备考ICA----Istio实验14---出向流量管控Egress Gateways实验

备考ICA----Istio实验14---出向流量管控Egress Gateways实验

1. 发布测试用 pod

kubectl apply -f istio/samples/sleep/sleep.yaml
kubectl get pods -l app=sleep

2. ServiceEntry

创建一个ServiceEntry允许流量访问edition.cnn.com

egressgw/edition-ServiceEntry.yaml

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS

部署ServiceEntry

kubectl apply -f egressgw/edition-ServiceEntry.yaml

访问测试

kubectl exec deploy/sleep -- curl -sSL -o /dev/null \
-D - http://edition.cnn.com/politics

检查egress的日志

kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail

此时流量是从pod上的envoy直出到公网的.

kubectl logs sleep-7656cf8794-xwqww -c istio-proxy  | tail

3.将流量导向egress

3.1 定义出口网关规则

为 edition.cnn.com 创建一个出口，端口 80，并为定向到出口网关的流量创建一个目标规则

egressgw/cnn-egressgateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - edition.cnn.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn

部署

kubectl apply -f egressgw/cnn-egressgateway.yaml 

3.2 配置egress规则

配置路由规则，将流量从边车导向到 Egress Gateway，再从 Egress Gateway 导向到外部服务

egressgw/direct-cnn-through-egress-gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - edition.cnn.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 80
      weight: 100

部署

kubectl apply -f egressgw/direct-cnn-through-egress-gateway.yaml

3.3 再次测试访问

kubectl exec deploy/sleep -- curl -sSL \
-o /dev/null -D - http://edition.cnn.com/politics

看上去和之前一样,再看下sleep的envoy日志,本次的流量也从envoy sidecar上出去了

kubectl logs sleep-7656cf8794-xwqww -c istio-proxy  | tail

再看egress的envoy上的日志,之前那次是没有经过egress的,这次流量明显是从egress出去的

kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail

我们已经将出向的流量配置成由Egress转发

至此备考ICA----Istio实验14---出向流量管控Egress Gateways实验完成