Kubernetes: Why does an explicit protocol setting cause traffic to be routed incorrectly?

Posted by 41zrol4v on 2023-10-17 in Kubernetes

I wrote a VirtualService to test header-based routing:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: http-app
  namespace: default
spec:
  hosts:
    - http-app.default.svc.cluster.local
  http:
    - match:
        - headers:
            canary-token:
              exact: haha
      route:
        - destination:
            host: http-app.default.svc.cluster.local
            subset: canary
    - route:
        - destination:
            host: http-app.default.svc.cluster.local
            subset: stable

When the Service is like this, it works correctly:

apiVersion: v1
kind: Service
metadata:
  name: http-app
  namespace: default
  labels:
    env: prod
spec:
  type: ClusterIP
  selector:
    app: http-app
  ports:
    - port: 3011
      targetPort: 3011

[2023-08-28T04:00:01.156Z] "GET /mesh HTTP/1.1" 200 - via_upstream - "-" 0 78 645 644 "192.168.65.4, 127.0.0.6" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.54" "24cb1d39-33f6-4e07-8ba5-fefc4c656498" "nginx-app.local" "10.1.13.85:3011" outbound|3011|canary|http-app.default.svc.cluster.local 10.1.13.93:44452 10.104.186.154:3011 127.0.0.6:0 - -

But when I explicitly set the protocol to http like this,

ports:
    - port: 3011
      targetPort: 3011
      appProtocol: http

or this

ports:
    - name: http-app
      port: 3011
      targetPort: 3011

the traffic route becomes allow_any:

[2023-08-28T11:23:10.344Z] "GET /mesh HTTP/1.1" 200 - via_upstream - "-" 0 78 652 652 "192.168.113.118,192.168.65.4, 127.0.0.6" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.54" "f54af48b-6f67-4f64-ba05-2d5d9215fd8c" "nginx-app.local" "10.104.186.154:3011" PassthroughCluster 10.1.13.93:38016 10.104.186.154:3011 127.0.0.6:0 - allow_any

Why does header-based routing stop working after the protocol is set explicitly?

w7t8yxp5 #1

ports:
    - port: 3011
      appProtocol: http
or 
    - name: http-app

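Note: When you configure name or appProtocol, Istio treats traffic on that port as plain HTTP. This means Istio will not inspect or manipulate HTTP headers for routing purposes, including the canary-token header. As a result, the header-based routing rules defined in the VirtualService will not be applied, and traffic will be allowed to flow freely to the specified port regardless of the canary-token header.
Solution: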

ports:
    - port: 3011
      targetPort: 3011

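If you want Istio to perform header-based routing on the canary-token header, you should not explicitly set the protocol to http or name the port http-app. By default, Istio performs L7 routing, inspecting HTTP headers and other application-layer attributes to make routing decisions.
So, to enable header-based routing, you should use the original configuration of the service port, without specifying appProtocol or using the name http-app. That way, Istio will keep inspecting HTTP headers and apply the routing rules you defined in the VirtualService.
Reference: https://istio.io/latest/docs/reference/config/networking/virtual-service/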
What is the difference between Istio VirtualService and Kubernetes Service?
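
To tell from sidecar access logs which of the two outcomes in the question a request got, the upstream cluster and route name fields can be checked. This is an added example, not part of the original question or answer; it assumes Istio's default text access log format (the last six fields being upstream cluster, three addresses, SNI and route name), and the names `classify` and `unrouted` are hypothetical.

```python
import shlex
from typing import List, NamedTuple, Optional

# The two sidecar log lines from the question, with the User-Agent shortened.
ROUTED = ('[2023-08-28T04:00:01.156Z] "GET /mesh HTTP/1.1" 200 - via_upstream - "-" 0 78 645 644 '
          '"192.168.65.4, 127.0.0.6" "Mozilla/5.0" "24cb1d39-33f6-4e07-8ba5-fefc4c656498" '
          '"nginx-app.local" "10.1.13.85:3011" outbound|3011|canary|http-app.default.svc.cluster.local '
          '10.1.13.93:44452 10.104.186.154:3011 127.0.0.6:0 - -')
PASSTHROUGH = ('[2023-08-28T11:23:10.344Z] "GET /mesh HTTP/1.1" 200 - via_upstream - "-" 0 78 652 652 '
               '"192.168.113.118,192.168.65.4, 127.0.0.6" "Mozilla/5.0" "f54af48b-6f67-4f64-ba05-2d5d9215fd8c" '
               '"nginx-app.local" "10.104.186.154:3011" PassthroughCluster '
               '10.1.13.93:38016 10.104.186.154:3011 127.0.0.6:0 - allow_any')

class Verdict(NamedTuple):
    request_id: str
    authority: str               # Host header the client sent
    upstream_host: str           # pod IP when routed, ClusterIP when passed through
    subset: Optional[str]        # DestinationRule subset, if a mesh route matched
    service: Optional[str]       # service host of the matched cluster
    passthrough: bool            # True when no mesh route was applied

def classify(line: str) -> Verdict:
    tok = shlex.split(line)      # whitespace split that keeps quoted fields whole
    if len(tok) < 22:            # assumed default format has 22 fields
        raise ValueError("not a default-format access log line")
    request_id, authority, upstream_host, cluster = tok[-9:-5]
    route_name = tok[-1]
    subset = service = None
    if cluster.count("|") == 3:  # direction|port|subset|host
        _direction, _port, subset, service = cluster.split("|")
        subset = subset or None
    passthrough = cluster == "PassthroughCluster" or route_name == "allow_any"
    return Verdict(request_id, authority, upstream_host, subset, service, passthrough)

def unrouted(lines: List[str]) -> List[str]:
    """Request IDs of requests that bypassed VirtualService routing."""
    ids = []
    for line in lines:
        try:
            verdict = classify(line)
        except ValueError:       # unparseable or non-access-log line
            continue
        if verdict.passthrough:
            ids.append(verdict.request_id)
    return ids

if __name__ == "__main__":
    for sample in (ROUTED, PASSTHROUGH):
        print(classify(sample))
```
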