 3m18.6849062s
  Normal  Created    69s    kubelet            Created container httpbin
  Normal  Started    68s    kubelet            Started container httpbin
  Normal  Pulled     68s    kubelet            Container image "docker.io/istio/proxyv2:1.10.1" already present on machine
  Normal  Created    68s    kubelet            Created container istio-proxy
  Normal  Started    68s    kubelet            Started container istio-proxy

3) Create the Ingress Gateway

➜ cat ingress.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - ""
➜ kubectl apply -f ingress.yaml
working.istio.io/httpbin-gateway created
➜ kubectl get gw httpbin-gateway -o wide
NAME              AGE
httpbin-gateway   32s
➜ kubectl describe gw httpbin-gateway
Name:         httpbin-gateway
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.istio.io/v1beta1
Kind:         Gateway
Metadata:
  Creation Timestamp:  -07-03T09:32:32Z
  Generation:          1
  Managed Fields:
    API Version:  networking.istio.io/v1alpha3
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:selector:
          .:
          f:istio:
        f:servers:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            -07-03T09:32:32Z
  Resource Version:  632602
  Self Link:         /apis/networking.istio.io/v1beta1/namespaces/default/gateways/httpbin-gateway
  UID:               d1a475fb-a50a-485d-817c-4dedbb3426a9
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
    Port:
      Name:      http
      Number:    80
      Protocol:  HTTP
Events:          <none>

4) Create the corresponding Virtual Service

➜ cat virtualservice.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - ""
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
➜ kubectl apply -f working.istio.io/httpbin created

5) Check the status of the Virtual Service

➜ kubectl get vs -o wide | grep httpbin
httpbin   ["httpbin-gateway"]   [""]   56s
➜ kubectl describe vs httpbin
Name:         httpbin
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.istio.io/v1beta1
Kind:         VirtualService
Metadata:
  Creation Timestamp:  -07-03T09:39:26Z
  Generation:          1
  Managed Fields:
    API Version:  networking.istio.io/v1alpha3
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:gateways:
        f:hosts:
        f:http:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            -07-03T09:39:26Z
  Resource Version:  633475
  Self Link:         /apis/networking.istio.io/v1beta1/namespaces/default/virtualservices/httpbin
  UID:               4bf50ddd-6d1c-4e3b-948e-56d04b5f2332
Spec:
  Gateways:
    httpbin-gateway
  Hosts:
  Http:
    Match:
      Uri:
        Prefix:  /status
      Uri:
        Prefix:  /delay
    Route:
      Destination:
        Host:  httpbin
        Port:
          Number:  8000
Events:            <none>

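6) Access test

The httpbin service has two test URLs, status and delay. status returns the status code that the client passes in; delay lets the client specify how long the service waits before returning the response.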

➜ curl -I -HHost: http://localhost/status/200
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 03 Jul 09:56:10 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 29
➜ curl -I -HHost: http://localhost/status/301
HTTP/1.1 301 Moved Permanently
server: istio-envoy
date: Sat, 03 Jul 09:57:08 GMT
location: /redirect/1
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 44
➜ curl -I -HHost: http://localhost/status/502
HTTP/1.1 502 Bad Gateway
server: istio-envoy
date: Sat, 03 Jul 09:56:38 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 39
➜ curl -I -HHost: http://localhost/status/504
HTTP/1.1 504 Gateway Timeout
server: istio-envoy
date: Sat, 03 Jul 09:56:52 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 38
➜ time curl -I -HHost: http://localhost/delay/2
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 03 Jul 09:57:35 GMT
content-type: application/json
content-length: 737
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time:
curl -I -HHost: http://localhost/delay/2 0.00s user 0.01s system 0% cpu 2.023 total
➜ time curl -I -HHost: http://localhost/delay/5
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 03 Jul 09:58:32 GMT
content-type: application/json
content-length: 737
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 5005
curl -I -HHost: http://localhost/delay/5 0.00s user 0.01s system 0% cpu 5.016 total

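III. Understanding Egress

An Egress gateway lets you define custom Egress gateway policies to manage and control traffic from in-cluster services as it leaves the cluster.

IV. Egress Lab

1) Check whether the cluster's Egress Gateway component exists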

➜ kubectl get pods -n istio-system | grep egressgateway
istio-egressgateway-5796fb8ccf-jjtjl   1/1   Running   214d

2) Create the sleep service

➜ kubectl apply -f ../../samples/sleep/sleep.yaml
serviceaccount/sleep created
service/sleep created
deployment.apps/sleep created
➜ kubectl get pods -o wide | grep sleep
sleep-557747455f-rhj7k   2/2   Running   0   28s   10.1.8.134   docker-desktop   <none>   <none>
➜ kubectl get deploy -o wide | grep sleep
sleep   1/1   1   1   49s   sleep   curlimages/curl   app=sleep
➜ kubectl get rs -o wide | grep sleep
sleep-557747455f   1   1   1   59s   sleep   curlimages/curl   app=sleep,pod-template-hash=557747455f
➜ kubectl get svc -o wide | grep sleep
sleep   ClusterIP   10.106.229.29   <none>   80/TCP   66s   app=sleep

3) Define a Service Entry for the external service

➜ cat serviceentry.yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin
spec:
  hosts:
  -
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  resolution: DNS
➜ kubectl apply -f serviceentry.yaml
working.istio.io/httpbin created
➜ kubectl get serviceentry -o wide
NAME      HOSTS   LOCATION   RESOLUTION   AGE
httpbin   [""]               DNS          22s
➜ kubectl describe serviceentry httpbin
Name:         httpbin
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.istio.io/v1beta1
Kind:         ServiceEntry
Metadata:
  Creation Timestamp:  -07-03T10:11:12Z
  Generation:          1
  Managed Fields:
    API Version:  networking.istio.io/v1alpha3
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:hosts:
        f:ports:
        f:resolution:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            -07-03T10:11:12Z
  Resource Version:  637531
  Self Link:         /apis/networking.istio.io/v1beta1/namespaces/default/serviceentries/httpbin
  UID:               ff8a43a4-a5d2-410c-ad7a-62d967f31c02
Spec:
  Hosts:
  Ports:
    Name:      http-port
    Number:    80
    Protocol:  HTTP
  Resolution:  DNS
Events:        <none>

4) Watch the Egress Gateway logs to see whether requests from the sleep service to the external service pass through the Egress Gateway

➜ kubectl logs -f istio-egressgateway-5796fb8ccf-jjtjl -n istio-system
➜ kubectl exec -it sleep-557747455f-rhj7k -c sleep -- curl http://ip
{"origin": "58.49.32.170"}

5) Define routes that direct traffic to the Egress Gateway

➜ cat virtualservice.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-for-egressgateway
spec:
  hosts:
  -
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - meth
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: httpbin
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host:
        port:
          number: 80
      weight: 100
➜ kubectl apply -f virtualservice.yaml
working.istio.io/vs-for-egressgateway created
➜ kubectl get vs -o wide | grep vs-for-egressgateway
vs-for-egressgateway   ["istio-egressgateway","mesh"]   [""]   21s
➜ kubectl describe vs vs-for-egressgateway
Name:         vs-for-egressgateway
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.istio.io/v1beta1
Kind:         VirtualService
Metadata:
  Creation Timestamp:  -07-03T10:18:46Z
  Generation:          1
  Managed Fields:
    API Version:  networking.istio.io/v1alpha3
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:gateways:
        f:hosts:
        f:http:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            -07-03T10:18:46Z
  Resource Version:  638484
  Self Link:         /apis/networking.istio.io/v1beta1/namespaces/default/virtualservices/vs-for-egressgateway
  UID:               cbd00a94-cb8d-46f5-9669-6df3584e0178
Spec:
  Gateways:
    istio-egressgateway
    mesh
  Hosts:
  Http:
    Match:
      Gateways:
        meth
      Port:  80
    Route:
      Destination:
        Host:  istio-egressgateway.istio-system.svc.cluster.local
        Port:
          Number:  80
        Subset:    httpbin
      Weight:      100
    Match:
      Gateways:
        istio-egressgateway
      Port:  80
    Route:
      Destination:
        Host:
        Port:
          Number:  80
      Weight:      100
Events:            <none>

➜ cat destinationrule.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-for-egressgateway
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: httpbin
➜ kubectl apply -f working.istio.io/dr-for-egressgateway created
➜ kubectl get dr -o wide
NAME                   HOST                                                 AGE
dr-for-egressgateway   istio-egressgateway.istio-system.svc.cluster.local   6s
➜ kubectl describe dr dr-for-egressgateway
Name:         dr-for-egressgateway
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.istio.io/v1beta1
Kind:         DestinationRule
Metadata:
  Creation Timestamp:  -07-03T10:21:31Z
  Generation:          1
  Managed Fields:
    API Version:  networking.istio.io/v1alpha3
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:host:
        f:subsets:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            -07-03T10:21:31Z
  Resource Version:  638834
  Self Link:         /apis/networking.istio.io/v1beta1/namespaces/default/destinationrules/dr-for-egressgateway
  UID:               bee9b39e-a9ac-4e36-803d-153bdf40c97d
Spec:
  Host:  istio-egressgateway.istio-system.svc.cluster.local
  Subsets:
    Name:  httpbin
Events:    <none>
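
Added example (not part of the original article): the first match in vs-for-egressgateway names the gateway "meth", whereas "mesh" is Istio's reserved name for the sidecars, and a match that names an undefined gateway does not apply to sidecar traffic. The Python check below lists gateway references in a VirtualService that resolve to neither "mesh" nor a known Gateway; the inventory, including a Gateway called istio-egressgateway in the default namespace, is an assumption constructed for the example.

```python
# Added example: report gateway names a VirtualService references
# but that are neither the reserved "mesh" nor a known Gateway.
RESERVED = {"mesh"}  # Istio's reserved name for all sidecars in the mesh

def qualify(ref, namespace):
    """Return a gateway reference as 'namespace/name' ('mesh' is kept as-is)."""
    if ref in RESERVED or "/" in ref:
        return ref
    return f"{namespace}/{ref}"

def gateway_refs(vs):
    """Yield (location, reference) for every gateway named in a VirtualService."""
    spec = vs.get("spec", {})
    for ref in spec.get("gateways", []):
        yield "spec.gateways", ref
    for proto in ("http", "tls", "tcp"):
        for i, route in enumerate(spec.get(proto, [])):
            for j, match in enumerate(route.get("match", [])):
                for ref in match.get("gateways", []):
                    yield f"spec.{proto}[{i}].match[{j}].gateways", ref

def dangling_gateway_refs(virtual_services, gateways):
    """Return (virtualservice, location, reference) for unresolved references."""
    known = {f'{g["metadata"].get("namespace", "default")}/{g["metadata"]["name"]}'
             for g in gateways}
    findings = []
    for vs in virtual_services:
        ns = vs["metadata"].get("namespace", "default")
        for location, ref in gateway_refs(vs):
            full = qualify(ref, ns)
            if full not in RESERVED and full not in known:
                findings.append((vs["metadata"]["name"], location, ref))
    return findings

# Constructed inventory: the Gateway created in the Ingress lab plus an
# ASSUMED Gateway named istio-egressgateway (the article does not show one).
GATEWAYS = [
    {"metadata": {"name": "httpbin-gateway", "namespace": "default"}},
    {"metadata": {"name": "istio-egressgateway", "namespace": "default"}},
]
# Gateway names copied from the vs-for-egressgateway manifest in step 5.
VS_EGRESS = {
    "metadata": {"name": "vs-for-egressgateway", "namespace": "default"},
    "spec": {
        "gateways": ["istio-egressgateway", "mesh"],
        "http": [
            {"match": [{"gateways": ["meth"], "port": 80}]},
            {"match": [{"gateways": ["istio-egressgateway"], "port": 80}]},
        ],
    },
}

if __name__ == "__main__":
    for name, location, ref in dangling_gateway_refs([VS_EGRESS], GATEWAYS):
        print(f"{name}: {location} references unknown gateway {ref!r}")
```

With only httpbin-gateway in the inventory, the same call also reports both references to istio-egressgateway, which is how a missing egress Gateway resource would show up.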

6) Access the external service from the sleep service again and check whether the Egress Gateway shows corresponding log entries

➜ kubectl exec -it sleep-557747455f-rhj7k -c sleep -- curl http://ip
{"origin": "113.57.121.60"}
➜ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
[-07-03 T18:38:49.810Z] "GET /politics HTTP/2" 200 - "-" "-" 0 0 1445 1444 "10.80.3.231" "curl/7.64.0" "2151bde2-4382-4e2f-b088-e464943c2a9b" "" "113.57.121.60:80" outbound|80|| 10.80.3.232:51516 10.80.3.232:8080 10.80.3.231:38072 - -
