0
istio: 隔离
source link: https://ieevee.com/tech/2022/06/27/08-isolation.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
namespace级别开关服务网格
kubectl label ns xxx istio-injection=enable --overwrite
关闭服务网格
kubectl label namespace default istio-injection-
全集群所有ns查看开启服务网格的namespace
kubectl get namespace -L istio-injection
Pod级别开关服务网格
可以通过在Pod的label上设置sidecar.istio.io/inject为true/false,在Pod级别进行控制是否开启服务网格。
template:
metadata:
labels:
app: nginx
sidecar.istio.io/inject: "false"
spec:
containers:
- image: nginx
从而针对性的对服务开启或关闭服务网格,即使这个namespace整体开启了服务网格。
kubectl get pods
NAME READY STATUS RESTARTS AGE
debian-77dc9c5f4f-q2hb2 2/2 Running 0 14h
nginx-58df487b65-4n2qc 1/1 Running 0 4m38s
exportTo
istio的策略(service entry, virtual service 等)支持namespace隔离。默认策略是全服务网格集群内可见,用户可以配置exportTo,从而限制其可见范围。
如下,将限制该service entry 仅 namespace istio-demo可见。
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: nginx
namespace: istio-demo
spec:
exportTo:
- .
hosts:
- nginx.example.com
location: MESH_INTERNAL
ports:
- name: http
number: 80
protocol: HTTP
resolution: STATIC
workloadSelector:
labels:
app: nginx
如果需要其他namespace可见,则需要在exportTo中增加对应的namespace。
https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK