Globally disable retries
Istio retries a failed request twice by default: the mesh-wide defaultHttpRetryPolicy is attempts: 2 with retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes. Automatic retries re-send requests that the upstream may already have processed, which is unsafe for non-idempotent calls, and they multiply load on an upstream that is already failing. To switch them off mesh-wide, set attempts: 0 in the mesh section of the istio ConfigMap in istio-system:
```yaml
apiVersion: v1
data:
  mesh: |-
    ...
    ...
    defaultHttpRetryPolicy:
      attempts: 0
    ...
    ...
```
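Retries are cheap to re-enable where they are safe. A route-level retries block in a VirtualService overrides the mesh-wide default, so after setting attempts: 0 globally you can opt individual idempotent routes back in while everything else stays at zero. The following is an added example, not part of the original page; the service catalog in namespace shop is assumed:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: catalog               # assumed service name
  namespace: shop             # assumed namespace
spec:
  hosts:
  - catalog.shop.svc.cluster.local
  http:
  # Only idempotent reads are retried; the route-level policy overrides the mesh default.
  - match:
    - method:
        exact: GET
    route:
    - destination:
        host: catalog.shop.svc.cluster.local
    retries:
      attempts: 3
      perTryTimeout: 2s
      retryOn: connect-failure,refused-stream,retriable-status-codes
    timeout: 8s               # must cover attempts x perTryTimeout, or later tries never run
  # Everything else (POST, PUT, DELETE, ...) keeps the mesh default of no retries.
  - route:
    - destination:
        host: catalog.shop.svc.cluster.local
```

Keep the route timeout above attempts times perTryTimeout, otherwise the later attempts are cut off by the overall deadline; and remember that even on idempotent routes retries amplify load on a failing upstream, which is the reason the mesh-wide default is zero here.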
Configure access logs globally
Setting accessLogFile to /dev/stdout in the mesh config turns on Envoy access logging for every sidecar and gateway. With accessLogEncoding: JSON, accessLogFormat must be a JSON object that maps field names to Envoy command operators, as in the ConfigMap below. One field in this format, istio_policy_status, reads Mixer metadata; on a mesh without Mixer (removed in Istio 1.8) it always logs "-" and can be dropped.
```yaml
apiVersion: v1
data:
  mesh: |-
    accessLogEncoding: JSON
    accessLogFile: /dev/stdout
    accessLogFormat: "{\"authority\":\"%REQ(:AUTHORITY)%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"downstream_local_address\":\"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\":\"%DOWNSTREAM_REMOTE_ADDRESS%\",\"duration\":\"%DURATION%\",\"istio_policy_status\":\"%DYNAMIC_METADATA(istio.mixer:status)%\",\"method\":\"%REQ(:METHOD)%\",\"path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\":\"%PROTOCOL%\",\"request_id\":\"%REQ(X-REQUEST-ID)%\",\"requested_server_name\":\"%REQUESTED_SERVER_NAME%\",\"response_code\":\"%RESPONSE_CODE%\",\"response_flags\":\"%RESPONSE_FLAGS%\",\"route_name\":\"%ROUTE_NAME%\",\"start_time\":\"%START_TIME%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"upstream_host\":\"%UPSTREAM_HOST%\",\"upstream_local_address\":\"%UPSTREAM_LOCAL_ADDRESS%\",\"upstream_service_time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"upstream_transport_failure_reason\":\"%UPSTREAM_TRANSPORT_FAILURE_REASON%\",\"user_agent\":\"%REQ(USER-AGENT)%\",\"x_forwarded_for\":\"%REQ(X-FORWARDED-FOR)%\"}"
    ...
```
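From Istio 1.12 the same JSON stdout log can also be declared as a named extension provider and switched on, and scoped, through the Telemetry API instead of the global accessLogFile/accessLogFormat pair. That keeps the field set versioned with the mesh config and lets one namespace override the mesh-wide default without touching the ConfigMap. The following is an added example, not from the original page; the provider name json-stdout and the namespace shop are assumptions, and the filter expression requires a release that supports Telemetry access-logging filters:

```yaml
# Mesh config fragment (meshConfig in the IstioOperator, or the `mesh` key of the istio
# ConfigMap): an explicit JSON stdout provider. `labels` makes Envoy emit JSON lines.
meshConfig:
  extensionProviders:
  - name: json-stdout
    envoyFileAccessLog:
      path: /dev/stdout
      logFormat:
        labels:
          start_time: "%START_TIME%"
          method: "%REQ(:METHOD)%"
          path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
          authority: "%REQ(:AUTHORITY)%"
          response_code: "%RESPONSE_CODE%"
          response_flags: "%RESPONSE_FLAGS%"
          request_id: "%REQ(X-REQUEST-ID)%"
          downstream_remote_address: "%DOWNSTREAM_REMOTE_ADDRESS%"
          upstream_host: "%UPSTREAM_HOST%"
          upstream_cluster: "%UPSTREAM_CLUSTER%"
          x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
          user_agent: "%REQ(USER-AGENT)%"
---
# Mesh-wide default: a Telemetry resource in the root namespace applies to every
# sidecar and gateway, so every request is logged to the provider above.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  accessLogging:
  - providers:
    - name: json-stdout
---
# Namespace override (assumed namespace "shop"): a high-volume namespace keeps only
# failed requests. Trade-off: successful requests are no longer available for forensics.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: errors-only
  namespace: shop
spec:
  accessLogging:
  - providers:
    - name: json-stdout
    filter:
      expression: response.code >= 400
```

For incident response the mesh-wide default (everything logged) is the one to keep; request_id, downstream_remote_address, x_forwarded_for and response_flags are the fields that let you follow a single request across hops and tell an upstream failure (UF, URX) from a policy denial (RBAC 403), so do not filter them out where log volume allows.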
Sidecar lifecycle
Starting the application container only after Envoy is ready
In Kubernetes the order in which the containers of a Pod start and become ready is not guaranteed. If the application container is ready while the proxy container is not, the application's traffic fails: the iptables rules already redirect it to the proxy, but nothing is listening yet.
Istio 1.7 introduced the holdApplicationUntilProxyStarts option. It makes the sidecar injector place the sidecar at the head of the Pod's container list and configure it to block the start of every other container until the proxy is ready. The option is disabled by default. (Issue #11130)
How Envoy exits in Istio, and how to configure a graceful exit
By default, after receiving SIGTERM, istio-agent waits for terminationDrainDuration (5s by default) and then exits; because Envoy is a child process of istio-agent, Envoy exits with it. This default can hurt long-running, business-critical requests: connections that are still mid-request are cut off.
Istio 1.12 introduced the environment variable EXIT_ON_ZERO_ACTIVE_CONNECTIONS, which tracks active connections during draining and exits as soon as they drop to zero instead of waiting out the entire drain period. It is disabled by default (issue #34855). Both options are set mesh-wide under defaultConfig in the mesh config:
```yaml
apiVersion: v1
data:
  mesh: |-
    defaultConfig:
      holdApplicationUntilProxyStarts: true
      proxyMetadata:
        EXIT_ON_ZERO_ACTIVE_CONNECTIONS: "true"
```
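The mesh-wide setting above applies to every injected pod. For a single workload the same options can be set through the proxy.istio.io/config pod annotation, together with the Kubernetes grace period that bounds how long any drain can take. The Deployment below is an added example, not from the original page; the workload name payments, the namespace shop and the image are assumed:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments              # assumed workload name
  namespace: shop             # assumed namespace
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payments
  template:
    metadata:
      labels:
        app: payments
      annotations:
        # Per-pod proxy config; overrides meshConfig.defaultConfig for this workload only.
        proxy.istio.io/config: |
          holdApplicationUntilProxyStarts: true
          terminationDrainDuration: 45s
          proxyMetadata:
            EXIT_ON_ZERO_ACTIVE_CONNECTIONS: "true"
            MINIMUM_DRAIN_DURATION: "5s"
    spec:
      # The kubelet sends SIGKILL when this expires (default 30s), whatever the proxy is
      # still draining, so it must exceed the longest drain you expect.
      terminationGracePeriodSeconds: 60
      containers:
      - name: payments
        image: registry.example.com/payments:1.4.2   # assumed image
        ports:
        - containerPort: 8080
```

Two checks worth making after rolling this out: kubectl get pod -o jsonpath on the pod should list istio-proxy as the first container with a postStart hook (that hook is how the injector holds the other containers), and a rolling restart under load should show no connection resets in the access log, only 5xx-free completions followed by the proxy exiting once its active-connection count reaches zero.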
Istio load balancing policy
Configuring the load balancing policy in Istio
Istio's default load balancing policy is ROUND_ROBIN (newer releases default to LEAST_REQUEST; check the DestinationRule reference for your version). The policy can be set through a DestinationRule, both for the whole host and per subset:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: mydemo-test-ps
  namespace: zsl-test
spec:
  host: mydemo-test-ps.zsl-test.svc.cluster.local
  subsets:
  - labels:
      publish-no: "5865185"
    name: v1
    trafficPolicy:
      loadBalancer:
        simple: LEAST_CONN
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
```
For host mydemo-test-ps.zsl-test.svc.cluster.local the default policy is RANDOM, and subset v1 uses least-connection (LEAST_CONN). Istio translates LEAST_CONN to Envoy's LEAST_REQUEST policy, which is what appears in the Envoy cluster for the subset; LEAST_CONN is deprecated in newer releases in favour of LEAST_REQUEST.
Now look at the corresponding Envoy cluster configuration (for example from istioctl proxy-config cluster <pod> -o yaml). Two things are worth noticing: the subset cluster carries lbPolicy LEAST_REQUEST while the default cluster carries RANDOM; and because the DestinationRule sets no connectionPool or outlierDetection, every circuitBreakers threshold is 4294967295, i.e. effectively unlimited. The transportSocketMatches also show the mTLS side of the rule: the upstream certificate must carry the SPIFFE identity spiffe://cluster.local/ns/zsl-test/sa/default, the service account of the endpoints.
```yaml
# Default cluster (no subset): lbPolicy RANDOM
- circuitBreakers:
    thresholds:
    - maxConnections: 4294967295
      maxPendingRequests: 4294967295
      maxRequests: 4294967295
      maxRetries: 4294967295
      trackRemaining: true
  connectTimeout: 10s
  edsClusterConfig:
    edsConfig:
      ads: {}
      initialFetchTimeout: 0s
      resourceApiVersion: V3
    serviceName: outbound|13750||mydemo-test-ps.zsl-test.svc.cluster.local
  filters:
  - name: istio.metadata_exchange
    typedConfig:
      '@type': type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
      protocol: istio-peer-exchange
  lbPolicy: RANDOM
  metadata:
    filterMetadata:
      istio:
        config: /apis/networking.istio.io/v1alpha3/namespaces/zsl-test/destination-rule/mydemo-test-ps
        default_original_port: 13750
        services:
        - host: mydemo-test-ps.zsl-test.svc.cluster.local
          name: mydemo-test-ps
          namespace: zsl-test
  name: outbound|13750||mydemo-test-ps.zsl-test.svc.cluster.local
  transportSocketMatches:
  - match:
      tlsMode: istio
    name: tlsMode-istio
    transportSocket:
      name: envoy.transport_sockets.tls
      typedConfig:
        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        commonTlsContext:
          alpnProtocols:
          - istio-peer-exchange
          - istio
          combinedValidationContext:
            defaultValidationContext:
              matchSubjectAltNames:
              - exact: spiffe://cluster.local/ns/zsl-test/sa/default
            validationContextSdsSecretConfig:
              name: ROOTCA
              sdsConfig:
                apiConfigSource:
                  apiType: GRPC
                  grpcServices:
                  - envoyGrpc:
                      clusterName: sds-grpc
                  setNodeOnFirstMessageOnly: true
                  transportApiVersion: V3
                initialFetchTimeout: 0s
                resourceApiVersion: V3
          tlsCertificateSdsSecretConfigs:
          - name: default
            sdsConfig:
              apiConfigSource:
                apiType: GRPC
                grpcServices:
                - envoyGrpc:
                    clusterName: sds-grpc
                setNodeOnFirstMessageOnly: true
                transportApiVersion: V3
              initialFetchTimeout: 0s
              resourceApiVersion: V3
        sni: outbound_.13750_._.mydemo-test-ps.zsl-test.svc.cluster.local
  - match: {}
    name: tlsMode-disabled
    transportSocket:
      name: envoy.transport_sockets.raw_buffer
  type: EDS
# Subset cluster v1: LEAST_CONN in the DestinationRule becomes lbPolicy LEAST_REQUEST
- circuitBreakers:
    thresholds:
    - maxConnections: 4294967295
      maxPendingRequests: 4294967295
      maxRequests: 4294967295
      maxRetries: 4294967295
      trackRemaining: true
  connectTimeout: 10s
  edsClusterConfig:
    edsConfig:
      ads: {}
      initialFetchTimeout: 0s
      resourceApiVersion: V3
    serviceName: outbound|13750|v1|mydemo-test-ps.zsl-test.svc.cluster.local
  filters:
  - name: istio.metadata_exchange
    typedConfig:
      '@type': type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
      protocol: istio-peer-exchange
  lbPolicy: LEAST_REQUEST
  metadata:
    filterMetadata:
      istio:
        config: /apis/networking.istio.io/v1alpha3/namespaces/zsl-test/destination-rule/mydemo-test-ps
        default_original_port: 13750
        services:
        - host: mydemo-test-ps.zsl-test.svc.cluster.local
          name: mydemo-test-ps
          namespace: zsl-test
        subset: v1
  name: outbound|13750|v1|mydemo-test-ps.zsl-test.svc.cluster.local
  transportSocketMatches:
  - match:
      tlsMode: istio
    name: tlsMode-istio
    transportSocket:
      name: envoy.transport_sockets.tls
      typedConfig:
        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        commonTlsContext:
          alpnProtocols:
          - istio-peer-exchange
          - istio
          combinedValidationContext:
            defaultValidationContext:
              matchSubjectAltNames:
              - exact: spiffe://cluster.local/ns/zsl-test/sa/default
            validationContextSdsSecretConfig:
              name: ROOTCA
              sdsConfig:
                apiConfigSource:
                  apiType: GRPC
                  grpcServices:
                  - envoyGrpc:
                      clusterName: sds-grpc
                  setNodeOnFirstMessageOnly: true
                  transportApiVersion: V3
                initialFetchTimeout: 0s
                resourceApiVersion: V3
          tlsCertificateSdsSecretConfigs:
          - name: default
            sdsConfig:
              apiConfigSource:
                apiType: GRPC
                grpcServices:
                - envoyGrpc:
                    clusterName: sds-grpc
                setNodeOnFirstMessageOnly: true
                transportApiVersion: V3
              initialFetchTimeout: 0s
              resourceApiVersion: V3
        sni: outbound_.13750_.v1_.mydemo-test-ps.zsl-test.svc.cluster.local
  - match: {}
    name: tlsMode-disabled
    transportSocket:
      name: envoy.transport_sockets.raw_buffer
  type: EDS
```

Istio global configuration