Istio

Multi-Cluster Kubernetes - cross cluster communication

北慕城南 submitted on 2021-01-29 09:24:27
Question: Not sure if this is the right place, please point me to a different forum if not. In a multi-cluster kubernetes setup, is cross-cluster communication a valid design? In particular, a pod in one cluster relying on a pod in another cluster. Or are there limitations or anti-patterns associated with this that we should avoid? If not, what tools do you use to manage this deployment and monitor load on each cluster? Answer 1: Multicluster deployments give you a greater degree of isolation and

Service entries in Anthos Service Mesh

蓝咒 submitted on 2021-01-29 08:27:20
Question: For a test, I have created a ServiceEntry in Anthos Service Mesh. It also works when accessing that service from a curl pod; the headers are set correctly: curl -v postman-echo.com/get However, that service entry appears neither in the dashboard nor in the access logs. It seems that the dashboard is limited to Kubernetes services. If this is the case, is this only a limitation of the ASM dashboard (and maybe available in other installations, for example open source Istio with Kiali) or a

Service Mesh: Using Istio to route TCP traffic based on Client IP in Virtual Service

ε祈祈猫儿з submitted on 2021-01-28 19:39:53
Question: The ingress gateway is located behind an AWS ELB (classic) using a NodePort, and I want to route TCP traffic in a VirtualService based on the client IP. Of course, Proxy Protocol on the ELB is enabled. When I use HTTP, it works. The configuration is below. apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: app-vservice namespace: test spec: hosts: - "app-service" http: - match: - headers: x-forwarded-for: exact: 123.123.123.123 route: - destination: host: app-service subset: v2 - route:

Istio 1.6 AuthorizationPolicy does not have proper response code if coming from cross origin

吃可爱长大的小学妹 submitted on 2021-01-28 19:39:14
Question: We have implemented this security filter to pre-validate our JWT token before it reaches the backend services. It is helpful that it can check some conditions that form your criteria to accept or reject a request. Our problem now is that when you send your request to a different URL (for which we already configured the CORS policy in the VirtualService), the policy rejects the request and doesn't return the Access-Control-Allow-Origin header, which triggers CORS blocking in Chrome

Azure Kubernetes - Istio Egress not working

霸气de小男生 submitted on 2021-01-28 13:30:08
Question: I have used the following configuration to set up Istio: cat << EOF | kubectl apply -f - apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: namespace: istio-system name: istio-control-plane spec: # Use the default profile as the base # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/ profile: default # Enable the addons that we will want to use addonComponents: grafana: enabled: true prometheus: enabled: true tracing: enabled: true kiali:

Is the Traffic between sidecar and main process encrypted in istio?

痞子三分冷 submitted on 2021-01-28 09:41:02
Question: I know that istio supports mTLS for inter-service communication done through the istio proxy, but I couldn't find any documentation on their official site explaining the state of the traffic between the istio proxy container and the main container itself in a pod (assuming it's a kubernetes-managed cluster). Is the traffic encrypted between the proxy and main containers? If it's not by default, is there any config or plugin out there that can enable this behaviour? Appreciate any help on this. Answer 1: The traffic

Enable http header logging for envoy in istio

那年仲夏 submitted on 2021-01-28 01:38:03
Question: I want to be able to capture (log) (at least some of) envoy's HTTP headers on my istio service mesh. I have gone through envoy's docs, and in the log levels section, it does not mention any header-specific information. Currently, my istio-proxy log is like this (this is from a stern output): mysvc-69c46fbc75-d9v8j istio-proxy {"bytes_sent":"124","upstream_cluster":"inbound|80|http|mysvc.default.svc.cluster.local","downstream_remote_address":"10.11.11.1:0","authority":"some.url.com","path":

istio-proxy closing long running TCP connection after 1 hour

与世无争的帅哥 submitted on 2021-01-27 06:42:50
Question: TL;DR: How can we configure istio sidecar injection/istio-proxy/envoy-proxy/istio egressgateway to allow long-living (>3 hours), possibly idle, TCP connections? Some details: We're trying to perform a database migration to PostgreSQL, triggered by an application that has Spring Boot + Flyway configured; this migration is expected to last ~3 hours. Our application is deployed inside our kubernetes cluster, which has istio sidecar injection configured. After exactly one hour of

Preliminary Round Track 3: Building a Divide-and-Conquer Control Plane for Service Mesh

谁说我不能喝 submitted on 2021-01-24 13:43:14
The first Cloud Native Programming Challenge is now open for registration. The preliminary round has three tracks: Track 1: implement distributed statistics and filtering for distributed tracing; Track 2: implement large-scale static container placement and dynamic migration; Track 3: build a divide-and-conquer control plane for a service mesh. Register now (registration is open from today until 06/29): https://tianchi.aliyun.com/specials/promotion/cloudnative#problem-definition This article analyzes the Track 3 problem to help contestants solve it more efficiently. Background "Service mesh" has been a very hot technology in recent years, and its fully managed approach fits cloud-native scenarios well. A service mesh has two core parts, the control plane and the data plane. The data plane is mainly a proxy component called the Sidecar, which forwards or processes traffic according to the routing and control information it receives from the control plane. Applications sitting in the service mesh thus hand all of the distributed logic to the underlying layer and no longer need to deal with it themselves. Once decoupled from that layer, flexibility increases greatly, which better matches the cloud-native standard. Problem analysis The core point examined by this problem is how to make the service mesh control plane support a large number of Sidecar instances. Why does this problem arise? Because in Istio, currently the most influential service mesh implementation, the control plane component Pilot is responsible for the routing translation of the entire system, meaning that the instance information of all services must be pushed by Pilot to every Sidecar. Users can of course use SidecarScope to set the visibility of system services for individual Sidecars, but this only affects

The Inflection Point Has Arrived: Cloud Native Leads Digital Transformation and Upgrade

隐身守侯 submitted on 2021-01-24 01:48:52
Author | 易立 (Yi Li), Senior Technical Expert, Alibaba Cloud. This article is compiled from the talk "The Inflection Point Has Arrived: Cloud Native Leads Digital Transformation and Upgrade" given by 易立 at the 2019 Ctrip Technology Summit. Follow the "阿里巴巴云原生" (Alibaba Cloud Native) official account and reply with the keyword "转型" to download the slides of this talk. The topic I am sharing with you today is "The Inflection Point Has Arrived: Cloud Native Leads Digital Transformation and Upgrade". First, a brief self-introduction: my name is 易立, from the Alibaba Cloud container platform. I have been in charge of Alibaba Cloud's container products since 2015; before that I worked at IBM for 14 years, mainly on enterprise middleware and cloud computing product development. Today I will share some of our thoughts on the cloud-native field, along with an overview of four trends we see in cloud-native development: Embrace Serverless: extreme elasticity with no operations burden; Service mesh: decouple service governance from the application and push it down into the infrastructure layer; Standardized cloud-native application management: build an efficient, automated and trustworthy application delivery system; Computing without boundaries: efficient collaboration among cloud, edge and IoT devices. Basic cloud-native concepts Let me first briefly introduce some basic cloud-native concepts. We have worked with many customers. For them, whether to move to the cloud is no longer the question; what they care about is how to move to the cloud, and how to make full use of the cloud's capabilities and maximize its value. In the All in Cloud era, a company's technical capability has become its core competitiveness, and these companies are very willing to use the cloud as a multiplier for their enterprise IT capability. Cloud-native computing is a set of best practices and methodologies for building scalable, robust, loosely coupled applications in public and private cloud environments, enabling faster innovation and low-cost trial and error; containers, service mesh