Istio service entry conflicts and merging

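I am using istio 1.9.0.

Only when something went wrong did I discover that service entries are applied at the cluster level even when a namespace is specified in the manifest. This becomes especially tricky if there are multiple service entries for the same hostname in different namespaces.

I later found documentation that mentions the following: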

exportTo:

A list of namespaces to which this service is exported. Exporting a service allows it to be used by sidecars, gateways and virtual services defined in other namespaces. This feature provides a mechanism for service owners and mesh administrators to control the visibility of services across namespace boundaries.

If no namespaces are specified then the service is exported to all namespaces by default.

The value “.” is reserved and defines an export to the same namespace that the service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.

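From here.

Q1. However, the documentation does not explicitly state whether adding exportTo='.' ensures that the service entry in my namespace always takes precedence. Is that implied? I am particularly interested in finding documentation that states the expected behaviour.

Q2. Also, if multiple service entries exist, how do you check which service entry has been applied for the same hostname? How does Istio handle this?

The question is related to the ServiceEntry concept design and is rather complex.

My understanding of the current situation is that a ServiceEntry should be explicitly defined in a namespace to prevent Istio from searching for other ServiceEntries for the same host endpoint in another namespace.

You can find more information about the problem in issue #13008:

The change was made in PR #13631:

See the design doc for details. I recommend reading the whole document to see the full picture.

The gist of the change is to implement the following: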

Proposed Behavior

  • Pilot will internally be modified to key Services by a hostname and namespace pair, rather than just hostname. When determining which Services to use for a hostname we will follow this resolution:
      • If the hostname exists in the client's namespace, use only that namespace's service.
      • If the hostname exists only in one namespace imported by the Sidecar, use that namespace's service. Otherwise, if there are multiple namespaces with services, an arbitrary one can be chosen (based on creation timestamp, like other configs).

The end result of this is that while hostnames are not distinct at a global level, any given proxy will have a single unique hostname -> service mapping.

Additionally, a ServiceEntry for an internal service will be rejected if it is created in different namespace. For example, if foo.ns1.svc.cluster.local was defined in namespace ns2, it would be rejected. This prevents the case of a user importing [ns1/, ns2/] and having their requests to foo.ns1.svc.cluster.local hijacked.

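Unfortunately, I was not able to find the final state of the implemented change for the latest Istio version.

Without a minimal reproducible example from you, I cannot check whether you are facing an implementation defect or whether your configuration is a corner case that the change was not supposed to solve.

Unfortunately, the current Istio documentation does not explain this aspect well enough.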
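
The following is an added example, not part of the original answer and not Istio's own code: a small Python model of the "Proposed Behavior" quoted above, combined with the quoted `exportTo` semantics, useful for reasoning about which namespace's entry a given proxy would pick. The class, function names and sample entries are constructed for illustration, and the page does not confirm that released Istio versions behave exactly this way.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceEntry:
    namespace: str
    host: str
    created: int                # creation timestamp (constructed value)
    export_to: tuple = ("*",)   # quoted docs: no exportTo means all namespaces

def visible_to(se, client_ns):
    # exportTo as quoted above: "." = declaring namespace only, "*" = all.
    return any(t == "*" or t == client_ns or (t == "." and se.namespace == client_ns)
               for t in se.export_to)

def is_rejected(se, cluster_domain="svc.cluster.local"):
    # Proposed rule: <name>.<ns>.svc.cluster.local declared outside <ns> is rejected.
    suffix = "." + cluster_domain
    if not se.host.endswith(suffix):
        return False
    labels = se.host[:-len(suffix)].split(".")
    return len(labels) == 2 and labels[1] != se.namespace

def resolve(entries, host, client_ns, imported=None):
    # imported: namespaces the client's Sidecar imports; None = no restriction.
    # Assumption: the client's own namespace is always considered.
    pool = [se for se in entries
            if se.host == host and not is_rejected(se) and visible_to(se, client_ns)
            and (imported is None or se.namespace in imported
                 or se.namespace == client_ns)]
    own = [se for se in pool if se.namespace == client_ns]
    # Own namespace wins; otherwise the oldest visible entry is chosen.
    return min(own or pool, key=lambda se: (se.created, se.namespace), default=None)

# Constructed sample entries, not taken from any real cluster.
ENTRIES = [
    ServiceEntry("team-a", "api.example.com", created=100),
    ServiceEntry("team-b", "api.example.com", created=50),
    ServiceEntry("team-c", "api.example.com", created=10, export_to=(".",)),
    ServiceEntry("ns2", "foo.ns1.svc.cluster.local", created=1),
]

if __name__ == "__main__":
    for ns in ("team-a", "team-c", "team-d"):
        winner = resolve(ENTRIES, "api.example.com", ns)
        print(f"proxy in {ns} -> entry from {winner.namespace}")
```

In this model, `exportTo: "."` only hides an entry from other namespaces; the precedence of a namespace's own entry comes from the resolution rule, not from `exportTo`.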