Istio II traffic hijacking process
2022-07-24 20:00:00 【taoli-qiao】
In the previous post I introduced how Istio relies on Envoy and how Envoy works. Next, a practical example demonstrates how Istio completes traffic hijacking and traffic forwarding. First, prepare two pods: an nginx pod as the server and a toolbox pod as the client. The toolbox only needs to be a container that supports Linux commands. Below are the deployment files for the two pods; the nginx and toolbox pods are started from these files.
nginx.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
```

toolbox-default.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: toolbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: toolbox
  template:
    metadata:
      labels:
        app: toolbox
        access: "true"
    spec:
      containers:
      - name: toolbox
        image: centos
        command:
        - tail
        - -f
        - /dev/null
```

Then install Istio on the cluster. After a successful installation you can see the 3 pods that Istio depends on start up successfully.
```sh
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.xx.0
cp bin/istioctl /usr/local/bin
istioctl install --set profile=demo -y
```
Then start the previously defined nginx and toolbox pods. If the namespace carries the label istio-injection=enabled, the Istio sidecar is injected automatically into every pod in that namespace.
```sh
kubectl create ns sidecar
kubectl label ns sidecar istio-injection=enabled
kubectl apply -f nginx.yaml -n sidecar
kubectl apply -f toolbox-default.yaml -n sidecar
```

Looking at the started pods, you can see that the container count of both pods is no longer 1 but 2.

Pick one pod, for example the toolbox pod, and look at its details. Besides the container that toolbox itself defines, an istio-proxy container has been started; this container is essentially an Envoy proxy.

Besides this container there is also an init container, which has made some changes to the iptables configuration.

Next, look at what the iptables configuration inside the pod looks like. On the left is the rule listing produced by the commands below; on the right is an explanation of what each rule means.
```sh
# find the pod sandbox id of the pod (podName is a placeholder)
crictl pods | grep podName
# get the pid of the pod sandbox from the sandbox id found above
crictl inspectp <pod-id> | grep pid
# enter the pod's network namespace and list its iptables rules;
# the rules written by the init container live in the nat table
nsenter -t <pid> -n iptables -t nat -S
```
From the iptables rules we can see that, for the simulated client (the toolbox pod), accessing the nginx service means sending out a request. By the iptables rules the ISTIO_OUTPUT chain is executed; ISTIO_OUTPUT jumps to ISTIO_REDIRECT, and ISTIO_REDIRECT finally redirects the request to port 15001.
Then check the configuration of port 15001:

```sh
istioctl pc listener -n sidecar toolbox-68f79dd5f8-q5nvd --port 15001 -ojson
```
You can see that 15001 is a virtual port, not a real service port. In addition, this configuration has the attribute useOriginalDst=true, which means that for a request forwarded to virtual port 15001, Envoy looks up the request's original destination address and, after receiving it on 15001, still sends the request on to that original destination. Here the original destination is port 80 of the nginx service.

Then check the configuration of port 80. The port 80 listener has a real routing configuration, named routeConfigName=80:

```sh
istioctl pc listener -n sidecar toolbox-68f79dd5f8-q5nvd --port 80 -ojson
```

Then check the route configuration whose name is 80. This configuration contains many routing entries; the one for nginx says that a visit to nginx is handled by cluster=nginx.sidecar.svc.cluster.local (note that, as described in the earlier Envoy post, a cluster in Envoy is a collection of IP addresses):

```sh
istioctl pc route -n sidecar toolbox-68f79dd5f8-q5nvd --name=80 -ojson
```

Then check the IP addresses contained in the cluster to learn the final destination IP address of the request:

```sh
istioctl pc cluster -n sidecar toolbox-68f79dd5f8-8gkp9
istioctl pc endpoint -n sidecar toolbox-68f79dd5f8-8gkp9
```

The target address contained in the cluster is the address of the nginx service's pod, so the final request can be sent to nginx. When the request is sent out it again follows the iptables rules. Looking at the rules once more, there is an outbound rule: if owner=1337, send the packet out directly, and 1337 identifies the envoy process.

The above describes the request-sending process in detail. On the server side the job is to receive requests, i.e. iptables executes the inbound rules. For an inbound request, iptables sends it to Envoy's port 15006; the service this port finds is one that exists on this machine, so the request is forwarded to the local nginx pod for handling.
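The outbound walk just described (OUTPUT, ISTIO_OUTPUT, ISTIO_REDIRECT, port 15001, with the owner 1337 bypass) and the inbound walk (PREROUTING, ISTIO_INBOUND, port 15006) can be traced offline. The following is an added example, not code from this post or from Istio: it parses a constructed, trimmed copy of the sidecar's nat rules in `iptables -t nat -S` form and simulates the chain walk for a packet. The packet fields, the application UID 1000 and the trimmed rule set are assumptions.

```python
import shlex

# Constructed sample, not captured from the post's pod: a trimmed copy of the nat rules
# the istio-init container installs, in the `iptables -t nat -S` format nsenter prints.
ISTIO_NAT_RULES = """
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
"""

def parse_rules(text):
    """Return {chain: [(conds, target, port)]}; each cond is (option, value, negated)."""
    chains = {}
    for line in text.strip().splitlines():
        tok, opts, i = shlex.split(line), [], 2      # tok[0] is -A, tok[1] the chain name
        while i < len(tok):
            neg = tok[i] == "!"                       # "!" negates the option that follows
            i += neg
            opts.append((tok[i], tok[i + 1], neg))
            i += 2
        args = {o: v for o, v, _ in opts}
        conds = [c for c in opts if c[0] not in ("-m", "-j", "--to-ports")]
        port = int(args["--to-ports"]) if "--to-ports" in args else None
        chains.setdefault(tok[1], []).append((conds, args["-j"], port))
    return chains

def matches(conds, pkt):
    """pkt maps iptables option names ("-p", "-o", "--dport", "--uid-owner") to values."""
    return all((str(pkt.get(o)) == v) != neg for o, v, neg in conds)

def trace(chains, entry, pkt):
    """Walk the nat table from chain `entry`; return (chains visited, verdict, redirect port)."""
    path = [entry]
    for conds, target, port in chains.get(entry, []):
        if not matches(conds, pkt):
            continue
        if target in ("RETURN", "REDIRECT"):          # terminal verdict for this chain
            return path, target, port
        sub, verdict, port = trace(chains, target, pkt)  # user-defined chain: descend
        path += sub
        if verdict != "RETURN":                       # a RETURN from a sub-chain resumes here
            return path, verdict, port
    return path, "RETURN", None                       # end of chain: packet leaves unchanged
```

Calling `trace(parse_rules(ISTIO_NAT_RULES), "OUTPUT", {"-p": "tcp", "-o": "eth0", "--dport": 80, "--uid-owner": 1000})` reproduces the toolbox client's path to port 15001, while the same packet with UID 1337 returns from ISTIO_OUTPUT and leaves the pod directly.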

The schematic diagram of the access relationship between toolbox (the simulated client) and nginx (the simulated server) described above is as follows:

For Istio sidecar traffic hijacking, here is a more detailed diagram; the example it uses is the bookInfo application from the Istio website.

That is the explanation of how the Istio sidecar hijacks traffic. Thoroughly understanding the hijacking process helps in real projects: if traffic does not reach the expected destination address, the problem can be narrowed down step by step along this path.