案例背景
- 为了便于测试,我们用非网格化的名称空间中运行的应用来模拟运行于VM/萝服务上的外部服务,假设:
- 在网格外部运行nginx服务,有2个实例
- Nginx2001:监听地址为172.29.1.201:8091,nginx版本为1.20
- nginx2002:监听地址为172.29.1.202:8091,nginx版本为1.20、
- 网格内部default名称空间中的pods/client作为客户端访问该服务
- 在网格外部运行nginx服务,有2个实例
- 请求测试
- 未启用serviceEntry,客户端的请求目标在网格中不存匹配的listener等,因此将由sidercar Envoy通过tcp proxy透传到指定的外部服务
- 这种透传机制,依赖于Sidercar Envoy的默认策略为ALLOW_ANY
案例环境设置
-
环境设置
k8s-master 192.168.170.134 node01 192.168.170.136 node02 192.168.170.133 nginx 192.168.170.137 -
nginx采用docker-compose部署,必须在nginx机器的ens33网卡上绑定几个ip
192.168.170.100 192.168.170.101 192.168.170.102
环境部署
首先将nginx部署在nginx机器,部署方式为docker-compose
version: '3.3'services:nginx2001:image: nginx:1.20-alpinevolumes:- ./html/nginx2001:/usr/share/nginx/html/networks:envoymesh:ipv4_address: 172.31.201.11aliases:- nginxexpose:- "80"ports:- "192.168.170.100:8091:80"nginx2002:image: nginx:1.20-alpinevolumes:- ./html/nginx2002:/usr/share/nginx/html/networks:envoymesh:ipv4_address: 172.31.201.12aliases:- nginxexpose:- "80"ports:- "192.168.170.101:8091:80"nginx2101:image: nginx:1.21-alpinevolumes:- ./html/nginx2101:/usr/share/nginx/html/networks:envoymesh:ipv4_address: 172.31.201.13aliases:- nginx- canaryexpose:- "80"ports:- "192.168.170.102:8091:80"networks:envoymesh:driver: bridgeipam:config:- subnet: 172.31.201.0/24
启动
docker-compose up
-
创建VirtualService和DestinationRule,为ServiceEntry的流量配置高级路由规则
apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata:name: nginx-external spec:hosts:- nginx.icloud2native.comhttp:- name: falut-injectionmatch:- headers:X-Testing:exact: "true"route:- destination:host: nginx.icloud2native.comfault:delay:percentage:value: 5fixedDelay: 2sabort:percentage:value: 5httpStatus: 555- name: nginx-externalroute:- destination:host: nginx.icloud2native.comapiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata:name: nginx-external spec:host: nginx.icloud2native.comtrafficPolicy:loadBalancer:consistentHash:httpHeaderName: X-UserconnectionPool:tcp:maxConnections: 10000connectTimeout: 10mstcpKeepalive:time: 7200sinterval: 75shttp:http2MaxRequests: 1000maxRequestsPerConnection: 10outlierDetection:maxEjectionPercent: 50consecutive5xxErrors: 5interval: 2mbaseEjectionTime: 1mminHealthPercent: 40
测试
进入到sleep这个容器进行访问
while true; do curl -H 'host: nginx.icloud2native.com' 192.168.170.100:8091;sleep 0.$RANDOM; done
while true; do curl -H 'host: nginx.icloud2native.com' -H "X-Testing: true" 192.168.170.100:8091;sleep 0.$RANDOM; done
会发现定义的vs规则生效,有一部分已经注入故障,在kiali上查看:
