6. Kubernetes and Istio
• Golang microservices
• The Service Mesh implements the communication functions in the infrastructure
• Developers focus on business logic
+Kubernetes +Istio Service Mesh
8. SERVICE MESH? AMBIENT MESH?
Service Mesh:
• An infrastructure layer for handling service-to-service communication.
• It is responsible for the reliable delivery of requests through the complex topology of
services that comprise a modern, cloud native application.
Ambient Mesh:
• A new architectural alternative that does not rely on sidecars for a service mesh.
• Announced as enabling customers to reduce costs by up to 90% while simplifying operations and
improving performance for their applications.
References: [3], [4]
9. ISTIO SERVICE MESH
• Control Plane
⚬ Pilot: manages the routing-rule configuration pushed to the proxies
⚬ Citadel: certificate authority (CA)
⚬ Galley: configuration validation, ingestion and processing
(since Istio 1.5 these run together inside the single istiod binary)
• Data Plane
⚬ Sidecar: uses Envoy (C++-based) as the proxy, intercepting the Pod's inbound / outbound
traffic
References: [5]
10. SIDECAR PROXY
• The Init Container uses iptables to configure the kernel's network rules
• Traffic switches back and forth between kernel space and user space
(at least 3 times, even within the same node)
References: [6]
30. 1. Create the IPSet
● Records the IP addresses of the Pods on the current Node
● Istio-CNI updates it automatically as Pods come and go
● Purpose: when a packet's srcIP matches this set, the packet is marked with
fwmark 0x100/0x100
$ docker exec ambient-worker ipset list
Name: ztunnel-pods-ips
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 296
References: 1
Number of entries: 1
Members:
10.244.1.7    <- the IP address of the Pod running on ambient-worker
$ k get pod -ocustom-columns=NAME:.metadata.name,IP:.status.podIP,NODE:.spec.nodeName | grep ambient-worker
httpbin-86869bccff-8v829 10.244.2.5 ambient-worker2
sleep-9454cc476-w74cd 10.244.1.7 ambient-worker
31. 2. Create the Network Interfaces (Node)
$ docker exec ambient-worker ip addr|grep istioin
5: istioin: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
inet 192.168.126.1/30 brd 192.168.126.3 scope global istioin
$ docker exec ambient-worker ip addr|grep istioout
6: istioout: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
inet 192.168.127.1/30 brd 192.168.127.3 scope global istioout
• Each pair is connected in ptp (point-to-point) mode, hence the /30 addresses
• Adds the istioin interface, IP: 192.168.126.1
• Adds the istioout interface, IP: 192.168.127.1
32. 2. Create the Network Interfaces (Pod)
$ k -n istio-system exec ztunnel-cmq4f -- ip addr|grep pistioin
3: pistioin: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
inet 192.168.126.2/30 brd 192.168.126.3 scope global pistioin
$ k -n istio-system exec ztunnel-cmq4f -- ip addr|grep pistioout
4: pistioout: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
inet 192.168.127.2/30 brd 192.168.127.3 scope global pistioout
• Adds the pistioin interface inside the ztunnel Pod, IP: 192.168.126.2 (peer of istioin)
• Adds the pistioout interface inside the ztunnel Pod, IP: 192.168.127.2 (peer of istioout)
33. 2. Create the Network Interfaces (Geneve tunnel)
$ docker exec ambient-worker ip -d link show istioout
9: istioout: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT
group default
link/ether ae:b7:c1:b2:00:4d brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65485
geneve id 1001 remote 10.244.1.6 ttl auto dstport 6081 noudpcsum udp6zerocsumrx addrgenmode eui64
numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
$ k -n istio-system exec ztunnel-cmq4f -- ip -d link show pistioout
4: pistioout: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT
group default
link/ether 5e:d6:87:52:61:97 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65485
geneve id 1001 remote 10.244.1.1 ttl auto dstport 6081 noudpcsum udp6zerocsumrx addrgenmode eui64
numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
• istioout / istioin on the node and pistioout / pistioin in the ztunnel Pod are the two ends of a Geneve
tunnel (VNI 1001, UDP port 6081): the node side points at the ztunnel Pod IP 10.244.1.6 and the Pod
side points back at the node (10.244.1.1), so any packet routed into istioout or istioin is carried
through the tunnel into the ztunnel Pod
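Added example (written for this page, not Istio or ztunnel code): a minimal encoder/decoder for the Geneve base header (RFC 8926), so that a capture of the tunnel traffic on UDP/6081 can be checked against the `ip -d link` output above. The sample packet is constructed here: it carries an Ethernet frame with the istioout and pistioout MACs from the slides around an IPv4 header for the sleep Pod (10.244.1.7) talking to httpbin (10.244.2.5); the MAC pairing and the inner payload are assumptions for illustration, only the VNI, port and IPs come from the slides.

```python
"""Geneve (RFC 8926) base-header encode/decode for inspecting istioout/istioin captures.

Added example written for this page; it is not Istio or ztunnel code. It builds a
constructed sample packet (VNI 1001 and UDP port 6081 as shown by `ip -d link`,
inner addresses taken from the slides) and decodes it again.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081                    # "dstport 6081" in the ip -d link output
GENEVE_VNI = 1001                         # "geneve id 1001"
ETHERTYPE_TRANS_ETHER_BRIDGING = 0x6558   # Geneve protocol type for an Ethernet payload
ETHERTYPE_IPV4 = 0x0800


@dataclass
class GeneveHeader:
    vni: int
    protocol: int = ETHERTYPE_TRANS_ETHER_BRIDGING
    opt_len: int = 0        # option length in 4-byte words
    oam: bool = False
    critical: bool = False

    def encode(self) -> bytes:
        if not 0 <= self.vni < (1 << 24):
            raise ValueError("VNI must fit in 24 bits")
        if not 0 <= self.opt_len < (1 << 6):
            raise ValueError("opt_len must fit in 6 bits")
        b0 = (0 << 6) | self.opt_len                            # Ver(2)=0 | Opt Len(6)
        b1 = (int(self.oam) << 7) | (int(self.critical) << 6)   # O | C | Rsvd(6)
        # Protocol Type (16) | VNI (24) | Reserved (8)
        return struct.pack("!BBHI", b0, b1, self.protocol, self.vni << 8)


def split_geneve(buf: bytes) -> tuple[GeneveHeader, bytes]:
    """Parse the UDP payload of a Geneve packet; return (header, encapsulated frame)."""
    if len(buf) < 8:
        raise ValueError("short Geneve header")
    b0, b1, proto, vni_word = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported Geneve version {b0 >> 6}")
    hdr = GeneveHeader(vni=vni_word >> 8, protocol=proto, opt_len=b0 & 0x3F,
                       oam=bool(b1 & 0x80), critical=bool(b1 & 0x40))
    end = 8 + 4 * hdr.opt_len
    if len(buf) < end:
        raise ValueError("Geneve options run past end of packet")
    return hdr, buf[end:]


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (TTL 64, DF set)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def inner_ipv4_endpoints(frame: bytes) -> tuple[str, str]:
    """Return (src, dst) of the IPv4 packet inside the encapsulated Ethernet frame."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or _checksum(ip[:ihl]) != 0:
        raise ValueError("bad inner IPv4 header")
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])


def build_sample_packet() -> bytes:
    """Constructed sample (assumption): what ambient-worker might send on UDP/6081 for the
    sleep Pod (10.244.1.7) talking to httpbin (10.244.2.5), using the MACs shown on the slides."""
    eth = (bytes.fromhex("5ed687526197")      # dst: pistioout MAC
           + bytes.fromhex("aeb7c1b2004d")    # src: istioout MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = ipv4_header("10.244.1.7", "10.244.2.5", proto=6)
    return GeneveHeader(vni=GENEVE_VNI).encode() + eth + ip


if __name__ == "__main__":
    hdr, inner = split_geneve(build_sample_packet())
    print(hdr, inner_ipv4_endpoints(inner))
```

The first eight bytes of the sample encode as 00 00 65 58 00 03 e9 00: version 0, no options, protocol 0x6558, VNI 0x0003e9 (1001). That byte pattern is what to look for right after the UDP header when capturing on the node, and the inner IPv4 header still carries the original Pod source and destination, which is why ztunnel can later recover the real dstIP.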
34. 3. Configure the Network Interfaces
● Set rp_filter to 0 to disable reverse-path filtering
• 1: strict mode, the packet is dropped unless the route back to its source leaves through the
same interface it arrived on
• 2: loose mode, the packet is dropped only if its source is unreachable through any interface
● Set accept_local to 1
• Accept packets whose srcIP is a local address even when they arrive on a non-loopback interface
● Both are needed because the tunnel hops deliver packets on istioin / pistioin / istioout /
pistioout, which are not the interfaces the kernel would otherwise use to reach those sources
accept_local – BOOLEAN
Accept packets with local source addresses. In combination with suitable routing, this
can be used to direct packets between two local interfaces over the wire and have them
accepted properly. default FALSE
35. 4. Configure iptables and routing rules
● Modify the NAT and MANGLE tables in iptables
• NAT: used to rewrite srcIP and dstIP
• MANGLE: used to set the fwmark (packet metadata) that the ip rules below match on
$ docker exec ambient-worker ip rule
0: from all lookup local
100: from all fwmark 0x200/0x200 goto 32766
101: from all fwmark 0x100/0x100 lookup 101
102: from all fwmark 0x40/0x40 lookup 102
103: from all lookup 100
32766: from all lookup main
32767: from all lookup default
$ docker exec ambient-worker ip route show table 101
default via 192.168.127.2 dev istioout
10.244.1.6 dev veth6f1f20dc scope link
41. 2. Node NS (NAT) -> Ztunnel NS
# View the policy routing rules
$ docker exec ambient-worker ip rule
0: from all lookup local
100: from all fwmark 0x200/0x200 goto 32766
101: from all fwmark 0x100/0x100 lookup 101
102: from all fwmark 0x40/0x40 lookup 102
103: from all lookup 100
32766: from all lookup main
32767: from all lookup default
● The packet carries fwmark 0x100/0x100 (set by the mangle rule because its srcIP is in
ztunnel-pods-ips), so it matches rule 101 and table 101 is consulted
● The default route in table 101 sends it out the istioout interface to the pistioout interface at
192.168.127.2, i.e. into the ztunnel Pod
# Look up table 101, selected by fwmark 0x100/0x100
$ docker exec ambient-worker ip route show table 101
default via 192.168.127.2 dev istioout
10.244.1.6 dev veth6f1f20dc scope link
42. 3. Ztunnel NS -> Other Node
# Get the iptables rules inside the ztunnel Pod
$ k -n istio-system exec ztunnel-cmq4f -- iptables-save
--- mangle ---
# …
# TPROXY redirects the connection to a local port and IP and sets tproxy-mark,
# which the routing rules below match on
-A PREROUTING -i pistioout -p tcp -j TPROXY --on-port 15001 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
# Get the routing rules inside the ztunnel Pod
$ k -n istio-system exec ztunnel-cmq4f -- ip rule
0: from all lookup local
20000: from all fwmark 0x400/0xfff lookup 100
20003: from all fwmark 0x4d3/0xfff lookup 100
32766: from all lookup main
32767: from all lookup default
$ k -n istio-system exec ztunnel-bbplk -- ip route show table 100
local default dev lo scope host
● The transparent proxy (TPROXY) hands the connection to 127.0.0.1:15001 while the packet keeps its
original dstIP, so ztunnel still knows the real destination
● fwmark 0x400/0xfff matches rule 20000; table 100 treats every destination as local, so the packet
is delivered over the loopback interface to the ztunnel process
47. 1. Node NS -> Ztunnel NS (inbound on ambient-worker2)
$ docker exec ambient-worker2 ip rule
0: from all lookup local
100: from all fwmark 0x200/0x200 goto 32766
101: from all fwmark 0x100/0x100 lookup 101
102: from all fwmark 0x40/0x40 lookup 102
103: from all lookup 100
32766: from all lookup main
32767: from all lookup default
● Inbound traffic from another node does not match ztunnel-pods-ips (its srcIP is not a local Pod),
so no fwmark is set and the lookup falls through to rule 103, table 100
● Table 100 routes the destination Pod IP 10.244.2.5 out the istioin interface to the pistioin
interface at 192.168.126.2, i.e. into the ztunnel Pod
$ docker exec ambient-worker2 ip route show table 100
10.244.2.5 via 192.168.126.2 dev istioin src 10.244.2.1
10.244.2.10 dev veth6cc9a213 scope link
48. 2. Ztunnel NS
# Get the iptables rules inside the ztunnel Pod
$ k -n istio-system exec ztunnel-bbplk -- iptables-save
--- mangle ---
# TPROXY redirects the connection to a local port and IP and sets tproxy-mark,
# which the routing rules below match on
-A PREROUTING -i pistioin -p tcp -m tcp --dport 15008 -j TPROXY --on-port 15008 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING -i pistioin -p tcp -j TPROXY --on-port 15006 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
# Get the routing rules inside the ztunnel Pod
$ k -n istio-system exec ztunnel-bbplk -- ip rule
0: from all lookup local
20000: from all fwmark 0x400/0xfff lookup 100
20003: from all fwmark 0x4d3/0xfff lookup 100
32766: from all lookup main
32767: from all lookup default
$ k -n istio-system exec ztunnel-bbplk -- ip route show table 100
local default dev lo scope host
● The destination port selects the listener: 15008 is the HBONE (mTLS) port, so those connections go
to ztunnel's 15008 listener; everything else is plaintext and goes to 15006; both use TPROXY
● fwmark 0x400/0xfff matches rule 20000; table 100 treats every destination as local, so the packet
is delivered over the loopback interface to the ztunnel process
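Added example (written for this page, not Istio or ztunnel code) covering slides 30, 35, 41, 42, 47 and 48 together: an offline model of the policy-routing decisions, fed with the `ip rule` and `ip route show table N` listings captured on those slides. It parses the rules (including the fwmark/mask selectors and the `goto`), does longest-prefix lookup in the captured tables, and reports which tables were consulted and which route won. Two assumptions are labelled in the code: the mangle rule that sets 0x100/0x100 is not itself shown on the slides, so `MARK_TO_ZTUNNEL` models the described behaviour (srcIP in ztunnel-pods-ips -> mark 0x100), and tables the slides did not capture (local, main, default, and table 100 on ambient-worker) are treated as empty.

```python
"""Offline model of the fwmark / policy-routing decisions shown on the ztunnel slides.

Added example written for this page, not Istio or ztunnel code. The `ip rule` and
`ip route show table N` listings below are the ones captured on the slides; tables the
slides did not capture (local, main, default, table 100 on ambient-worker) are treated
as empty, so a lookup that falls through to them returns no route.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    prio: int
    mark: int      # fwmark selector; 0 with mask 0 when the rule has none
    mask: int
    action: str    # "lookup" or "goto"
    target: str    # table name, or the priority to jump to


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: str | None = None
    rtype: str = "unicast"   # "local" for 'local default dev lo'


@dataclass
class Decision:
    tables_tried: list[str] = field(default_factory=list)
    route: Route | None = None


_RULE_RE = re.compile(
    r"^(\d+):\s+from all(?:\s+fwmark\s+(0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?)?"
    r"\s+(lookup|goto)\s+(\S+)$")


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        prio, mark, mask, action, target = m.groups()
        mark_v = int(mark, 16) if mark else 0
        # 'fwmark 0x400' with no mask compares the whole 32-bit mark
        mask_v = int(mask, 16) if mask else (0xFFFFFFFF if mark else 0)
        rules.append(Rule(int(prio), mark_v, mask_v, action, target))
    return sorted(rules, key=lambda r: r.prio)


def parse_routes(text: str) -> list[Route]:
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        rtype = tok.pop(0) if tok[0] in ("local", "unicast", "broadcast") else "unicast"
        prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        kv = dict(zip(tok[1::2], tok[2::2]))        # via X dev Y src Z scope S
        routes.append(Route(prefix, kv["dev"], kv.get("via"), rtype))
    return sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)  # longest prefix first


def lookup(routes: list[Route], dst: str) -> Route | None:
    addr = ipaddress.ip_address(dst)
    return next((r for r in routes if addr in r.prefix), None)


def select_route(rules: list[Rule], tables: dict[str, list[Route]], fwmark: int, dst: str) -> Decision:
    """Walk the rules in priority order, honouring fwmark masks and 'goto' (forward jumps only)."""
    d = Decision()
    i = 0
    while i < len(rules):
        r = rules[i]
        if (fwmark & r.mask) != r.mark:
            i += 1
            continue
        if r.action == "goto":
            target = int(r.target)
            if target <= r.prio:
                raise ValueError("goto must jump forward")
            i = next((j for j, x in enumerate(rules) if x.prio >= target), len(rules))
            continue
        d.tables_tried.append(r.target)
        d.route = lookup(tables.get(r.target, []), dst)
        if d.route:
            return d
        i += 1
    return d


# Listings copied from the slides (both nodes show the same ip rule set)
NODE_RULES = parse_rules("""0: from all lookup local
100: from all fwmark 0x200/0x200 goto 32766
101: from all fwmark 0x100/0x100 lookup 101
102: from all fwmark 0x40/0x40 lookup 102
103: from all lookup 100
32766: from all lookup main
32767: from all lookup default""")
WORKER_TABLES = {"101": parse_routes(
    "default via 192.168.127.2 dev istioout\n10.244.1.6 dev veth6f1f20dc scope link")}
WORKER2_TABLES = {"100": parse_routes(
    "10.244.2.5 via 192.168.126.2 dev istioin src 10.244.2.1\n10.244.2.10 dev veth6cc9a213 scope link")}
ZTUNNEL_RULES = parse_rules("""0: from all lookup local
20000: from all fwmark 0x400/0xfff lookup 100
20003: from all fwmark 0x4d3/0xfff lookup 100
32766: from all lookup main
32767: from all lookup default""")
ZTUNNEL_TABLES = {"100": parse_routes("local default dev lo scope host")}
ZTUNNEL_PODS_IPS = {"10.244.1.7"}   # members of the ztunnel-pods-ips ipset on ambient-worker
MARK_TO_ZTUNNEL = 0x100             # assumption: the mangle rule sets this when srcIP is in the ipset


def node_egress(src: str, dst: str) -> Decision:
    """Outbound path on ambient-worker: ipset membership decides the mark, the mark decides the table."""
    mark = MARK_TO_ZTUNNEL if src in ZTUNNEL_PODS_IPS else 0
    return select_route(NODE_RULES, WORKER_TABLES, mark, dst)
```

Two things the model makes visible that the listings alone do not: rule 100 (0x200/0x200, goto main) sits in front of rule 101, so a packet marked 0x300 bypasses ztunnel even though it also carries the 0x100 bit; and inside the ztunnel Pod a mark of 0x4d3 does not satisfy 20000 (0x4d3 & 0xfff != 0x400) but is caught by 20003, while an arbitrary 0x401 matches neither and falls through to main.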