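In a Kubernetes environment, the Kubernetes Ingress resource is used to specify which services should be exposed outside the cluster. In an Istio service mesh, a better option (which also works in Kubernetes and other environments) is a new configuration model called Istio Gateway, which lets you apply Istio features such as monitoring and routing rules to traffic entering the cluster.
- Expose mesh services to the external network so that services outside the mesh can access them
Configure the gateway and routes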
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myapp-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - route:
    - destination:
        host: myappv1.joy-ns.svc.cluster.local
      weight: 0
    - destination:
        host: myappv2.joy-ns.svc.cluster.local
      weight: 100
```
Access via NodePort

- Adjust routing with an identity-based policy
```
[root@harbor myapp]# cat myapp-vt.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - match:
    - headers:
        end-user:
          exact: joy
    route:
    - destination:
        host: myappv1
  - match:
    - headers:
        end-user:
          exact: jake
    route:
    - destination:
        host: myappv2
```
Allow joy to access V1 and jake to access V2
```
[root@harbor myapp]# curl 172.16.20.65:31380 -Hend-user:joy
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@harbor myapp]# curl 172.16.20.65:31380 -Hend-user:jake
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
[root@harbor myapp]# curl 172.16.20.65:31380 -Hend-user:jake
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
[root@harbor myapp]# curl 172.16.20.65:31380 -Hend-user:jake
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
[root@harbor myapp]# curl 172.16.20.65:31380 -Hend-user:joy
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@harbor myapp]# curl 172.16.20.65:31380 -Hend-user:joy
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
```
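The `end-user` header in the rules above is supplied by the client, as the curl calls show, so it selects a version without proving who the caller is. As an added example (not from the original page), the same routing can be keyed on the `sub` claim of a JWT validated at the ingress gateway; the issuer, JWKS URL, the `istio-system` namespace and the resource name `ingress-jwt` are assumptions, and it requires an Istio release that supports JWT claim based routing on the ingress gateway.

```yaml
# Added example. Issuer and JWKS URL are placeholders, not values from the page.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-jwt                 # hypothetical name
  namespace: istio-system           # assumption: the ingress gateway runs here
spec:
  selector:
    matchLabels:
      istio: ingressgateway         # same label the page's Gateway selects
  jwtRules:
  - issuer: "https://issuer.example.com"                         # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - match:
    - headers:
        "@request.auth.claims.sub":   # claim from a validated JWT, not a raw header
          exact: joy
    route:
    - destination:
        host: myappv1
  - match:
    - headers:
        "@request.auth.claims.sub":
          exact: jake
    route:
    - destination:
        host: myappv2
```

Requests carrying an invalid token are rejected at the gateway, and requests with no token match neither rule, so they get no route.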
Browser-based control
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - match:
    - headers:
        user-agent:               # header keys must be lowercase in Istio match rules
          regex: '^.*Firefox.*$'
    route:
    - destination:
        host: myappv1
  - match:
    - headers:
        user-agent:
          regex: '^.*Chrome.*$'
    route:
    - destination:
        host: myappv2
```


Routing can also be based on mobile devices
```yaml
  - match:
    - headers:
        user-agent:
          regex: '^.*(Android|iPhone).*$'
```

URI-based routing
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - match:
    - uri:
        prefix: /admin
    - uri:
        prefix: /shop
    route:
    - destination:
        host: istio-demo
  - route:
    - destination:
        host: myappv2
```

