我的书签
添加书签
移除书签Debugging Envoy and Istiod
If you want to try the commands described below, you can either:
- Have a Kubernetes cluster with Istio and Bookinfo installed (as described in installation steps and ).
OR
- Use similar commands against your own application running in a Kubernetes cluster.
The proxy-status command allows you to get an overview of your mesh. If you suspect one of your sidecars isn’t receiving configuration or is out of sync then proxy-status will tell you this.
If a proxy is missing from this list it means that it is not currently connected to a Istiod instance so will not be receiving any configuration.
SYNCEDmeans that Envoy has acknowledged the last configuration Istiod has sent to it.NOT SENTmeans that Istiod hasn’t sent anything to Envoy. This usually is because Istiod has nothing to send.STALEmeans that Istiod has sent an update to Envoy but has not received an acknowledgement. This usually indicates a networking issue between Envoy and Istiod or a bug with Istio itself.
Retrieve diffs between Envoy and Istiod
The proxy-status command can also be used to retrieve a diff between the configuration Envoy has loaded and the configuration Istiod would send, by providing a proxy ID. This can help you determine exactly what is out of sync and where the issue may lie.
$ istioctl proxy-status details-v1-6dcc6fbb9d-wsjz4.default--- Istiod Clusters+++ Envoy Clusters@@ -374,36 +374,14 @@"edsClusterConfig": {"edsConfig": {"ads": {}},"serviceName": "outbound|443||public-cr0bdc785ce3f14722918080a97e1f26be-alb1.kube-system.svc.cluster.local"- },- "connectTimeout": "1.000s",- "circuitBreakers": {- "thresholds": [- {-- }- ]- }- }- },- {- "cluster": {- "name": "outbound|53||kube-dns.kube-system.svc.cluster.local",- "type": "EDS",- "edsClusterConfig": {- "edsConfig": {- "ads": {-- }- },- "serviceName": "outbound|53||kube-dns.kube-system.svc.cluster.local"},"connectTimeout": "1.000s","circuitBreakers": {"thresholds": [{}Listeners MatchRoutes Match (RDS last loaded at Tue, 04 Aug 2020 11:52:54 IST)
Here you can see that the listeners and routes match but the clusters are out of sync.
The proxy-config command can be used to see how a given Envoy instance is configured. This can then be used to pinpoint any issues you are unable to detect by just looking through your Istio configuration and custom resources. To get a basic summary of clusters, listeners or routes for a given pod use the command as follows (changing clusters for listeners or routes when required):
$ istioctl proxy-config cluster -n istio-system istio-ingressgateway-7d6874b48f-qxhn5SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULEBlackHoleCluster - - - STATICagent - - - STATICdetails.default.svc.cluster.local 9080 - outbound EDS details.defaultistio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDSistio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDSistio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDSistio-ingressgateway.istio-system.svc.cluster.local 15443 - outbound EDSistiod.istio-system.svc.cluster.local 443 - outbound EDSistiod.istio-system.svc.cluster.local 853 - outbound EDSistiod.istio-system.svc.cluster.local 15010 - outbound EDSistiod.istio-system.svc.cluster.local 15012 - outbound EDSistiod.istio-system.svc.cluster.local 15014 - outbound EDSkube-dns.kube-system.svc.cluster.local 53 - outbound EDSkube-dns.kube-system.svc.cluster.local 9153 - outbound EDSkubernetes.default.svc.cluster.local 443 - outbound EDS...productpage.default.svc.cluster.local 9080 - outbound EDSprometheus_stats - - - STATICratings.default.svc.cluster.local 9080 - outbound EDSreviews.default.svc.cluster.local 9080 - outbound EDSsds-grpc - - - STATICxds-grpc - - - STRICT_DNSzipkin - - - STRICT_DNS
In order to debug Envoy you need to understand Envoy clusters/listeners/routes/endpoints and how they all interact. We will use the proxy-config command with the -o json and filtering flags to follow Envoy as it determines where to send a request from the productpage pod to the reviews pod at reviews:9080.
From the above summary you can see that every sidecar has a listener bound to
0.0.0.0:15006which is where IP tables routes all inbound pod traffic to and a listener bound to0.0.0.0:15001which is where IP tables routes all outbound pod traffic to. The0.0.0.0:15001listener hands the request over to the virtual listener that best matches the original destination of the request, if it can find a matching one. Otherwise, it sends the request to thePassthroughClusterwhich connects to the destination directly.-
$ istioctl proxy-config listeners productpage-v1-6c886ff494-7vxhs -o json --address 0.0.0.0 --port 9080..."rds": {"configSource": {"ads": {},"resourceApiVersion": "V3"},"routeConfigName": "9080"}...
The
9080route configuration only has a virtual host for each service. Our request is heading to the reviews service so Envoy will select the virtual host to which our request matches a domain. Once matched on domain Envoy looks for the first route that matches the request. In this case we don’t have any advanced routing so there is only one route that matches on everything. This route tells Envoy to send the request to theoutbound|9080||reviews.default.svc.cluster.localcluster.$ istioctl proxy-config routes productpage-v1-6c886ff494-7vxhs --name 9080 -o json[{"name": "9080","virtualHosts": [{"name": "reviews.default.svc.cluster.local:9080","domains": ["reviews.default.svc.cluster.local","reviews.default.svc.cluster.local:9080","reviews","reviews:9080","reviews.default.svc.cluster","reviews.default.svc.cluster:9080","reviews.default.svc","reviews.default.svc:9080","reviews.default","reviews.default:9080","10.98.88.0","10.98.88.0:9080"],"routes": [{"name": "default","match": {"prefix": "/"},"route": {}}]...
This cluster is configured to retrieve the associated endpoints from Istiod (via ADS). So Envoy will then use the
serviceNamefield as a key to look up the list of Endpoints and proxy the request to one of them.$ istioctl proxy-config cluster productpage-v1-6c886ff494-7vxhs --fqdn reviews.default.svc.cluster.local -o json[{"name": "outbound|9080||reviews.default.svc.cluster.local","type": "EDS","edsClusterConfig": {"edsConfig": {"ads": {},"resourceApiVersion": "V3"},"serviceName": "outbound|9080||reviews.default.svc.cluster.local"},"connectTimeout": "10s","circuitBreakers": {"thresholds": [{"maxConnections": 4294967295,"maxPendingRequests": 4294967295,"maxRequests": 4294967295,"maxRetries": 4294967295}]},}]
To see the endpoints currently available for this cluster use the
proxy-configendpoints command.
Inspecting bootstrap configuration
So far we have looked at configuration retrieved (mostly) from Istiod, however Envoy requires some bootstrap configuration that includes information like where Istiod can be found. To view this use the following command:
$ istioctl proxy-config bootstrap -n istio-system istio-ingressgateway-7d6874b48f-qxhn5{"bootstrap": {"node": {"id": "router~172.30.86.14~istio-ingressgateway-7d6874b48f-qxhn5.istio-system~istio-system.svc.cluster.local","cluster": "istio-ingressgateway","metadata": {"CLUSTER_ID": "Kubernetes","EXCHANGE_KEYS": "NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,MESH_ID,SERVICE_ACCOUNT,CLUSTER_ID","INSTANCE_IPS": "10.244.0.7","ISTIO_PROXY_SHA": "istio-proxy:f98b7e538920abc408fbc91c22a3b32bc854d9dc","ISTIO_VERSION": "1.7.0","LABELS": {"app": "istio-ingressgateway","chart": "gateways","heritage": "Tiller","istio": "ingressgateway","pod-template-hash": "68bf7d7f94","release": "istio","service.istio.io/canonical-name": "istio-ingressgateway","service.istio.io/canonical-revision": "latest"},"MESH_ID": "cluster.local","NAME": "istio-ingressgateway-68bf7d7f94-sp226","NAMESPACE": "istio-system","OWNER": "kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway","ROUTER_MODE": "sni-dnat","SDS": "true","SERVICE_ACCOUNT": "istio-ingressgateway-service-account","WORKLOAD_NAME": "istio-ingressgateway"},"userAgentBuildVersion": {"version": {"majorNumber": 1,"minorNumber": 15},"metadata": {"build.type": "RELEASE","revision.sha": "f98b7e538920abc408fbc91c22a3b32bc854d9dc","revision.status": "Clean","ssl.version": "BoringSSL"}},},...
Verifying connectivity to Istiod is a useful troubleshooting step. Every proxy container in the service mesh should be able to communicate with Istiod. This can be accomplished in a few simple steps:
Create a
sleeppod:$ kubectl create namespace foo$ kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
Test connectivity to Istiod using
curl. The following example invokes the v1 registration API using default Istiod configuration parameters and mutual TLS enabled:
You should receive a response listing the “service” and “endpoint” for each service in the mesh.
What Envoy version is Istio using?
To find out the Envoy version used in deployment, you can exec into the container and query the endpoint:
Using MOSN with Istio: an alternative data plane
An alternative sidecar proxy for Istio.
Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.
Describes the telemetry and monitoring features provided by Istio.
Describes the various Istio features focused on traffic routing and control.
How to configure TLS settings to secure network traffic.
