kubernetes | istio

When looking up material while working with Istio, searches often turn up documents written for old versions, so I am keeping these notes on what the current setup looks like.

Istiod

Starting with Istio 1.5, the mixer, galley, pilot, and citadel control-plane components were consolidated into a single istiod process.

Querying the istiod debug API

Verified against version 1.22; the entries marked (removed) do not appear to work in 1.22.

Routing information                                         How to check
All Istio resources (VirtualService, DestinationRule, ...)  curl localhost:8080/debug/configz
(removed) Route config pushed to Envoy (RDS)                curl localhost:8080/debug/rdsz
(removed) Cluster config pushed to Envoy (CDS)              curl localhost:8080/debug/cdsz
Connected Envoy proxies and their status                    curl localhost:8080/debug/adsz
Detailed config applied to each Envoy proxy                 curl localhost:8080/debug/adsz?proxy=<pod.namespace>

Debugging with istioctl proxy-config

View the routing (RDS) configuration applied to a specific Pod

./bin/istioctl proxy-config route msa-fe-dp-fbb8b56d8-mfmgc.msa-fe -n msa-fe

View the CDS (cluster) configuration

istioctl proxy-config clusters <pod-name>.<namespace> -n <namespace>

Check Envoy proxy sync status

[ubuntu@dev istio-1.23.1-hm (⎈|hk8s:istio-system)]$ ./bin/istioctl proxy-status
NAME                                                       CLUSTER        CDS                LDS                EDS                RDS                ECDS        ISTIOD                      VERSION
butler-app-dp-764886494f-qqpgw.buttler-ddochi              Kubernetes     SYNCED (93s)       SYNCED (93s)       SYNCED (93s)       SYNCED (93s)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
istio-ingressgateway-5bb9db885d-n8pfp.istio-system         Kubernetes     SYNCED (32m)       SYNCED (32m)       SYNCED (32m)       SYNCED (32m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
kimchirun-dp-5c7749dff9-jgsj6.buttler-ddochi               Kubernetes     SYNCED (26m)       SYNCED (26m)       SYNCED (26m)       SYNCED (26m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
msa-django-ansible-6c977cb788-745kq.msa-django-ansible     Kubernetes     SYNCED (21m)       SYNCED (21m)       SYNCED (21m)       SYNCED (21m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
msa-django-auth-86bcbfc6b7-9ldhs.msa-django-auth           Kubernetes     SYNCED (2m19s)     SYNCED (2m19s)     SYNCED (2m19s)     SYNCED (2m19s)     IGNORED     istiod-7778bb89b8-l76f2     1.23.1
msa-django-blog-5f86bb4f87-s7crh.msa-django-blog           Kubernetes     SYNCED (20m)       SYNCED (20m)       SYNCED (20m)       SYNCED (20m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
msa-django-board-65d98678d8-86rmm.msa-django-board         Kubernetes     SYNCED (25m)       SYNCED (25m)       SYNCED (25m)       SYNCED (25m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
msa-django-todo-7cf9bc7c95-kkbzs.msa-django-todo           Kubernetes     SYNCED (16m)       SYNCED (16m)       SYNCED (16m)       SYNCED (16m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
msa-fe-dp-fbb8b56d8-mfmgc.msa-fe                           Kubernetes     SYNCED (10m)       SYNCED (10m)       SYNCED (10m)       SYNCED (10m)       IGNORED     istiod-7778bb89b8-l76f2     1.23.1
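A small parser for the proxy-status table above, added here as an example (it is not part of the original notes or of istioctl). The first sample row is taken from the output above; the second row is constructed to show a proxy that has not acknowledged a push, which is the state to look for after changing a PeerAuthentication or AuthorizationPolicy.

```python
import re

XDS = ("CDS", "LDS", "EDS", "RDS")

# Constructed sample in the column layout `istioctl proxy-status` prints (first row from
# the page); the second row is made up to show a proxy whose EDS/RDS never acknowledged a push.
SAMPLE_STATUS = """\
NAME                                  CLUSTER      CDS            LDS            EDS                          RDS            ECDS       ISTIOD                     VERSION
msa-fe-dp-fbb8b56d8-mfmgc.msa-fe      Kubernetes   SYNCED (10m)   SYNCED (10m)   SYNCED (10m)                 SYNCED (10m)   IGNORED    istiod-7778bb89b8-l76f2    1.23.1
legacy-app-7d9f6-abcde.legacy         Kubernetes   SYNCED (3m)    SYNCED (3m)    STALE (Never Acknowledged)   STALE          IGNORED    istiod-7778bb89b8-l76f2    1.23.1
"""

def parse_proxy_status(text):
    """Turn the proxy-status table into one dict per proxy keyed by the header names.
    Columns are separated by two or more spaces, so values such as "SYNCED (10m)" stay intact."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = [dict(zip(header, re.split(r"\s{2,}", l.strip()))) for l in lines[1:]]
    return [r for r in rows if len(r) == len(header)]

def unsynced_proxies(text):
    """Return {proxy: {xds: state}} for proxies whose CDS/LDS/EDS/RDS is not SYNCED.
    NOT SENT is treated as fine: istiod sends nothing when the proxy needs nothing (e.g. RDS for a
    proxy with no HTTP listeners). STALE means istiod pushed an update the proxy has not acknowledged,
    so a policy change may not be in effect on that proxy yet."""
    out = {}
    for row in parse_proxy_status(text):
        bad = {x: row[x] for x in XDS if not (row[x].startswith("SYNCED") or row[x] == "NOT SENT")}
        if bad:
            out[row["NAME"]] = bad
    return out
```

Pipe real output in with `istioctl proxy-status | python3 check.py` style plumbing, or call `unsynced_proxies()` on the captured text.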

Listener (LDS)

istioctl proxy-config listener <pod-name>.<namespace> -n <namespace>

Istio personal reference notes (work in progress)

Checking whether mTLS is active

One way to confirm that mTLS is enabled toward a destination service:

./bin/istioctl proxy-config clusters msa-fe-dp-fbb8b56d8-mfmgc.msa-fe -n msa-fe -o json \
  | jq '.[] | select(.name == "outbound|80||msa-django-auth.msa-django-auth.svc.cluster.local")'
  
# istioctl proxy-config clusters <pod_name>.<namespace> -n <namespace> -o json \
#  | jq '.[] | select(.name | contains("msa-django-auth")) | .transportSocketMatches'

# ./bin/istioctl proxy-config clusters msa-fe-dp-fbb8b56d8-mfmgc.msa-fe -n msa-fe -o json
{
  "transportSocketMatches": [
    {
      "name": "tlsMode-istio",
      "match": {
        "tlsMode": "istio"
      },
      "transportSocket": { // TLS transport socket: confirms mTLS is applied
        "name": "envoy.transport_sockets.tls",
        "typedConfig": {
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
          "commonTlsContext": {
            "tlsParams": {
              "tlsMinimumProtocolVersion": "TLSv1_2",
              "tlsMaximumProtocolVersion": "TLSv1_3"
            },
            "tlsCertificateSdsSecretConfigs": [
              {
                "name": "default",
                "sdsConfig": {
                  "apiConfigSource": {
                    "apiType": "GRPC",
                    "transportApiVersion": "V3",
                    "grpcServices": [
                      {
                        "envoyGrpc": {
                          "clusterName": "sds-grpc"
                        }
                      }
                    ],
                    "setNodeOnFirstMessageOnly": true
                  },
                  "initialFetchTimeout": "0s",
                  "resourceApiVersion": "V3"
                }
              }
            ],
            "combinedValidationContext": {
              "defaultValidationContext": {
                "matchSubjectAltNames": [
                  {
                    "exact": "spiffe://cluster.local/ns/msa-django-auth/sa/default"
                  }
                ]
              },
              "validationContextSdsSecretConfig": {
                "name": "ROOTCA", // root CA used to validate the peer certificate
                "sdsConfig": {
                  "apiConfigSource": {
                    "apiType": "GRPC",
                    "transportApiVersion": "V3",
                    "grpcServices": [
                      {
                        "envoyGrpc": {
                          "clusterName": "sds-grpc"
                        }
                      }
                    ],
                    "setNodeOnFirstMessageOnly": true
                  },
                  "initialFetchTimeout": "0s",
                  "resourceApiVersion": "V3"
                }
              }
            },
            "alpnProtocols": [  // ALPN protocols negotiated with the peer
              "istio-peer-exchange",
              "istio"
            ]
          },
          "sni": "outbound_.80_._.msa-django-auth.msa-django-auth.svc.cluster.local"
        }
      }
    },
    {
      "name": "tlsMode-disabled",
      "match": {},
      "transportSocket": {
        "name": "envoy.transport_sockets.raw_buffer",
        "typedConfig": {
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"
        }
      }
    }
  ],
  "name": "outbound|80||msa-django-auth.msa-django-auth.svc.cluster.local",
  "altStatName": "outbound|80||msa-django-auth.msa-django-auth.svc.cluster.local;",
  "type": "EDS",
  "edsClusterConfig": {
    "edsConfig": {
      "ads": {},
      "initialFetchTimeout": "0s",
      "resourceApiVersion": "V3"
    },
    "serviceName": "outbound|80||msa-django-auth.msa-django-auth.svc.cluster.local"
  },
  "connectTimeout": "10s",
  "lbPolicy": "LEAST_REQUEST",
  "circuitBreakers": {
    "thresholds": [
      {
        "maxConnections": 4294967295,
        "maxPendingRequests": 4294967295,
        "maxRequests": 4294967295,
        "maxRetries": 4294967295,
        "trackRemaining": true
      }
    ]
  },
  "typedExtensionProtocolOptions": {
    "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
      "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
      "useDownstreamProtocolConfig": {
        "httpProtocolOptions": {},
        "http2ProtocolOptions": {}
      }
    }
  },
  "commonLbConfig": {
    "localityWeightedLbConfig": {}
  },
  "metadata": {
    "filterMetadata": {
      "istio": {
        "services": [
          {
            "host": "msa-django-auth.msa-django-auth.svc.cluster.local",
            "name": "msa-django-auth",
            "namespace": "msa-django-auth"
          }
        ]
      }
    }
  },
  "filters": [
    {
      "name": "istio.metadata_exchange",
      "typedConfig": {
        "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
        "typeUrl": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
        "value": {
          "enable_discovery": true,
          "protocol": "istio-peer-exchange"
        }
      }
    }
  ]
}
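An added example (not from the original notes or from Istio) that applies the check above programmatically to the `-o json` array: it classifies each cluster's transport socket and flags a weak TLS floor, a missing or wrong-namespace SPIFFE SAN, or a missing Istio ALPN entry. The first sample cluster is reduced from the output above; the `legacy` cluster is constructed.

```python
import json

TLS_SOCKET = "envoy.transport_sockets.tls"

# Constructed sample shaped like `istioctl proxy-config clusters <pod>.<ns> -o json`: the first
# cluster mirrors the page (TLS toward tlsMode=istio endpoints, raw_buffer fallback), the second has no TLS.
SAMPLE_CLUSTERS = json.loads(r'''[
 {"name": "outbound|80||msa-django-auth.msa-django-auth.svc.cluster.local",
  "transportSocketMatches": [
   {"name": "tlsMode-istio", "match": {"tlsMode": "istio"},
    "transportSocket": {"name": "envoy.transport_sockets.tls", "typedConfig": {
      "commonTlsContext": {
        "tlsParams": {"tlsMinimumProtocolVersion": "TLSv1_2"},
        "combinedValidationContext": {"defaultValidationContext": {"matchSubjectAltNames":
          [{"exact": "spiffe://cluster.local/ns/msa-django-auth/sa/default"}]}},
        "alpnProtocols": ["istio-peer-exchange", "istio"]}}}},
   {"name": "tlsMode-disabled", "match": {}, "transportSocket": {"name": "envoy.transport_sockets.raw_buffer"}}]},
 {"name": "outbound|9090||legacy.legacy.svc.cluster.local", "transportSocket": {"name": "envoy.transport_sockets.raw_buffer"}}
]''')

def mtls_status(cluster):
    """Return (mode, findings) for one outbound cluster.
    mode: "mtls" = only a TLS socket (e.g. DestinationRule ISTIO_MUTUAL); "auto" = TLS only toward
    endpoints labelled tlsMode=istio, plaintext for the rest; "plaintext" = no TLS socket at all.
    findings lists anything a reviewer should look at; empty means the TLS context looks sane."""
    # Per-endpoint transportSocketMatches take precedence over an unconditional transportSocket.
    sockets = [m.get("transportSocket", {}) for m in cluster.get("transportSocketMatches", [])]
    sockets = sockets or [cluster.get("transportSocket", {})]
    tls = [s for s in sockets if s.get("name") == TLS_SOCKET]
    if not tls:
        return "plaintext", ["no envoy.transport_sockets.tls socket configured"]
    mode = "auto" if len(tls) < len(sockets) else "mtls"
    ctx = tls[0].get("typedConfig", {}).get("commonTlsContext", {})
    findings = []
    min_ver = ctx.get("tlsParams", {}).get("tlsMinimumProtocolVersion", "")
    if min_ver not in ("TLSv1_2", "TLSv1_3"):
        findings.append(f"minimum TLS version is {min_ver or 'unset'}")
    sans = [m.get("exact", "") for m in ctx.get("combinedValidationContext", {})
            .get("defaultValidationContext", {}).get("matchSubjectAltNames", [])]
    # Cluster names look like outbound|<port>||<svc>.<namespace>.svc.cluster.local
    ns = cluster["name"].split("|")[-1].split(".")[1]
    if not sans:
        findings.append("no SPIFFE SAN pinned: any certificate from the mesh CA is accepted")
    for san in sans:
        if not san.startswith("spiffe://") or f"/ns/{ns}/" not in san:
            findings.append(f"SAN {san} does not belong to namespace {ns}")
    if "istio" not in ctx.get("alpnProtocols", []):
        findings.append("ALPN 'istio' missing: this is not an Istio mTLS context")
    return mode, findings
```

Run `mtls_status()` over every element of the array that `istioctl proxy-config clusters ... -o json` returns; any cluster reporting "plaintext" or a non-empty findings list is one to look at.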