Analysis of the Istio sidecar automatic injection process (Part 1)
2019-09-17 17:22:34
Tags: istio sidecar automatic injection process analysis

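Istio implements automatic sidecar injection through the mutating webhook admission controller mechanism. The Istio sidecar is injected automatically whenever a service creates a pod.

Checks for automatic sidecar injection

Check kube-apiserver

Webhook support requires Kubernetes 1.9 or later. Use the following command to check: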

[root@test1 ~]# kubectl api-versions | grep admissionregistration
admissionregistration.k8s.io/v1beta1

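Also check whether the MutatingAdmissionWebhook and ValidatingAdmissionWebhook parameters have been added to kube-apiserver.

If Kubernetes was installed from binaries and kube-proxy is not installed on the master node, the parameter enable-aggregator-routing=true must be added to kube-apiserver.

Check the sidecar-injector configmap

The policy field in the sidecar-injector configmap controls whether automatic injection is enabled; check that it is set to enabled: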

[root@test1 ~]# kubectl describe cm istio-sidecar-injector -n istio-system
Name:         istio-sidecar-injector
Namespace:    istio-system
Labels:       app=istio
              chart=istio-1.0.3
              heritage=Tiller
              istio=sidecar-injector
              release=istio
...
Data
====
config:
----
policy: enabled

Check the namespace label

Label each namespace that needs automatic injection with istio-injection: enabled

[root@test1 ~]# kubectl get namespace -L istio-injection
NAME           STATUS    AGE       ISTIO-INJECTION
default        Active    3d        enabled
istio-system   Active    3d        
kube-public    Active    3d        
kube-system    Active    3d 

kubectl label namespace default istio-injection=enabled

The sidecar automatic injection process

Webhook flow

View the sidecar webhook

[root@test1 ~]# kubectl get MutatingWebhookConfiguration -n istio-system
NAME                     CREATED AT
istio-sidecar-injector   2018-11-12T09:14:44Z

[root@test1 ~]# kubectl describe MutatingWebhookConfiguration istio-sidecar-injector -n istio-system
Name:         istio-sidecar-injector
Namespace:    
Labels:       app=istio-sidecar-injector
              chart=sidecarInjectorWebhook-1.0.3
              heritage=Tiller
              release=istio
... ...
Webhooks:
Client Config:
    ... ...
    Service:
      Name:        istio-sidecar-injector
      Namespace:   istio-system
      Path:        /inject
  Failure Policy:  Fail
  Name:            sidecar-injector.istio.io
  Namespace Selector:
    Match Labels:
      Istio - Injection:  enabled
  Rules:
    API Groups:
      
    API Versions:
      v1
    Operations:
      CREATE
    Resources:
      pods

As the output above shows, creating a pod triggers the sidecar webhook, and the API server then sends an inject request to the istio-sidecar-injector service (POST https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s).

View the istio-sidecar-injector logs

[root@test-1 ~]# kubectl get pods -n istio-system | grep istio-sidecar
istio-sidecar-injector-d96cd9459-lbf66      1/1       Running       0          13d

[root@test-1 ~]# kubectl logs istio-sidecar-injector-d96cd9459-lbf66 -n istio-system
2018-11-09T06:40:53.895979Z info  AdmissionReview for Kind=/v1, Kind=Pod Namespace=default Name= () UID=67d96021-e3ea-11e8-a721-00163e0c1d10 Rfc6902PatchOperation=CREATE UserInfo={system:unsecured  [system:masters system:authenticated] map[]}
2018-11-09T06:40:53.897821Z info  AdmissionResponse: patch=[{"op":"add","path":"/spec/initContainers","value":[{"name":"istio-init","image":"docker.io/istio/proxy_init:1.0.0","args":["-p","15001","-u","1337","-m","REDIRECT","-i","10.0.0.1/24","-x","","-b","80,","-d",&
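
The AdmissionResponse in the log above carries an RFC 6902 JSON Patch; in the AdmissionReview returned to the API server that patch is base64-encoded. The following added example (not code from the original article or from the Istio project) decodes such a response and applies its "add" operations to a pod, so the injected containers can be listed and reviewed. The pod, the istio-proxy entry, the example/ images and the annotation value are constructed sample data.

```python
import base64
import copy
import json

def apply_add(doc, path, value):
    """Apply one RFC 6902 "add" op in place ("-" appends to a list, an index inserts)."""
    # JSON Pointer tokens: split on "/", then unescape ~1 -> "/" and ~0 -> "~".
    keys = [k.replace("~1", "/").replace("~0", "~") for k in path.split("/")[1:]]
    target = doc
    for key in keys[:-1]:
        target = target[int(key)] if isinstance(target, list) else target[key]
    if isinstance(target, list):
        target.insert(len(target) if keys[-1] == "-" else int(keys[-1]), value)
    else:
        target[keys[-1]] = value

def mutate(pod, review):
    """Return the pod as stored after the webhook's JSONPatch is applied."""
    resp = review["response"]
    if not resp.get("allowed"):
        raise ValueError("admission denied; the pod is not created")
    patched = copy.deepcopy(pod)
    if resp.get("patchType") == "JSONPatch":
        for op in json.loads(base64.b64decode(resp["patch"])):
            if op["op"] != "add":  # this example handles "add", the op shown in the log
                raise ValueError("unhandled patch op: " + op["op"])
            apply_add(patched, op["path"], op["value"])
    return patched

def injected_containers(before, after):
    """Names of containers present after mutation but absent from the submitted pod."""
    def names(pod):
        spec = pod["spec"]
        return {c["name"] for c in spec.get("initContainers", []) + spec.get("containers", [])}
    return sorted(names(after) - names(before))

# Constructed sample: a submitted pod and a response shaped like the logged patch.
POD = {"metadata": {"name": "demo", "annotations": {}},
       "spec": {"containers": [{"name": "app", "image": "example/app:1"}]}}
PATCH = [
    {"op": "add", "path": "/spec/initContainers", "value": [{
        "name": "istio-init", "image": "docker.io/istio/proxy_init:1.0.0",
        "args": ["-p", "15001", "-u", "1337", "-m", "REDIRECT", "-i", "10.0.0.1/24"]}]},
    {"op": "add", "path": "/spec/containers/-", "value": {"name": "istio-proxy", "image": "example/proxy:1"}},
    {"op": "add", "path": "/metadata/annotations/sidecar.istio.io~1status", "value": "constructed"},
]
REVIEW = {"response": {"allowed": True, "patchType": "JSONPatch",
                       "patch": base64.b64encode(json.dumps(PATCH).encode()).decode()}}
print(injected_containers(POD, mutate(POD, REVIEW)))
```

Comparing the submitted pod with the patched one is a quick way to audit what any mutating webhook adds to workloads, including init containers and their arguments.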