1. Introduction
To control the outbound traffic of an injected pod, the external host has to be brought into the mesh: a ServiceEntry makes a host that lives outside the mesh look as though it were inside it, after which egress traffic to that host can be controlled with a VirtualService (vs).
2. Creating a ServiceEntry (se)
2.1 DNS resolution
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myes
spec:
  hosts:
  - www.baidu.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
```
MESH_EXTERNAL – the host is outside the mesh
MESH_INTERNAL – the host is inside the mesh
2.2 Static endpoints
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myes
spec:
  hosts:
  - test.k8s.com
  ports:
  - number: 8888
    name: http
    protocol: HTTP
  resolution: STATIC
  location: MESH_EXTERNAL
  endpoints:
  - address: 192.168.10.10
```
2.3 Creating a VirtualService (vs)
Delay every response by 4 seconds:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myvs3
spec:
  hosts:
  - test.k8s.com
  http:
  - timeout: 5s
    fault:
      delay:
        percent: 100
        fixedDelay: 4s
    route:
    - destination:
        host: test.k8s.com
```
2.4 exportTo
Controls whether the entry is visible to other namespaces: with `.` it is visible only in its own namespace, with `*` it is visible to all namespaces; the default is `*`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myes
spec:
  hosts:
  - test.k8s.com
  exportTo:
  - "."
  ports:
  - number: 8888
    name: http
    protocol: HTTP
  resolution: STATIC
  location: MESH_EXTERNAL
  endpoints:
  - address: 192.168.10.10
```
3. Default policy
By default a sidecar may reach any address (ALLOW_ANY); change the mode to REGISTRY_ONLY so that only addresses registered in the mesh (for example through a ServiceEntry) can be reached.
```shell
istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
Alternatively, edit the mesh ConfigMap directly:
```shell
kubectl edit configmap istio -n istio-system
```
```yaml
data:
  mesh: |-
    accessLogFile: /dev/stdout
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata: {}
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    enablePrometheusMerge: true
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
    rootNamespace: istio-system
    trustDomain: cluster.local
  meshNetworks: |-
    networks: {}
```
3.1 Creating a ServiceEntry (se)
With REGISTRY_ONLY in effect, an external host is reachable again only once a ServiceEntry registers it:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myes
spec:
  hosts:
  - www.baidu.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
```
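To make the rules from sections 2.1 to 3.1 concrete (ServiceEntry fields, `exportTo`, and what `outboundTrafficPolicy.mode` changes), here is an added example in Python that models them offline. It is not code from the page or from Istio: the manifests are constructed dicts mirroring the page's objects, the namespace `default` and the name `myes-static` are assumptions, and the host-plus-port check is a simplification of what the sidecar proxy actually enforces.

```python
# Added example (not from the page or Istio): an offline model of the egress
# rules this page describes. Manifests are constructed dicts that mirror the
# page's objects; namespace "default" and the name "myes-static" are assumed.

# ServiceEntry from section 3.1: www.baidu.com on 443 and 80, exportTo omitted
# (so it defaults to "*").
SE_BAIDU = {
    "kind": "ServiceEntry",
    "metadata": {"name": "myes", "namespace": "default"},
    "spec": {
        "hosts": ["www.baidu.com"],
        "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"},
                  {"number": 80, "name": "http", "protocol": "HTTP"}],
        "resolution": "DNS",
        "location": "MESH_EXTERNAL",
    },
}

# ServiceEntry from section 2.4: static endpoint, visible only in its own
# namespace because of exportTo: ".".
SE_STATIC = {
    "kind": "ServiceEntry",
    "metadata": {"name": "myes-static", "namespace": "default"},
    "spec": {
        "hosts": ["test.k8s.com"],
        "exportTo": ["."],
        "ports": [{"number": 8888, "name": "http", "protocol": "HTTP"}],
        "resolution": "STATIC",
        "location": "MESH_EXTERNAL",
        "endpoints": [{"address": "192.168.10.10"}],
    },
}

# VirtualService from section 2.3 (only the fields this model needs).
VS_DELAY = {
    "kind": "VirtualService",
    "metadata": {"name": "myvs3", "namespace": "default"},
    "spec": {"hosts": ["test.k8s.com"]},
}

SERVICE_ENTRIES = [SE_BAIDU, SE_STATIC]


def validate_service_entry(se: dict) -> list:
    """Return a list of problems; an empty list means the entry is well-formed."""
    spec = se.get("spec", {})
    problems = []
    if not spec.get("hosts"):
        problems.append("spec.hosts is required")
    if spec.get("resolution") not in ("NONE", "STATIC", "DNS"):
        problems.append("spec.resolution must be NONE, STATIC or DNS")
    if spec.get("location") not in ("MESH_EXTERNAL", "MESH_INTERNAL"):
        problems.append("spec.location must be MESH_EXTERNAL or MESH_INTERNAL")
    if spec.get("resolution") == "STATIC" and not spec.get("endpoints"):
        problems.append("resolution STATIC needs at least one endpoint address")
    for port in spec.get("ports", []):
        if not all(k in port for k in ("number", "name", "protocol")):
            problems.append(f"port {port!r} needs number, name and protocol")
    return problems


def host_matches(pattern: str, host: str) -> bool:
    """ServiceEntry hosts are exact names or '*.suffix' wildcards."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def visible_in(se: dict, namespace: str) -> bool:
    """Apply exportTo: '*' (the default) is mesh-wide, '.' is own namespace only."""
    export_to = se["spec"].get("exportTo", ["*"])
    if "*" in export_to:
        return True
    if "." in export_to and se["metadata"]["namespace"] == namespace:
        return True
    return namespace in export_to


def egress_allowed(host: str, port: int, namespace: str, mode: str,
                   service_entries: list) -> bool:
    """May a sidecar in `namespace` reach host:port under outboundTrafficPolicy.mode?"""
    if mode == "ALLOW_ANY":
        return True
    if mode != "REGISTRY_ONLY":
        raise ValueError(f"unknown outboundTrafficPolicy mode {mode!r}")
    for se in service_entries:
        spec = se["spec"]
        if not visible_in(se, namespace):
            continue
        if not any(host_matches(h, host) for h in spec["hosts"]):
            continue
        if any(p["number"] == port for p in spec.get("ports", [])):
            return True
    return False  # nothing in the registry declares this host:port


def unresolved_vs_hosts(vs: dict, service_entries: list) -> list:
    """Hosts a VirtualService routes to that no visible ServiceEntry declares."""
    ns = vs["metadata"]["namespace"]
    return [h for h in vs["spec"]["hosts"]
            if not any(visible_in(se, ns) and
                       any(host_matches(p, h) for p in se["spec"]["hosts"])
                       for se in service_entries)]


if __name__ == "__main__":
    for se in SERVICE_ENTRIES:
        print(se["metadata"]["name"], validate_service_entry(se) or "ok")
    for h, p, ns in [("www.baidu.com", 443, "default"), ("www.baidu.com", 8080, "default"),
                     ("test.k8s.com", 8888, "default"), ("test.k8s.com", 8888, "other")]:
        print(f"{ns}: {h}:{p} ->", egress_allowed(h, p, ns, "REGISTRY_ONLY", SERVICE_ENTRIES))
    print("unresolved VirtualService hosts:", unresolved_vs_hosts(VS_DELAY, SERVICE_ENTRIES))
```

Running it shows the two effects the page relies on: under REGISTRY_ONLY, `www.baidu.com:443` is allowed only because the section 3.1 entry declares it, and `test.k8s.com:8888` is allowed from `default` but not from another namespace because of `exportTo: "."`; a VirtualService for `test.k8s.com` in another namespace would have no registered host to attach to.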