[root@xksnode1 ~]# nsenter -t 16495 -n iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N ISTIO_INBOUND
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-N ISTIO_REDIRECT
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT   # 目标地址不是 127.0.0.1、经 lo 通信、属主为 uid 1337（envoy 自身对外发出）的流量：转到入向重定向链
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
[root@xksmaster1 ~]# kubectl exec demoappv10-54757f48d6-vwr4k -c istio-proxy -- pilot-agent request GET /listeners   # 或者 request GET /clusters
90a2c7dd-6d69-481f-bd28-832340de8522::0.0.0.0:15090
58a59bb0-0d5c-41bb-9c14-d1c5fd2c8cc2::0.0.0.0:15021
10.96.0.1_443::10.96.0.1:443
10.108.113.206_15443::10.108.113.206:15443
10.110.214.145_443::10.110.214.145:443
10.106.118.36_443::10.106.118.36:443
10.108.113.206_443::10.108.113.206:443
10.96.0.10_53::10.96.0.10:53
10.110.214.145_15012::10.110.214.145:15012
10.108.113.206_31400::10.108.113.206:31400
10.108.113.206_15021::10.108.113.206:15021
0.0.0.0_8080::0.0.0.0:8080
10.96.0.10_9153::10.96.0.10:9153
10.96.128.159_443::10.96.128.159:443
0.0.0.0_15010::0.0.0.0:15010
0.0.0.0_15014::0.0.0.0:15014
0.0.0.0_9090::0.0.0.0:9090
0.0.0.0_8082::0.0.0.0:8082
10.103.71.204_8000::10.103.71.204:8000
0.0.0.0_80::0.0.0.0:80
0.0.0.0_20001::0.0.0.0:20001
virtualOutbound::0.0.0.0:15001
virtualInbound::0.0.0.0:15006
#入向流量如何处理（15006 端口上的 virtualInbound 侦听器）
[root@xksmaster1 ~]# istioctl pc listeners demoappv10-54757f48d6-lvtn9 --port 15006
ADDRESS PORT MATCH DESTINATION
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: istio,istio-peer-exchange,istio-http/1.0,istio-http/1.1,istio-h2; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:8080 Cluster: inbound|8080||
[root@xksmaster1 ~]# istioctl pc clusters demoappv10-54757f48d6-lvtn9 --fqdn demoapp.default
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
demoapp.default.svc.cluster.local 8080 - outbound EDS demoapp.default
demoapp.default.svc.cluster.local 8080 v10 outbound EDS demoapp.default
demoapp.default.svc.cluster.local 8080 v11 outbound EDS demoapp.default
#istio-proxy 中的 Cluster 列表
[root@xksmaster1 ~]# kubectl exec demoappv10-54757f48d6-lvtn9 -c istio-proxy -- curl -s 127.0.0.1:15000/clusters | grep -o "^[^:]\+" | sort -u
agent
BlackHoleCluster
inbound|8080||
InboundPassthroughClusterIpv4
outbound|15010||istiod.istio-system.svc.cluster.local
outbound|15012||istiod.istio-system.svc.cluster.local
outbound|15014||istiod.istio-system.svc.cluster.local
outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
outbound|20001||kiali.istio-system.svc.cluster.local
outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
outbound|443||istiod.istio-system.svc.cluster.local
outbound|443||istio-egressgateway.istio-system.svc.cluster.local
outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
outbound|443||kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
outbound|443||kubernetes.default.svc.cluster.local
outbound|53||kube-dns.kube-system.svc.cluster.local
outbound|8000||dashboard-metrics-scraper.kubernetes-dashboard.svc.cluster.local
outbound|8080||demoapp.default.svc.cluster.local
outbound|8080|v10|demoapp.default.svc.cluster.local
outbound|8080|v11|demoapp.default.svc.cluster.local
outbound|8082||backend.default.svc.cluster.local
outbound|80||istio-egressgateway.istio-system.svc.cluster.local
outbound|80||istio-ingressgateway.istio-system.svc.cluster.local
outbound|80||proxy.default.svc.cluster.local
outbound|80||sleep.default.svc.cluster.local
outbound|9090||kiali.istio-system.svc.cluster.local
outbound|9090||prometheus.istio-system.svc.cluster.local
outbound|9153||kube-dns.kube-system.svc.cluster.local
PassthroughCluster
prometheus_stats
sds-grpc
xds-grpc
zipkin
通过修改 Sidecar 资源，只为工作负载配置其特定需要的侦听器
#查看 proxy 的 labels，然后在下面的 workloadSelector 中引用它们
[root@xksmaster1 ~]# kubectl get pods --show-labels | grep proxy
proxy-645cd54b84-xsrx8 2/2 Running 4 (4h36m ago) 4d app=proxy,pod-template-hash=645cd54b84,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=proxy,service.istio.io/canonical-revision=latest
#配置Sidecar配置文件
[root@xksmaster1 ~]# cat sidecar-demo-test.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: proxy-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: proxy
  egress:
  - hosts:
    - "./*"
[root@xksmaster1 ~]# kubectl apply -f sidecar-demo-test.yaml
sidecar.networking.istio.io/proxy-sidecar unchanged
#查看：当前只能看到 default 名称空间下的侦听器（egress 仅包含 ./*）
[root@xksmaster1 ~]# istioctl pc listeners proxy-645cd54b84-xsrx8
ADDRESS PORT MATCH DESTINATION
0.0.0.0 80 Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0 80 ALL PassthroughCluster
10.96.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
0.0.0.0 8080 Trans: raw_buffer; App: http/1.1,h2c Route: 8080
0.0.0.0 8080 ALL PassthroughCluster
0.0.0.0 8082 Trans: raw_buffer; App: http/1.1,h2c Route: 8082
0.0.0.0 8082 ALL PassthroughCluster
0.0.0.0 15001 ALL PassthroughCluster
0.0.0.0 15001 Addr: *:15001 Non-HTTP/Non-TCP
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: istio,istio-peer-exchange,istio-http/1.0,istio-http/1.1,istio-h2; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
#再添加 istio-system/* 后，能够看到 istio-system 名称空间下的侦听器
[root@xksmaster1 ~]# cat sidecar-demo-test.yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: proxy-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: proxy
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
[root@xksmaster1 ~]# kubectl apply -f sidecar-demo-test.yaml
sidecar.networking.istio.io/proxy-sidecar configured
[root@xksmaster1 ~]# istioctl pc listeners proxy-645cd54b84-xsrx8
ADDRESS PORT MATCH DESTINATION
0.0.0.0 80 Trans: raw_buffer; App: http/1.1,h2c Route: 80
0.0.0.0 80 ALL PassthroughCluster
10.106.118.36 443 ALL Cluster: outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.108.113.206 443 ALL Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
10.110.214.145 443 ALL Cluster: outbound|443||istiod.istio-system.svc.cluster.local
10.96.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
0.0.0.0 8080 Trans: raw_buffer; App: http/1.1,h2c Route: 8080
0.0.0.0 8080 ALL PassthroughCluster
0.0.0.0 8082 Trans: raw_buffer; App: http/1.1,h2c Route: 8082
0.0.0.0 8082 ALL PassthroughCluster
0.0.0.0 9090 Trans: raw_buffer; App: http/1.1,h2c Route: 9090
0.0.0.0 9090 ALL PassthroughCluster
0.0.0.0 15001 ALL PassthroughCluster
0.0.0.0 15001 Addr: *:15001 Non-HTTP/Non-TCP
0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP
0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; App: http/1.1,h2c; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: raw_buffer; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4
0.0.0.0 15006 Trans: tls; App: istio,istio-peer-exchange,istio-http/1.0,istio-http/1.1,istio-h2; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:8080 Cluster: inbound|8080||
0.0.0.0 15010 Trans: raw_buffer; App: http/1.1,h2c Route: 15010
0.0.0.0 15010 ALL PassthroughCluster
10.110.214.145 15012 ALL Cluster: outbound|15012||istiod.istio-system.svc.cluster.local
0.0.0.0 15014 Trans: raw_buffer; App: http/1.1,h2c Route: 15014
0.0.0.0 15014 ALL PassthroughCluster
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
10.108.113.206 15021 Trans: raw_buffer; App: http/1.1,h2c Route: istio-ingressgateway.istio-system.svc.cluster.local:15021
10.108.113.206 15021 ALL Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
10.108.113.206 15443 ALL Cluster: outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0 20001 Trans: raw_buffer; App: http/1.1,h2c Route: 20001
0.0.0.0 20001 ALL PassthroughCluster
10.108.113.206 31400 ALL Cluster: outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local