EnvoyFilter
2023-01-05 本文已影响0人
程序员札记
EnvoyFilter CR
-
EnvoyFilter
-
EnvoyFilter CR提供了自定义Sidecar Envoy配置的接口,其支持的配置功能包括修改指定字段的值、添加特定的过滤器甚至是新增Listener和Cluster等
-
常在Istio原生的各CR未能提供足够的配置机制,或者无法支持到的配置场景中使用
- 简单来说,EnvoyFilter提供的是直接向Envoy配置文件打补丁的接口,从而为网格中的各Envoy实例提供了以Envoy原生方式进行配置的机制
-
同Sidecar等其它几个位于同一API群组(networking.istio.io/v1beta1)内的CR不同的是,EnvoyFilter CR资源对象通过自适应的方式应用于workload之上
-
一个名称空间当中可同时存在多个应用于同一workload实例的EnvoyFilter CR资源对象
-
多个EnvoyFilter资源对象在应用时会有着特定的次序:首先是root namespace中的所有EnvoyFilter,而后才是workload实例当前名称空间中所有匹配到的各EnvoyFilter资源对象
-
-
-
注意事项
-
对于不同的Istio发行版来说,EnvoyFilter提供的配置可能不具有向后兼容性;
-
Istio Proxy版本升级时,需要仔细识别配置字段的废弃和添加等所产生的影响;
-
多个EnvoyFilters资源对象应用于同一个workload时,它们会根据创建的时间顺次生效,而配置冲突时其结果将无从预料;
-
切记要谨慎使用该功能,不当的配置定义,可能会破坏网格的稳定性;
-
EnvoyFilter CR 的资源规范
image
~# kubectl explain envoyfilter
KIND: EnvoyFilter
VERSION: networking.istio.io/v1alpha3
DESCRIPTION:
<empty>
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec <Object>
Customizing Envoy configuration generated by Istio. See more details at:
https://istio.io/docs/reference/config/networking/envoy-filter.html
status <>
使用EnvoyFilter配置Envoy
-
EnvoyFilter的关键组成部分
-
使用workloadSelector指定要配置的Envoy实例
-
省略该字段,意味着将配置到同一个名称空间下的所有Envoy实例;
-
若EnvoyFilter定义在了根名称空间,且省略了该字段,则意味着配置到网格中所有名称空间中的Envoy实例
-
-
由configPatches给出配置补丁
-
补丁排序
-
多个补丁间存在依赖关系时,其应用次序举足轻重
-
EnvoyFilter API内置了两种应用次序
-
根名称空间下的EnvoyFilter将先于名称空间下的EnvoyFilter资源;
-
补丁集中的多个补丁以它们定义的顺序完成打补丁操作;
-
-
也可以为EnvoyFilter使用priority字段定义其优先级,可用的取值范围是0至2^32-1;
- 负数优先级,表示将于default EnvoyFilter之前应用
-
-
-
补丁及其位置
-
applyTo指定补丁在Envoy配置文件中要应用到的位置(配置段)
-
match指定补丁在Envoy配置文件中相应的位置上要应用到的具体配置对象(Listener、RouteConfiguration或Cluster)
-
补丁的内容及相应的操作则由patch字段定义
-
查看envoy filter
# kubectl get envoyfilter -n istio-system
NAME AGE
stats-filter-1.13 11d
stats-filter-1.14 11d
stats-filter-1.15 11d
tcp-stats-filter-1.13 11d
tcp-stats-filter-1.14 11d
tcp-stats-filter-1.15 11d
查看envoy filter配置
# kubectl get envoyfilter stats-filter-1.15 -n istio-system -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"networking.istio.io/v1alpha3","kind":"EnvoyFilter","metadata":{"annotations":{},"labels":{"install.operator.istio.io/owning-resource-namespace":"istio-system","istio.io/rev":"default","operator.istio.io/component":"Pilot","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.15.2"},"name":"stats-filter-1.15","namespace":"istio-system"},"spec":{"configPatches":[{"applyTo":"HTTP_FILTER","match":{"context":"SIDECAR_OUTBOUND","listener":{"filterChain":{"filter":{"name":"envoy.filters.network.http_connection_manager","subFilter":{"name":"envoy.filters.http.router"}}}},"proxy":{"proxyVersion":"^1\\.15.*"}},"patch":{"operation":"INSERT_BEFORE","value":{"name":"istio.stats","typed_config":{"@type":"type.googleapis.com/udpa.type.v1.TypedStruct","type_url":"type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm","value":{"config":{"configuration":{"@type":"type.googleapis.com/google.protobuf.StringValue","value":"{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\"\n}\n"},"root_id":"stats_outbound","vm_config":{"code":{"local":{"inline_string":"envoy.wasm.stats"}},"runtime":"envoy.wasm.runtime.null","vm_id":"stats_outbound"}}}}}}},{"applyTo":"HTTP_FILTER","match":{"context":"SIDECAR_INBOUND","listener":{"filterChain":{"filter":{"name":"envoy.filters.network.http_connection_manager","subFilter":{"name":"envoy.filters.http.router"}}}},"proxy":{"proxyVersion":"^1\\.15.*"}},"patch":{"operation":"INSERT_BEFORE","value":{"name":"istio.stats","typed_config":{"@type":"type.googleapis.com/udpa.type.v1.TypedStruct","type_url":"type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm","value":{"config":{"configuration":{"@type":"type.googleapis.com/google.protobuf.StringValue","value":"{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"disable_host_header_fallback\": true\n}\n"},"root_id":"stats_inbound","vm_config":{"code":{"local":{"inline_string":"envoy.wasm.stats"}},"runtime":"envoy.wasm.runtime.null","vm_id":"stats_inbound"}}}}}}},{"applyTo":"HTTP_FILTER","match":{"context":"GATEWAY","listener":{"filterChain":{"filter":{"name":"envoy.filters.network.http_connection_manager","subFilter":{"name":"envoy.filters.http.router"}}}},"proxy":{"proxyVersion":"^1\\.15.*"}},"patch":{"operation":"INSERT_BEFORE","value":{"name":"istio.stats","typed_config":{"@type":"type.googleapis.com/udpa.type.v1.TypedStruct","type_url":"type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm","value":{"config":{"configuration":{"@type":"type.googleapis.com/google.protobuf.StringValue","value":"{\n \"debug\": \"false\",\n \"stat_prefix\": \"istio\",\n \"disable_host_header_fallback\": true\n}\n"},"root_id":"stats_outbound","vm_config":{"code":{"local":{"inline_string":"envoy.wasm.stats"}},"runtime":"envoy.wasm.runtime.null","vm_id":"stats_outbound"}}}}}}}],"priority":-1}}
creationTimestamp: "2022-10-20T10:34:44Z"
generation: 1
labels:
install.operator.istio.io/owning-resource-namespace: istio-system
istio.io/rev: default
operator.istio.io/component: Pilot
operator.istio.io/managed: Reconcile
operator.istio.io/version: 1.15.2
name: stats-filter-1.15
namespace: istio-system
resourceVersion: "93367"
uid: 11acfeea-cabb-4927-91bb-bd89242249b8
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
subFilter:
name: envoy.filters.http.router
proxy:
proxyVersion: ^1\.15.*
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
'@type': type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
'@type': type.googleapis.com/google.protobuf.StringValue
value: |
{
"debug": "false",
"stat_prefix": "istio"
}
root_id: stats_outbound
vm_config:
code:
local:
inline_string: envoy.wasm.stats
runtime: envoy.wasm.runtime.null
vm_id: stats_outbound
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
subFilter:
name: envoy.filters.http.router
proxy:
proxyVersion: ^1\.15.*
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
'@type': type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
'@type': type.googleapis.com/google.protobuf.StringValue
value: |
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
root_id: stats_inbound
vm_config:
code:
local:
inline_string: envoy.wasm.stats
runtime: envoy.wasm.runtime.null
vm_id: stats_inbound
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: envoy.filters.network.http_connection_manager
subFilter:
name: envoy.filters.http.router
proxy:
proxyVersion: ^1\.15.*
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
'@type': type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
'@type': type.googleapis.com/google.protobuf.StringValue
value: |
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
root_id: stats_outbound
vm_config:
code:
local:
inline_string: envoy.wasm.stats
runtime: envoy.wasm.runtime.null
vm_id: stats_outbound
priority: -1
EnvoyFilter配置示例
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: custom-protocol
namespace: istio-config # as defined in meshConfig resource.
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND # will match outbound listeners in all sidecars
listener:
portNumber: 9307
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
# This is the full filter config including the name and typed_config section.
name: "envoy.extensions.filters.network.mongo_proxy"
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.mongo_proxy.v3.MongoProxy"
...
- applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
# context omitted so that this applies to both sidecars and gateways
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: "envoy.filters.network.http_connection_manager"
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
common_http_protocol_options:
idle_timeout: 30s
