什么是fault filter
fault filter是envoy用来实现故障注入的一个http类型的filter,名称为 envoy.filters.http.fault ,type url为envoy.extensions.filters.http.fault.v3.HTTPFault.故障注入有两种类型,一种是注入延迟,还有一种是返回错误。
配置详解
{
"delay": "{...}", 注入延迟
"abort": "{...}", 注入错误
"upstream_cluster": "...",匹配上游cluster
"headers": [], 匹配请求头
"downstream_nodes": [],匹配下游node
"max_active_faults": "{...}",最大活跃错误
"response_rate_limit": "{...}",限流
"delay_percent_runtime": "...", 下面是运行时key
"abort_percent_runtime": "...",
"delay_duration_runtime": "...",
"abort_http_status_runtime": "...",
"max_active_faults_runtime": "...",
"response_rate_limit_percent_runtime": "...",
"abort_grpc_status_runtime": "...",
"disable_downstream_cluster_stats": "..."
}实战
abort
VirtualService实现
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
namespace: istio
spec:
gateways:
- bookinfo-gateway
hosts:
- '*'
http:
- fault:
abort:
httpStatus: 500
percentage:
value: 100
match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080envoyfilter实现
cat << EOF > ef-fault-abort.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
EOF
kubectl apply -f ef-fault-abort.yaml -n istio-system --context context-cluster1delay
VirtualService实现
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
namespace: istio
spec:
gateways:
- bookinfo-gateway
hosts:
- '*'
http:
- fault:
delay:
percentage:
value: 100.0
fixedDelay: 7s
match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080envoyfilter实现
cat << EOF > ef-fault-delay.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
delay:
fixedDelay: 7s
percentage:
denominator: MILLION
numerator: 1000000
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
delay:
fixedDelay: 7s
percentage:
denominator: MILLION
numerator: 1000000
EOF
kubectl apply -f ef-fault-delay.yaml -n istio-system --context context-cluster1headers
VirtualService没有实现方式
envoyfilter实现
abort
cat << EOF > ef-fault-abort-headers.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
headers:
- name: test
exact_match: test
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
headers:
- name: test
exact_match: test
EOF
kubectl apply -f ef-fault-abort-headers.yaml -n istio-system --context context-cluster1访问:curl http://192.168.229.134:32688/productpage -H "test:test"
delay
cat << EOF > ef-fault-delay-headers.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
delay:
fixedDelay: 7s
percentage:
denominator: MILLION
numerator: 1000000
headers:
- name: test
exact_match: test
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
delay:
fixedDelay: 7s
percentage:
denominator: MILLION
numerator: 1000000
headers:
- name: test
exact_match: test
EOF
kubectl apply -f ef-fault-delay-headers.yaml -n istio-system --context context-cluster1upstream_cluster
VirtualService没有实现方式
envoyfilter实现
abort
cat << EOF > ef-fault-abort-upstream-clusters.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
upstream_cluster: outbound|9080||productpage.istio.svc.cluster.local
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
upstream_cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF
kubectl apply -f ef-fault-abort-upstream-clusters.yaml -n istio-system --context context-cluster1delay
cat << EOF > ef-fault-delay-upstream-clusters.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
delay:
fixedDelay: 7s
percentage:
denominator: MILLION
numerator: 1000000
upstream_cluster: outbound|9080||productpage.istio.svc.cluster.local
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
delay:
fixedDelay: 7s
percentage:
denominator: MILLION
numerator: 1000000
upstream_cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF
kubectl apply -f ef-fault-delay-upstream-clusters.yaml -n istio-system --context context-cluster1downstream_nodes
VirtualService没有实现方式
envoyfilter实现
不知道downstream_nodes的值
abort
cat << EOF > ef-fault-abort-downstream_nodes.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
downstream_nodes:
- router~172.20.0.105~istio-ingressgateway-67b6dd64bc-7wwk7.istio-system~istio-system.svc.cluster.local
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 1000000
downstream_nodes:
- router~172.20.0.105~istio-ingressgateway-67b6dd64bc-7wwk7.istio-system~istio-system.svc.cluster.local
EOF
kubectl apply -f ef-fault-abort-downstream_nodes.yaml -n istio-system --context context-cluster1max_active_faults
abort
测试没效果
cat << EOF > ef-fault-abort-max_active_faults.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 100000
max_active_faults: 1
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 100000
max_active_faults: 1
EOF
kubectl apply -f ef-fault-abort-max_active_faults.yaml -n istio-system --context context-cluster1response_rate_limit
abort
cat << EOF > ef-fault-abort-response_rate_limit.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: fault
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
#name: 0.0.0.0_8080
portNumber: 8080
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: MERGE
value:
name: envoy.filters.network.http_connection_manager
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
codec_type: AUTO
stat_prefix: ingress_http
route_config:
name: http.8080
virtual_hosts:
- name: “*.80”
domains:
- "*"
routes:
- match:
path: "/productpage"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
response_rate_limit:
fixed_limit:
limit_kbps: 1
percentage:
denominator: MILLION
numerator: 1000000
- match:
prefix: "/static"
route:
cluster: outbound|9080||productpage.istio.svc.cluster.local
typed_per_filter_config:
envoy.filters.http.fault:
'@type': type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
abort:
httpStatus: 500
percentage:
denominator: MILLION
numerator: 10000
response_rate_limit:
fixed_limit:
limit_kbps: 1
percentage:
denominator: MILLION
numerator: 1000000
EOF
kubectl apply -f ef-fault-abort-response_rate_limit.yaml -n istio-system --context context-cluster1
WEB架构
安全监控体系
集群架构
