sidecar 注入原理

func (s *Server) initSidecarInjector(args *PilotArgs) (*inject.Webhook, error) {
    // 当前常量: "./var/lib/istio/inject"
    injectPath := args.InjectionOptions.InjectionDirectory
    if injectPath == "" || !injectionEnabled.Get() {
        log.Infof("Skipping sidecar injector, injection path is missing or disabled.")
        return nil, nil
    }

    // 本地或者远程配置存在将启动注入
    var watcher inject.Watcher
    // 查看本地是否有配置
    if _, err := os.Stat(filepath.Join(injectPath, "config")); !os.IsNotExist(err) {
        configFile := filepath.Join(injectPath, "config")
        valuesFile := filepath.Join(injectPath, "values")
        watcher, err = inject.NewFileWatcher(configFile, valuesFile)
        if err != nil {
            return nil, err
        }
    } else {
        //访问configmap,常量istio-sidecar-injector
        configMapName := getInjectorConfigMapName(args.Revision)
        cms := s.kubeClient.CoreV1().ConfigMaps(args.Namespace)
        if _, err := cms.Get(context.TODO(), configMapName, metav1.GetOptions{}); err != nil {
            if errors.IsNotFound(err) {
                log.Infof("Skipping sidecar injector, template not found")
                return nil, nil
            }
            return nil, err
        }
        watcher = inject.NewConfigMapWatcher(s.kubeClient, args.Namespace, configMapName, "config", "values")
    }

    log.Info("initializing sidecar injector")

    parameters := inject.WebhookParameters{
        Watcher: watcher,
        Env:     s.environment,
        // Disable monitoring. The injection metrics will be picked up by Pilots metrics exporter already
        MonitoringPort: -1,
        Mux:            s.httpsMux,
        Revision:       args.Revision,
    }

    wh, err := inject.NewWebhook(parameters)
    if err != nil {
        return nil, fmt.Errorf("failed to create injection webhook: %v", err)
    }
    // Patch cert if a webhook config name is provided.
    // This requires RBAC permissions - a low-priv Istiod should not attempt to patch but rely on
    // operator or CI/CD
    if features.InjectionWebhookConfigName.Get() != "" {
        s.addStartFunc(func(stop <-chan struct{}) error {
            // No leader election - different istiod revisions will patch their own cert.
            caBundlePath := s.caBundlePath
            if hasCustomTLSCerts(args.ServerOptions.TLSOptions) {
                caBundlePath = args.ServerOptions.TLSOptions.CaCertFile
            }
            webhooks.PatchCertLoop(features.InjectionWebhookConfigName.Get(), webhookName, caBundlePath, s.kubeClient, stop)
            return nil
        })
    }
    s.addStartFunc(func(stop <-chan struct{}) error {
        go wh.Run(stop)
        return nil
    })
    return wh, nil
}

func NewWebhook(p WebhookParameters) (*Webhook, error) {
    ...
    //具体的处理器
    p.Mux.HandleFunc("/inject", wh.serveInject)
    p.Mux.HandleFunc("/inject/", wh.serveInject)

    p.Env.Watcher.AddMeshHandler(func() {
        wh.mu.Lock()
        wh.meshConfig = p.Env.Mesh()
        wh.mu.Unlock()
    })

    ...
}

func (wh *Webhook) serveInject(w http.ResponseWriter, r *http.Request) {
    totalInjections.Increment()
    ...

    var reviewResponse *kube.AdmissionResponse
    var obj runtime.Object
    var ar *kube.AdmissionReview
    // webhook传入admissionreview,获取admissionrequest 写入admissionresponse
    if out, _, err := deserializer.Decode(body, nil, obj); err != nil {
        handleError(fmt.Sprintf("Could not decode body: %v", err))
        //返回error信息
        reviewResponse = toAdmissionResponse(err)
    } else {
        log.Debugf("AdmissionRequest for path=%s\n", path)
        ar, err = kube.AdmissionReviewKubeToAdapter(out)
        if err != nil {
            handleError(fmt.Sprintf("Could not decode object: %v", err))
        }
        //注入
        reviewResponse = wh.inject(ar, path)
    }

    response := kube.AdmissionReview{}
    response.Response = reviewResponse
    var responseKube runtime.Object
    var apiVersion string
    if ar != nil {
        apiVersion = ar.APIVersion
        response.TypeMeta = ar.TypeMeta
        if response.Response != nil {
            if ar.Request != nil {
                response.Response.UID = ar.Request.UID
            }
        }
    }
    //根据版本返回信息
    responseKube = kube.AdmissionReviewAdapterToKube(&response, apiVersion)
    resp, err := json.Marshal(responseKube)
    if err != nil {
        log.Errorf("Could not encode response: %v", err)
        http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)
    }
    if _, err := w.Write(resp); err != nil {
        log.Errorf("Could not write response: %v", err)
        http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
    }
}

```go func (wh Webhook) inject(ar kube.AdmissionReview, path string) *kube.AdmissionResponse { ... // 生成patch patchBytes, err := injectPod(params) if err != nil { handleError(fmt.Sprintf("Pod injection failed: %v", err)) return toAdmissionResponse(err) }

// 返回resp AdmissionResponse
reviewResponse := kube.AdmissionResponse{
    Allowed: true,
    Patch:   patchBytes,
    PatchType: func() *string {
        pt := "JSONPatch"
        return &pt
    }(),
}
totalSuccessfulInjections.Increment()
return &reviewResponse

}

Previousistio中的controller Nextwebhook 配置校验

Last updated 4 years ago

Was this helpful?