
为Nginx服务添加ServiceEntry和workloadEntry对象,治理目标为网格外部服务的出向流量

时间:2022-08-23 17:58:18浏览次数:79  

测试在网格内部访问网格外部服务

我开了三台云主机,每台都安装了docker和docker-compose

第一台

[root@VM-0-12-centos ~]# cat Deploy-Nginx/docker-compose.yml 
# Compose file for the first external host: one nginx container serving the
# local ./html/nginx2001 directory, published on host port 8091.
version: '3.3'

services:
  nginx2001:
    # NOTE(review): a tag can be re-pointed upstream; pinning by digest
    # (nginx:1.20-alpine@sha256:<digest-placeholder>) makes pulls reproducible.
    image: nginx:1.20-alpine
    volumes:
      # nginx presumably only reads this directory; appending ":ro" would mount
      # it read-only.
      - ./html/nginx2001:/usr/share/nginx/html/
    networks:
      envoymesh:
        ipv4_address: 172.31.201.11
        aliases:
        - nginx
    expose:
      - "80"
    ports:
      # Publishes container port 80 on 10.0.0.12:8091 only, not on every host
      # interface.
      # NOTE(review): the mesh reaches this service over plain HTTP; presumably
      # a public address is mapped to 10.0.0.12 by the cloud provider. Limit
      # port 8091 in the host firewall / security group to the cluster's egress
      # addresses.
      - "10.0.0.12:8091:80"

networks:
  # Bridge network local to this Docker host; the static address and alias
  # above are only meaningful to containers attached to it.
  envoymesh:
    driver: bridge
    ipam:
      config:
        - subnet: 172.31.201.0/24

[root@VM-0-12-centos ~]# cat Deploy-Nginx/html/nginx2001/index.html 
<title>nginx.magedu.com</title>
Nginx 2001 ~~

第二台

[root@VM-0-6-centos ~]# cat Deploy-Nginx/docker-compose.yml 
# Compose file for the second external host: same layout as the first, serving
# ./html/nginx2002 and published on 10.0.0.6:8091.
version: '3.3'

services:
  nginx2002:
    # NOTE(review): mutable tag; consider pinning by digest
    # (nginx:1.20-alpine@sha256:<digest-placeholder>).
    image: nginx:1.20-alpine
    volumes:
      - ./html/nginx2002:/usr/share/nginx/html/
    networks:
      envoymesh:
        ipv4_address: 172.31.201.12
        aliases:
        - nginx
    expose:
      - "80"
    ports:
      # Bound to one host address rather than 0.0.0.0. The service is
      # unauthenticated plain HTTP, so access to 8091 should be limited to the
      # mesh's egress addresses at the firewall / security group.
      - "10.0.0.6:8091:80"

networks:
  # Each host runs its own copy of this bridge network; the 172.31.201.0/24
  # addresses are not routable between the three hosts.
  envoymesh:
    driver: bridge
    ipam:
      config:
        - subnet: 172.31.201.0/24
[root@VM-0-6-centos ~]# cat Deploy-Nginx/html/nginx2002/index.html 
<title>nginx.magedu.com</title>
Nginx 2002 ~~

第三台

[root@VM-0-14-centos ~]# cat Deploy-Nginx/docker-compose.yml 
# Compose file for the third external host. It differs from the other two in
# the image version (1.21) and in carrying an extra "canary" network alias.
version: '3.3'

services:
  nginx2101:
    # NOTE(review): mutable tag; consider pinning by digest
    # (nginx:1.21-alpine@sha256:<digest-placeholder>).
    image: nginx:1.21-alpine
    volumes:
      - ./html/nginx2101:/usr/share/nginx/html/
    networks:
      envoymesh:
        ipv4_address: 172.31.201.13
        aliases:
        # Aliases resolve only for containers on this host's bridge network;
        # they play no part in how the mesh addresses this endpoint.
        - nginx
        - canary
    expose:
      - "80"
    ports:
      # Published on 10.0.0.14:8091 only. Plain HTTP with no authentication:
      # restrict the port to the mesh's egress addresses at the firewall /
      # security group.
      - "10.0.0.14:8091:80"

networks:
  envoymesh:
    driver: bridge
    ipam:
      config:
        - subnet: 172.31.201.0/24
[root@VM-0-14-centos ~]# cat Deploy-Nginx/html/nginx2101/index.html 
<title>nginx.magedu.com</title>
Nginx 2101 ~~

三台都执行下docker-compose up,启动之后curl访问下有没有问题

docker-compose up -d

进入sleep使用curl访问外部服务,使用while循环访问

[root@k8s-master ~]# kubectl exec -it sleep-698cfc4445-dvx5n  -- /bin/sh
/ $ curl 1.13.251.235:8091
<title>nginx.magedu.com</title>
Nginx 2101 ~~
/ $ curl 175.27.156.219:8091
<title>nginx.magedu.com</title>
Nginx 2002 ~~
/ $ curl 1.13.169.203:8091
<title>nginx.magedu.com</title>
Nginx 2001 ~~
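# Poll one external endpoint once per second so the traffic shows up in Kiali.
while true; do curl 1.13.251.235:8091; sleep 1; done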

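打开kiali,可以看到流量。此时还没有创建ServiceEntry,请求之所以能成功,应当是因为Istio默认的出向策略(meshConfig.outboundTrafficPolicy.mode)为ALLOW_ANY,sidecar把未注册的目标直接透传出去;如果需要限制网格只能访问已注册的外部服务,需要把该策略改为REGISTRY_ONLY。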

将外部的服务引入到网格内部

[root@k8s-master 01-Service-Entry]# kubectl apply -f 01-serviceentry-nginx.yaml 
serviceentry.networking.istio.io/nginx-external created
[root@k8s-master 01-Service-Entry]# cat 01-serviceentry-nginx.yaml 
# Registers nginx.magedu.com in the mesh's service registry as an external
# HTTP service with three fixed endpoints, so that routing rules and telemetry
# can be attached to it.
# NOTE(review): a ServiceEntry describes a destination; it does not by itself
# block traffic to destinations that are not registered. Egress restriction
# depends on the mesh-wide outboundTrafficPolicy (and, for real enforcement,
# on an egress gateway or network policy).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: nginx-external
spec:
  hosts:
  - nginx.magedu.com
  # Virtual IPs associated with the service. For HTTP ports the sidecar picks
  # the destination from the Host/Authority header, matching both these
  # addresses and the hosts above.
  addresses:
  - "1.13.169.203"
  - "175.27.156.219"
  - "1.13.251.235"
  ports:
  - number: 8091
    name: http
    # NOTE(review): cleartext HTTP to what appear to be public addresses. If
    # the upstream can serve TLS, the sidecar can originate it via a
    # DestinationRule trafficPolicy.tls setting.
    protocol: HTTP
  location: MESH_EXTERNAL
  # STATIC: use the endpoint addresses listed below; no DNS lookup is done.
  resolution: STATIC
  endpoints:
  - address: "1.13.169.203"
    ports:
      http: 8091
  - address: "175.27.156.219"
    ports:
      http: 8091
  - address: "1.13.251.235"
    ports:
      http: 8091

看下有没有生成listener

[root@k8s-master 01-Service-Entry]# istioctl pc listeners sleep-698cfc4445-dvx5n

[root@k8s-master 01-Service-Entry]# istioctl pc cluster sleep-698cfc4445-dvx5n

[root@k8s-master 01-Service-Entry]# istioctl pc endpoint sleep-698cfc4445-dvx5n

再次使用sleep访问外部nginx,查看协议有没有变成http

创建一个pod加一个解析

[root@k8s-master ~]# kubectl run client-$RANDOM --image ikubernetes/admin-box:v1.2 --restart=Never -it --command -- /bin/bash
root@client-25390 /# vi /etc/hosts
1.13.169.203 nginx.magedu.com
root@client-25390 /# while true; do curl nginx.magedu.com:8091; sleep 1 ;done

可以看到三台都可以访问到:虽然/etc/hosts里只给nginx.magedu.com写了一个地址,但sidecar是按HTTP的Host头匹配到ServiceEntry,再在它的三个endpoint之间做负载均衡的

 

这时我们就可以使用destinationrule和virtualservices

[root@k8s-master 01-Service-Entry]# cat 02-destinationrule-nginx.yaml 
# Traffic policy for calls to nginx.magedu.com: header-based sticky load
# balancing, connection-pool limits, and outlier ejection of failing endpoints.
# NOTE(review): no trafficPolicy.tls is configured, so the sidecar sends
# cleartext HTTP to the external endpoints.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nginx-external
spec:
  host: nginx.magedu.com
  trafficPolicy:
    loadBalancer:
      consistentHash:
        # Requests carrying the same X-User value are hashed to the same
        # endpoint. The header is supplied by the caller: it gives stickiness,
        # not a verified identity.
        httpHeaderName: X-User
    connectionPool:
      tcp:
        maxConnections: 10000
        # NOTE(review): 10ms is very short for endpoints reached across a WAN;
        # connections may time out before they are established. Confirm
        # against measured round-trip latency.
        connectTimeout: 10ms
        tcpKeepalive:
          time: 7200s
          interval: 75s
      http:
        http2MaxRequests: 1000
        # Each upstream connection is closed after serving 10 requests.
        maxRequestsPerConnection: 10
    outlierDetection:
      # Every 2m, an endpoint that returned 5 consecutive 5xx responses is
      # ejected for a base period of 1m; at most 50% of endpoints may be
      # ejected at once.
      maxEjectionPercent: 50
      consecutive5xxErrors: 5
      interval: 2m
      baseEjectionTime: 1m
      # Outlier detection stays active only while at least 40% of the
      # endpoints are healthy.
      minHealthPercent: 40
[root@k8s-master 01-Service-Entry]# cat 03-virtualservice-nginx.yaml 
# Routes for nginx.magedu.com. Routes are evaluated in order: requests marked
# with X-Testing: "true" get fault injection, everything else falls through to
# the plain route at the bottom.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-external
spec:
  hosts:
  - nginx.magedu.com
  http:
  # NOTE(review): "falut" is presumably a typo for "fault"; the name is only a
  # label for this route.
  - name: falut-injection
    match:
    # The header is set by the calling client, so any in-mesh caller can opt
    # its own requests into this route.
    - headers:
        X-Testing:
          exact: "true"
    route:
    - destination:
        host: nginx.magedu.com
    fault:
      # 5% of matching requests are delayed by 2s.
      delay:
        percentage:
          value: 5
        fixedDelay: 2s
      # 5% of matching requests are answered with status 555 (a non-standard
      # code in the 5xx range) instead of being forwarded.
      abort:
        percentage:
          value: 5
        httpStatus: 555
  # Default route: no match clause, so it takes every request not caught above.
  - name: nginx-external
    route:
    - destination:
        host: nginx.magedu.com
[root@k8s-master 02-Workload-Entry]# kubectl apply -f 01-workloadentry-nginx.yaml
[root@k8s-master 02-Workload-Entry]# kubectl apply -f 02-serviceentry-nginx.yaml 
[root@k8s-master 02-Workload-Entry]# cat 01-workloadentry-nginx.yaml 
# Two WorkloadEntry objects, each describing one external nginx host as a mesh
# workload. Only the two 1.20 hosts are registered here; 1.13.251.235 is not.
# NOTE(review): the `kubectl get workloadentry` output shown later on the page
# lists 172.29.1.201 / 172.29.1.202 for these objects, not the addresses
# below; confirm which addresses were actually applied.
# NOTE(review): no serviceAccount is set and the hosts presumably run no
# sidecar, so traffic to them carries no mesh identity and is not mTLS.
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: workload-nginx2001
  # Labels on the Kubernetes object itself (what `--show-labels` prints).
  labels:
    version: v1.20
spec:
  address: "1.13.169.203"
  ports:
    http: 8091
  # Workload labels: these are what a ServiceEntry workloadSelector matches.
  labels:
    app: nginx
    version: v1.20
    instance-id: Nginx2001
---
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: workload-nginx2002
  labels:
    version: v1.20
spec:
  address: "175.27.156.219"
  ports:
    http: 8091
  labels:
    app: nginx
    version: v1.20
    instance-id: Nginx2002
---
[root@k8s-master 02-Workload-Entry]# cat 02-serviceentry-nginx.yaml 
# ServiceEntry for nginx.magedu.com whose endpoints come from a label selector
# instead of an inline endpoints list. It has the same name as the ServiceEntry
# applied earlier on the page, so applying it in the same namespace presumably
# replaces that one.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: nginx-external
spec:
  hosts:
  - nginx.magedu.com
  ports:
  # Clients call port 80; the sidecar forwards to port 8091 on the endpoint.
  - number: 80
    name: http
    # Cleartext HTTP between the sidecar and the external hosts.
    protocol: HTTP
    targetPort: 8091
  # NOTE(review): Istio's API reference describes workloadSelector as
  # applicable to MESH_INTERNAL services; verify the behaviour of this
  # combination on the Istio version in use.
  location: MESH_EXTERNAL
  resolution: STATIC
  # Endpoints are every WorkloadEntry (and pod) in this namespace labelled
  # app=nginx. The label is generic: anything created with it becomes a
  # backend for nginx.magedu.com, so a more specific label and tight RBAC on
  # who may create workloads in the namespace are advisable.
  workloadSelector:
    labels:
      app: nginx
[root@k8s-master 02-Workload-Entry]# kubectl get workloadentry
NAME                 AGE     ADDRESS
workload-nginx2001   3m31s   172.29.1.201
workload-nginx2002   3m31s   172.29.1.202
[root@k8s-master 02-Workload-Entry]# kubectl get workloadentry --show-labels
NAME                 AGE     ADDRESS        LABELS
workload-nginx2001   4m15s   172.29.1.201   version=v1.20
workload-nginx2002   4m15s   172.29.1.202   version=v1.20

将网格外部的端点引入到网格内部

也可以单独配置destinationrule和virtualservice

[root@k8s-master 02-Workload-Entry]# cat 03-destinationrule-nginx.yaml 
# Traffic policy for nginx.magedu.com in the WorkloadEntry setup: random load
# balancing, connection-pool limits, and outlier ejection.
# NOTE(review): no trafficPolicy.tls is configured, so the sidecar sends
# cleartext HTTP to the external endpoints.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nginx-external
spec:
  host: nginx.magedu.com
  trafficPolicy:
    loadBalancer:
      # Each request goes to a randomly chosen healthy endpoint.
      simple: RANDOM
    connectionPool:
      tcp:
        maxConnections: 10000
        # NOTE(review): 10ms is very short for endpoints reached across a WAN;
        # confirm against measured round-trip latency.
        connectTimeout: 10ms
        tcpKeepalive:
          time: 7200s
          interval: 75s
      http:
        http2MaxRequests: 1000
        # Each upstream connection is closed after serving 10 requests.
        maxRequestsPerConnection: 10
    outlierDetection:
      # Every 2m, an endpoint with 5 consecutive 5xx responses is ejected for
      # a base period of 1m; at most 50% of endpoints may be ejected at once.
      # NOTE(review): with only two WorkloadEntry endpoints registered on this
      # page, that allows at most one ejection.
      maxEjectionPercent: 50
      consecutive5xxErrors: 5
      interval: 2m
      baseEjectionTime: 1m
      # Outlier detection stays active only while at least 40% of the
      # endpoints are healthy.
      minHealthPercent: 40
[root@k8s-master 02-Workload-Entry]# cat 04-virtualservice-nginx.yaml 
# Single route for nginx.magedu.com with fault injection attached.
# NOTE(review): this route has no match clause, so the faults below apply to
# every request to the host, not only to requests marked as tests. Scope it
# with a match, or remove the fault block, before reusing this outside a lab.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-external
spec:
  hosts:
  - nginx.magedu.com
  http:
  # NOTE(review): "falut" is presumably a typo for "fault"; the name is only a
  # label for this route.
  - name: falut-injection
    route:
    - destination:
        host: nginx.magedu.com
    fault:
      # 5% of requests are delayed by 2s.
      delay:
        percentage:
          value: 5
        fixedDelay: 2s
      # 5% of requests are answered with status 555 (a non-standard code in the
      # 5xx range) instead of being forwarded.
      abort:
        percentage:
          value: 5
        httpStatus: 555

 

From: https://www.cnblogs.com/zyyang1993/p/16617264.html
