- Mirroring
- Before you begin
- Creating a default routing policy
- Mirroring traffic to v2
- Cleanup
- See also
Mirroring

This task demonstrates the traffic mirroring capabilities of Istio.

Traffic mirroring, also called shadowing, is a powerful way to bring changes to production with as little risk as possible. Mirroring sends a copy of live traffic to a mirrored service. The mirrored traffic happens out of band of the critical request path for the primary service.

In this task, you will first force all traffic to v1 of a test service. Then, you will apply a rule to mirror a portion of the traffic to v2.
Before you begin

Set up Istio by following the instructions in the Installation guide.

Start by deploying two versions of the httpbin service that have access logging enabled:

httpbin-v1:

```bash
$ cat <<EOF | istioctl kube-inject -f - | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-v1
spec:
  replicas: 1
  selector:            # apps/v1 Deployments must declare the pods they manage
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        # "--access-logfile -" writes one access-log line per request to stdout
        command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:80", "httpbin:app"]
        ports:
        - containerPort: 80
EOF
```

httpbin-v2:

```bash
$ cat <<EOF | istioctl kube-inject -f - | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-v2
spec:
  replicas: 1
  selector:            # apps/v1 Deployments must declare the pods they manage
    matchLabels:
      app: httpbin
      version: v2
  template:
    metadata:
      labels:
        app: httpbin
        version: v2
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:80", "httpbin:app"]
        ports:
        - containerPort: 80
EOF
```

httpbin Kubernetes service:

```bash
$ kubectl create -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
EOF
```

- Start the sleep service so you can use curl to provide load:

sleep service:

```bash
$ cat <<EOF | istioctl kube-inject -f - | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:            # apps/v1 Deployments must declare the pods they manage
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
        imagePullPolicy: IfNotPresent
EOF
```
Creating a default routing policy

By default, Kubernetes load balances across both versions of the httpbin service. In this step, you will change that behavior so that all traffic goes to v1.

- Create a default route rule to route all traffic to v1 of the service:

If you enabled mutual TLS authentication when installing or configuring Istio, you must add the TLS traffic policy mode: ISTIO_MUTUAL to the DestinationRule before applying it. Otherwise, requests will fail with 503 errors, as described in Set destination rule 503 errors.

```bash
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
    - httpbin
  http:
  - route:
    - destination:
        host: httpbin
        subset: v1
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
spec:
  host: httpbin
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
EOF
```

Now all traffic goes to the httpbin:v1 service.

- Send some traffic to the service:

```bash
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
$ kubectl exec -it $SLEEP_POD -c sleep -- sh -c 'curl http://httpbin:8000/headers' | python -m json.tool
{
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin:8000",
    "User-Agent": "curl/7.35.0",
    "X-B3-Sampled": "1",
    "X-B3-Spanid": "eca3d7ed8f2e6a0a",
    "X-B3-Traceid": "eca3d7ed8f2e6a0a",
    "X-Ot-Span-Context": "eca3d7ed8f2e6a0a;eca3d7ed8f2e6a0a;0000000000000000"
  }
}
```

- Check the logs of the v1 and v2 pods of the httpbin service. You should see access-log entries for v1 and none for v2 (shown as <none>):

```bash
$ export V1_POD=$(kubectl get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})
$ kubectl logs -f $V1_POD -c httpbin
127.0.0.1 - - [07/Mar/2018:19:02:43 +0000] "GET /headers HTTP/1.1" 200 321 "-" "curl/7.35.0"
```

```bash
$ export V2_POD=$(kubectl get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})
$ kubectl logs -f $V2_POD -c httpbin
<none>
```
Mirroring traffic to v2

- Change the route rule to mirror traffic to v2:

```bash
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
    - httpbin
  http:
  - route:
    - destination:
        host: httpbin
        subset: v1
      weight: 100
    mirror:
      host: httpbin
      subset: v2
    mirror_percent: 100
EOF
```

This route rule sends 100% of the traffic to v1. The last stanza specifies that you want to mirror to the httpbin:v2 service. When traffic gets mirrored, the requests are sent to the mirrored service with their Host/Authority header value appended with -shadow. For example, cluster-1 becomes cluster-1-shadow.

Also, it is important to note that these requests are mirrored as "fire and forget", which means that the responses to the mirrored requests are discarded.

You can use the mirror_percent field to mirror a fraction of the traffic instead of mirroring all requests. If this field is absent, all traffic will be mirrored, for compatibility with older versions.
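Because mirrored responses are discarded, the only place the effect of mirror_percent is visible is in the access logs of the two pods. The following script, an added example that is not part of the Istio task, counts the gunicorn access-log entries of the primary (v1) and mirror (v2) pods and checks that the observed mirror share is within a tolerance of the configured mirror_percent. It works for any percentage, not only the 100 used above. The logs it parses are constructed here; in a cluster they would come from `kubectl logs $V1_POD -c httpbin` and `kubectl logs $V2_POD -c httpbin`.

```shell
#!/bin/sh
# Added example, not part of the Istio task: estimate the share of primary
# requests that also reached the mirror from the gunicorn access logs of the
# v1 (primary) and v2 (mirror) pods, and compare it with mirror_percent.
# The sample logs below are constructed.

# Count access-log entries in the text passed as $1. gunicorn writes one
# line per request, e.g.
#   127.0.0.1 - - [07/Mar/2018:19:26:44 +0000] "GET /headers HTTP/1.1" 200 321 "-" "curl/7.35.0"
# Lines such as "<none>" from an idle pod are not counted.
count_requests() {
    printf '%s\n' "$1" | grep -c '^[0-9.]* - - \[[^]]*\] "[A-Z]* [^"]* HTTP/1\.[01]" [0-9]*' || true
}

# Observed mirror percentage (integer): mirror requests per 100 primary requests.
observed_mirror_percent() {
    primary=$(count_requests "$1")
    mirror=$(count_requests "$2")
    if [ "$primary" -eq 0 ]; then
        echo 0
    else
        echo $(( mirror * 100 / primary ))
    fi
}

# Exit 0 when the observed percentage is within $4 points (default 10) of
# the expected mirror_percent passed as $3; a pod that was restarted or a
# long sampling window can make the two logs disagree by a few requests.
mirror_percent_ok() {
    observed=$(observed_mirror_percent "$1" "$2")
    tolerance=${4:-10}
    diff=$(( observed - $3 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$tolerance" ]
}

# Constructed sample logs: 10 requests on v1, 5 on v2 (as if mirror_percent: 50),
# and the "<none>" an idle v2 pod shows when nothing is mirrored.
make_log() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '127.0.0.1 - - [07/Mar/2018:19:26:%02d +0000] "GET /headers HTTP/1.1" 200 321 "-" "curl/7.35.0"\n' "$i"
        i=$(( i + 1 ))
    done
}
SAMPLE_V1_LOG=$(make_log 10)
SAMPLE_V2_LOG=$(make_log 5)
SAMPLE_V2_IDLE_LOG='<none>'

if mirror_percent_ok "$SAMPLE_V1_LOG" "$SAMPLE_V2_LOG" 50; then
    echo "mirror share $(observed_mirror_percent "$SAMPLE_V1_LOG" "$SAMPLE_V2_LOG")% matches mirror_percent: 50"
fi
if ! mirror_percent_ok "$SAMPLE_V1_LOG" "$SAMPLE_V2_IDLE_LOG" 100; then
    echo "no mirrored requests reached v2 although mirror_percent: 100 was configured"
fi
```

The tolerance argument matters in practice: the two logs are read at slightly different moments, so an exact match should not be expected, but a mirror log that stays at `<none>` after traffic was sent means the rule is not in effect.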
- Send in traffic:

```bash
$ kubectl exec -it $SLEEP_POD -c sleep -- sh -c 'curl http://httpbin:8000/headers' | python -m json.tool
```

Now you should see access logging for both v1 and v2. The access-log entries created in v2 are the mirrored requests; the requests themselves are actually going to v1.

```bash
$ kubectl logs -f $V1_POD -c httpbin
127.0.0.1 - - [07/Mar/2018:19:02:43 +0000] "GET /headers HTTP/1.1" 200 321 "-" "curl/7.35.0"
127.0.0.1 - - [07/Mar/2018:19:26:44 +0000] "GET /headers HTTP/1.1" 200 321 "-" "curl/7.35.0"
```

```bash
$ kubectl logs -f $V2_POD -c httpbin
127.0.0.1 - - [07/Mar/2018:19:26:44 +0000] "GET /headers HTTP/1.1" 200 361 "-" "curl/7.35.0"
```
- If you want to look inside the traffic, run the following commands in another console:

```bash
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
$ export V1_POD_IP=$(kubectl get pod -l app=httpbin -l version=v1 -o jsonpath={.items..status.podIP})
$ export V2_POD_IP=$(kubectl get pod -l app=httpbin -l version=v2 -o jsonpath={.items..status.podIP})
$ kubectl exec -it $SLEEP_POD -c istio-proxy -- sudo tcpdump -A -s 0 host $V1_POD_IP or host $V2_POD_IP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:47:50.159513 IP sleep-7b9f8bfcd-2djx5.38836 > 10-233-75-11.httpbin.default.svc.cluster.local.80: Flags [P.], seq 4039989036:4039989832, ack 3139734980, win 254, options [nop,nop,TS val 77427918 ecr 76730809], length 796: HTTP: GET /headers HTTP/1.1
E..P2.X.X.X..K..K....P..W,.$.......+.......t.....GET /headers HTTP/1.1
host: httpbin:8000
user-agent: curl/7.35.0
accept: */*
x-forwarded-proto: http
x-request-id: 571c0fd6-98d4-4c93-af79-6a2fe2945847
x-envoy-decorator-operation: httpbin.default.svc.cluster.local:8000/*
x-b3-traceid: 82f3e0a76dcebca2
x-b3-spanid: 82f3e0a76dcebca2
x-b3-sampled: 0
x-istio-attributes: Cj8KGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIjEiFodHRwYmluLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwKPQoXZGVzdGluYXRpb24uc2VydmljZS51aWQSIhIgaXN0aW86Ly9kZWZhdWx0L3NlcnZpY2VzL2h0dHBiaW4KKgodZGVzdGluYXRpb24uc2VydmljZS5uYW1lc3BhY2USCRIHZGVmYXVsdAolChhkZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWUSCRIHaHR0cGJpbgo6Cgpzb3VyY2UudWlkEiwSKmt1YmVybmV0ZXM6Ly9zbGVlcC03YjlmOGJmY2QtMmRqeDUuZGVmYXVsdAo6ChNkZXN0aW5hdGlvbi5zZXJ2aWNlEiMSIWh0dHBiaW4uZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbA==
content-length: 0

05:47:50.159609 IP sleep-7b9f8bfcd-2djx5.49560 > 10-233-71-7.httpbin.default.svc.cluster.local.80: Flags [P.], seq 296287713:296288571, ack 4029574162, win 254, options [nop,nop,TS val 77427918 ecr 76732809], length 858: HTTP: GET /headers HTTP/1.1
E.....X.X....K..G....P......l......e.......t.....GET /headers HTTP/1.1
host: httpbin-shadow:8000
user-agent: curl/7.35.0
accept: */*
x-forwarded-proto: http
x-request-id: 571c0fd6-98d4-4c93-af79-6a2fe2945847
x-envoy-decorator-operation: httpbin.default.svc.cluster.local:8000/*
x-b3-traceid: 82f3e0a76dcebca2
x-b3-spanid: 82f3e0a76dcebca2
x-b3-sampled: 0
x-istio-attributes: Cj8KGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIjEiFodHRwYmluLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwKPQoXZGVzdGluYXRpb24uc2VydmljZS51aWQSIhIgaXN0aW86Ly9kZWZhdWx0L3NlcnZpY2VzL2h0dHBiaW4KKgodZGVzdGluYXRpb24uc2VydmljZS5uYW1lc3BhY2USCRIHZGVmYXVsdAolChhkZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWUSCRIHaHR0cGJpbgo6Cgpzb3VyY2UudWlkEiwSKmt1YmVybmV0ZXM6Ly9zbGVlcC03YjlmOGJmY2QtMmRqeDUuZGVmYXVsdAo6ChNkZXN0aW5hdGlvbi5zZXJ2aWNlEiMSIWh0dHBiaW4uZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbA==
x-envoy-internal: true
x-forwarded-for: 10.233.75.12
content-length: 0

05:47:50.166734 IP 10-233-75-11.httpbin.default.svc.cluster.local.80 > sleep-7b9f8bfcd-2djx5.38836: Flags [P.], seq 1:472, ack 796, win 276, options [nop,nop,TS val 77427925 ecr 77427918], length 471: HTTP: HTTP/1.1 200 OK
E....3X.?....K..K..P...$....ZH.............t...t.HTTP/1.1 200 OK
server: envoy
date: Fri, 15 Feb 2019 05:47:50 GMT
content-type: application/json
content-length: 241
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 3

{
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin:8000",
    "User-Agent": "curl/7.35.0",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "82f3e0a76dcebca2",
    "X-B3-Traceid": "82f3e0a76dcebca2"
  }
}

05:47:50.166789 IP sleep-7b9f8bfcd-2djx5.38836 > 10-233-75-11.httpbin.default.svc.cluster.local.80: Flags [.], ack 472, win 262, options [nop,nop,TS val 77427925 ecr 77427925], length 0
E..42.X.X.\..K..K....P..ZH.$...............t...t.

05:47:50.167234 IP 10-233-71-7.httpbin.default.svc.cluster.local.80 > sleep-7b9f8bfcd-2djx5.49560: Flags [P.], seq 1:512, ack 858, win 280, options [nop,nop,TS val 77429926 ecr 77427918], length 511: HTTP: HTTP/1.1 200 OK
E..3..X.>....G..K..P....l....;.............|...t.HTTP/1.1 200 OK
server: envoy
date: Fri, 15 Feb 2019 05:47:49 GMT
content-type: application/json
content-length: 281
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 3

{
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin-shadow:8000",
    "User-Agent": "curl/7.35.0",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "82f3e0a76dcebca2",
    "X-B3-Traceid": "82f3e0a76dcebca2",
    "X-Envoy-Internal": "true"
  }
}

05:47:50.167253 IP sleep-7b9f8bfcd-2djx5.49560 > 10-233-71-7.httpbin.default.svc.cluster.local.80: Flags [.], ack 512, win 262, options [nop,nop,TS val 77427926 ecr 77429926], length 0
E..4..X.X....K..G....P...;..n..............t...|.
```

You can see both the request and response content of the traffic. Note that the mirrored copy differs from the original only in its host header (httpbin-shadow:8000 instead of httpbin:8000) and the added x-envoy-internal and x-forwarded-for headers; both copies carry the same x-request-id, and the sidecar still receives, and discards, the mirror's response.
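A practitioner reviewing such a capture usually wants two things: to tell mirrored requests from originals so that they are not double counted, and to confirm that every shadow copy can be paired with an original (a shadow request with no original in the capture points at something other than this mirror rule generating traffic). The script below, an added example that is not part of the Istio task, reads a `tcpdump -A` text dump and does both, using the two markers visible in the capture above: the -shadow suffix on the host header and the shared x-request-id. The dump it parses is constructed from the capture above, trimmed to the lines that matter; in a cluster the dump would be saved from the tcpdump command shown.

```shell
#!/bin/sh
# Added example, not part of the Istio task: pick the HTTP requests out of a
# `tcpdump -A` text dump and separate the mirrored copies from the originals.
# Istio appends -shadow to the Host/Authority header of a mirrored request,
# and in the capture above both copies carry the same x-request-id; that is
# what the correlation check below relies on. The dumps are constructed.

# Print one "host request-id" line per HTTP request in the dump ($1).
# A packet starts at a tcpdump timestamp line; a request is a packet that
# carries a host: header. Response packets print nothing.
request_table() {
    printf '%s\n' "$1" | awk '
        function emit() { if (host != "") print host, rid; host = ""; rid = "" }
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / { emit(); next }
        tolower($0) ~ /^host: /         { host = $2 }
        tolower($0) ~ /^x-request-id: / { rid = $2 }
        END { emit() }'
}

# Number of mirrored requests: host value ends in -shadow, optionally with :port.
shadow_request_count() {
    request_table "$1" | grep -cE '^[^ ]*-shadow(:[0-9]+)? ' || true
}

# Number of original requests: every request that is not a shadow copy.
primary_request_count() {
    request_table "$1" | grep -cvE '^[^ ]*-shadow(:[0-9]+)? ' || true
}

# Print request ids seen on a shadow copy but on no original request.
# An empty result means every mirrored request pairs with its original.
uncorrelated_shadow_ids() {
    request_table "$1" | awk '
        $1 ~ /-shadow(:[0-9]+)?$/ { shadow[$2] = 1; next }
        { primary[$2] = 1 }
        END { for (id in shadow) if (!(id in primary)) print id }'
}

# Exit 0 when all shadow copies in the dump pair with an original request.
correlate_shadow_requests() {
    [ -z "$(uncorrelated_shadow_ids "$1")" ]
}

# Constructed dump: the original, its mirrored copy and one response.
SAMPLE_DUMP=$(cat <<'EOF'
05:47:50.159513 IP sleep-7b9f8bfcd-2djx5.38836 > 10-233-75-11.httpbin.default.svc.cluster.local.80: Flags [P.], length 796: HTTP: GET /headers HTTP/1.1
E..P....GET /headers HTTP/1.1
host: httpbin:8000
user-agent: curl/7.35.0
x-request-id: 571c0fd6-98d4-4c93-af79-6a2fe2945847
content-length: 0
05:47:50.159609 IP sleep-7b9f8bfcd-2djx5.49560 > 10-233-71-7.httpbin.default.svc.cluster.local.80: Flags [P.], length 858: HTTP: GET /headers HTTP/1.1
E.......GET /headers HTTP/1.1
host: httpbin-shadow:8000
user-agent: curl/7.35.0
x-request-id: 571c0fd6-98d4-4c93-af79-6a2fe2945847
x-envoy-internal: true
content-length: 0
05:47:50.166734 IP 10-233-75-11.httpbin.default.svc.cluster.local.80 > sleep-7b9f8bfcd-2djx5.38836: Flags [P.], length 471: HTTP: HTTP/1.1 200 OK
E.......HTTP/1.1 200 OK
server: envoy
content-type: application/json
{"headers": {"Host": "httpbin:8000", "X-B3-Traceid": "82f3e0a76dcebca2"}}
EOF
)
# Constructed dump with a shadow copy whose original never appears.
ORPHAN_DUMP=$(cat <<'EOF'
05:48:01.000000 IP sleep-7b9f8bfcd-2djx5.49561 > 10-233-71-7.httpbin.default.svc.cluster.local.80: Flags [P.], length 858: HTTP: GET /headers HTTP/1.1
E.......GET /headers HTTP/1.1
host: httpbin-shadow:8000
x-request-id: 00000000-0000-4000-8000-000000000001
content-length: 0
EOF
)

echo "originals: $(primary_request_count "$SAMPLE_DUMP"), shadow copies: $(shadow_request_count "$SAMPLE_DUMP")"
if ! correlate_shadow_requests "$ORPHAN_DUMP"; then
    echo "shadow copies without an original: $(uncorrelated_shadow_ids "$ORPHAN_DUMP")"
fi
```

The same host-suffix test is what a mirror target's own logging or metrics should key on: counting the v2 access log as real user traffic, or letting v2 act on a request whose response is discarded anyway, are the two mistakes the -shadow marker exists to prevent.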
Cleanup

- Remove the rules:

```bash
$ kubectl delete virtualservice httpbin
$ kubectl delete destinationrule httpbin
```

- Shut down the httpbin service and client:

```bash
$ kubectl delete deploy httpbin-v1 httpbin-v2 sleep
$ kubectl delete svc httpbin
```

See also
Traffic Mirroring with Istio for Testing in Production
An introduction to safer, lower-risk deployments and release to production.
Istio as a Proxy for External Services
Configure Istio ingress gateway to act as a proxy for external services.
Multi-mesh deployments for isolation and boundary protection
Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.
Secure Control of Egress Traffic in Istio, part 3
Comparison of alternative solutions to control egress traffic including performance considerations.
Secure Control of Egress Traffic in Istio, part 2
Use Istio Egress Traffic Control to prevent attacks involving egress traffic.
Secure Control of Egress Traffic in Istio, part 1
Attacks involving egress traffic and requirements for egress traffic control.
