
Using Istio, is there a way to route ingress to a k8s cluster service that is not running an envoy sidecar?

I'm running an Azure AKS cluster with both Windows and Linux VMs.

I can curl the cluster service by name from a pod in the Istio namespace, so I know TCP to the pod works. I believe I need to inform my Virtual Service in some way to not route through the envoy proxy, but just forward requests directly to the k8s service endpoint - as if it were a VM external to the mesh. I do have TLS terminating at the gateway - the k8s service itself is just exposed inside the cluster on port 80.

Currently, there is no envoy sidecar for Windows containers, but from the k8s perspective, this is just another service in the same cluster Istio is running in.

http-gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
  name: http-gateway
  namespace: istio-system
spec:
  selector:    
    istio: ingressgateway
  servers:
  - hosts:
    - "*.myapp.com"
    port:
      number: 80
      name: http-80-gateway
      protocol: HTTP
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - hosts:
    - "*.myapp.com"
    port:
      number: 443
      name: https-443-gateway
      protocol: HTTPS
    tls:
      credentialName: cert-azure-dns
      privateKey: sds
      serverCertificate: sds
      mode: SIMPLE

virtual-service.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-vsvc
  namespace: myapp-ns
spec:
  hosts:
  - foo #external DNS name is foo.myapp.com; gateway host for HTTPS is '*.myapp.com'
  gateways:
  - istio-system/http-gateway
  http:
  - route:
    - destination:
        host: myapp-svc.myapp-ns.svc.cluster.local
        port:
          number: 80

Attempting an Envoy passthrough, I've added a ServiceEntry like the following:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myapp-se
  namespace: myapp-ns
spec:
  hosts:
  - myapp-svc.myapp-ns.svc.cluster.local
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL

The server response is a 404 with a "server" header value of "istio-envoy".

DNS is resolving to the gateway correctly and the acme cert is valid - so this error usually indicates I've made it to the Virtual Service, but haven't been routed to a cluster service. In Kiali, there are no Istio validation errors on any of my yaml definitions: virtual service, service entry or gateway.

My global.outboundTrafficPolicy.mode is set to "ALLOW_ANY".

I wonder if declaring "EXTERNAL_MESH" for a cluster service is a problem? Istio knows the k8s service exists, so is it trying to give priority to routing to the envoy sidecar and ignoring my service entry registration?

There is an option to bypass envoy altogether for specific IP ranges, which would be an option if I could somehow set a static IP on this particular cluster service. I want to bypass envoy for ingress to this one cluster service.

You would use the ServiceEntry to do that:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL

https://istio.io/docs/tasks/traffic-management/egress/egress-control/

I could have sworn I tried this before, but apparently all I needed to provide was a simple Virtual Service without any Destination Rule or Service Entry.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-vsvc
  namespace: myapp-ns
spec:
  hosts:
  - foo.myapp.com 
  gateways:
  - istio-system/http-gateway
  http:
  - route:
    - destination:
        host: myapp-svc.myapp-ns.svc.cluster.local
        port:
          number: 80
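An added check, not part of the question or the answers, of the Istio host-matching rule behind the working manifest: a VirtualService host with no dot (`foo`) is read relative to the VirtualService's own namespace and expands to `foo.myapp-ns.svc.cluster.local`, which no `*.myapp.com` server on the Gateway covers, so Envoy has no route and answers 404; the FQDN `foo.myapp.com` does match. The Gateway and VirtualService dicts are constructed here to mirror the manifests above, reduced to the fields the rule needs.

```python
from typing import List, Tuple

# Constructed manifests mirroring the question's Gateway and both VirtualService
# versions (only the fields the host-matching rule needs).
GATEWAY = {"spec": {"servers": [{"hosts": ["*.myapp.com"]}, {"hosts": ["*.myapp.com"]}]}}
VS_SHORT = {"metadata": {"namespace": "myapp-ns"}, "spec": {"hosts": ["foo"]}}
VS_FQDN = {"metadata": {"namespace": "myapp-ns"}, "spec": {"hosts": ["foo.myapp.com"]}}

CLUSTER_DOMAIN = "svc.cluster.local"


def expand_host(host: str, namespace: str) -> str:
    """Istio's short-name rule: a host with no dot is read relative to the
    VirtualService's own namespace, i.e. <host>.<namespace>.svc.cluster.local."""
    if host == "*" or "." in host:
        return host
    return f"{host}.{namespace}.{CLUSTER_DOMAIN}"


def host_matches(server_host: str, vs_host: str) -> bool:
    """Does a Gateway server host ('*', '*.domain' or an exact name) cover vs_host?"""
    if server_host == "*":
        return True
    if server_host.startswith("*."):
        suffix = server_host[1:]  # '*.myapp.com' -> '.myapp.com'
        return vs_host.endswith(suffix) and len(vs_host) > len(suffix)
    return server_host == vs_host


def check_binding(gateway: dict, vsvc: dict) -> List[Tuple[str, str, bool]]:
    """For each VirtualService host return (as written, expanded, routable).
    A host no Gateway server covers gets no Envoy route: requests for that
    authority reach the ingress gateway and are answered 404 by istio-envoy."""
    namespace = vsvc["metadata"]["namespace"]
    server_hosts = [h for server in gateway["spec"]["servers"] for h in server["hosts"]]
    report = []
    for host in vsvc["spec"]["hosts"]:
        expanded = expand_host(host, namespace)
        routable = any(host_matches(s, expanded) for s in server_hosts)
        report.append((host, expanded, routable))
    return report


if __name__ == "__main__":
    for label, vs in (("hosts: [foo]", VS_SHORT), ("hosts: [foo.myapp.com]", VS_FQDN)):
        for host, expanded, routable in check_binding(GATEWAY, vs):
            print(f"{label}: {host!r} -> {expanded} routable={routable}")
```

The same mismatch is what `istioctl analyze` reports for a VirtualService whose hosts no bound Gateway server covers; running it is the quick check before redeploying.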

