我的书签
添加书签
移除书签镜像
流量镜像,也称为影子流量,是一个以尽可能低的风险为生产带来变化的强大的功能。镜像会将实时流量的副本发送到镜像服务。镜像流量发生在主服务的关键请求路径之外。
在此任务中,首先把流量全部路由到 版本的测试服务。然后,执行规则将一部分流量镜像到 v2 版本。
httpbin-v1:
httpbin-v2:
$ cat <<EOF | istioctl kube-inject -f - | kubectl create -f -apiVersion: apps/v1kind: Deploymentmetadata:name: httpbin-v2spec:replicas: 1template:metadata:labels:app: httpbinversion: v2spec:containers:- image: docker.io/kennethreitz/httpbinimagePullPolicy: IfNotPresentname: httpbincommand: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:80", "httpbin:app"]ports:- containerPort: 80EOF
httpbin Kubernetes service:
$ kubectl create -f - <<EOFapiVersion: v1kind: Servicemetadata:name: httpbinlabels:app: httpbinspec:ports:- name: httpport: 8000targetPort: 80selector:app: httpbinEOF
- 启动
sleep服务,这样就可以使用curl来提供负载了:
sleep service:
$ cat <<EOF | istioctl kube-inject -f - | kubectl create -f -apiVersion: apps/v1kind: Deploymentmetadata:name: sleepspec:replicas: 1template:metadata:labels:app: sleepspec:containers:- name: sleepimage: tutum/curlcommand: ["/bin/sleep","infinity"]imagePullPolicy: IfNotPresentEOF
- 创建一个默认路由规则,将所有流量路由到服务的
v1:
如果安装/配置 Istio 的时候开启了 TLS 认证,在应用 DestinationRule 之前必须将 TLS 流量策略 mode: ISTIO_MUTUAL 添加到 DestinationRule。否则,请求将发生 503 错误,如所述。
$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: httpbinspec:hosts:- httpbinhttp:- route:- destination:host: httpbinsubset: v1weight: 100---kind: DestinationRulemetadata:spec:host: httpbinsubsets:- name: v1labels:version: v1- name: v2labels:version: v2EOF
现在所有流量都转到httpbin:v1服务。
- 向服务发送一下流量:
- 分别查看
httpbin服务v1和v2两个 pods 的日志,您可以看到访问日志进入v1,而v2中没有日志,显示为<none>:
$ export V1_POD=$(kubectl get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})$ kubectl logs -f $V1_POD -c httpbin127.0.0.1 - - [07/Mar/2018:19:02:43 +0000] "GET /headers HTTP/1.1" 200 321 "-" "curl/7.35.0"
$ export V2_POD=$(kubectl get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})$ kubectl logs -f $V2_POD -c httpbin<none>
- 改变流量规则将流量镜像到 v2:
$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: httpbinspec:hosts:- httpbinhttp:- route:- destination:host: httpbinsubset: v1weight: 100mirror:host: httpbinsubset: v2mirror_percent: 100EOF
这个路由规则发送 100% 流量到 v1。最后一段表示你将镜像流量到 httpbin:v2 服务。当流量被镜像时,请求将发送到镜像服务中,并在 headers 中的 Host/Authority 属性值上追加 -shadow。例如 cluster-1 变为 cluster-1-shadow。
此外,重点注意这些被镜像的流量是『即发即弃』的,就是说镜像请求的响应会被丢弃。
您可以使用 mirror_percent 属性来设置镜像流量的百分比,而不是镜像全部请求。为了兼容老版本,如果这个属性不存在,将镜像所有流量。
- 发送流量:
$ kubectl exec -it $SLEEP_POD -c sleep -- sh -c 'curl http://httpbin:8000/headers' | python -m json.tool
现在就可以看到 v1 和 v2 中都有了访问日志。v2 中的访问日志就是由镜像流量产生的,这些请求的实际目标是 v1。
$ kubectl logs -f $V2_POD -c httpbin127.0.0.1 - - [07/Mar/2018:19:26:44 +0000] "GET /headers HTTP/1.1" 200 361 "-" "curl/7.35.0"
- 如果要检查流量内部,请在另一个控制台上运行以下命令:
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})$ export V1_POD_IP=$(kubectl get pod -l app=httpbin -l version=v1 -o jsonpath={.items..status.podIP})$ export V2_POD_IP=$(kubectl get pod -l app=httpbin -l version=v2 -o jsonpath={.items..status.podIP})$ kubectl exec -it $SLEEP_POD -c istio-proxy -- sudo tcpdump -A -s 0 host $V1_POD_IP or host $V2_POD_IPtcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes05:47:50.159513 IP sleep-7b9f8bfcd-2djx5.38836 > 10-233-75-11.httpbin.default.svc.cluster.local.80: Flags [P.], seq 4039989036:4039989832, ack 3139734980, win 254, options [nop,nop,TS val 77427918 ecr 76730809], length 796: HTTP: GET /headers HTTP/1.1E..P2.X.X.X..K..K....P..W,.$.......+.......t.....GET /headers HTTP/1.1host: httpbin:8000user-agent: curl/7.35.0accept: */*x-forwarded-proto: httpx-request-id: 571c0fd6-98d4-4c93-af79-6a2fe2945847x-envoy-decorator-operation: httpbin.default.svc.cluster.local:8000/*x-b3-traceid: 82f3e0a76dcebca2x-b3-spanid: 82f3e0a76dcebca2x-b3-sampled: 0x-istio-attributes: Cj8KGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIjEiFodHRwYmluLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwKPQoXZGVzdGluYXRpb24uc2VydmljZS51aWQSIhIgaXN0aW86Ly9kZWZhdWx0L3NlcnZpY2VzL2h0dHBiaW4KKgodZGVzdGluYXRpb24uc2VydmljZS5uYW1lc3BhY2USCRIHZGVmYXVsdAolChhkZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWUSCRIHaHR0cGJpbgo6Cgpzb3VyY2UudWlkEiwSKmt1YmVybmV0ZXM6Ly9zbGVlcC03YjlmOGJmY2QtMmRqeDUuZGVmYXVsdAo6ChNkZXN0aW5hdGlvbi5zZXJ2aWNlEiMSIWh0dHBiaW4uZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbA==content-length: 005:47:50.159609 IP sleep-7b9f8bfcd-2djx5.49560 > 10-233-71-7.httpbin.default.svc.cluster.local.80: Flags [P.], seq 296287713:296288571, ack 4029574162, win 254, options [nop,nop,TS val 77427918 ecr 76732809], length 858: HTTP: GET /headers HTTP/1.1E.....X.X....G....P......l......e.......t.....GET /headers HTTP/1.1host: httpbin-shadow:8000user-agent: curl/7.35.0accept: */*x-request-id: 571c0fd6-98d4-4c93-af79-6a2fe2945847x-envoy-decorator-operation: httpbin.default.svc.cluster.local:8000/*x-b3-traceid: 82f3e0a76dcebca2x-b3-spanid: 82f3e0a76dcebca2x-b3-sampled: 0x-istio-attributes: Cj8KGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIjEiFodHRwYmluLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwKPQoXZGVzdGluYXRpb24uc2VydmljZS51aWQSIhIgaXN0aW86Ly9kZWZhdWx0L3NlcnZpY2VzL2h0dHBiaW4KKgodZGVzdGluYXRpb24uc2VydmljZS5uYW1lc3BhY2USCRIHZGVmYXVsdAolChhkZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWUSCRIHaHR0cGJpbgo6Cgpzb3VyY2UudWlkEiwSKmt1YmVybmV0ZXM6Ly9zbGVlcC03YjlmOGJmY2QtMmRqeDUuZGVmYXVsdAo6ChNkZXN0aW5hdGlvbi5zZXJ2aWNlEiMSIWh0dHBiaW4uZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbA==x-envoy-internal: truex-forwarded-for: 10.233.75.12content-length: 005:47:50.166734 IP 10-233-75-11.httpbin.default.svc.cluster.local.80 > sleep-7b9f8bfcd-2djx5.38836: Flags [P.], seq 1:472, ack 796, win 276, options [nop,nop,TS val 77427925 ecr 77427918], length 471: HTTP: HTTP/1.1 200 OKE....3X.?....K..K..P...$....ZH.............t...t.HTTP/1.1 200 OKserver: envoydate: Fri, 15 Feb 2019 05:47:50 GMTcontent-type: application/jsoncontent-length: 241access-control-allow-origin: *access-control-allow-credentials: truex-envoy-upstream-service-time: 3{"headers": {"Accept": "*/*","Content-Length": "0","Host": "httpbin:8000","User-Agent": "curl/7.35.0","X-B3-Sampled": "0","X-B3-Spanid": "82f3e0a76dcebca2","X-B3-Traceid": "82f3e0a76dcebca2"}}05:47:50.166789 IP sleep-7b9f8bfcd-2djx5.38836 > 10-233-75-11.httpbin.default.svc.cluster.local.80: Flags [.], ack 472, win 262, options [nop,nop,TS val 77427925 ecr 77427925], length 0E..42.X.X.\..K..K....P..ZH.$...............t...t.05:47:50.167234 IP 10-233-71-7.httpbin.default.svc.cluster.local.80 > sleep-7b9f8bfcd-2djx5.49560: Flags [P.], seq 1:512, ack 858, win 280, options [nop,nop,TS val 77429926 ecr 77427918], length 511: HTTP: HTTP/1.1 200 OKE..3..X.>....G..K..P....l....;.............|...t.HTTP/1.1 200 OKserver: envoydate: Fri, 15 Feb 2019 05:47:49 GMTcontent-type: application/jsoncontent-length: 281access-control-allow-origin: *access-control-allow-credentials: truex-envoy-upstream-service-time: 3{"headers": {"Accept": "*/*","Content-Length": "0","Host": "httpbin-shadow:8000","User-Agent": "curl/7.35.0","X-B3-Sampled": "0","X-B3-Spanid": "82f3e0a76dcebca2","X-B3-Traceid": "82f3e0a76dcebca2","X-Envoy-Internal": "true"}}05:47:50.167253 IP sleep-7b9f8bfcd-2djx5.49560 > 10-233-71-7.httpbin.default.svc.cluster.local.80: Flags [.], ack 512, win 262, options [nop,nop,TS val 77427926 ecr 77429926], length 0E..4..X.X....K..G....P...;..n..............t...|.
您可以看到流量的请求和响应内容。
- 删除规则:
$ kubectl delete virtualservice httpbin$ kubectl delete destinationrule httpbin
- 关闭 httpbin 服务和客户端:
$ kubectl delete deploy httpbin-v1 httpbin-v2 sleep
Istio as a Proxy for External Services
Configure Istio ingress gateway to act as a proxy for external services.
Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.
Secure Control of Egress Traffic in Istio, part 3
Comparison of alternative solutions to control egress traffic including performance considerations.
Use Istio Egress Traffic Control to prevent attacks involving egress traffic.
Attacks involving egress traffic and requirements for egress traffic control.
