控制 Egress 流量任务展示了如何配置 Istio 以允许网格内部的应用程序访问外部 HTTP 和 HTTPS 服务,但那个任务实际上是通过 sidecar 直接调用的外部服务。而这个示例会展示如何配置 Istio 以通过专用的 egress gateway 服务间接调用外部服务。
Istio 使用 Ingress and Egress gateways 配置运行在服务网格边缘的负载均衡。 Ingress gateway 允许您定义网格所有入站流量的入口。Egress gateway 是一个与 Ingress gateway 对称的概念,它定义了网格的出口。Egress gateway 允许您将 Istio 的功能(例如,监视和路由规则)应用于网格的出站流量。
1、定义 Egress gateway 并引导 HTTP 流量
1.1)首先创建一个 ServiceEntry,允许流量直接访问一个外部服务。此时如果直接访问是通过sidecar直接请求的,匹配上对应的host
kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: cnn spec: hosts: - edition.cnn.com ports: - number: 80 name: http-port protocol: HTTP - number: 443 name: https protocol: HTTPS resolution: DNS EOF
1.2)为 edition.cnn.com 端口 80 创建 egress Gateway。并为指向 egress gateway 的流量创建一个 destination rule。
kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: istio-egressgateway spec: selector: istio: egressgateway servers: - port: number: 80 name: http protocol: HTTP hosts: - edition.cnn.com --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: egressgateway-for-cnn spec: host: istio-egressgateway.istio-system.svc.cluster.local subsets: - name: cnn EOF
1.3)定义一个 VirtualService,将流量从 sidecar 引导至 Egress Gateway,再从 Egress Gateway 引导至外部服务
kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: direct-cnn-through-egress-gateway spec: hosts: - edition.cnn.com gateways: - istio-egressgateway - mesh http: - match: - gateways: - mesh port: 80 route: - destination: host: istio-egressgateway.istio-system.svc.cluster.local subset: cnn port: number: 80 weight: 100 - match: - gateways: - istio-egressgateway port: 80 route: - destination: host: edition.cnn.com port: number: 80 weight: 100 EOF
1.2和1.3 配置不太好理解,gw mesh是什么,参考https://istio.io/v1.12/zh/docs/reference/config/networking/virtual-service/#VirtualService
The reserved word mesh is used to imply all the sidecars in the mesh. When this field is omitted, the default gateway (mesh) will be used, which would apply the rule to all sidecars in the mesh.
所以上述配置的流量流向大概是,从所有sidecars出来的流量默认走mesh,此时匹配上dr的规则,然后mesh将流量传入istio-egressgateway,当流量从istio-egressgateway出来时,匹配上edition.cnn.com,流量去往目的地。
测试过程中对vr的subset处和dr的subset处有一点疑点,对原本的配置做了修改进行了测试。忘记了出口流量是怎么匹配上se的cnn的,回想当初也没有直接匹配上metadata的name,后来发现请求cnn的时候唯一关联的信息只有se.spec.hosts
kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: cnn spec: hosts: - edition.cnn.com ports: - number: 80 name: http-port protocol: HTTP - number: 443 name: https protocol: HTTPS resolution: DNS EOF --- kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: istio-egressgateway spec: selector: istio: egressgateway servers: - port: number: 80 name: http protocol: HTTP hosts: - edition.cnn.com EOF --- kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: egressgateway-for-cnn spec: host: istio-egressgateway.istio-system.svc.cluster.local subsets: - name: nicaicai EOF --- kubectl apply -f - <<EOF apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: direct-cnn-through-egress-gateway spec: hosts: - edition.cnn.com gateways: - istio-egressgateway - mesh http: - match: - gateways: - mesh port: 80 route: - destination: host: istio-egressgateway.istio-system.svc.cluster.local subset: nicaicai port: number: 80 weight: 100 - match: - gateways: - istio-egressgateway port: 80 route: - destination: host: edition.cnn.com port: number: 80 weight: 100 EOF
2、用 Egress gateway 发起 HTTPS 请求
与上面差不多,参考 https://istio.io/latest/zh/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic
3、应用 Kubernetes 网络策略
https://istio.io/latest/zh/docs/tasks/traffic-management/egress/egress-gateway/#apply-Kubernetes-network-policies