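Cluster Pods:     3/3 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1: 4
                  cilium-operator    quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1: 1
Enable Hubble
Hubble mainly provides observability. Before enabling it, load the image first; if your network connection is good, you can skip this step.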
docker.io/envoyproxy/envoy:v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7
Next, enable Hubble with the Cilium CLI.
➜ cilium-mesh cilium hubble enable --relay-image='quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1' --ui
Found CA in secret cilium-ca
Patching ConfigMap cilium-config to enable Hubble...
Restarted Cilium pods
Waiting for Cilium to become ready before deploying other Hubble component(s)...
Generating certificates for Relay...
Deploying Relay from quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1...
Deploying Hubble UI from quay.io/cilium/hubble-ui:v0.8.3 and Hubble UI Backend from quay.io/cilium/hubble-ui-backend:v0.8.3...
Waiting for Hubble to be installed...
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         OK
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/
DaemonSet         cilium             Desired: 4, Ready: 4/4, Available: 4/4
Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-relay       Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-ui          Desired: 1, Unavailable: 1/1
Containers:       cilium             Running: 4
                  cilium-operator    Running: 1
                  hubble-relay       Running: 1
                  hubble-ui          Running: 1
Cluster Pods:     5/5 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1: 4
                  cilium-operator    quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1: 1
                  hubble-relay       quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1: 1
                  hubble-ui          quay.io/cilium/hubble-ui:v0.8.3: 1
                  hubble-ui          quay.io/cilium/hubble-ui-backend:v0.8.3: 1
                  hubble-ui          docker.io/envoyproxy/envoy:v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7: 1
Testing Layer 7 ingress traffic management
Install a load balancer
Now install MetalLB on the KIND cluster so that Services of type LoadBalancer can be used (Cilium creates a Service of type LoadBalancer by default). If MetalLB is not installed, you can use NodePort instead.
I won't walk through the process in detail; follow the steps below.
➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/namespace.yaml
namespace/metallb-system created
➜ cilium-mesh kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
secret/memberlist created
➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/metallb.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
role.rbac.authorization.k8s.io/controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
rolebinding.rbac.authorization.k8s.io/controller created
daemonset.apps/speaker created
deployment.apps/controller created
➜ cilium-mesh docker network inspect -f '{{.IPAM.Config}}' kind
[{172.18.0.0/16  172.18.0.1 map[]} {fc00:f853:ccd:e793::/64  fc00:f853:ccd:e793::1 map[]}]
➜ cilium-mesh vim kind-lb-cm.yaml
➜ cilium-mesh cat kind-lb-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 172.18.255.200-172.18.255.250
➜ cilium-mesh kubectl apply -f kind-lb-cm.yaml
configmap/config created
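The address range in the ConfigMap has to sit inside the kind Docker network without covering the gateway or a node address. A Python check for that, added here as an illustration and not taken from the original article or from MetalLB; the function names are hypothetical, and the node addresses are the ones that appear in the NodePort lines of the connectivity test on this page.

```python
import ipaddress
import re

# Output of `docker network inspect -f '{{.IPAM.Config}}' kind`, as shown on this page.
KIND_IPAM = ("[{172.18.0.0/16  172.18.0.1 map[]} "
             "{fc00:f853:ccd:e793::/64  fc00:f853:ccd:e793::1 map[]}]")
# Node addresses seen in the NodePort lines of the connectivity test on this page.
NODE_IPS = ["172.18.0.2", "172.18.0.3", "172.18.0.4", "172.18.0.5"]


def ipv4_subnet(ipam_config):
    """Return (network, gateway) for the first IPv4 entry of the Go-formatted IPAM config."""
    for body in re.findall(r"\{([^{}]*?)\s+map\[[^\]]*\]\}", ipam_config):
        fields = body.split()  # subnet, optional IP range, gateway
        if len(fields) < 2:
            continue  # entry without a gateway
        net = ipaddress.ip_network(fields[0], strict=False)
        if net.version == 4:
            return net, ipaddress.ip_address(fields[-1])
    raise ValueError("no IPv4 subnet with a gateway in IPAM config")


def check_pool(pool, ipam_config, node_ips):
    """Return a list of problems with a MetalLB layer2 range written as 'first-last'."""
    net, gateway = ipv4_subnet(ipam_config)
    first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    problems = []
    if first > last:
        first, last = last, first
        problems.append("range is reversed")
    if first not in net or last not in net:
        problems.append(f"range is outside the kind subnet {net}")
    # Addresses that already belong to something on the Docker bridge.
    taken = {"gateway": gateway,
             "network address": net.network_address,
             "broadcast address": net.broadcast_address}
    taken.update({f"node {ip}": ipaddress.ip_address(ip) for ip in node_ips})
    for label, ip in taken.items():
        if first <= ip <= last:
            problems.append(f"range contains the {label}")
    return problems


if __name__ == "__main__":
    for pool in ("172.18.255.200-172.18.255.250", "172.18.0.1-172.18.0.10"):
        print(pool, check_pool(pool, KIND_IPAM, NODE_IPS) or "ok")
```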
Load the image
Here we use hashicorp/http-echo:0.2.3 as the sample program. It responds with different content depending on its startup arguments.
➜ cilium-mesh docker pull hashicorp/http-echo:0.2.3
0.2.3: Pulling from hashicorp/http-echo
86399148984b: Pull complete
Digest: sha256:ba27d460cd1f22a1a4331bdf74f4fccbc025552357e8a3249c40ae216275de96
Status: Downloaded newer image for hashicorp/http-echo:0.2.3
docker.io/hashicorp/http-echo:0.2.3
➜ cilium-mesh kind load docker-image hashicorp/http-echo:0.2.3
Image: "hashicorp/http-echo:0.2.3" not yet present on node "kind-worker", loading...
Image: "hashicorp/http-echo:0.2.3" not yet present on node "kind-worker2", loading...
Image: "hashicorp/http-echo:0.2.3" not yet present on node "kind-control-plane", loading...
Image: "hashicorp/http-echo:0.2.3" not yet present on node "kind-worker3", loading...
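Deploy the test services
All configuration files used in this article can be found in the github.com/tao12345666. code repository.
Deploy the test services with the following configuration:
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=foo"
    name: foo-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: foo-app
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=bar"
    name: bar-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: bar-app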
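Create a new Ingress resource file as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cilium-ingress
  namespace: default
spec:
  ingressClassName: cilium
  rules:
  - http:
      paths:
      - backend:
          service:
            name: foo-app
            port:
              number: 5678
        path: /foo
        pathType: Prefix
      - backend:
          service:
            name: bar-app
            port:
              number: 5678
        path: /bar
        pathType: Prefix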
You will notice that creating the Ingress resource also generates a new Service of type LoadBalancer.
➜ cilium-mesh kubectl apply -f cilium-ingress.yaml
ingress.networking.k8s.io/cilium-ingress created
➜ cilium-mesh kubectl get svc
NAME                            TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)        AGE
bar-app                         ClusterIP      10.96.229.141   <none>           5678/TCP       106s
cilium-ingress-cilium-ingress   LoadBalancer   10.96.161.128   172.18.255.200   80:31643/TCP   4s
foo-app                         ClusterIP      10.96.166.212   <none>           5678/TCP       106s
kubernetes                      ClusterIP      10.96.0.1       <none>           443/TCP        81m
➜ cilium-mesh kubectl get ingress
NAME             CLASS    HOSTS   ADDRESS          PORTS   AGE
cilium-ingress   cilium   *       172.18.255.200   80      1m
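Test
Use curl to test access and verify that the responses match the Ingress resource configuration. If you look at the response headers, you will see that the proxying here is actually done by Envoy.
➜ cilium-mesh curl 172.18.255.200
➜ cilium-mesh curl 172.18.255.200/foo
foo
➜ cilium-mesh curl 172.18.255.200/bar
bar
➜ cilium-mesh curl -I 172.18.255.200/bar
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
Content-Type: text/plain;
Date: Sat, 18 Dec 2021 06:02:56 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Server: envoy
X-App-Name: http-echo
X-App-Version: 0.2.3
X-Envoy-Upstream-Service-Time: 0
➜ cilium-mesh curl -I 172.18.255.200/foo
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
Content-Type: text/plain;
Date: Sat, 18 Dec 2021 06:03:01 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Server: envoy
X-App-Name: http-echo
X-App-Version: 0.2.3
X-Envoy-Upstream-Service-Time: 0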
Testing CiliumEnvoyConfig
After Cilium is deployed as described above, some CRD resources are installed as well. One of them is CiliumEnvoyConfig, which is used to configure the proxy between services.
➜ cilium-mesh kubectl api-resources | grep cilium.io
ciliumclusterwidenetworkpolicies   ccnp           cilium.io/v2         false   CiliumClusterwideNetworkPolicy
ciliumendpoints                    cep,ciliumep   cilium.io/v2         true    CiliumEndpoint
ciliumenvoyconfigs                 cec            cilium.io/v2alpha1   false   CiliumEnvoyConfig
ciliumexternalworkloads            cew            cilium.io/v2         false   CiliumExternalWorkload
ciliumidentities                   ciliumid       cilium.io/v2         false   CiliumIdentity
ciliumnetworkpolicies              cnp,ciliumnp   cilium.io/v2         true    CiliumNetworkPolicy
ciliumnodes                        cn,ciliumn     cilium.io/v2         false   CiliumNode
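Deploy the test services
You can first set up a Hubble port-forward:
➜ cilium-mesh cilium hubble port-forward
By default, it listens on port 4245. If you do not do this first, you will see the following:
🔭 Enabling Hubble telescope…
Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection error: desc = "transport: dial tcp [::1]:4245: connect: connection refused"
With the Hubble port-forward enabled, you will normally see the following output:
➜ cilium-mesh cilium connectivity test --test egress-l7
ℹ️ Monitor aggregation detected, will skip some flow validation steps
⌛ [kind-kind] Waiting for deployments [client client2 echo-same-node] to become ready…
⌛ [kind-kind] Waiting for deployments [echo-other-node] to become ready…
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/client-6488dcf5d4-pk6w9 to appear…
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/client2-5998d566b4-hrhrb to appear…
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/echo-other-node-f4d46f75b-bqpcb to appear…
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/echo-same-node-745bd5c77-zpzdn to appear…
⌛ [kind-kind] Waiting for Service cilium-test/echo-other-node to become ready…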
⌛ [kind-kind] Waiting for Service cilium-test/echo-same-node to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.5:32751 (cilium-test/echo-other-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.5:32133 (cilium-test/echo-same-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.3:32133 (cilium-test/echo-same-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.3:32751 (cilium-test/echo-other-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.2:32751 (cilium-test/echo-other-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.2:32133 (cilium-test/echo-same-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.4:32751 (cilium-test/echo-other-node) to become ready…
⌛ [kind-kind] Waiting for NodePort 172.18.0.4:32133 (cilium-test/echo-same-node) to become ready…
ℹ️ Skipping IPCache check
⌛ [kind-kind] Waiting for pod cilium-test/client-6488dcf5d4-pk6w9 to reach default/kubernetes service…
⌛ [kind-kind] Waiting for pod cilium-test/client2-5998d566b4-hrhrb to reach default/kubernetes service…
🔭 Enabling Hubble telescope…
ℹ️ Hubble is OK, flows: 16380/16380
🏃 Running tests…
[=] Skipping Test [no-policies]
[=] Skipping Test [allow-all]
[=] Skipping Test [client-ingress]
[=] Skipping Test [echo-ingress]
[=] Skipping Test [client-egress]
[=] Skipping Test [to-entities-world]
[=] Skipping Test [to-cidr-1111]
[=] Skipping Test [echo-ingress-l7]
[=] Test [client-egress-l7]
…
[=] Skipping Test [dns-only]
[=] Skipping Test [to-fqdns]
✅ All 1 tests (10 actions) successful, 10 tests skipped, 0 scenarios skipped.
We can also open the UI at the same time to take a look:
➜ cilium-mesh cilium hubble ui
ℹ️ Opening “http://localhost:12000” in your browser…
The result looks like this:
This operation actually creates the following deployment:
➜ cilium-mesh kubectl -n cilium-test get all
NAME READY STATUS RESTARTS AGE
pod/client-6488dcf5d4-pk6w9 1/1 Running 0 66m
pod/client2-5998d566b4-hrhrb 1/1 Running 0 66m
pod/echo-other-node-f4d46f75b-bqpcb 1/1 Running 0 66m
pod/echo-same-node-745bd5c77-zpzdn 1/1 Running 0 66m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/echo-other-node NodePort 10.96.124.211 <none> 8080:32751/TCP 66m
service/echo-same-node NodePort 10.96.136.252 <none> 8080:32133/TCP 66m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/client 1/1 1 1 66m
deployment.apps/client2 1/1 1 1 66m
deployment.apps/echo-other-node 1/1 1 1 66m
deployment.apps/echo-same-node 1/1 1 1 66m
NAME DESIRED CURRENT READY AGE
replicaset.apps/client-6488dcf5d4 1 1 1 66m
replicaset.apps/client2-5998d566b4 1 1 1 66m
replicaset.apps/echo-other-node-f4d46f75b 1 1 1 66m
replicaset.apps/echo-same-node-745bd5c77 1 1 1 66m
We can also look at its labels:
➜ cilium-mesh kubectl get pods -n cilium-test --show-labels -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
client-6488dcf5d4-pk6w9 1/1 Running 0 67m 10.244.3.7 kind-worker3 <none> <none> kind=client,name=client,pod-template-hash=6488dcf5d4
client2-5998d566b4-hrhrb 1/1 Running 0 67m 10.244.3.18 kind-worker3 <none> <none> kind=client,name=client2,other=client,pod-template-hash=5998d566b4
echo-other-node-f4d46f75b-bqpcb 1/1 Running 0 67m 10.244.1.146 kind-worker2 <none> <none> kind=echo,name=echo-other-node,pod-template-hash=f4d46f75b
echo-same-node-745bd5c77-zpzdn 1/1 Running 0 67m 10.244.3.164 kind-worker3 <none> <none> kind=echo,name=echo-same-node,other=echo,pod-template-hash=745bd5c77
Test
Here we work from the host: first get the name of the client2 Pod, then use the hubble command to observe all traffic involving this Pod.
➜ cilium-mesh export CLIENT2=client2-5998d566b4-hrhrb
➜ cilium-mesh hubble observe --from-pod cilium-test/$CLIENT2 -f
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:37.202: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:37.203: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: SYN)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:50.771: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:50.771: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:50.772: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.772: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK)
The output above was produced by running the following commands:
kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-other-node:8080/
The log entries are essentially all to-endpoint or to-overlay.
Testing with the proxy
We first need to install the network policies, which we can get directly from the Cilium CLI repository.
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium-cli/master/connectivity/manifests/client-egress-l7-http.yaml
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium-cli/master/connectivity/manifests/client-egress-only-dns.yaml
Then repeat the request above:
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-other-node.cilium-test.svc.cluster.local. A)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-other-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:33:40.572: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-other-node:8080/)
Dec 18 14:33:40.573: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:33:40.573: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK)
Run another request:
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
You can also see the following output, which contains to-proxy.
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 14:45:18.859: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:45:18.859: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
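The difference between the two captures (to-endpoint/to-overlay before the policies, to-proxy plus L7 records after) can be checked mechanically. The Python below is an added example, not part of the original article or of the Cilium or Hubble projects; the function name is hypothetical and the sample lines are copied from the hubble observe output shown on this page.

```python
import re
from collections import defaultdict

# One line of compact `hubble observe` output:
# "<timestamp>: <src>:<port> <arrow> <dst>:<port> <observation point> <VERDICT> (<summary>)"
FLOW_RE = re.compile(
    r"^\w{3} +\d+ [\d:.]+: (?P<src>\S+?):(?P<sport>\d+) (?:->|<>|<-) "
    r"(?P<dst>\S+?):(?P<dport>\d+) (?P<point>\S+) (?P<verdict>[A-Z]+) \((?P<summary>.*)\)$"
)
DIRECT_POINTS = {"to-endpoint", "to-overlay"}  # plain datapath forwarding
L7_POINTS = {"http-request", "dns-request"}    # records that only appear with the proxy in the path


def proxy_path_report(lines):
    """Map each destination to how its flows were forwarded and which L7 requests were logged."""
    seen = defaultdict(lambda: {"direct": 0, "proxy": 0, "l7": []})
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m is None:
            continue  # banner, blank or truncated line
        entry = seen[f"{m['dst']}:{m['dport']}"]
        if m["point"] in L7_POINTS:
            entry["proxy"] += 1
            entry["l7"].append(m["summary"])
        elif m["point"] == "to-proxy" or m["verdict"] == "REDIRECTED":
            entry["proxy"] += 1
        elif m["point"] in DIRECT_POINTS:
            entry["direct"] += 1
    report = {}
    for dst, e in seen.items():
        if e["proxy"] and e["direct"]:
            path = "mixed"    # capture spans the moment the policy took effect
        elif e["proxy"]:
            path = "proxy"
        elif e["direct"]:
            path = "direct"   # L3/L4 only: no L7 rule is being applied
        else:
            path = "unknown"
        report[dst] = {"path": path, "l7": e["l7"]}
    return report


# Lines copied from this page: before and after the two policies were applied.
BEFORE_POLICY = [
    "Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: SYN)",
    "Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: SYN)",
]
AFTER_POLICY = [
    "Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)",
    "Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)",
    "Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)",
    "Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)",
]

if __name__ == "__main__":
    for name, sample in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(name, proxy_path_report(sample))
```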
Looking at the headers is actually more convenient:
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -I echo-same-node:8080/
HTTP/1.1 403 Forbidden
content-length: 15
content-type: text/plain
date: Sat, 18 Dec 2021 14:47:39 GMT
server: envoy
Before, it always looked like this:
Without the proxy
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
*   Trying 10.96.136.252:8080…
* Connected to echo-same-node (10.96.136.252) port 8080 (#0)
> GET / HTTP/1.1
> Host: echo-same-node:8080
> User-Agent: curl/7.78.0
> Accept: */*
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Vary: Origin, Accept-Encoding
< Access-Control-Allow-Credentials: true
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
Original article, author: CSDN. If you repost it, please credit the source: https://www.sudun.com/ask/91913.html