Focus on big data and container cloud core technology decryption, if you have any academic exchange, feel free to contact. For more content, please pay attention to the public account of Data Cloud Technology Community, or forward the email to [email protected].

1 Common operation and maintenance skills of Istio

  • Pilot-discovery provides control information services for the data plane (Envoy and other proxy components running as sidecars), known as Discovery Services or xDS services. Here x is a placeholder, similar to XaaS in cloud computing, which can stand for IaaS, PaaS, SaaS, etc.

  • In Istio, xDS includes the Cluster Discovery Service (CDS),

  • the Listener Discovery Service (LDS),

  • the Route Discovery Service (RDS),

  • the Endpoint Discovery Service (EDS),

  • and the Aggregated Discovery Service (ADS), which aggregates these services.

Obtain the ingress IP address and ports:

    $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
    $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
    $ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o 'jsonpath={.items[0].status.hostIP}')

Service gateway setting (the outbound traffic policy: REGISTRY_ONLY only allows egress to services known to the mesh registry, ALLOW_ANY lets sidecars reach any external host):

    kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
    kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: REGISTRY_ONLY/mode: ALLOW_ANY/g' | kubectl replace -n istio-system -f -

Manual sidecar injection:

    istioctl kube-inject -f nginx-istio-test.yaml | kubectl apply -f - -n jiuxi

Docker hub (registry mirror) configuration; note that insecure-registries lets the daemon pull from those hosts over plain HTTP or with an unverified certificate, so images from them are not authenticated:

    {
      "registry-mirrors": ["http://10.180.210.37", "http://10.180.210.196", "https://docker.mirrors.ustc.edu.cn"],
      "insecure-registries": ["10.180.210.37", "10.180.210.196", "docker.mirrors.ustc.edu.cn"]
    }
    sudo systemctl daemon-reload
    sudo systemctl restart docker

Envoy is the core component of the Istio data plane and is deployed in the sidecar pattern alongside the application in a Pod. The following figure shows the Envoy configuration process:

The Pilot-agent is responsible for Envoy lifecycle management. It generates Envoy's initial configuration file, envoy-rev0.json, from the boot parameters and the configuration information in the K8s API server. This file tells Envoy to fetch dynamic configuration from the xDS server and carries the xDS server address, which is Pilot on the control plane. The Pilot-agent launches the Envoy process with envoy-rev0.json. Envoy obtains the Pilot address from this initial configuration and uses the xDS interface to fetch dynamic configuration such as Listener, Cluster and Route from Pilot.
Envoy starts the Listener from the retrieved dynamic configuration and, following the Listener configuration, processes the intercepted traffic together with the Route and Cluster. Envoy is configured dynamically through the xDS API. xDS is a general name for a class of discovery services, including LDS, RDS, CDS, EDS and SDS:

  • LDS: Listener discovery service. A Listener controls which port Envoy listens on (currently TCP only) and configures the L3/L4 filters that the network filter stack applies as a connection arrives.

  • RDS: Route discovery service, used by the Envoy HTTP connection manager to dynamically retrieve the Route configuration. A Route configuration includes HTTP header modifications (adding or removing header keys), Virtual Hosts, and the routing entries defined under each Virtual Host.

  • CDS: Cluster discovery service, used to dynamically obtain Cluster information. The Envoy Cluster Manager manages all upstream clusters; a Listener (for TCP) or a Route (for HTTP) refers to an upstream Cluster as its traffic forwarding target.

  • EDS: Endpoint discovery service. For each Cluster, Envoy retrieves the Endpoints dynamically through the EDS API.

  • SDS: Secret discovery service, for obtaining TLS certificates dynamically at run time.

2 Istio traffic rewriting principle analysis

2.1 Istio Traffic Interception Theory

2.2 Istio Inbound and Outbound Traffic Transfer

3 Envoy

Configure an example Envoy that listens on 127.0.0.1:10000 and serves HTTP requests for the domain name http://example.com. All HTTP traffic received is forwarded to the service at 127.0.0.2:1234. In this example the hosts of the cluster some_service are fixed (127.0.0.2:1234), which does not suit scaling.

    admin:
      access_log_path: /tmp/admin_access.log
      address:
        socket_address: { address: 127.0.0.1, port_value: 9901 }
    static_resources:
      listeners:
        - name: listener_0
          address:
            socket_address: { address: 127.0.0.1, port_value: 10000 }
          filter_chains:
            - filters:
                - name: envoy.http_connection_manager
                  config:
                    stat_prefix: ingress_http
                    route_config:
                      name: local_route
                      virtual_hosts:
                        - name: local_service
                          domains: ["example.com"]
                          routes:
                            - match: { prefix: "/" }
                              route: { cluster: some_service }
                    http_filters:
                      - name: envoy.router
      clusters:
        - name: some_service
          connect_timeout: 0.25s
          type: STATIC
          lb_policy: ROUND_ROBIN
          hosts: [{ socket_address: { address: 127.0.0.2, port_value: 1234 } }]

The same setup with dynamic resources: the bootstrap only points at an xDS cluster, and the Listener, Route, Cluster and Endpoint resources are fetched from it.

    admin:
      access_log_path: /tmp/admin_access.log
      address:
        socket_address: { address: 127.0.0.1, port_value: 9901 }
    dynamic_resources:
      lds_config:
        api_config_source:
          api_type: GRPC
          cluster_names: [xds_cluster]
      cds_config:
        api_config_source:
          api_type: GRPC
          cluster_names: [xds_cluster]
    static_resources:
      clusters:
        - name: xds_cluster
          connect_timeout: 0.25s
          type: STATIC
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          hosts: [{ socket_address: { address: 127.0.0.3, port_value: 5678 } }]

The LDS service response format is as follows:

    version_info: "0"
    resources:
      - "@type": type.googleapis.com/envoy.api.v2.Listener
        name: listener_0
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 10000
        filter_chains:
          - filters:
              - name: envoy.http_connection_manager
                config:
                  stat_prefix: ingress_http
                  codec_type: AUTO
                  rds:
                    route_config_name: local_route
                    config_source:
                      api_config_source:
                        api_type: GRPC
                        cluster_names: [xds_cluster]
                  http_filters:
                    - name: envoy.router

The RDS service response format is as follows:

    version_info: "0"
    resources:
      - "@type": type.googleapis.com/envoy.api.v2.RouteConfiguration
        name: local_route
        virtual_hosts:
          - name: local_service
            domains: ["*"]
            routes:
              - match: { prefix: "/" }
                route: { cluster: some_service }

The CDS service response format is as follows:

    version_info: "0"
    resources:
      - "@type": type.googleapis.com/envoy.api.v2.Cluster
        name: some_service
        connect_timeout: 0.25s
        lb_policy: ROUND_ROBIN
        type: EDS
        eds_cluster_config:
          eds_config:
            api_config_source:
              api_type: GRPC
              cluster_names: [xds_cluster]

The EDS service response format is as follows:

    version_info: "0"
    resources:
      - "@type": type.googleapis.com/envoy.api.v2.ClusterLoadAssignment
        cluster_name: some_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.2
                      port_value: 1234

References (Envoy learning notes; creating an EDS dynamic configuration; Envoy practice): https://www.jianshu.com/p/73b8ba769274, https://www.jianshu.com/p/90f9ee98ce70, https://www.jianshu.com/p/ac9b99b37cd1
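As an added example that is not part of the original post or of the Envoy and Istio projects, the following Python script walks the chain Envoy follows through the LDS, RDS, CDS and EDS responses shown above for one request (Listener, then the named Route configuration, then the Cluster, then its endpoints) and raises on a dangling reference, the kind of mismatch an inconsistent xDS push produces. The resource dicts and the request host and path are constructed here from the page's YAML.

```python
# Added example (not from the original post): follow the xDS chain the post
# describes (Listener -> RDS route -> CDS cluster -> EDS endpoints) as Envoy does
# for one request. Resources are constructed here from the responses shown above.
def sa(ip, port):
    return {"socket_address": {"address": ip, "port_value": port}}

LDS = [{"name": "listener_0", "address": sa("127.0.0.1", 10000),
        "filter_chains": [{"filters": [{"name": "envoy.http_connection_manager",
                           "config": {"rds": {"route_config_name": "local_route"}}}]}]}]
RDS = [{"name": "local_route", "virtual_hosts": [{"name": "local_service",
        "domains": ["*"], "routes": [{"match": {"prefix": "/"},
                                      "route": {"cluster": "some_service"}}]}]}]
CDS = [{"name": "some_service", "type": "EDS", "lb_policy": "ROUND_ROBIN"}]
EDS = [{"cluster_name": "some_service", "endpoints": [{"lb_endpoints": [
        {"endpoint": {"address": sa("127.0.0.2", 1234)}}]}]}]

def domain_matches(domain, host):
    """Envoy virtual-host matching: exact name, '*' catch-all, or '*.suffix'."""
    return domain in ("*", host) or (domain.startswith("*.") and host.endswith(domain[1:]))

def endpoints_for(cluster_name, cds, eds):
    """Cluster name -> (ip, port) pairs: inline hosts for STATIC, else the EDS assignment."""
    cluster = next((c for c in cds if c["name"] == cluster_name), None)
    if cluster is None:
        raise LookupError(f"route references unknown cluster {cluster_name!r}")
    if cluster["type"] == "STATIC":
        sas = [h["socket_address"] for h in cluster["hosts"]]
    else:
        cla = next((a for a in eds if a["cluster_name"] == cluster_name), None)
        if cla is None:
            raise LookupError(f"EDS has no assignment for {cluster_name!r}")
        sas = [e["endpoint"]["address"]["socket_address"]
               for grp in cla["endpoints"] for e in grp["lb_endpoints"]]
    return [(s["address"], s["port_value"]) for s in sas]

def resolve(host, path, lds=LDS, rds=RDS, cds=CDS, eds=EDS):
    """Endpoints a request for host/path on the first listener reaches; [] means no match (404)."""
    hcm = lds[0]["filter_chains"][0]["filters"][0]["config"]
    route_name = hcm["rds"]["route_config_name"]
    route_cfg = next((r for r in rds if r["name"] == route_name), None)
    if route_cfg is None:
        raise LookupError(f"RDS has no route configuration {route_name!r}")
    for vh in route_cfg["virtual_hosts"]:
        if any(domain_matches(d, host) for d in vh["domains"]):
            for r in vh["routes"]:
                if path.startswith(r["match"]["prefix"]):
                    return endpoints_for(r["route"]["cluster"], cds, eds)
    return []
```

Calling resolve("example.com", "/api") returns [("127.0.0.2", 1234)], the endpoint from the EDS response; dropping the Cluster or the ClusterLoadAssignment from the inputs raises instead of silently routing nowhere.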
