Why can the Envoy sidecar control my traffic?

I am running Istio on Kubernetes. I would like to know how the Envoy sidecar works. For example, after the sidecar is injected into a pod, the original container can no longer reach the external network without an EgressRule. How does this work?

All traffic inside the pod is captured by iptables commands and directed to the sidecar proxy. Then the sidecar proxy performs routing, according to routing tables it receives from Istio Pilot (a part of the Istio Control Plane). The routing tables are based on the Kubernetes services and on the Istio RouteRules. Since Istio cannot know anything about the external services, it cannot route the traffic to the external services without an EgressRule definition. EgressRules define the routing tables for the external services.
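As an added illustration (not part of the answer above, and not taken from the Istio project's own docs), this is the shape of the EgressRule manifest that the Istio versions using that API (config.istio.io/v1alpha2, Istio 0.2 to 0.7) expected in order to let a sidecar-injected pod reach an external HTTP service. The target host httpbin.org and the rule name are assumed for the example; substitute the external service you actually need.

```yaml
# Added example: EgressRule for the pre-0.8 Istio API (config.istio.io/v1alpha2).
# Without a rule like this, Pilot has no route for the external host, so the
# sidecar that iptables hands every outbound connection to has nowhere to send it.
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: httpbin-egress-rule   # assumed name for this example
  namespace: default
spec:
  destination:
    service: httpbin.org      # assumed external host; can also be a glob such as *.example.com
  ports:
    - port: 80
      protocol: http          # HTTPS was declared as port 443 with protocol tcp in those releases
```

Two practitioner caveats. First, to see the capture side for yourself, read the log of the init container that installed the rules (kubectl logs <pod> -c istio-init): it prints the nat-table rules, in which outbound TCP in the OUTPUT chain is jumped to ISTIO_OUTPUT and REDIRECTed to the proxy's port 15001, while packets owned by the proxy's own UID 1337 are returned untouched so the proxy's upstream connections are not looped back into itself. Second, EgressRule (and RouteRule) were removed in Istio 0.8; the same job is now done by a ServiceEntry under networking.istio.io, so apply the manifest above only on a cluster still running the v1alpha2 configuration API.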