每周阅读(3/11/2019)

字数 305阅读 16

Hand-crafting a Sidecar Proxy like Istio

如何实现 sidecar 模式?文中用 golang 实现了一个示例:

  • 用 sidecar 容器代理流量和转发
  • 用 init 容器修改 iptable 实现流量拦截

Istio v1.10 sidecar 资源

1.10 有一个对于提高 pilot 和代理性能的新增资源配置 - Sidecar。

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: prod-us1
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: somename
    defaultEndpoint: unix:///var/run/someuds.sock
  egress:
  - hosts:
    - "istio-system/*"
  - port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    hosts:
    - "prod-us1/*"

Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the workload it is attached to. By default, Istio will program all sidecar proxies in the mesh with the necessary configuration required to reach every workload in the mesh, as well as accept traffic on all the ports associated with the workload. The Sidecar resource provides a way to fine tune the set of ports, protocols that the proxy will accept when forwarding traffic to and from the workload. In addition, it is possible to restrict the set of services that the proxy can reach when forwarding outbound traffic from the workload.

目前版本中,Sidecar 会包含整个网格内的服务信息,在 1.1 中,新建了 Sidecar 资源,通过对这一 CRD 的配置,不但能够限制 Sidecar 的相关服务的数量,从而降低资源占用,提高传播效率;还能方便的对 Sidecar 的代理行为做出更多的精细控制——例如对 Ingress 场景中的被代理端点的配置能力。

推荐阅读更多精彩内容