$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: false
$ istioctl manifest apply --set values.global.disablePolicyChecks=false
- Applying manifest for component Base...
✔ Finished applying manifest for component Base.
- Applying manifest for component Citadel...
- Applying manifest for component Prometheus...
- Applying manifest for component IngressGateway...
- Applying manifest for component Galley...
- Applying manifest for component Policy...
- Applying manifest for component Pilot...
- Applying manifest for component Telemetry...
- Applying manifest for component Injector...
- Pruning objects for disabled component Grafana...
- Pruning objects for disabled component Kiali...
- Pruning objects for disabled component Tracing...
- Pruning objects for disabled component EgressGateway...
✔ Finished pruning objects for disabled component Kiali.
✔ Finished pruning objects for disabled component EgressGateway.
✔ Finished pruning objects for disabled component Grafana.
✔ Finished applying manifest for component Prometheus.
✔ Finished applying manifest for component Citadel.
✔ Finished applying manifest for component IngressGateway.
✔ Finished pruning objects for disabled component Tracing.
✔ Finished applying manifest for component Galley.
✔ Finished applying manifest for component Policy.
✔ Finished applying manifest for component Injector.
✔ Finished applying manifest for component Pilot.
✔ Finished applying manifest for component Telemetry.
---
# listchecker handler (legacy kind form): a static allow-list of version labels
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: staticversion
  namespace: default
spec:
  # overrides provide a static list; blacklist: false means only these entries pass
  overrides:
    - v1
    - v2
  blacklist: false
---
# metric instance (legacy kind form): request duration plus its reporting dimensions
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  name: requestduration
  namespace: default
spec:
  # Mixer expressions; `| default` supplies the value when the attribute is absent
  value: 'response.duration | "0ms"'
  dimensions:
    destination_version: 'destination.labels["version"] | "unknown"'
    destination_service: 'destination.service | "unknown"'
    destination_service_name: 'destination.service.name | "unknown"'
    response_code: 'response.code | 200'
  # inner quotes make this a string literal in the expression language
  monitored_resource_type: '"UNSPECIFIED"'
---
# rule: report requestduration to the prometheus handler for one destination service only
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: promhttp
  namespace: default
spec:
  match: 'destination.service == "service1.ns.svc.cluster.local"'
  actions:
    # NOTE(review): partially qualified (<name>.<kind>); Mixer completes it with this
    # rule's namespace (default) - confirm a prometheus handler named "handler" exists there
    - handler: handler.prometheus
      instances:
        - requestduration.metric.default   # <name>.<kind>.<namespace> of the instance above
当Envoy调用Mixer时
# installs the sample memquota rate-limit policy for Bookinfo (its resources are listed below)
kubectl apply -f samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
---
# memquota handler: quota counters kept in Mixer memory, with a default limit and
# per-destination overrides. Counters are local to each Mixer replica and reset on restart.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: quotahandler
  namespace: default
spec:
  compiledAdapter: memquota
  params:
    quotas:
      - name: requestcountquota.instance.default   # fully-qualified instance name
        # default: 500 requests per second for any dimension set not overridden below
        maxAmount: 500
        validDuration: 1s
        # memquota applies the first override whose dimensions match; dimension keys
        # must be names the quota instance defines
        overrides:
          - dimensions:
              destination: reviews
            maxAmount: 1
            validDuration: 5s
          - dimensions:
              destination: productpage
            maxAmount: 2
            validDuration: 5s
---
# quota instance: the dimension values each request is counted under
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: requestcountquota
  namespace: default
spec:
  compiledTemplate: quota
  params:
    dimensions:
      # keyed on a client-supplied header: the count is per *claimed* address unless
      # the ingress overwrites x-forwarded-for - verify that before relying on it
      source: 'request.headers["x-forwarded-for"] | "unknown"'
      destination: 'destination.labels["app"] | destination.service.name | "unknown"'
      destinationVersion: 'destination.labels["version"] | "unknown"'
---
# rule without a match clause: every request checked by Mixer charges the quota
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: default
spec:
  actions:
    - handler: quotahandler
      instances:
        - requestcountquota
---
# QuotaSpec: how much each request charges against the quota instance
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpec
metadata:
  name: request-count
  namespace: default
spec:
  rules:
    - quotas:
        - charge: 1
          quota: requestcountquota
---
# QuotaSpecBinding: attaches the request-count spec to the productpage service only
apiVersion: config.istio.io/v1alpha2
kind: QuotaSpecBinding
metadata:
  name: request-count
  namespace: default
spec:
  quotaSpecs:
    - name: request-count
      namespace: default
  services:
    - name: productpage
      namespace: default
在浏览器中请求Bookinfo应用来进行测试。前面对productpage的设置是每5s允许2个请求。如果不断地快速刷新页面，就会看到页面出现429的错误信息“RESOURCE_EXHAUSTED:Quota is exhausted for: requestcountquota”，这说明限流生效了。
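# update the quota rule so that requests carrying a user=... cookie are no longer counted.
# kubectl edit is interactive (it opens $EDITOR on the live object), so the heredoc body
# would not be what gets written; apply replaces the rule non-interactively.
/usr/local/bin/kubectl -n default apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: quota
  namespace: default
spec:
  # the cookie is client-supplied, so the exemption holds only as far as callers set it honestly
  match: 'match(request.headers["cookie"], "user=*") == false'
  actions:
    - handler: quotahandler
      instances:
        - requestcountquota
EOF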
# removes the memquota handler, instance, rule, QuotaSpec and QuotaSpecBinding installed above
kubectl delete -f samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
---
# VirtualService: route user "jason" (by the end-user header) to reviews v2, everyone else to v3
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
    - reviews
  http:
    # end-user is an ordinary request header; this assumes the calling service sets it
    # after authenticating the user rather than passing the client's own value through
    - match:
        - headers:
            end-user:
              exact: jason
      route:
        - destination:
            host: reviews
            subset: v2
    - route:
        - destination:
            host: reviews
            subset: v3
$ kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
virtualservice.networking.istio.io/productpage created
virtualservice.networking.istio.io/reviews created
virtualservice.networking.istio.io/ratings created
virtualservice.networking.istio.io/details created
$ kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
virtualservice.networking.istio.io/reviews configured
# denier handler: every check routed here is rejected with the status below
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: denierhandler
  namespace: default
spec:
  compiledAdapter: denier
  params:
    status:
      code: 7   # google.rpc.Code PERMISSION_DENIED; HTTP callers see 403
      message: 'Not allowed'
EOF
# checknothing instance: carries no data; it exists so a rule has something to hand the denier
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: denyrequest
  namespace: default
spec:
  compiledTemplate: checknothing
EOF
# rule: deny calls whose caller (source labels) is the reviews v3 workload
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: denyreviewsv3
  namespace: default
spec:
  match: 'source.labels["app"]=="reviews" && source.labels["version"]=="v3"'
  actions:
    - handler: denierhandler
      instances:
        - denyrequest
EOF
# listchecker handler: allow-list of version labels. No metadata.namespace, so it is created
# in the current kubeconfig namespace; the checkversion rule names it unqualified and must land there too.
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist
spec:
  compiledAdapter: listchecker
  params:
    overrides:   # overrides provide a static list
      - v1
      - v2
    blacklist: false   # false: only the listed values pass the check
EOF
# listentry instance: the value checked against the list is the caller's version label
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appversion
spec:
  compiledTemplate: listentry
  params:
    # NOTE(review): no `| "unknown"` fallback, unlike the other instances on this page;
    # confirm how a caller without a version label is treated
    value: 'source.labels["version"]'
EOF
# rule: for calls into ratings, check the caller's version against the whitelist handler
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkversion
spec:
  match: 'destination.labels["app"] == "ratings"'
  actions:
    - handler: whitelist
      instances:
        - appversion
EOF
# metric instance that adds 2 per request, with reporter/source/destination/message dimensions
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: doublerequestcount
  namespace: default
spec:
  compiledTemplate: metric
  params:
    value: '2'   # count each request twice
    dimensions:
      # distinguishes the client-side and server-side report of the same request
      reporter: 'conditional((context.reporter.kind | "inbound") == "outbound", "client", "server")'
      source: 'source.workload.name | "unknown"'
      destination: 'destination.workload.name | "unknown"'
      message: '"twice the fun!"'   # inner quotes: string literal in the expression language
    monitored_resource_type: '"UNSPECIFIED"'
EOF
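# prometheus handler (legacy kind form) exporting doublerequestcount as a counter
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: prometheus
metadata:
  name: doublehandler
  namespace: default
spec:
  metrics:
    - name: double_request_count   # Prometheus metric name
      # Mixer instance name, fully-qualified as <name>.<kind>.<namespace>. The instance
      # is created in namespace default, so ".istio-system" would name an instance that
      # does not exist and the metric would never be populated.
      instance_name: doublerequestcount.instance.default
      kind: COUNTER
      label_names:
        - reporter
        - source
        - destination
        - message
EOF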
# rule without a match clause: feed doublerequestcount to the doublehandler on every request
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: doubleprom
  namespace: default
spec:
  actions:
    - handler: doublehandler.prometheus   # <name>.<kind>, completed with this rule's namespace
      instances:
        - doublerequestcount
EOF
# logentry instance: one log record per request carrying the variables below
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: newlog
  namespace: default
spec:
  compiledTemplate: logentry
  params:
    severity: '"warning"'   # inner quotes: string literal, looked up in the handler's severity_levels
    timestamp: request.time
    variables:
      source: 'source.labels["app"] | source.workload.name | "unknown"'
      user: 'source.user | "unknown"'   # peer identity from mTLS; "unknown" without it
      destination: 'destination.labels["app"] | destination.workload.name | "unknown"'
      responseCode: 'response.code | 0'
      responseSize: 'response.size | 0'
      latency: 'response.duration | "0ms"'
    monitored_resource_type: '"UNSPECIFIED"'
EOF
# stdio handler: writes each log entry to Mixer's stdout as a JSON line
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: newloghandler
  namespace: default
spec:
  compiledAdapter: stdio
  params:
    severity_levels:
      warning: 1   # Params.Level.WARNING
    outputAsJson: true
EOF
# rule: send newlog to the stdio handler for all requests
/usr/local/bin/kubectl apply -f - <<'EOF'
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: newlogstdio
  namespace: default
spec:
  match: 'true'   # match for all requests (quoted so YAML keeps it a string expression)
  actions:
    - handler: newloghandler
      instances:
        - newlog
EOF
# forward the Prometheus UI to localhost:9090; blocks the terminal until interrupted
/usr/local/bin/kubectl -n istio-system port-forward $(/usr/local/bin/kubectl -n istio-system get pod -l app=prometheus -o jsonpath='{.items[0].metadata.name}') 9090:9090
# look for the newlog entries in the Mixer telemetry container's stdout
# NOTE(review): "-l istio-mixer-type-telemetry" selects pods that merely *have* a label with that key;
# Mixer pods carry istio-mixer-type=telemetry in istio-system, so "-n istio-system -l istio-mixer-type=telemetry"
# is likely what was meant - confirm against the cluster's labels
kubectl logs -l istio-mixer-type-telemetry -c mixer | grep newlog.logentry.default