istio流量拦截原理

环境

这里我们是在本机使用kind,安装

查看容器对应的虚拟设备对

for container in `crictl ps -q`
do
iflink=`crictl exec $container cat /sys/class/net/eth0/iflink`
iflink=`echo $iflink|tr -d '\r'`
veth=`grep -l $iflink /sys/class/net/*/ifindex`
veth=`echo $veth|sed -e 's;^.*net/\(.*\)/ifindex$;\1;'`
echo $container:$veth
done

查看iptables规则

ip netns exec cni-bf783dac-fe05-cb35-4d5a-848449119b19 iptables -L -t nat

-A PREROUTING -p tcp -j ISTIO_INBOUND                          # PREROUTING全部转发到INBOUND,PREROUTING发生在流入的数据包进入路由表之前
-A OUTPUT -p tcp -j ISTIO_OUTPUT                               # 由本机产生的数据向外转发的
-A ISTIO_INBOUND -p tcp -m tcp --dport 22 -j RETURN            # 22 15090  15021 15020的不转发到ISTIO_REDIRECT 
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN         
-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT                   # 剩余的流量都转发到ISTIO_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006       # 转发到15006
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN                # 127.0.0.6是InboundPassthroughBindIpv4,代表原地址是passthrough的流量都直接跳过,不劫持
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT  #lo网卡出流量,目标地址不是localhost的,且为同用户的流量进入ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN    # lo网卡出流量 非同用户的不劫持
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN            # 剩下的同用户的都跳过
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT  # lo网卡出流量,目标地址非本地,同用户组的流量进入ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN    # lo网卡出流量非同组的不劫持
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN            # 剩余的同用户的不劫持
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN                      # 剩余的目标地址为127的不劫持
-A ISTIO_OUTPUT -j ISTIO_REDIRECT                              # 剩下的都进入 ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001          # 转达到15001 outbond
COMMIT

请求流程分析

现在有httpbin和sleep两个服务,如果httpbin要访问sleep

httpbin访问sleep:80端口
iptables拦截转发到15001 的15001端口

virtualOutbound Listener

{
  "@type": "type.googleapis.com/envoy.api.v2.Listener",
  "name": "virtualOutbound",
  "address": {
    "socket_address": {
      "address": "0.0.0.0",
      "port_value": 15001
    }
  },
  "filter_chains": [
    {
      "filters": [
        {
          "name": "istio.stats", # 为指标添加istio_前缀
          "typed_config": {
            "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
            "type_url": "type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm",
            "value": {
              "config": {
                "root_id": "stats_outbound",
                "vm_config": {
                  "vm_id": "tcp_stats_outbound",
                  "runtime": "envoy.wasm.runtime.null",
                  "code": {
                    "local": {
                      "inline_string": "envoy.wasm.stats"
                    }
                  }
                },
                "configuration": "{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"
              }
            }
          }
        },
        {
          "name": "envoy.tcp_proxy",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
            "stat_prefix": "PassthroughCluster",
            "cluster": "PassthroughCluster",
            "access_log": [
              {
                "name": "envoy.file_access_log",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
                  "path": "/dev/stdout",
                  "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
                }
              }
            ]
          }
        }
      ],
      "name": "virtualOutbound-catchall-tcp"
    }
  ],
  "use_original_dst": true, 
  "traffic_direction": "OUTBOUND"
}

use_original_dst: 如果使用iptables重定向连接,则代理在其上接收连接的端口可能与原始目标地址不同.当此标志设置为true时,监听器将重定向到与原始目标地址关联的监听器的重定向连接.如果没有与原始目标地址关联的监听器,则连接由接收该监听器的监听器处理.默认为false。

我们原本请求的是 sleep:80,则在PassthroughCluster之后重新匹配符合sleep:80的规则

PassthroughCluster

{
  "@type": "type.googleapis.com/envoy.api.v2.Cluster",
  "name": "PassthroughCluster",
  "type": "ORIGINAL_DST",
  "connect_timeout": "10s",
  "lb_policy": "CLUSTER_PROVIDED",
  "circuit_breakers": {
    "thresholds": [
      {
        "max_connections": 4294967295,
        "max_pending_requests": 4294967295,
        "max_requests": 4294967295,
        "max_retries": 4294967295
      }
    ]
  },
  "filters": [
    {
      "name": "istio.metadata_exchange",
      "typed_config": {
        "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
        "type_url": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
        "value": {
          "protocol": "istio-peer-exchange"
        }
      }
    }
  ]
}

匹配sleep:80的listener

{
  "@type": "type.googleapis.com/envoy.api.v2.Listener",
  "name": "0.0.0.0_80",
  "address": {
    "socket_address": {
      "address": "0.0.0.0",
      "port_value": 80
    }
  },
  "filter_chains": [
    {
      "filter_chain_match": {
        "application_protocols": [
          "http/1.0",
          "http/1.1",
          "h2c"
        ]
      },
      "filters": [
        {
          "name": "envoy.http_connection_manager",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
            "stat_prefix": "outbound_0.0.0.0_80",
            "rds": {
              "config_source": {
                "ads": {
                }
              },
              "route_config_name": "80"
            },
            "http_filters": [
              {
                "name": "istio.metadata_exchange",
                "typed_config": {
                  "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
                  "type_url": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
                  "value": {
                    "config": {
                      "vm_config": {
                        "runtime": "envoy.wasm.runtime.null",
                        "code": {
                          "local": {
                            "inline_string": "envoy.wasm.metadata_exchange"
                          }
                        }
                      },
                      "configuration": "{}\n"
                    }
                  }
                }
              },
              {
                "name": "istio.alpn",
                "typed_config": {
                  "@type": "type.googleapis.com/istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig",
                  "alpn_override": [
                    {
                      "alpn_override": [
                        "istio-http/1.0",
                        "istio"
                      ]
                    },
                    {
                      "upstream_protocol": "HTTP11",
                      "alpn_override": [
                        "istio-http/1.1",
                        "istio"
                      ]
                    },
                    {
                      "upstream_protocol": "HTTP2",
                      "alpn_override": [
                        "istio-h2",
                        "istio"
                      ]
                    }
                  ]
                }
              },
              {
                "name": "envoy.cors",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.config.filter.http.cors.v2.Cors"
                }
              },
              {
                "name": "envoy.fault",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.config.filter.http.fault.v2.HTTPFault"
                }
              },
              {
                "name": "istio.stats",
                "typed_config": {
                  "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
                  "type_url": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
                  "value": {
                    "config": {
                      "root_id": "stats_outbound",
                      "vm_config": {
                        "vm_id": "stats_outbound",
                        "runtime": "envoy.wasm.runtime.null",
                        "code": {
                          "local": {
                            "inline_string": "envoy.wasm.stats"
                          }
                        }
                      },
                      "configuration": "{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"
                    }
                  }
                }
              },
              {
                "name": "envoy.router",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.config.filter.http.router.v2.Router"
                }
              }
            ],
            "tracing": {
              "client_sampling": {
                "value": 100
              },
              "random_sampling": {
                "value": 100
              },
              "overall_sampling": {
                "value": 100
              }
            },
            "access_log": [
              {
                "name": "envoy.file_access_log",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
                  "path": "/dev/stdout",
                  "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
                }
              }
            ],
            "use_remote_address": false,
            "generate_request_id": true,
            "upgrade_configs": [
              {
                "upgrade_type": "websocket"
              }
            ],
            "stream_idle_timeout": "0s",
            "normalize_path": true
          }
        }
      ]
    },
    {
      "filter_chain_match": {
      },
      "filters": [
        {
          "name": "istio.stats",
          "typed_config": {
            "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
            "type_url": "type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm",
            "value": {
              "config": {
                "root_id": "stats_outbound",
                "vm_config": {
                  "vm_id": "tcp_stats_outbound",
                  "runtime": "envoy.wasm.runtime.null",
                  "code": {
                    "local": {
                      "inline_string": "envoy.wasm.stats"
                    }
                  }
                },
                "configuration": "{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"
              }
            }
          }
        },
        {
          "name": "envoy.tcp_proxy",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
            "stat_prefix": "PassthroughCluster",
            "cluster": "PassthroughCluster",
            "access_log": [
              {
                "name": "envoy.file_access_log",
                "typed_config": {
                  "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
                  "path": "/dev/stdout",
                  "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
                }
              }
            ]
          }
        }
      ],
      "metadata": {
        "filter_metadata": {
          "pilot_meta": {
            "fallthrough": true
          }
        }
      },
      "name": "PassthroughFilterChain"
    }
  ],
  "deprecated_v1": {
    "bind_to_port": false
  },
  "listener_filters": [
    {
      "name": "envoy.listener.tls_inspector",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.config.filter.listener.tls_inspector.v2.TlsInspector"
      }
    },
    {
      "name": "envoy.listener.http_inspector",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.config.filter.listener.http_inspector.v2.HttpInspector"
      }
    }
  ],
  "listener_filters_timeout": "0.100s",
  "traffic_direction": "OUTBOUND",
  "continue_on_listener_filters_timeout": true
}

匹配 route 80

因为配置较多我们值展示对应sleep的route config

{
  "name": "sleep.foo.svc.cluster.local:80",
  "domains": [
    "sleep.foo.svc.cluster.local",
    "sleep.foo.svc.cluster.local:80",
    "sleep",
    "sleep:80",
    "sleep.foo.svc.cluster",
    "sleep.foo.svc.cluster:80",
    "sleep.foo.svc",
    "sleep.foo.svc:80",
    "sleep.foo",
    "sleep.foo:80",
    "10.97.250.188",
    "10.97.250.188:80"
  ],
  "routes": [
    {
      "match": {
        "prefix": "/"
      },
      "route": {
        "cluster": "outbound|80||sleep.foo.svc.cluster.local",
        "timeout": "0s",
        "retry_policy": {
          "retry_on": "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes",
          "num_retries": 2,
          "retry_host_predicate": [
            {
              "name": "envoy.retry_host_predicates.previous_hosts"
            }
          ],
          "host_selection_retry_max_attempts": "5",
          "retriable_status_codes": [
            503
          ]
        },
        "max_grpc_timeout": "0s"
      },
      "decorator": {
        "operation": "sleep.foo.svc.cluster.local:80/*"
      },
      "name": "default"
    }
  ],
  "include_request_attempt_count": true
}

这里我们可以看到最终请求到了outbound|80||sleep.foo.svc.cluster.local 这个cluster,只有一个ep 10.244.1.12:80

outbound|80||sleep.foo.svc.cluster.local::default_priority::max_connections::4294967295
outbound|80||sleep.foo.svc.cluster.local::default_priority::max_pending_requests::4294967295
outbound|80||sleep.foo.svc.cluster.local::default_priority::max_requests::4294967295
outbound|80||sleep.foo.svc.cluster.local::default_priority::max_retries::4294967295
outbound|80||sleep.foo.svc.cluster.local::high_priority::max_connections::1024
outbound|80||sleep.foo.svc.cluster.local::high_priority::max_pending_requests::1024
outbound|80||sleep.foo.svc.cluster.local::high_priority::max_requests::1024
outbound|80||sleep.foo.svc.cluster.local::high_priority::max_retries::3
outbound|80||sleep.foo.svc.cluster.local::added_via_api::true
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::cx_active::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::cx_connect_fail::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::cx_total::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::rq_active::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::rq_error::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::rq_success::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::rq_timeout::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::rq_total::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::hostname::
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::health_flags::healthy
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::weight::1
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::region::
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::zone::
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::sub_zone::
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::canary::false
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::priority::0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::success_rate::-1.0
outbound|80||sleep.foo.svc.cluster.local::10.244.1.12:80::local_origin_success_rate::-1.0

sleep接收请求

sleep接收到请求将被iptables重定向到inboud port 15006

为了选择过滤器链,传入连接必须满足其所有条件,连接的属性由网络堆栈和/或监听器过滤器设置。

以下顺序适用:

目的端口。
目的IP地址。
服务器名称(例如TLS协议的SNI),
传输协议。
应用协议(例如用于TLS协议的ALPN)。

prefix_ranges如果为非空,则在监听器绑定到0.0.0.0/::或指定use_original_dst时,指定IP地址和前缀长度以匹配地址。

流量到达sleep进行匹配

{
  "filter_chain_match": {
    "prefix_ranges": [
      {
        "address_prefix": "10.244.1.12",
        "prefix_len": 32
      }
    ],
    "destination_port": 80
  },
  "filters": [
    {
      "name": "istio.metadata_exchange",
      "typed_config": {
        "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
        "type_url": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
        "value": {
          "protocol": "istio-peer-exchange"
        }
      }
    },
    {
      "name": "envoy.http_connection_manager",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
        "stat_prefix": "inbound_10.244.1.12_80",
        "route_config": {
          "name": "inbound|80|http|sleep.foo.svc.cluster.local",
          "virtual_hosts": [
            {
              "name": "inbound|http|80",
              "domains": [
                "*"
              ],
              "routes": [
                {
                  "match": {
                    "prefix": "/"
                  },
                  "route": {
                    "cluster": "inbound|80|http|sleep.foo.svc.cluster.local",
                    "timeout": "0s",
                    "max_grpc_timeout": "0s"
                  },
                  "decorator": {
                    "operation": "sleep.foo.svc.cluster.local:80/*"
                  },
                  "name": "default"
                }
              ]
            }
          ],
          "validate_clusters": false
        },
        "http_filters": [
          {
            "name": "istio.metadata_exchange",
            "typed_config": {
              "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
              "type_url": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
              "value": {
                "config": {
                  "vm_config": {
                    "runtime": "envoy.wasm.runtime.null",
                    "code": {
                      "local": {
                        "inline_string": "envoy.wasm.metadata_exchange"
                      }
                    }
                  },
                  "configuration": "{}\n"
                }
              }
            }
          },
          {
            "name": "istio_authn",
            "typed_config": {
              "@type": "type.googleapis.com/istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig",
              "policy": {
                "peers": [
                  {
                    "mtls": {
                    }
                  }
                ]
              }
            }
          },
          {
            "name": "envoy.cors",
            "typed_config": {
              "@type": "type.googleapis.com/envoy.config.filter.http.cors.v2.Cors"
            }
          },
          {
            "name": "envoy.fault",
            "typed_config": {
              "@type": "type.googleapis.com/envoy.config.filter.http.fault.v2.HTTPFault"
            }
          },
          {
            "name": "istio.stats",
            "typed_config": {
              "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
              "type_url": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
              "value": {
                "config": {
                  "root_id": "stats_inbound",
                  "vm_config": {
                    "vm_id": "stats_inbound",
                    "runtime": "envoy.wasm.runtime.null",
                    "code": {
                      "local": {
                        "inline_string": "envoy.wasm.stats"
                      }
                    }
                  },
                  "configuration": "{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"
                }
              }
            }
          },
          {
            "name": "envoy.router",
            "typed_config": {
              "@type": "type.googleapis.com/envoy.config.filter.http.router.v2.Router"
            }
          }
        ],
        "tracing": {
          "client_sampling": {
            "value": 100
          },
          "random_sampling": {
            "value": 100
          },
          "overall_sampling": {
            "value": 100
          }
        },
        "server_name": "istio-envoy",
        "access_log": [
          {
            "name": "envoy.file_access_log",
            "typed_config": {
              "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
              "path": "/dev/stdout",
              "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
            }
          }
        ],
        "use_remote_address": false,
        "generate_request_id": true,
        "forward_client_cert_details": "APPEND_FORWARD",
        "set_current_client_cert_details": {
          "subject": true,
          "dns": true,
          "uri": true
        },
        "upgrade_configs": [
          {
            "upgrade_type": "websocket"
          }
        ],
        "stream_idle_timeout": "0s",
        "normalize_path": true
      }
    }
  ],
  "transport_socket": {
    "name": "envoy.transport_sockets.tls",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
      "common_tls_context": {
        "alpn_protocols": [
          "h2",
          "http/1.1"
        ],
        "tls_certificate_sds_secret_configs": [
          {
            "name": "default",
            "sds_config": {
              "api_config_source": {
                "api_type": "GRPC",
                "grpc_services": [
                  {
                    "envoy_grpc": {
                      "cluster_name": "sds-grpc"
                    }
                  }
                ]
              }
            }
          }
        ],
        "combined_validation_context": {
          "default_validation_context": {
          },
          "validation_context_sds_secret_config": {
            "name": "ROOTCA",
            "sds_config": {
              "api_config_source": {
                "api_type": "GRPC",
                "grpc_services": [
                  {
                    "envoy_grpc": {
                      "cluster_name": "sds-grpc"
                    }
                  }
                ]
              }
            }
          }
        }
      },
      "require_client_certificate": true
    }
  },
  "name": "10.244.1.12_80"
}

流量到达sleep的 inbound|80|http|sleep.foo.svc.cluster.local cluster

{
  "version_info": "2020-07-17T08:45:26Z/18",
  "cluster": {
    "@type": "type.googleapis.com/envoy.api.v2.Cluster",
    "name": "inbound|80|http|sleep.foo.svc.cluster.local",
    "type": "STATIC",
    "connect_timeout": "10s",
    "circuit_breakers": {
      "thresholds": [
        {
          "max_connections": 4294967295,
          "max_pending_requests": 4294967295,
          "max_requests": 4294967295,
          "max_retries": 4294967295
        }
      ]
    },
    "load_assignment": {
      "cluster_name": "inbound|80|http|sleep.foo.svc.cluster.local",
      "endpoints": [
        {
          "lb_endpoints": [
            {
              "endpoint": {
                "address": {
                  "socket_address": {
                    "address": "127.0.0.1",
                    "port_value": 80
                  }
                }
              }
            }
          ]
        }
      ]
    }
  },
  "last_updated": "2020-07-17T08:45:29.404Z"
}

InboundPassthroughClusterIpv4

这是一个最后生效的cluster,如果入流量,没有匹配到规则,即我们访问了一个没有暴露到svc,的端口,则透传到服务容器

Previous原理分析 Nextistio dns拦截

Last updated 4 years ago

Was this helpful?