什么是连接池断路器
连接池指的是 HTTP 或 TCP 连接使用完毕后不销毁,而是把它放回池里,供下次请求复用,这样就可以提高效率。这里的连接池通过 DestinationRule 实现,分为 tcp 配置和 http 配置。断路器的概念来自电路中的保险丝:当电流过大时保险丝就熔断,起到防止电流过载的保护作用。Istio 中的断路器指的是当错误达到一定的值时就断开开关,直接返回错误;这时处于半开放状态,过一段时间后合上开关,如果继续出错,就再次断开开关、直接返回错误,并等待 baseEjectionTime 时间。
实战
connectionPool
tcp
dr实现
---
# DestinationRule: TCP connection-pool limits for traffic sent to productpage.
# The short host name is resolved relative to the namespace the rule is
# applied in, so apply it in the namespace that owns the service.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  trafficPolicy:
    connectionPool:
      tcp:
        # Upper bound on connections a client sidecar opens to this
        # destination; the cap keeps one caller from exhausting the
        # upstream's sockets.
        maxConnections: 100
        # TCP connect timeout.
        connectTimeout: 30ms
        tcpKeepalive:
          # Idle time before keepalive probes start.
          time: 7200s
          # Time between probes.
          interval: 75s
          # Unanswered probes before the connection is treated as dead.
          probes: 10
envoyfilter实现
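# Write an EnvoyFilter that swaps the istiod-generated outbound cluster for
# productpage:9080 with a hand-written one carrying the TCP pool limits.
# The delimiter is quoted so the shell never expands anything in the YAML.
cat << 'EOF' > ef-connectionPool-tcp.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  # Generic name: another EnvoyFilter called "match" applied to the same
  # namespace replaces this one.
  name: match
spec:
  # Only sidecars of pods labelled app=productpage are patched.
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    # Patch 1: drop the generated cluster.
    - applyTo: CLUSTER
      match:
        cluster:
          portNumber: 9080
          name: outbound|9080||productpage.istio.svc.cluster.local
      patch:
        operation: REMOVE
    # Patch 2: add the replacement. Everything below, including the TLS
    # settings, is now static text; NOTE(review): later DestinationRule or
    # mesh TLS changes are presumably not reflected here - confirm before
    # using this pattern outside a lab.
    - applyTo: CLUSTER
      patch:
        operation: ADD
        value:
          circuitBreakers:
            thresholds:
              - max_connections: 100
                # 4294967295 is the uint32 maximum, i.e. no effective limit.
                maxPendingRequests: 4294967295
                maxRequests: 4294967295
                maxRetries: 4294967295
                trackRemaining: true
          connect_timeout: "0.030s"
          edsClusterConfig:
            edsConfig:
              ads: {}
              initialFetchTimeout: 0s
              resourceApiVersion: V3
            serviceName: outbound|9080||productpage.istio.svc.cluster.local
          filters:
            - name: istio.metadata_exchange
              typedConfig:
                '@type': type.googleapis.com/udpa.type.v1.TypedStruct
                typeUrl: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
                value:
                  protocol: istio-peer-exchange
          metadata:
            filterMetadata:
              istio:
                default_original_port: 9080
                # A list, matching the outlierDetection listing on this page.
                services:
                  - host: productpage.istio.svc.cluster.local
                    name: productpage
                    namespace: istio
          # Must equal the name removed by patch 1; with a different
          # namespace in the name, routes that reference the removed cluster
          # would have nothing to send to.
          name: outbound|9080||productpage.istio.svc.cluster.local
          transportSocketMatches:
            # Endpoints labelled tlsMode=istio get mutual TLS; the workload
            # certificate and root CA are fetched over SDS.
            - match:
                tlsMode: istio
              name: tlsMode-istio
              transportSocket:
                name: envoy.transport_sockets.tls
                typedConfig:
                  '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
                  commonTlsContext:
                    alpnProtocols:
                      - istio-peer-exchange
                      - istio
                    combinedValidationContext:
                      # Pin the expected workload identity. With an empty
                      # validation context any certificate chained to ROOTCA
                      # is accepted as productpage. The value is the one the
                      # other listings on this page use; it must match the
                      # service account the productpage pods run as.
                      defaultValidationContext:
                        matchSubjectAltNames:
                          - exact: spiffe://cluster.local/ns/istio/sa/bookinfo-productpage
                      validationContextSdsSecretConfig:
                        name: ROOTCA
                        sdsConfig:
                          apiConfigSource:
                            apiType: GRPC
                            grpcServices:
                              - envoyGrpc:
                                  clusterName: sds-grpc
                            setNodeOnFirstMessageOnly: true
                            transportApiVersion: V3
                          initialFetchTimeout: 0s
                          resourceApiVersion: V3
                    tlsCertificateSdsSecretConfigs:
                      - name: default
                        sdsConfig:
                          apiConfigSource:
                            apiType: GRPC
                            grpcServices:
                              - envoyGrpc:
                                  clusterName: sds-grpc
                            setNodeOnFirstMessageOnly: true
                            transportApiVersion: V3
                          initialFetchTimeout: 0s
                          resourceApiVersion: V3
                  # SNI for this destination (port 9080, productpage), not
                  # the one of the kubernetes API service.
                  sni: outbound_.9080_._.productpage.istio.svc.cluster.local
            # Catch-all: every endpoint that did not match above is reached
            # in plaintext. Verify this fallback is intended where mutual
            # TLS is meant to be mandatory.
            - match: {}
              name: tlsMode-disabled
              transportSocket:
                name: envoy.transport_sockets.raw_buffer
          type: EDS
          upstreamConnectionOptions:
            tcp_keepalive:
              keepalive_probes: 10
              keepalive_time: 7200
              keepalive_interval: 75
EOF
# Apply to namespace istio in the cluster selected by the kube context.
kubectl apply -f ef-connectionPool-tcp.yaml -n istio --context context-cluster1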
http
dr实现
---
# DestinationRule: TCP and HTTP connection-pool limits for productpage.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage.istio.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        # Upper bound on connections to the destination.
        maxConnections: 115
        # TCP connect timeout.
        connectTimeout: 30ms
        tcpKeepalive:
          # Idle time before keepalive probes start.
          time: 7200s
          # Time between probes.
          interval: 75s
          # Unanswered probes before the connection is treated as dead.
          probes: 10
      http:
        # Requests served on one connection before it is closed.
        maxRequestsPerConnection: 115
        # Requests allowed to queue while waiting for a connection.
        http1MaxPendingRequests: 115
        # Retries allowed to be outstanding at the same time.
        maxRetries: 115
        # Concurrent requests allowed to the destination.
        http2MaxRequests: 115
        h2UpgradePolicy: DEFAULT
envoyfilter实现
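# Write an EnvoyFilter that swaps the istiod-generated outbound cluster for
# productpage:9080 with a hand-written one carrying the TCP and HTTP pool
# limits. The delimiter is quoted so the shell never expands anything in
# the YAML.
cat << 'EOF' > ef-connectionPool-http.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  # Generic name: another EnvoyFilter called "match" applied to the same
  # namespace replaces this one.
  name: match
spec:
  # Only sidecars of pods labelled app=productpage are patched.
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    # Patch 1: drop the generated cluster.
    - applyTo: CLUSTER
      match:
        cluster:
          portNumber: 9080
          name: outbound|9080||productpage.istio.svc.cluster.local
      patch:
        operation: REMOVE
    # Patch 2: add the replacement. Everything below, including the TLS
    # settings, is now static text; NOTE(review): later DestinationRule or
    # mesh TLS changes are presumably not reflected here - confirm before
    # using this pattern outside a lab.
    - applyTo: CLUSTER
      patch:
        operation: ADD
        value:
          circuitBreakers:
            thresholds:
              - maxConnections: 115
                maxPendingRequests: 115
                maxRequests: 115
                maxRetries: 115
                trackRemaining: true
          connectTimeout: 0.030s
          edsClusterConfig:
            edsConfig:
              ads: {}
              initialFetchTimeout: 0s
              resourceApiVersion: V3
            serviceName: outbound|9080||productpage.istio.svc.cluster.local
          filters:
            - name: istio.metadata_exchange
              typedConfig:
                '@type': type.googleapis.com/udpa.type.v1.TypedStruct
                typeUrl: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
                value:
                  protocol: istio-peer-exchange
          # Cluster-level field, a sibling of "filters".
          maxRequestsPerConnection: 115
          metadata:
            filterMetadata:
              istio:
                default_original_port: 9080
                # A list, matching the outlierDetection listing on this page.
                services:
                  - host: productpage.istio.svc.cluster.local
                    name: productpage
                    namespace: istio
          # Same name as the cluster removed by patch 1, so existing routes
          # keep resolving.
          name: outbound|9080||productpage.istio.svc.cluster.local
          transportSocketMatches:
            # Endpoints labelled tlsMode=istio get mutual TLS; the workload
            # certificate and root CA are fetched over SDS.
            - match:
                tlsMode: istio
              name: tlsMode-istio
              transportSocket:
                name: envoy.transport_sockets.tls
                typedConfig:
                  '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
                  commonTlsContext:
                    alpnProtocols:
                      - istio-peer-exchange
                      - istio
                    combinedValidationContext:
                      # Pins the upstream identity: only a certificate with
                      # this SPIFFE URI as subject alternative name is
                      # accepted. It must match the service account the
                      # productpage pods run as.
                      defaultValidationContext:
                        matchSubjectAltNames:
                          - exact: spiffe://cluster.local/ns/istio/sa/bookinfo-productpage
                      validationContextSdsSecretConfig:
                        name: ROOTCA
                        sdsConfig:
                          apiConfigSource:
                            apiType: GRPC
                            grpcServices:
                              - envoyGrpc:
                                  clusterName: sds-grpc
                            setNodeOnFirstMessageOnly: true
                            transportApiVersion: V3
                          initialFetchTimeout: 0s
                          resourceApiVersion: V3
                    tlsCertificateSdsSecretConfigs:
                      - name: default
                        sdsConfig:
                          apiConfigSource:
                            apiType: GRPC
                            grpcServices:
                              - envoyGrpc:
                                  clusterName: sds-grpc
                            setNodeOnFirstMessageOnly: true
                            transportApiVersion: V3
                          initialFetchTimeout: 0s
                          resourceApiVersion: V3
                  # SNI for this destination (port 9080, productpage), not
                  # the one of the kubernetes API service.
                  sni: outbound_.9080_._.productpage.istio.svc.cluster.local
            # Catch-all: every endpoint that did not match above is reached
            # in plaintext. Verify this fallback is intended where mutual
            # TLS is meant to be mandatory.
            - match: {}
              name: tlsMode-disabled
              transportSocket:
                name: envoy.transport_sockets.raw_buffer
          type: EDS
          upstreamConnectionOptions:
            tcpKeepalive:
              keepaliveInterval: 75
              keepaliveProbes: 10
              keepaliveTime: 7200
EOF
# Apply to namespace istio in the cluster selected by the kube context.
kubectl apply -f ef-connectionPool-http.yaml -n istio --context context-cluster1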
outlierDetection
dr实现
---
# DestinationRule: a deliberately tiny connection pool plus outlier
# detection, so the circuit breaker trips easily in a demo.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage.istio.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        # A single connection; further connections overflow the pool.
        maxConnections: 1
        connectTimeout: 30ms
      http:
        maxRequestsPerConnection: 1
        http1MaxPendingRequests: 1
    outlierDetection:
      # One 5xx response is enough to eject a host.
      consecutive5xxErrors: 1
      # How often hosts are analysed for ejection.
      interval: 5s
      # Base duration a host stays ejected.
      baseEjectionTime: 5s
      # All hosts may be ejected at once. Demo values: in production this
      # combination lets a short burst of errors take the whole service
      # out of rotation.
      maxEjectionPercent: 100
envoyfilter实现
# Write an EnvoyFilter that swaps the istiod-generated outbound cluster for
# productpage:9080 with a hand-written one carrying the pool limits and the
# outlier-detection settings, then apply it.
cat << EOF > ef-outlierDetection.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  # Generic name: another EnvoyFilter called "match" applied to the same
  # namespace replaces this one.
  name: match
spec:
  # Only sidecars of pods labelled app=productpage are patched.
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    # Patch 1: drop the generated cluster.
    - applyTo: CLUSTER
      match:
        cluster:
          portNumber: 9080
          name: outbound|9080||productpage.istio.svc.cluster.local
      patch:
        operation: REMOVE
    # Patch 2: add the replacement. Everything below, including the TLS
    # settings, is now static text; NOTE(review): later DestinationRule or
    # mesh TLS changes are presumably not reflected here - confirm before
    # using this pattern outside a lab.
    - applyTo: CLUSTER
      patch:
        operation: ADD
        value:
          circuitBreakers:
            thresholds:
              - maxConnections: 1
                maxPendingRequests: 1
                # 4294967295 is the uint32 maximum, i.e. no effective limit.
                maxRequests: 4294967295
                maxRetries: 4294967295
                trackRemaining: true
          commonLbConfig:
            # Empty percent message; NOTE(review): this presumably means a
            # panic threshold of 0, so traffic is not spread over ejected
            # hosts when all of them are unhealthy - confirm.
            healthyPanicThreshold: {}
          connectTimeout: 0.030s
          edsClusterConfig:
            edsConfig:
              ads: {}
              initialFetchTimeout: 0s
              resourceApiVersion: V3
            serviceName: outbound|9080||productpage.istio.svc.cluster.local
          filters:
            - name: istio.metadata_exchange
              typedConfig:
                '@type': type.googleapis.com/udpa.type.v1.TypedStruct
                typeUrl: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
                value:
                  protocol: istio-peer-exchange
          # Cluster-level field, a sibling of "filters".
          maxRequestsPerConnection: 1
          metadata:
            filterMetadata:
              istio:
                config: /apis/networking.istio.io/v1alpha3/namespaces/istio/destination-rule/productpage
                default_original_port: 9080
                services:
                  - host: productpage.istio.svc.cluster.local
                    name: productpage
                    namespace: istio
          # Same name as the cluster removed by patch 1, so existing routes
          # keep resolving.
          name: outbound|9080||productpage.istio.svc.cluster.local
          outlierDetection:
            # Base duration a host stays ejected.
            baseEjectionTime: 5s
            # One 5xx response is enough to eject a host.
            consecutive5xx: 1
            # Percent chance that a detected host is really ejected.
            enforcingConsecutive5xx: 100
            # Success-rate based ejection is switched off.
            enforcingSuccessRate: 0
            # How often hosts are analysed for ejection.
            interval: 5s
            # All hosts may be ejected at once. Demo values: in production
            # this combination lets a short burst of errors take the whole
            # service out of rotation.
            maxEjectionPercent: 100
          transportSocketMatches:
            # Endpoints labelled tlsMode=istio get mutual TLS; the workload
            # certificate and root CA are fetched over SDS.
            - match:
                tlsMode: istio
              name: tlsMode-istio
              transportSocket:
                name: envoy.transport_sockets.tls
                typedConfig:
                  '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
                  commonTlsContext:
                    alpnProtocols:
                      - istio-peer-exchange
                      - istio
                    combinedValidationContext:
                      # Pins the upstream identity: only a certificate with
                      # this SPIFFE URI as subject alternative name is
                      # accepted. It must match the service account the
                      # productpage pods run as.
                      defaultValidationContext:
                        matchSubjectAltNames:
                          - exact: spiffe://cluster.local/ns/istio/sa/bookinfo-productpage
                      validationContextSdsSecretConfig:
                        name: ROOTCA
                        sdsConfig:
                          apiConfigSource:
                            apiType: GRPC
                            grpcServices:
                              - envoyGrpc:
                                  clusterName: sds-grpc
                            setNodeOnFirstMessageOnly: true
                            transportApiVersion: V3
                          initialFetchTimeout: 0s
                          resourceApiVersion: V3
                    tlsCertificateSdsSecretConfigs:
                      - name: default
                        sdsConfig:
                          apiConfigSource:
                            apiType: GRPC
                            grpcServices:
                              - envoyGrpc:
                                  clusterName: sds-grpc
                            setNodeOnFirstMessageOnly: true
                            transportApiVersion: V3
                          initialFetchTimeout: 0s
                          resourceApiVersion: V3
                  sni: outbound_.9080_._.productpage.istio.svc.cluster.local
            # Catch-all: every endpoint that did not match above is reached
            # in plaintext. Verify this fallback is intended where mutual
            # TLS is meant to be mandatory.
            - match: {}
              name: tlsMode-disabled
              transportSocket:
                name: envoy.transport_sockets.raw_buffer
          type: EDS
EOF
# Apply to namespace istio in the cluster selected by the kube context.
kubectl apply -f ef-outlierDetection.yaml -n istio --context context-cluster1