
Right before this I set up cluster monitoring (Loki, Prometheus, Grafana) [1];
now I want to install Istio in that environment so I can study it.
A. Installation
Install Istio
Deploy the Istio sample app
Deploy the dashboards for Istio
A.1. Istio concepts in brief
Istio is made up of a Control Plane and a Data Plane.
The Istio Control Plane has a different layout before and after 1.5:
~ @1.5 : separate components, Pilot (service discovery and config distribution), Citadel (certificates) and Galley (config validation)
@1.5 ~ : a single istiod process takes over all of those roles
The Istio Data Plane uses the sidecar model by default:
~ : sidecar mode, an Envoy proxy injected into each pod intercepts and controls that pod's traffic
@1.24 ~ (GA) : ambient mode controls traffic without sidecars, through a per-node ztunnel and optional waypoint proxies
A.2. Install Istio
The Istio exercises need the Control Plane installed first.
In Istio 1.25.1 the Control Plane is consolidated into istiod.
istiod is deployed as an ordinary Service and Deployment (with the ReplicaSet and Pod they create). Before installing, istioctl x precheck reports cluster-level blockers; after installing, istioctl verify-install compares what is running against the profile.
[Command 1] Install Istio
1. Download Istio (pin ISTIO_VERSION so the script fetches the release this post uses rather than whatever is latest at run time; once in a root shell the extra sudo is redundant, and the download must happen inside ~/istio for the later cd ~/istio/istio-1.25.1 to work)
sudo -i
mkdir -p ~/istio && cd ~/istio
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.25.1 sh -
cd istio-1.25.1
export PATH=$PWD/bin:$PATH
2. Install Istio
Object: install.istio.io/v1alpha1 (kind IstioOperator)
samples/bookinfo/demo-profile-no-gateways.yaml (the demo profile with the legacy ingress/egress gateways disabled; the Kubernetes Gateway API is used instead)
istioctl install -f samples/bookinfo/demo-profile-no-gateways.yaml -y
✔ Istio core installed ⛵️
✔ Istiod installed 🧠
✔ Installation complete
3. Check the created namespace
istio-system namespace
kubectl get ns --sort-by=.metadata.creationTimestamp | sort -k3 -r
NAME STATUS AGE
istio-system Active 4m13s
...
4. Check the istiod resources
istiod Service, Deployment, ReplicaSet, Pod
kubectl get svc,deploy,rs,pod -n istio-system -o=custom-columns=TYPE:.kind,NAMESPACE:.metadata.namespace,NAME:.metadata.name
TYPE NAMESPACE NAME
Service istio-system istiod
Deployment istio-system istiod
ReplicaSet istio-system istiod-f4d5f766f
Pod istio-system istiod-f4d5f766f-nvnct
5. Install the Kubernetes Gateway API CRDs (skipped when the gateways CRD already exists)
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.2.1" | kubectl apply -f -; }
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created
A.3. Deploy the Istio sample app
Deploying the Istio sample app needs a Data Plane.
The Envoy container injected as a sidecar plays the Data Plane role; apart from the Gateway used to expose the endpoint, the manifests look like any other Kubernetes app.
What is unusual is the deployment model: istiod's mutating webhook injects the Envoy sidecar (istio-init and istio-proxy) into every pod created in a labelled namespace.
The Istio Data Plane created by [Command 2]
consists of a Gateway, Services and Deployments:
Gateway : exposes the endpoint; think of it as the Ingress equivalent (for now). Istio reconciles the Gateway API resource into a gateway Deployment (one Envoy pod) plus a Service
Gateway Service : the Service created for the Gateway selects the gateway's own Envoy pod; routing from there to the application Services is defined by the HTTPRoute, not by this Service
Service : a plain Kubernetes Service that selects the application pods
The Istio sample consists of two groups of services, tied together through the Gateway:
FrontEnd : productpage
BackEnd : details, ratings, reviews
[Command 2] Deploy the Istio sample app
1. Create the sample namespace
kubectl create ns istio-sample
2. Enable Istio sidecar injection for the sample namespace (istiod's mutating webhook injects istio-init and istio-proxy into every pod created here from now on; pods that already exist are not touched)
kubectl label namespace istio-sample istio-injection=enabled
3. Deploy the sample application
samples/bookinfo/platform/kube/bookinfo.yaml
sudo -i
cd ~/istio/istio-1.25.1
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml \
--namespace istio-sample
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
4. Verify the sample application deployment
kubectl get svc,deploy,rs,pod -n istio-sample -o=custom-columns=TYPE:.kind,NAMESPACE:.metadata.namespace,NAME:.metadata.name
TYPE NAMESPACE NAME
Service istio-sample details
Service istio-sample productpage
Service istio-sample ratings
Service istio-sample reviews
Deployment istio-sample details-v1
Deployment istio-sample productpage-v1
Deployment istio-sample ratings-v1
Deployment istio-sample reviews-v1
Deployment istio-sample reviews-v2
Deployment istio-sample reviews-v3
ReplicaSet istio-sample details-v1-79dfbd6fff
ReplicaSet istio-sample productpage-v1-dffc47f64
ReplicaSet istio-sample ratings-v1-65f797b499
ReplicaSet istio-sample reviews-v1-5c4d6d447c
ReplicaSet istio-sample reviews-v2-65cb66b45c
ReplicaSet istio-sample reviews-v3-f68f94645
Pod istio-sample details-v1-79dfbd6fff-7pvh7
Pod istio-sample productpage-v1-dffc47f64-hktzc
Pod istio-sample ratings-v1-65f797b499-kvk2m
Pod istio-sample reviews-v1-5c4d6d447c-jm9t5
Pod istio-sample reviews-v2-65cb66b45c-n7tsm
Pod istio-sample reviews-v3-f68f94645-fnxgc
5. Verify sidecar injection (every pod should list istio-proxy next to its app container, and the proxyv2 tag should match the istiod version)
kubectl get pods -n istio-sample -o jsonpath="{range .items[*]}{.metadata.namespace}{'\t'}{.metadata.name}{'\t'}{range .spec.containers[*]}{.name}:{.image}{'\t'}{end}{'\n'}{end}"
istio-sample details-v1-79dfbd6fff-7pvh7 details:docker.io/istio/examples-bookinfo-details-v1:1.20.2 istio-proxy:docker.io/istio/proxyv2:1.25.1
istio-sample productpage-v1-dffc47f64-hktzc productpage:docker.io/istio/examples-bookinfo-productpage-v1:1.20.2 istio-proxy:docker.io/istio/proxyv2:1.25.1
istio-sample ratings-v1-65f797b499-kvk2m ratings:docker.io/istio/examples-bookinfo-ratings-v1:1.20.2 istio-proxy:docker.io/istio/proxyv2:1.25.1
istio-sample reviews-v1-5c4d6d447c-jm9t5 reviews:docker.io/istio/examples-bookinfo-reviews-v1:1.20.2 istio-proxy:docker.io/istio/proxyv2:1.25.1
istio-sample reviews-v2-65cb66b45c-n7tsm reviews:docker.io/istio/examples-bookinfo-reviews-v2:1.20.2 istio-proxy:docker.io/istio/proxyv2:1.25.1
istio-sample reviews-v3-f68f94645-fnxgc reviews:docker.io/istio/examples-bookinfo-reviews-v3:1.20.2 istio-proxy:docker.io/istio/proxyv2:1.25.1
6. Deploy a Gateway for the sample application
kubectl apply \
-f samples/bookinfo/gateway-api/bookinfo-gateway.yaml \
--namespace istio-sample
gateway.gateway.networking.k8s.io/bookinfo-gateway created
httproute.gateway.networking.k8s.io/bookinfo created
7. Change the Gateway Service type: LoadBalancer → NodePort (the annotation is read by Istio's gateway controller, which regenerates the Service)
kubectl annotate \
gateway bookinfo-gateway \
networking.istio.io/service-type=NodePort \
--namespace=istio-sample
gateway.gateway.networking.k8s.io/bookinfo-gateway annotated
8. Check the Gateway Service
kubectl get svc -n istio-sample
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)            AGE
bookinfo-gateway-istio   ClusterIP   10.108.125.86   <none>        15021/TCP,80/TCP   8m26s
details                  ClusterIP   10.99.137.238   <none>        9080/TCP           16m
productpage              ClusterIP   10.99.153.158   <none>        9080/TCP           16m
ratings                  ClusterIP   10.105.28.103   <none>        9080/TCP           16m
reviews                  ClusterIP   10.98.123.123   <none>        9080/TCP           16m
(This capture still shows ClusterIP for bookinfo-gateway-istio; re-run the command once the gateway controller has reconciled the annotation to confirm NodePort.)
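Step 5 is the check that matters most for everything that follows: a pod without istio-proxy is simply not in the mesh, and a proxy whose version differs from istiod is a common source of confusing behaviour after an upgrade. As an added example (not part of the original post and not Istio's own tooling), the shell function below consumes the step 5 output layout (namespace, pod name, then name:image per container, tab separated) and reports pods that have no sidecar or whose proxyv2 tag differs from the control-plane version passed as its argument. The embedded sample is constructed: four of the bookinfo lines from step 5 plus two hypothetical pods, legacy-v1 (no sidecar) and stale-v1 (proxy 1.24.0), which do not exist on this page.

```sh
#!/bin/sh
# Added example: verify sidecar injection and proxy version from the
# jsonpath listing in step 5. Not part of the original post or of Istio.

# Constructed sample in the step 5 layout: ns<TAB>pod<TAB>name:image<TAB>name:image<TAB>
# The first four pods are real bookinfo pods from this page; stale-v1 and
# legacy-v1 are hypothetical pods added to exercise both checks.
SAMPLE_PODS=$(
  printf 'istio-sample\t%s\t%s\tistio-proxy:docker.io/istio/proxyv2:%s\t\n' \
    details-v1-79dfbd6fff-7pvh7    details:docker.io/istio/examples-bookinfo-details-v1:1.20.2         1.25.1 \
    productpage-v1-dffc47f64-hktzc productpage:docker.io/istio/examples-bookinfo-productpage-v1:1.20.2 1.25.1 \
    ratings-v1-65f797b499-kvk2m    ratings:docker.io/istio/examples-bookinfo-ratings-v1:1.20.2         1.25.1 \
    reviews-v1-5c4d6d447c-jm9t5    reviews:docker.io/istio/examples-bookinfo-reviews-v1:1.20.2         1.25.1 \
    stale-v1-0000000000-bbbbb      stale:registry.example/stale-app:0.1                                 1.24.0
  printf 'istio-sample\t%s\t%s\t\n' \
    legacy-v1-0000000000-aaaaa     legacy:registry.example/legacy-app:0.1
)

# check_injection <control-plane version>: read step 5 lines on stdin, print one
# finding per pod that is not (correctly) meshed, exit 1 if there was any finding.
check_injection() {
  awk -F'\t' -v want="$1" '
    NF < 2 { next }                                  # skip blank lines
    {
      proxy = ""
      for (i = 3; i <= NF; i++)                      # containers start at field 3
        if (index($i, "istio-proxy:") == 1) proxy = $i
      if (proxy == "") {
        printf "%s/%s: no istio-proxy sidecar (pod predates the istio-injection label, or injection is disabled for it)\n", $1, $2
        bad = 1; next
      }
      n = split(proxy, parts, ":")                   # image tag is the last ":"-separated part
      tag = parts[n]
      if (tag != want) {
        printf "%s/%s: proxy %s != control plane %s (restart the workload to re-inject)\n", $1, $2, tag, want
        bad = 1
      }
    }
    END { if (bad) exit 1 }'
}

# Usage on the cluster: the same jsonpath as step 5, piped in with the istiod version.
#   kubectl get pods -n istio-sample -o jsonpath="{range .items[*]}{.metadata.namespace}{'\t'}{.metadata.name}{'\t'}{range .spec.containers[*]}{.name}:{.image}{'\t'}{end}{'\n'}{end}" | check_injection 1.25.1
printf '%s\n' "$SAMPLE_PODS" | check_injection 1.25.1 || echo "fix the pods above before relying on mesh policy"
```

istioctl proxy-status gives the same picture from istiod's side (plus xDS sync state per proxy); this script is the kubectl-only equivalent for the listing already on the page.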
[Command 3] made it easy to list the iptables NAT rules kube-proxy programmed for the Istio sample:
Gateway Service
istio-sample/bookinfo-gateway-istio:status-port cluster IP
istio-sample/bookinfo-gateway-istio:http cluster IP
Service
istio-sample/~~~~~:http cluster IP
[Command 3] List the iptables NAT rules for the Istio sample
1. List the NAT rules (iptables -L reverse-resolves addresses by default, which is why the cluster CIDR shows up as a hostname further down; add -n to print raw addresses)
sudo iptables -t nat -L KUBE-SERVICES -v | grep -E "(istio-sample|pkts)"
pkts bytes target prot opt in out source destination
0 0 KUBE-SVC-G5PLZLXGXOQRM5YI tcp -- any any anywhere 10.107.170.191 /* istio-sample/ratings:http cluster IP */
0 0 KUBE-SVC-PSJQMOZRUGSJJO2Y tcp -- any any anywhere 10.99.197.44 /* istio-sample/details:http cluster IP */
0 0 KUBE-SVC-M3GRG3ZIUI3SSHYC tcp -- any any anywhere 10.109.175.27 /* istio-sample/bookinfo-gateway-istio:status-port cluster IP */
0 0 KUBE-SVC-TQVK2WQMHZOS6576 tcp -- any any anywhere 10.105.143.182 /* istio-sample/productpage:http cluster IP */
0 0 KUBE-SVC-IZRUIY3NLSNO2IFV tcp -- any any anywhere 10.102.65.41 /* istio-sample/reviews:http cluster IP */
0 0 KUBE-SVC-AJGCB2HIHIW4ZNR7 tcp -- any any anywhere 10.109.175.27 /* istio-sample/bookinfo-gateway-istio:http cluster IP */
With kube-proxy in iptables mode, traffic to a Service passes through the following chains:
KUBE-SERVICES (match on ClusterIP:port) → KUBE-SVC-* (one chain per Service port) → KUBE-MARK-MASQ and KUBE-SEP-* (one chain per endpoint)
The two targets that deal with NAT of source and destination are MARK-MASQ and SEP-*:
KUBE-MARK-MASQ (Mark Masquerade) : sets the 0x4000 fwmark on packets that must later be SNATed (masqueraded) in KUBE-POSTROUTING; it marks rather than rewrites. It is applied to clients outside the cluster CIDR (the negated /16 source match in the KUBE-SVC chains) and to hairpin traffic, when a pod reaches a Service and is picked as its own endpoint (the source-IP match in the KUBE-SEP chains)
KUBE-SEP (Service Endpoint) : DNATs ClusterIP:port to one endpoint pod IP:port. DNS plays no part here; the Service name was resolved to the ClusterIP before the packet reached netfilter
Running [Commands 4-6] shows that istio-sample is handled exactly the same way.
The one notable detail is in [Command 6]: reviews has three endpoints, and kube-proxy spreads connections across them with statistic mode random rules (the probability attribute). The probabilities 0.333, 0.5 and none are evaluated in order, each against what the earlier rules left over, so the effective split is an equal one third per endpoint rather than 0.34 : 0.5 : rest. This selection is kube-proxy's, not Istio's: a sidecar's Envoy connects to endpoint pod IPs it learned from istiod and does not go through these ClusterIP rules at all.
[Command 4] Check the Gateway Service (bookinfo-gateway)
1. Check the Gateway Service iptables NAT rules
sudo iptables -t nat -L KUBE-SERVICES -v | grep -E "(bookinfo-gateway|pkts)"
pkts bytes target prot opt in out source destination
0 0 KUBE-SVC-M3GRG3ZIUI3SSHYC tcp -- any any anywhere 10.109.175.27 /* istio-sample/bookinfo-gateway-istio:status-port cluster IP */
0 0 KUBE-SVC-AJGCB2HIHIW4ZNR7 tcp -- any any anywhere 10.109.175.27 /* istio-sample/bookinfo-gateway-istio:http cluster IP */
2. Check the Gateway Service KUBE-MARK-MASQ (Mark Masquerade) chain
sudo iptables -t nat -L KUBE-MARK-MASQ -v
Chain KUBE-MARK-MASQ (60 references)
pkts bytes target prot opt in out source destination
4 256 MARK all -- any any anywhere anywhere MARK or 0x4000
3. Check the Gateway Service KUBE-SEP-* (Service Endpoint) chain
sudo iptables -t nat -L KUBE-SEP-JHP3G26UDNVJ2JCA -v
Chain KUBE-SEP-JHP3G26UDNVJ2JCA (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- any any 10.244.0.213 anywhere /* istio-sample/bookinfo-gateway-istio:status-port */
2 128 DNAT tcp -- any any anywhere anywhere /* istio-sample/bookinfo-gateway-istio:status-port */ tcp to:10.244.0.213:15021
4. Confirm the Gateway Pod exists
kubectl get pods -o wide -A | grep 10.244.0.213
istio-sample bookinfo-gateway-istio-854cd9bd69-v4q68 1/1 Running 0 87m 10.244.0.213 cp-k8s none none
5. Check the Gateway Pod containerPort
kubectl get pod bookinfo-gateway-istio-854cd9bd69-v4q68 -n istio-sample -o yaml | grep 15021
- containerPort: 15021
port: 15021
port: 15021
[Command 5] Check the Services (productpage, details, ratings)
1. Check the Service iptables NAT rules
sudo iptables -t nat -L KUBE-SERVICES -v | grep -E "(productpage|pkts)"
pkts bytes target prot opt in out source destination
0 0 KUBE-SVC-TQVK2WQMHZOS6576 tcp -- any any anywhere 10.105.143.182 /* istio-sample/productpage:http cluster IP */
2. List the Service iptables chain
sudo iptables -t nat -L KUBE-SVC-TQVK2WQMHZOS6576 -v
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ tcp -- any any !cp-k8s/16 10.105.143.182 /* istio-sample/productpage:http cluster IP */
0 0 KUBE-SEP-YQYLXICOU2BC3HTB all -- any any anywhere anywhere /* istio-sample/productpage:http -> 10.244.0.211:9080 */
3. Check the Service KUBE-MARK-MASQ (Mark Masquerade) chain
sudo iptables -t nat -L KUBE-MARK-MASQ -v
Chain KUBE-MARK-MASQ (60 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- any any anywhere anywhere MARK or 0x4000
4. Check the Service KUBE-SEP-* (Service Endpoint) chain
sudo iptables -t nat -L KUBE-SEP-YQYLXICOU2BC3HTB -v
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- any any 10.244.0.211 anywhere /* istio-sample/productpage:http */
0 0 DNAT tcp -- any any anywhere anywhere /* istio-sample/productpage:http */ tcp to:10.244.0.211:9080
5. Confirm the Service Pod exists
kubectl get pods -o wide -A | grep 10.244.0.211
istio-sample productpage-v1-dffc47f64-5v8l6 2/2 Running 0 109m 10.244.0.211 cp-k8s none none
6. Check the Service Pod containerPort
kubectl get pod productpage-v1-dffc47f64-5v8l6 -n istio-sample -o yaml | grep 9080
- containerPort: 9080
{"containerPort":9080,"protocol":"TCP"}
value: '{"scrape":"true","path":"/metrics","port":"9080"}'
[Command 6] Check the Service (reviews)
1. Check the Service iptables NAT rules
sudo iptables -t nat -L KUBE-SERVICES -v | grep -E "(reviews|pkts)"
pkts bytes target prot opt in out source destination
0 0 KUBE-SVC-IZRUIY3NLSNO2IFV tcp -- any any anywhere 10.102.65.41 /* istio-sample/reviews:http cluster IP */
2. List the Service iptables chain
sudo iptables -t nat -L KUBE-SVC-IZRUIY3NLSNO2IFV -v
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ tcp -- any any !cp-k8s/16 10.102.65.41 /* istio-sample/reviews:http cluster IP */
0 0 KUBE-SEP-5U3Z6MOEAXFVLKOR all -- any any anywhere anywhere /* istio-sample/reviews:http -> 10.244.0.208:9080 */ statistic mode random probability 0.33333333349
0 0 KUBE-SEP-XDRB7CPXZN4FG6VD all -- any any anywhere anywhere /* istio-sample/reviews:http -> 10.244.0.209:9080 */ statistic mode random probability 0.50000000000
0 0 KUBE-SEP-O4CHHVMWLNHDCXU5 all -- any any anywhere anywhere /* istio-sample/reviews:http -> 10.244.0.210:9080 */
3. Check the Service KUBE-MARK-MASQ (Mark Masquerade) chain
sudo iptables -t nat -L KUBE-MARK-MASQ -v
Chain KUBE-MARK-MASQ (60 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- any any anywhere anywhere MARK or 0x4000
4. Check the Service KUBE-SEP-* (Service Endpoint) chains
sudo iptables -t nat -L KUBE-SEP-5U3Z6MOEAXFVLKOR -v
sudo iptables -t nat -L KUBE-SEP-XDRB7CPXZN4FG6VD -v
sudo iptables -t nat -L KUBE-SEP-O4CHHVMWLNHDCXU5 -v
Chain KUBE-SEP-5U3Z6MOEAXFVLKOR (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- any any 10.244.0.208 anywhere /* istio-sample/reviews:http */
0 0 DNAT tcp -- any any anywhere anywhere /* istio-sample/reviews:http */ tcp to:10.244.0.208:9080
Chain KUBE-SEP-XDRB7CPXZN4FG6VD (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- any any 10.244.0.209 anywhere /* istio-sample/reviews:http */
0 0 DNAT tcp -- any any anywhere anywhere /* istio-sample/reviews:http */ tcp to:10.244.0.209:9080
Chain KUBE-SEP-O4CHHVMWLNHDCXU5 (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- any any 10.244.0.210 anywhere /* istio-sample/reviews:http */
0 0 DNAT tcp -- any any anywhere anywhere /* istio-sample/reviews:http */ tcp to:10.244.0.210:9080
5. Confirm the Service Pods exist
kubectl get pods -o wide -A | grep -E "(NAME|10.244.0.208|10.244.0.209|10.244.0.210)"
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
istio-sample reviews-v1-5c4d6d447c-w74pp 2/2 Running 0 136m 10.244.0.208 cp-k8s none none
istio-sample reviews-v2-65cb66b45c-vjmpv 2/2 Running 0 136m 10.244.0.209 cp-k8s none none
istio-sample reviews-v3-f68f94645-bp6v2 2/2 Running 0 136m 10.244.0.210 cp-k8s none none
6. Check the Service Pod containerPorts
kubectl get pods reviews-v1-5c4d6d447c-w74pp reviews-v2-65cb66b45c-vjmpv reviews-v3-f68f94645-bp6v2 -n istio-sample -o yaml | grep "9080"
- containerPort: 9080
{"containerPort":9080,"protocol":"TCP"}
- containerPort: 9080
{"containerPort":9080,"protocol":"TCP"}
- containerPort: 9080
{"containerPort":9080,"protocol":"TCP"}
Two features stood out so far:
Path-based routing
Probability-based traffic distribution (0.333, 0.5, remainder, which works out to an equal split)
The first is something Ingress controllers (NGINX, ALB) support as well,
and the second was something I first saw with Istio, but I think it relies on a property of iptables.
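The three reviews rules in [Command 6] are easy to misread as a 0.34 : 0.5 : rest split. kube-proxy evaluates them top to bottom, so each probability applies only to the traffic the earlier rules did not take. The following added example (not from the original post, and not kube-proxy's or Istio's code) computes the effective share per endpoint from a KUBE-SVC chain listing and, more generally, prints the probabilities kube-proxy programs for N endpoints (1/(N-i+1) on rule i, which is exactly what makes the draw even). The sample input is the reviews chain captured above, embedded as a constructed string.

```sh
#!/bin/sh
# Added example: effective endpoint share behind kube-proxy's sequential
# "statistic mode random probability" rules. Not part of the original post.

# Constructed sample: the three KUBE-SEP jump rules of the reviews KUBE-SVC chain
# from [Command 6] step 2, as "iptables -t nat -L <chain> -v" prints them.
SAMPLE_RULES='0 0 KUBE-SEP-5U3Z6MOEAXFVLKOR all -- any any anywhere anywhere /* istio-sample/reviews:http -> 10.244.0.208:9080 */ statistic mode random probability 0.33333333349
0 0 KUBE-SEP-XDRB7CPXZN4FG6VD all -- any any anywhere anywhere /* istio-sample/reviews:http -> 10.244.0.209:9080 */ statistic mode random probability 0.50000000000
0 0 KUBE-SEP-O4CHHVMWLNHDCXU5 all -- any any anywhere anywhere /* istio-sample/reviews:http -> 10.244.0.210:9080 */'

# effective_split: read a KUBE-SVC chain listing on stdin and print
# "<endpoint> <effective share>" for every KUBE-SEP jump rule.
# Rules are tried in order, so rule i only sees the traffic that rules
# 1..i-1 did not match; a rule without "probability" takes all of it.
effective_split() {
  awk '
    BEGIN { remaining = 1.0 }
    /KUBE-SEP-/ {
      ep = "?"; p = 1.0
      for (i = 1; i <= NF; i++) {
        if ($i == "->")          ep = $(i + 1)      # endpoint from the kube-proxy comment
        if ($i == "probability") p  = $(i + 1) + 0  # per-rule match probability
      }
      share = remaining * p
      printf "%s %.4f\n", ep, share
      remaining -= share
    }'
}

# kube_proxy_probabilities N: the value kube-proxy programs on rule i of N
# endpoints is 1/(N-i+1); the last rule carries no match and takes the remainder.
kube_proxy_probabilities() {
  awk -v n="$1" 'BEGIN {
    for (i = 1; i < n; i++) printf "rule %d: probability %.5f\n", i, 1 / (n - i + 1)
    printf "rule %d: no probability match, takes the remainder\n", n
  }'
}

# Usage on a live node (the -n avoids reverse DNS, the comment still carries the endpoint):
#   sudo iptables -t nat -L KUBE-SVC-IZRUIY3NLSNO2IFV -v -n | effective_split
printf '%s\n' "$SAMPLE_RULES" | effective_split
kube_proxy_probabilities 3
```

The same computation applied to a Service with five endpoints gives 0.2, 0.25, 0.333, 0.5 and the remainder on the rules, and again one fifth per endpoint in effect; the rule values only look skewed because they are conditional, not absolute, probabilities.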
At that point the question came up: "what exactly do istio and envoy do?"
[Command 7] shows the injected InitContainer (istio-init) and Container (istio-proxy):
InitContainer (istio-init) : programs the pod's iptables nat rules so that all inbound and outbound traffic is redirected to istio-proxy
Container (istio-proxy) : pilot-agent plus Envoy, started as proxy sidecar with the pod's DNS domain; it receives its listeners, routes, clusters and endpoints from istiod over xDS, and CA_ADDR istiod.istio-system.svc:15012 below is also where it obtains its workload certificate
💡
There are two ways to address a Service endpoint:
1. target-app.default-ns.svc.cluster.local : explicit, but awkward when the namespace changes
2. target-app : independent of the namespace; the pod's resolv.conf search list expands it, so it resolves in the pod's own namespace first
The injected sidecar is started with the option below, which hands the proxy that same DNS domain suffix for the pod's namespace:
--domain $(POD_NAMESPACE).svc.cluster.local
[Command 7] Inspect istio-proxy (envoy)
1. List the istio-sample pods
kubectl get pods -n istio-sample -o=custom-columns="KIND:.kind,NS:.metadata.namespace,NAME:.metadata.name"
KIND NS NAME
Pod istio-sample bookinfo-gateway-istio-854cd9bd69-v4q68
Pod istio-sample details-v1-79dfbd6fff-slm95
Pod istio-sample productpage-v1-dffc47f64-5v8l6
Pod istio-sample ratings-v1-65f797b499-hf42z
Pod istio-sample reviews-v1-5c4d6d447c-w74pp
Pod istio-sample reviews-v2-65cb66b45c-vjmpv
Pod istio-sample reviews-v3-f68f94645-bp6v2
2. Check the composition of an istio-sample pod (productpage-v1-dffc47f64-5v8l6)
kubectl get pod productpage-v1-dffc47f64-5v8l6 \
-n istio-sample \
-o=custom-columns="KIND:.kind,NS:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name,INIT_CONTAINERS:.spec.initContainers[*].name"
KIND NS NAME CONTAINERS INIT_CONTAINERS
Pod istio-sample productpage-v1-dffc47f64-5v8l6 productpage,istio-proxy istio-init
3. Check the InitContainer (istio-init)
iptables rules that let the Istio sidecar proxy intercept network traffic
REDIRECT captures all inbound (to 15006) and outbound (to 15001) traffic; -u 1337 exempts the proxy's own UID so Envoy's traffic is not looped back into itself, and -d 15090,15021,15020 leaves the proxy's metrics, health and status ports uncaptured. Note the securityContext below: this container runs as root with NET_ADMIN and NET_RAW, which a restrictive Pod Security policy rejects; the Istio CNI node agent exists to move this step out of the pod
kubectl get pod productpage-v1-dffc47f64-5v8l6 -n istio-sample -o yaml | grep "initContainers:" -A 48
initContainers:
- args:
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- 15090,15021,15020
- --log_output_level=default:info
image: docker.io/istio/proxyv2:1.25.1
imagePullPolicy: IfNotPresent
name: istio-init
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-c6b8t
readOnly: true
4. Check the sidecar container (istio-proxy); note the contrast with istio-init in its securityContext: UID 1337, non-root, read-only root filesystem, all capabilities dropped
kubectl get pod productpage-v1-dffc47f64-5v8l6 -n istio-sample -o yaml | grep " \- args:" -A 145 -m 1
- args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=default:info
env:
- name: PILOT_CERT_PROVIDER
value: istiod
- name: CA_ADDR
value: istiod.istio-system.svc:15012
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
divisor: "0"
resource: limits.cpu
- name: PROXY_CONFIG
value: |
{}
- name: ISTIO_META_POD_PORTS
value: |-
[
{"containerPort":9080,"protocol":"TCP"}
]
- name: ISTIO_META_APP_CONTAINERS
value: productpage
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
divisor: "0"
resource: limits.memory
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
divisor: "0"
resource: limits.cpu
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_WORKLOAD_NAME
value: productpage-v1
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/istio-sample/deployments/productpage-v1
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
value: cluster.local
- name: ISTIO_PROMETHEUS_ANNOTATIONS
value: '{"scrape":"true","path":"/metrics","port":"9080"}'
image: docker.io/istio/proxyv2:1.25.1
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 4
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 3
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 10m
memory: 40Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
startupProbe:
failureThreshold: 600
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
periodSeconds: 1
successThreshold: 1
timeoutSeconds: 3
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/workload-spiffe-uds
name: workload-socket
- mountPath: /var/run/secrets/credential-uds
name: credential-socket
- mountPath: /var/run/secrets/workload-spiffe-credentials
name: workload-certs
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /var/run/secrets/tokens
name: istio-token
- mountPath: /etc/istio/pod
name: istio-podinfo
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-c6b8t
readOnly: true
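Everything the sidecar enforces rests on the REDIRECT rules istio-init programmed, and those rules have two documented gaps that a workload can use to step around the proxy: traffic from UID 1337 (the -u value) is never intercepted, and a container holding NET_ADMIN/NET_RAW can rewrite the pod's nat table. As an added example (not from the original post and not Istio's own tooling), the shell function below reads one line per container in the layout produced by the kubectl jsonpath in its comment (name, runAsUser, added capabilities, tab separated) and flags application containers that meet either condition. The sample input is constructed: productpage and istio-proxy as on this page, plus two hypothetical containers, evader and tweaker, that do not exist in the sample app.

```sh
#!/bin/sh
# Added example: audit a pod for containers that can bypass or rewrite the
# sidecar's iptables interception. Not part of the original post or of Istio.

PROXY_UID=1337   # the -u value istio-init passes to istio-iptables above

# Constructed sample: name<TAB>runAsUser<TAB>capabilities.add, one container per line.
# productpage and istio-proxy are as on this page; evader and tweaker are hypothetical.
SAMPLE_CONTAINERS=$(printf '%s\t%s\t%s\n' \
  productpage  ''    '' \
  istio-proxy  1337  '' \
  evader       1337  '' \
  tweaker      ''    'NET_ADMIN NET_RAW')

# audit_capture: print one finding per risky app container, exit 1 if there was any.
# The mesh's own containers are skipped: istio-proxy must run as 1337 and
# istio-init needs NET_ADMIN/NET_RAW by design.
# Caveat: an empty runAsUser means the image USER applies, which the pod spec
# does not show; an image that defaults to UID 1337 would bypass capture too.
audit_capture() {
  awk -F'\t' -v proxy_uid="$PROXY_UID" '
    $1 == "istio-proxy" || $1 == "istio-init" { next }
    $2 == proxy_uid {
      printf "%s: runs as UID %s, which istio-iptables (-u %s) excludes from REDIRECT; its traffic bypasses the sidecar\n", $1, $2, proxy_uid
      bad = 1
    }
    $3 ~ /NET_ADMIN|NET_RAW/ {
      printf "%s: has %s and can rewrite the pod nat table, disabling interception\n", $1, $3
      bad = 1
    }
    END { if (bad) exit 1 }'
}

# Usage on the cluster (same three tab-separated columns as the sample):
#   kubectl get pod productpage-v1-dffc47f64-5v8l6 -n istio-sample \
#     -o jsonpath='{range .spec.containers[*]}{.name}{"\t"}{.securityContext.runAsUser}{"\t"}{.securityContext.capabilities.add[*]}{"\n"}{end}' \
#     | audit_capture
printf '%s\n' "$SAMPLE_CONTAINERS" | audit_capture || echo "findings above: the pod is not fully covered by the mesh"
```

Run it over every pod in a meshed namespace before trusting PeerAuthentication or AuthorizationPolicy results; a container that escapes interception is invisible to both, yet still carries the pod's service-account identity.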
However,
even after going this far I cannot say I understand 100% how istiod and istio-proxy work,
so a follow-up [A.3-1] will dive deeper into how istiod and istio-proxy operate:
how istiod and istio-proxy do dynamic analysis
how istiod injects istio-proxy automatically
how istio-proxy handles path forwarding
how istio-proxy's inbound handler and outbound handler work
A.4. Deploy the dashboards for Istio
Kiali usage is beyond the scope of this document, so it is not covered here.
[Command 8] Install the Istio dashboards
1. Deploy the monitoring add-ons into istio-system (Kiali, Jaeger, Prometheus, Grafana, Loki)
sudo -i
cd ~/istio/istio-1.25.1
kubectl apply -f samples/addons
2. Change the kiali Service type (the sample add-on runs Kiali with anonymous auth, so a NodePort exposes an unauthenticated console acting with Kiali's own service-account permissions on every node; acceptable for a lab, otherwise prefer istioctl dashboard kiali or a port-forward)
kubectl patch svc kiali -n istio-system -p '{"spec": {"type": "NodePort"}}'
3. Check the kiali Service endpoint
kubectl get svc -n istio-system
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                          AGE
grafana            ClusterIP   10.100.108.121   <none>        3000/TCP                                         3m11s
istiod             ClusterIP   10.109.45.184    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP            66m
jaeger-collector   ClusterIP   10.111.90.226    <none>        14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP   3m11s
kiali              NodePort    10.101.40.67     <none>        20001:32653/TCP,9090:32621/TCP                   3m11s
loki               ClusterIP   10.107.156.253   <none>        3100/TCP,9095/TCP                                3m11s
loki-headless      ClusterIP   None             <none>        3100/TCP                                         3m11s
loki-memberlist    ClusterIP   None             <none>        7946/TCP                                         3m11s
prometheus         ClusterIP   10.106.11.163    <none>        9090/TCP                                         3m11s
tracing            ClusterIP   10.96.147.204    <none>        80/TCP,16685/TCP                                 3m11s
zipkin             ClusterIP   10.104.86.35     <none>        9411/TCP                                         3m11s
A.5. Conclusion
With Istio (Envoy) the traffic flowing between a pod and its service endpoints can be controlled at a fine grain. The details will be covered in the follow-up [A.5-1].