1. The nature and consequences of injection

2. Which resources can be injected

Job, DaemonSet, ReplicaSet, Pod, Deployment: anything that is a Pod or carries a pod template. The controllers "produce children" (Pods), and the sidecar ends up in those Pods.

Service, ConfigMap, Secret: nothing happens. They contain no pod spec, so `istioctl kube-inject` passes them through unchanged.

3. Injection example

(3-istio inject, Figure 1)

1. Manual injection (simulating what the webhook does)

Create a Deployment (`--dry-run=client` is the current form of the deprecated bare `--dry-run`):

```sh
kubectl create deployment inject --image=nginx --replicas=1 --dry-run=client -o yaml > inject-deployment.yaml
kubectl create -f inject-deployment.yaml
```

Check the created resources:

```sh
kubectl get po
NAME                     READY   STATUS    RESTARTS   AGE
inject-994587885-fbxfk   1/1     Running   0          67s
```

Inject the sidecar into the generated manifest by hand and apply the result (the warning appears because the Deployment was created with `kubectl create` without `--save-config`; kubectl patches the missing annotation itself):

```sh
istioctl kube-inject -f inject-deployment.yaml | kubectl apply -f - -n default
Warning: resource deployments/inject is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/inject configured
```

Check again and observe how the pod changed:

```sh
kubectl get pod
NAME                     READY   STATUS    RESTARTS   AGE
inject-8565f4c47-srwzd   2/2     Running   0          37s
```

READY has gone from 1/1 to 2/2. `kubectl describe pod` shows that a container named istio-proxy was injected into the pod, together with an istio-init init container. istio-init runs to completion and exits before the main containers start; its job is to program the iptables redirection in the pod's network namespace.

The pod name has also changed. Because the Deployment's pod template was modified, the Deployment rolled out a new ReplicaSet (the hash in the pod name went from 994587885 to 8565f4c47) and created a brand-new pod rather than altering the existing one. This holds for every workload listed in section 2: injection always means replacing the pod.

Print the injected manifest to analyse it:

```sh
istioctl kube-inject -f inject-deployment.yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: inject
  name: inject
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inject
  strategy: {}
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: nginx
        kubectl.kubernetes.io/default-logs-container: nginx
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
      creationTimestamp: null
      labels:
        app: inject
        security.istio.io/tlsMode: istio
        service.istio.io/canonical-name: inject
        service.istio.io/canonical-revision: latest
    spec:
      containers:
      - image: nginx
        name: nginx
        resources: {}
      - args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --proxyLogLevel=warning
        - --proxyComponentLogLevel=misc:error
        - --log_output_level=default:info
        - --concurrency
        - "2"
        env:
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: PROXY_CONFIG
          value: |
            {}
        - name: ISTIO_META_POD_PORTS
          value: |-
            [
            ]
        - name: ISTIO_META_APP_CONTAINERS
          value: nginx
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: TRUST_DOMAIN
          value: cluster.local
        image: docker.io/istio/proxyv2:1.16.2
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
          initialDelaySeconds: 1
          periodSeconds: 2
          timeoutSeconds: 3
        resources:
          limits:
            cpu: "2"
            memory: 1Gi
          requests:
            cpu: 10m
            memory: 40Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        volumeMounts:
        - mountPath: /var/run/secrets/workload-spiffe-uds
          name: workload-socket
        - mountPath: /var/run/secrets/credential-uds
          name: credential-socket
        - mountPath: /var/run/secrets/workload-spiffe-credentials
          name: workload-certs
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        - mountPath: /etc/istio/pod
          name: istio-podinfo
      initContainers:
      - args:
        - istio-iptables
        - -p
        - "15001"
        - -z
        - "15006"
        - -u
        - "1337"
        - -m
        - REDIRECT
        - -i
        - '*'
        - -x
        - ""
        - -b
        - '*'
        - -d
        - 15090,15021,15020
        - --log_output_level=default:info
        image: docker.io/istio/proxyv2:1.16.2
        name: istio-init
        resources:
          limits:
            cpu: "2"
            memory: 1Gi
          requests:
            cpu: 10m
            memory: 40Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
      volumes:
      - name: workload-socket
      - name: credential-socket
      - name: workload-certs
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
        name: istio-podinfo
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          name: istio-ca-root-cert
        name: istiod-ca-cert
status: {}
---
```

Points worth noting in this manifest:

- The `sidecar.istio.io/status` annotation records exactly what was injected (init containers, containers, volumes, revision); its presence is how the webhook later recognises an already-injected pod.
- istio-proxy runs as UID/GID 1337 with `runAsNonRoot`, all capabilities dropped and a read-only root filesystem. The iptables rules written by istio-init key on UID/GID 1337 to tell Envoy's own traffic apart from the application's.
- istio-init runs as root with NET_ADMIN and NET_RAW added, because programming iptables requires them. It is the only privileged piece of the injection; a namespace enforcing the `restricted` Pod Security Standard rejects it, and the Istio CNI plugin exists precisely to move this step to a node-level agent so the pod needs no such capabilities.
- istio-token is a projected service account token with audience `istio-ca` and a 12-hour lifetime (`expirationSeconds: 43200`). pilot-agent presents it to istiod at `CA_ADDR` (istiod.istio-system.svc:15012) to obtain the workload certificate; istiod-ca-cert mounts the mesh root CA from the `istio-ca-root-cert` ConfigMap so the agent can verify istiod.
- The `prometheus.io/*` annotations point scrapers at port 15020, and `-d 15090,15021,15020` on istio-init keeps those three ports out of inbound redirection so probes and scrapes reach the agent directly instead of being looped through Envoy.
- `ISTIO_META_POD_PORTS` is empty because the generated Deployment declares no `containerPort`.
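A small audit of an injected manifest, added here as an example (it is not part of the original notes and not Istio tooling): it reads the `sidecar.istio.io/status` annotation to list what was injected and summarises the privileges istio-init asks for, which is the check to run before such a manifest lands in a namespace with a Pod Security policy. The embedded manifest is a constructed, trimmed excerpt of the Deployment above containing only the fields the audit reads; the function names are this example's own. The parser is a deliberate heuristic (awk/sed over kube-inject's field order), not a YAML library.

```sh
#!/bin/sh
# Added example: heuristic audit of an istioctl kube-inject output.
# MANIFEST is a constructed excerpt of the Deployment shown above (no env lists,
# so "- name:" lines only introduce containers, which the awk below relies on).
MANIFEST=$(cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: inject
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","istio-token"],"imagePullSecrets":null,"revision":"default"}'
    spec:
      containers:
      - name: nginx
        image: nginx
      - name: istio-proxy
        image: docker.io/istio/proxyv2:1.16.2
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsUser: 1337
      initContainers:
      - name: istio-init
        image: docker.io/istio/proxyv2:1.16.2
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          runAsUser: 0
EOF
)

# injected_list <key>: comma-separated names from one JSON array of the status
# annotation (containers, initContainers, volumes); empty if not injected.
injected_list() {
  printf '%s\n' "$MANIFEST" |
    sed -n 's/.*sidecar\.istio\.io\/status:.*"'"$1"'":\[\([^]]*\)].*/\1/p' | tr -d '"'
}

# is_injected: exit 0 when the annotation names at least one injected container
is_injected() {
  [ -n "$(injected_list containers)" ]
}

# ctx_of <container>: print the securityContext block of that container, using
# the indentation to find where the block ends.
ctx_of() {
  printf '%s\n' "$MANIFEST" | awk -v n="$1" '
    /^ *- name: / { cur = $3 }
    cur == n && /securityContext:/ { match($0, /^ */); ind = RLENGTH; inctx = 1; next }
    inctx { match($0, /^ */); if (RLENGTH <= ind) inctx = 0; else print }'
}

# init_needs: "runAsUser=<uid> caps=<added capabilities>" for istio-init
init_needs() {
  ctx=$(ctx_of istio-init)
  uid=$(printf '%s\n' "$ctx" | sed -n 's/.*runAsUser: *//p')
  caps=$(printf '%s\n' "$ctx" |
    awk '/add:/ { a = 1; next } /drop:/ { a = 0 } a && /^ *- / { print $2 }' |
    tr '\n' ',' | sed 's/,$//')
  echo "runAsUser=$uid caps=$caps"
}

audit() {
  if ! is_injected; then echo "not injected"; return 1; fi
  echo "containers:     $(injected_list containers)"
  echo "initContainers: $(injected_list initContainers)"
  echo "volumes:        $(injected_list volumes)"
  echo "istio-init:     $(init_needs)"
}

audit
```

Pipe a real `istioctl kube-inject` result into `MANIFEST` to use it on live output; if `init_needs` reports `runAsUser=0 caps=NET_ADMIN,NET_RAW`, the target namespace must permit that (or the cluster must run Istio CNI) before the rollout will succeed.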

4. What changes after injection, seen from the process side (key section)

The pod now exposes more listening ports than before. The original note counted four or five extra ports and observed that newer versions add more; the listing below shows seven new ports (15000, 15001, 15004, 15006, 15020, 15021, 15090) next to the application's port 80. Ports that appear twice are bound once by each of Envoy's two worker threads (`--concurrency 2`, one socket per worker). This output was taken from a different pod (nginx-786dd96cc9-4vdzh in namespace geray) than the one injected above; the layout is identical.

```sh
kubectl exec -it -n geray nginx-786dd96cc9-4vdzh -c istio-proxy -- netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:15006           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:15006           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:15021           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:15021           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:15090           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:15090           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 127.0.0.1:15000         0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:15001           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 0.0.0.0:15001           0.0.0.0:*               LISTEN      19/envoy
tcp        0      0 127.0.0.1:15004         0.0.0.0:*               LISTEN      1/pilot-agent
tcp6       0      0 :::15020                :::*                    LISTEN      1/pilot-agent
tcp6       0      0 :::80                   :::*                    LISTEN      -
```

What each port is for (Istio 1.16):

- 15000: Envoy admin interface, bound to 127.0.0.1 only
- 15001: Envoy outbound listener, the target of the ISTIO_REDIRECT rule
- 15004: pilot-agent debug port, 127.0.0.1 only
- 15006: Envoy inbound listener, the target of the ISTIO_IN_REDIRECT rule
- 15020: pilot-agent's merged Prometheus telemetry and health endpoint (what the `prometheus.io/port` annotation points at)
- 15021: health check port used by the readinessProbe
- 15090: Envoy's own Prometheus telemetry
- 80: the application (nginx). It shows no PID because netstat runs in the istio-proxy container and cannot see processes in the nginx container's PID namespace.

(3-istio inject, Figure 2)

(3-istio inject, Figure 3)

What istio-init does

```sh
kubectl logs -f -n geray nginx-786dd96cc9-4vdzh -c istio-init
2023-02-10T02:01:12.144483Z	info	Istio iptables environment:
ENVOY_PORT=
INBOUND_CAPTURE_PORT=
ISTIO_INBOUND_INTERCEPTION_MODE=
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
ISTIO_INBOUND_PORTS=
ISTIO_OUTBOUND_PORTS=
ISTIO_LOCAL_EXCLUDE_PORTS=
ISTIO_EXCLUDE_INTERFACES=
ISTIO_SERVICE_CIDR=
ISTIO_SERVICE_EXCLUDE_CIDR=
ISTIO_META_DNS_CAPTURE=
INVALID_DROP=
2023-02-10T02:01:12.144575Z	info	Istio iptables variables:
PROXY_PORT=15001
PROXY_INBOUND_CAPTURE_PORT=15006
PROXY_TUNNEL_PORT=15008
PROXY_UID=1337
PROXY_GID=1337
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=*
INBOUND_PORTS_EXCLUDE=15090,15021,15020
OUTBOUND_OWNER_GROUPS_INCLUDE=*
OUTBOUND_OWNER_GROUPS_EXCLUDE=
OUTBOUND_IP_RANGES_INCLUDE=*
OUTBOUND_IP_RANGES_EXCLUDE=
OUTBOUND_PORTS_INCLUDE=
OUTBOUND_PORTS_EXCLUDE=
KUBE_VIRT_INTERFACES=
ENABLE_INBOUND_IPV6=false
DNS_CAPTURE=false
DROP_INVALID=false
CAPTURE_ALL_DNS=false
DNS_SERVERS=[],[]
OUTPUT_PATH=
NETWORK_NAMESPACE=
CNI_MODE=false
HOST_NSENTER_EXEC=false
EXCLUDE_INTERFACES=
2023-02-10T02:01:12.144905Z	info	Writing following contents to rules file: /tmp/iptables-rules-1675994472144631139.txt2300041476
* nat
-N ISTIO_INBOUND
-N ISTIO_REDIRECT
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A ISTIO_INBOUND -p tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
COMMIT
2023-02-10T02:01:12.144996Z	info	Running command: iptables-restore --noflush /tmp/iptables-rules-1675994472144631139.txt2300041476
2023-02-10T02:01:12.150882Z	info	Writing following contents to rules file: /tmp/ip6tables-rules-1675994472150846159.txt1418190399
2023-02-10T02:01:12.150937Z	info	Running command: ip6tables-restore --noflush /tmp/ip6tables-rules-1675994472150846159.txt1418190399
2023-02-10T02:01:12.154122Z	info	Running command: iptables-save
2023-02-10T02:01:12.159165Z	info	Command output:
# Generated by iptables-save v1.8.7 on Fri Feb 10 02:01:12 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Feb 10 02:01:12 2023
# Generated by iptables-save v1.8.7 on Fri Feb 10 02:01:12 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Feb 10 02:01:12 2023
# Generated by iptables-save v1.8.7 on Fri Feb 10 02:01:12 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Feb 10 02:01:12 2023
# Generated by iptables-save v1.8.7 on Fri Feb 10 02:01:12 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Fri Feb 10 02:01:12 2023
```

Reading the nat rules: everything happens in the nat table of the pod's own network namespace (`CNI_MODE=false` confirms the init container, not the Istio CNI plugin, wrote them), and only TCP is matched (`-p tcp` on the PREROUTING and OUTPUT jumps; with `DNS_CAPTURE=false` UDP DNS is not intercepted).

- Inbound: PREROUTING hands every TCP packet to ISTIO_INBOUND, which lets port 15008 (the HBONE tunnel port, `PROXY_TUNNEL_PORT`) and the excluded 15090, 15021 and 15020 through untouched and redirects everything else to Envoy's inbound listener on 15006.
- Outbound: OUTPUT hands every TCP packet to ISTIO_OUTPUT. The `owner` match on UID/GID 1337 lets Envoy's own egress leave directly; Envoy traffic to the pod's own IP over loopback is looped back into the inbound listener (15006); traffic with source 127.0.0.6 (Envoy forwarding an inbound connection to the application) and application traffic to 127.0.0.1 are left alone; everything else is redirected to the outbound listener on 15001.

One caveat follows directly from the rules: the bypass is keyed on UID/GID 1337, so any process in the pod that can run as that uid (for example another container in the same pod with `runAsUser: 1337`) sends its traffic around the sidecar, and anything that regains NET_ADMIN in the pod can rewrite the rules. The interception is a transparent-routing convenience, not a security boundary against code that is already inside the pod.

Inspect the rules from the node. They live in the pod's network namespace, which every container in the pod shares, but istio-proxy has dropped all capabilities (even listing iptables rules needs CAP_NET_ADMIN), so they have to be read from the node, starting from the container:

```sh
crictl ps | grep proxy
851999992cdc5       0ed03fb4d64c2       28 minutes ago      Running             istio-proxy         1                   39d2b59c0c6d1       nginx-786dd96cc9-4vdzh
```
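To make the rule order above concrete, here is a pure-shell model of the nat traversal istio-init installs in REDIRECT mode, added as an example (it is not from the original notes or from Istio). Each branch is transcribed from one `-A ISTIO_INBOUND` / `-A ISTIO_OUTPUT` line in the iptables-save output, in the same order, and answers "where does this packet go?" without touching a real network namespace. The scenarios at the bottom are constructed (pod IP 10.244.1.5, service IP 10.96.0.10, application uid 101 are made-up values); the ports, UID/GID 1337 and 127.0.0.6 come from the rules themselves.

```sh
#!/bin/sh
# Added example: a model of istio-init's nat rules, not the real iptables.
# Only TCP is handled, because only TCP reaches these chains (-p tcp jumps).

# PREROUTING -> ISTIO_INBOUND.  Argument: destination port of an inbound packet.
istio_inbound() {
  case "$1" in
    # --dport 15008|15090|15021|15020 -j RETURN : tunnel, metrics and health ports
    15008|15090|15021|15020) echo "RETURN: delivered directly to :$1" ;;
    # -j ISTIO_IN_REDIRECT -> REDIRECT --to-ports 15006 : Envoy inbound listener
    *)                       echo "REDIRECT to :15006" ;;
  esac
}

# OUTPUT -> ISTIO_OUTPUT.  Arguments: uid gid out_iface src_ip dst_ip
# Branches are in rule order; the first match wins, exactly as iptables does.
istio_outbound() {
  uid=$1 gid=$2 oif=$3 src=$4 dst=$5
  # -s 127.0.0.6/32 -o lo -j RETURN : Envoy handing an inbound connection to the app
  if [ "$oif" = lo ] && [ "$src" = 127.0.0.6 ]; then
    echo "RETURN: envoy -> app (inbound passthrough)"; return
  fi
  # ! -d 127.0.0.1/32 -o lo --uid-owner 1337 -j ISTIO_IN_REDIRECT : pod calling its own IP
  if [ "$oif" = lo ] && [ "$dst" != 127.0.0.1 ] && [ "$uid" = 1337 ]; then
    echo "REDIRECT to :15006 (pod calls itself)"; return
  fi
  # -o lo ! --uid-owner 1337 -j RETURN : the app talking to localhost is never captured
  if [ "$oif" = lo ] && [ "$uid" != 1337 ]; then
    echo "RETURN: app loopback, not captured"; return
  fi
  # --uid-owner 1337 -j RETURN : Envoy's own egress leaves the pod directly
  if [ "$uid" = 1337 ]; then
    echo "RETURN: envoy egress, not captured"; return
  fi
  # The three gid rules have the same shape (they matter if Envoy ever runs with
  # a different uid but keeps gid 1337).
  if [ "$oif" = lo ] && [ "$dst" != 127.0.0.1 ] && [ "$gid" = 1337 ]; then
    echo "REDIRECT to :15006 (pod calls itself)"; return
  fi
  if [ "$oif" = lo ] && [ "$gid" != 1337 ]; then
    echo "RETURN: app loopback, not captured"; return
  fi
  if [ "$gid" = 1337 ]; then
    echo "RETURN: envoy egress, not captured"; return
  fi
  # -d 127.0.0.1/32 -j RETURN
  if [ "$dst" = 127.0.0.1 ]; then
    echo "RETURN: localhost destination"; return
  fi
  # -j ISTIO_REDIRECT -> REDIRECT --to-ports 15001 : Envoy outbound listener
  echo "REDIRECT to :15001 (envoy outbound)"
}

# Constructed scenarios: "uid gid oif src dst".  101 stands for the app process.
for c in "101 101 eth0 10.244.1.5 10.96.0.10" \
         "1337 1337 eth0 10.244.1.5 10.96.0.10" \
         "101 101 lo 127.0.0.1 127.0.0.1" \
         "1337 1337 lo 10.244.1.5 10.244.1.5" \
         "1337 1337 lo 127.0.0.6 10.244.1.5"; do
  set -- $c
  printf 'outbound uid=%-4s oif=%-4s dst=%-11s -> %s\n' "$1" "$3" "$5" \
    "$(istio_outbound "$1" "$2" "$3" "$4" "$5")"
done
for p in 80 15021 15008; do
  printf 'inbound  dport=%-5s -> %s\n' "$p" "$(istio_inbound "$p")"
done
```

The scenarios show the two facts that matter for policy: an application connection to a service IP is redirected to 15001 while the same connection made by uid 1337 is not, and inbound traffic to the application port is redirected to 15006 while the agent's own ports bypass Envoy. Changing the uid in the first scenario to 1337 is exactly the bypass described above.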

2. Process-level analysis

```sh
kubectl exec -it -n geray nginx-786dd96cc9-4vdzh -c istio-proxy -- ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
istio-p+       1       0  0 02:01 ?        00:00:05 /usr/local/bin/pilot-agent proxy sidecar --domain geray.svc.cluster.local --proxyLogLevel=warning --proxyComponentLogL
istio-p+      19       1  0 02:01 ?        00:00:26 /usr/local/bin/envoy -c etc/istio/proxy/envoy-rev.json --drain-time-s 45 --drain-strategy immediate --parent-shutdown-
istio-p+      91       0  0 02:56 pts/0    00:00:00 ps -ef
```

Two processes, both running as the istio-proxy user (uid 1337; `ps` truncates the name to `istio-p+`):

- pilot-agent (PID 1): the container's entrypoint, started with the `proxy sidecar` arguments from the manifest. It writes Envoy's bootstrap file (etc/istio/proxy/envoy-rev.json), obtains the workload certificate from istiod at `CA_ADDR` using the projected istio-token, proxies xDS configuration to Envoy, serves the health and merged-metrics endpoint on 15020, and then launches and supervises Envoy.
- envoy (PID 19, child of pilot-agent): the data plane. It owns 15001, 15006 and the other Envoy sockets seen in the netstat output and handles the traffic that the iptables rules redirect to it.

5. Automatic injection