每週閱讀（3/11/2019）

摘要： Hand-crafting a Sidecar Proxy like Istio 如何實現 sidecar 模式？文中用 golang 實現了一個示例： 用 sidecar 容器代理流量和轉發 用 init 容器修改 iptable 實現流量攔截 ...

Hand-crafting a Sidecar Proxy like Istio

如何實現 sidecar 模式？文中用 golang 實現了一個示例：

• 用 sidecar 容器代理流量和轉發
• 用 init 容器修改 iptable 實現流量攔截

Istio v1.10 sidecar 資源

1.10 有一個對於提高 pilot 和代理效能的新增資源配置 - Sidecar。

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- hosts:
- "istio-system/*"
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- "prod-us1/*"

Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the workload it is attached to. By default, Istio will program all sidecar proxies in the mesh with the necessary configuration required to reach every workload in the mesh, as well as accept traffic on all the ports associated with the workload. The Sidecar resource provides a way to fine tune the set of ports, protocols that the proxy will accept when forwarding traffic to and from the workload. In addition, it is possible to restrict the set of services that the proxy can reach when forwarding outbound traffic from the workload.

目前版本中，Sidecar 會包含整個網格內的服務資訊，在 1.1 中，新建了 Sidecar 資源，通過對這一 CRD 的配置，不但能夠限制 Sidecar 的相關服務的數量，從而降低資源佔用，提高傳播效率；還能方便的對 Sidecar 的代理行為做出更多的精細控制——例如對 Ingress 場景中的被代理端點的配置能力。