Istio-proxy iptables rules
Istio's official bookinfo example
Enter the Product Page container and inspect its iptables configuration (note: in the original colouring, blue = inbound traffic routing, pink = outbound traffic routing, green = comments)
# Show the rules configured in the NAT table, with counters
$ iptables -t nat -L -v

# PREROUTING chain: used for destination address translation (DNAT); all inbound TCP traffic jumps to the ISTIO_INBOUND chain
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 120 ISTIO_INBOUND tcp -- any any anywhere anywhere

# INPUT chain: processes incoming packets; non-TCP traffic continues on to the OUTPUT chain
Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination

# OUTPUT chain: all outbound packets jump to the ISTIO_OUTPUT chain
Chain OUTPUT (policy ACCEPT 41146 packets, 3845K bytes)
pkts bytes target prot opt in out source destination
93 5580 ISTIO_OUTPUT tcp -- any any anywhere anywhere

# POSTROUTING chain: every packet passes through POSTROUTING before it leaves the interface; the kernel decides from the destination whether the packet has to be forwarded. As we can see, nothing is done here
Chain POSTROUTING (policy ACCEPT 41199 packets, 3848K bytes)
pkts bytes target prot opt in out source destination

# ISTIO_INBOUND chain: all inbound traffic destined for port 9080 is redirected to the ISTIO_IN_REDIRECT chain
Chain ISTIO_INBOUND (1 references)
pkts bytes target prot opt in out source destination
2 120 ISTIO_IN_REDIRECT tcp -- any any anywhere anywhere tcp dpt:9080

# ISTIO_IN_REDIRECT chain: all inbound traffic is redirected to local port 15001; at this point the traffic has been successfully intercepted into Envoy
Chain ISTIO_IN_REDIRECT (1 references)
pkts bytes target prot opt in out source destination
2 120 REDIRECT tcp -- any any anywhere anywhere redir ports 15001

# ISTIO_OUTPUT chain: selects the outbound traffic that has to be redirected to Envoy (i.e. locally):
#   (1) destination is not localhost -> Envoy
#   (2) request initiated by istio-proxy -> bypass iptables and go directly to the destination
#   (3) localhost request not initiated by istio-proxy (i.e. by the app) -> bypass iptables and go directly to the destination
#   (4) everything else -> Envoy
Chain ISTIO_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ISTIO_REDIRECT all -- any lo anywhere !localhost
40 2400 RETURN all -- any any anywhere anywhere owner UID match istio-proxy
0 0 RETURN all -- any any anywhere anywhere owner GID match istio-proxy
0 0 RETURN all -- any any anywhere localhost
53 3180 ISTIO_REDIRECT all -- any any anywhere anywhere

# ISTIO_REDIRECT chain: redirects all traffic to Envoy (i.e. local) port 15001
Chain ISTIO_REDIRECT (2 references)
pkts bytes target prot opt in out source destination
53 3180 REDIRECT tcp -- any any anywhere anywhere redir ports 15001
Inbound: PREROUTING->ISTIO_INBOUND-(app port)->ISTIO_IN_REDIRECT-(envoy 15001)->REDIRECT
Outbound: OUTPUT->ISTIO_OUTPUT-(!localhost)->ISTIO_REDIRECT-(envoy 15001)->REDIRECT
OUTPUT->ISTIO_OUTPUT-(UID or GID istio-proxy)->RETURN->POSTROUTING
OUTPUT->ISTIO_OUTPUT-(localhost and !istio-proxy)->RETURN->POSTROUTING
OUTPUT->ISTIO_OUTPUT-(others)->ISTIO_REDIRECT-(envoy 15001)->REDIRECT
The order in which iptables lists the chains is the order in which traffic is matched against the rules. Pay particular attention to the rule configuration of the ISTIO_OUTPUT chain. To keep traffic from looping endlessly inside the Pod, all traffic from the istio-proxy user space is returned to the next rule at its call point, in this case the OUTPUT chain; after leaving the ISTIO_OUTPUT rules, processing moves on to the next chain, POSTROUTING.
The rule matching in the ISTIO_OUTPUT chain proceeds in detail as follows:
(1) If the destination is not localhost, jump to the ISTIO_REDIRECT chain
(2) All traffic from the istio-proxy user space returns to its call point, OUTPUT, and continues with the next rule of the OUTPUT chain
Note: because there is no further rule in the OUTPUT chain, processing continues with the POSTROUTING chain and then leaves iptables, reaching the destination directly
(3) If the traffic does not come from the istio-proxy user space and is addressed to localhost, it leaves iptables and reaches the destination directly
(4) In all other cases, jump to the ISTIO_REDIRECT chain
Istio proxy routing flow diagram
Note: service call chain Product Page->Reviews->Ratings
Inbound (1-8): Product Page->PREROUTING->ISTIO_INBOUND-(app port)->ISTIO_IN_REDIRECT-(envoy 15001)-REDIRECT->Envoy Inbound Handler->OUTPUT->ISTIO_OUTPUT->ISTIO_REDIRECT-(UID|GID istio-proxy and localhost)->RETURN->POSTROUTING->Reviews
Outbound (9-17): Reviews->OUTPUT->ISTIO_OUTPUT-(!localhost)->ISTIO_REDIRECT-(envoy 15001)->REDIRECT->Envoy Outbound Handler->OUTPUT->ISTIO_OUTPUT-(UID or GID istio-proxy)->ISTIO_REDIRECT->RETURN->POSTROUTING->Ratings
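To make the matching order concrete, the following Python model is added here as an example; it is not code from the original page or from Istio. It replays the nat-table chains listed above, rule by rule and in the listed order, against constructed packets for the Product Page -> Reviews -> Ratings call chain, and returns the chain path and final verdict for each, which can be compared with the inbound and outbound summaries and with the ISTIO_OUTPUT matching steps above. It assumes that the istio-proxy owner match resolves to UID/GID 1337 (Istio's default sidecar identity), that the application runs as UID 1000, and that the pod addresses are made up. The last function deletes the two owner-match RETURN rules to show why they are needed: without them, Envoy's own upstream connection is sent straight back to port 15001, which is the loop the text warns about.

```python
"""Model of the Istio sidecar nat-table chains shown above (added example, not Istio code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ENVOY_PORT = 15001        # REDIRECT target port in ISTIO_REDIRECT / ISTIO_IN_REDIRECT
APP_PORT = 9080           # application port matched by ISTIO_INBOUND
ISTIO_PROXY_UID = 1337    # assumption: UID the 'owner UID match istio-proxy' rule resolves to
ISTIO_PROXY_GID = 1337    # assumption: GID of the istio-proxy group
APP_UID = 1000            # assumption: the application's own UID/GID


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    dst: str                   # destination address
    dport: int                 # destination port
    uid: int = APP_UID         # owner of the sending socket (meaningful in OUTPUT only)
    gid: int = APP_UID
    out_iface: str = "eth0"    # outgoing interface (meaningful in OUTPUT only)


def is_localhost(p: Packet) -> bool:
    return p.dst.startswith("127.")


@dataclass(frozen=True)
class Rule:
    desc: str                          # the match, roughly as iptables prints it
    match: Callable[[Packet], bool]
    target: str                        # chain name, "RETURN" or "REDIRECT"


# The chains in exactly the order `iptables -t nat -L -v` lists them above.
CHAINS: Dict[str, List[Rule]] = {
    "PREROUTING": [Rule("tcp", lambda p: p.proto == "tcp", "ISTIO_INBOUND")],
    "OUTPUT": [Rule("tcp", lambda p: p.proto == "tcp", "ISTIO_OUTPUT")],
    "ISTIO_INBOUND": [Rule("tcp dpt:9080", lambda p: p.proto == "tcp" and p.dport == APP_PORT, "ISTIO_IN_REDIRECT")],
    "ISTIO_IN_REDIRECT": [Rule("redir ports 15001", lambda p: p.proto == "tcp", "REDIRECT")],
    "ISTIO_OUTPUT": [
        Rule("out lo !localhost", lambda p: p.out_iface == "lo" and not is_localhost(p), "ISTIO_REDIRECT"),
        Rule("owner UID match istio-proxy", lambda p: p.uid == ISTIO_PROXY_UID, "RETURN"),
        Rule("owner GID match istio-proxy", lambda p: p.gid == ISTIO_PROXY_GID, "RETURN"),
        Rule("dst localhost", is_localhost, "RETURN"),
        Rule("catch-all", lambda p: True, "ISTIO_REDIRECT"),
    ],
    "ISTIO_REDIRECT": [Rule("redir ports 15001", lambda p: p.proto == "tcp", "REDIRECT")],
}


def walk(chain: str, packet: Packet, chains: Dict[str, List[Rule]] = CHAINS,
         depth: int = 0, path: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Evaluate `packet` against `chain`, following jumps the way netfilter does.

    Returns (verdict, path): verdict is "REDIRECT:15001" (intercepted by Envoy) or
    "ACCEPT" (the built-in chain's policy, i.e. the packet leaves iptables untouched);
    path lists the chains visited and the terminating target.
    """
    path = [] if path is None else path
    path.append(chain)
    for rule in chains[chain]:
        if not rule.match(packet):
            continue
        if rule.target == "REDIRECT":
            path.append(f"REDIRECT:{ENVOY_PORT}")
            return f"REDIRECT:{ENVOY_PORT}", path
        if rule.target == "RETURN":
            path.append("RETURN")
            break                       # leave this chain; the caller resumes at its next rule
        verdict, _ = walk(rule.target, packet, chains, depth + 1, path)
        if verdict != "RETURN":
            return verdict, path        # a terminating target fired inside the sub-chain
        # the sub-chain returned: keep scanning this chain's remaining rules
    if depth == 0:                      # end of a built-in chain: its policy (ACCEPT) applies
        path.append("ACCEPT")
        return "ACCEPT", path
    return "RETURN", path               # end of a user chain behaves like RETURN


# Constructed packets for the Product Page -> Reviews -> Ratings call chain (addresses are made up).
REQUEST_ARRIVING_AT_REVIEWS = Packet("tcp", "10.244.1.5", APP_PORT)                        # inbound, from Product Page
REVIEWS_APP_TO_RATINGS = Packet("tcp", "10.244.2.7", APP_PORT)                              # the app's own upstream call
ENVOY_TO_RATINGS = Packet("tcp", "10.244.2.7", APP_PORT, ISTIO_PROXY_UID, ISTIO_PROXY_GID)  # Envoy forwarding that call
ENVOY_TO_LOCAL_APP = Packet("tcp", "127.0.0.1", APP_PORT, ISTIO_PROXY_UID, ISTIO_PROXY_GID, "lo")
APP_TO_LOCALHOST = Packet("tcp", "127.0.0.1", 15000, out_iface="lo")                        # app talking to a local port


def envoy_outbound_without_owner_rules() -> Tuple[str, List[str]]:
    """Re-run Envoy's upstream connection with the two owner-match RETURN rules deleted.

    Without them Envoy's own outbound connection is redirected back to port 15001
    instead of leaving the Pod: the loop the rule order is there to prevent.
    """
    chains = dict(CHAINS)
    chains["ISTIO_OUTPUT"] = [r for r in CHAINS["ISTIO_OUTPUT"] if not r.desc.startswith("owner")]
    return walk("OUTPUT", ENVOY_TO_RATINGS, chains)


if __name__ == "__main__":
    for label, chain, pkt in [
        ("inbound request to app port", "PREROUTING", REQUEST_ARRIVING_AT_REVIEWS),
        ("inbound request to another port", "PREROUTING", Packet("tcp", "10.244.1.5", 22)),
        ("app -> remote service", "OUTPUT", REVIEWS_APP_TO_RATINGS),
        ("envoy -> remote service", "OUTPUT", ENVOY_TO_RATINGS),
        ("envoy -> local app", "OUTPUT", ENVOY_TO_LOCAL_APP),
        ("app -> localhost", "OUTPUT", APP_TO_LOCALHOST),
    ]:
        verdict, path = walk(chain, pkt)
        print(f"{label:34} {' -> '.join(path)}")
    print("envoy -> remote, no owner rules:  ", " -> ".join(envoy_outbound_without_owner_rules()[1]))
```

Running the script prints one line per packet; the app's upstream call ends in REDIRECT:15001 while Envoy's own copy of that call ends in RETURN -> ACCEPT, exactly the two OUTPUT paths listed above. Only the nat table's chains are modelled, so "ACCEPT" here means the packet continues to POSTROUTING unchanged.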
Reference: https://jimmysong.io/posts/envoy-sidecar-routing-of-istio-service-mesh-deep-dive/