Blog

docker desktop

查看 istio 版本

istioctl version --remote
client version: 1.5.1
control plane version: 1.4.0
data plane version: 1.4.0 (114 proxies)

bin/istioctl manifest versions
Operator version is 1.4.5.

The following installation package versions are recommended for use with this version of the operator:
  1.4.3

The following installation package versions are supported for upgrade by this version of the operator:
  >=1.3.3
   <1.6

proxy 状态

istioctl proxy-status

查看 istio-proxy 的配置

kubectl -n istio-system exec istio-ingressgateway-7f648d44cf-dkdkp -c istio-proxy -- curl -s 127.0.0.1:15000/help
admin commands are:
  /: Admin home page
  /certs: print certs on machine
  /clusters: upstream cluster status
  /config_dump: dump current Envoy configs (experimental)
  /contention: dump current Envoy mutex contention stats (if enabled)
  /cpuprofiler: enable/disable the CPU profiler
  /drain_listeners: drain listeners
  /healthcheck/fail: cause the server to fail health checks
  /healthcheck/ok: cause the server to pass health checks
  /heapprofiler: enable/disable the heap profiler
  /help: print out list of admin commands
  /hot_restart_version: print the hot restart compatibility version
  /listeners: print listener info
  /logging: query/change logging levels
  /memory: print current allocation/heap usage
  /quitquitquit: exit the server
  /ready: print server state, return 200 if LIVE, otherwise return 503
  /reset_counters: reset all counters to zero
  /runtime: print runtime values
  /runtime_modify: modify runtime values
  /server_info: print server version/status information
  /stats: print server stats
  /stats/prometheus: print server stats in prometheus format
  /stats/recentlookups: Show recent stat-name lookups
  /stats/recentlookups/clear: clear list of stat-name lookups and counter
  /stats/recentlookups/disable: disable recording of reset stat-name lookup names
  /stats/recentlookups/enable: enable recording of reset stat-name lookup names

查看 dashboard

istioctl dashboard --help
Access to Istio web UIs

Usage:
  istioctl dashboard [flags]
  istioctl dashboard [command]

Aliases:
  dashboard, dash, d

Available Commands:
  controlz    Open ControlZ web UI
  envoy       Open Envoy admin web UI
  grafana     Open Grafana web UI
  jaeger      Open Jaeger web UI
  kiali       Open Kiali web UI
  prometheus  Open Prometheus web UI
  zipkin      Open Zipkin web UI

Flags:
  -h, --help   help for dashboard

Global Flags:
      --context string            The name of the kubeconfig context to use
  -i, --istioNamespace string     Istio system namespace (default "istio-system")
  -c, --kubeconfig string         Kubernetes configuration file
      --log_output_level string   Comma-separated minimum per-scope logging level of messages to output, in the form of :,:,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default "default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn")
  -n, --namespace string          Config namespace

Use "istioctl dashboard [command] --help" for more information about a command.

查看 proxy config, 缩写 pc, 查看指定 pod 的istio-proxy的保存的某服务的endpoint

istioctl proxy-config endpoint servicefoo.app | grep servicebar

查看 authn

istioctl authn tls-check istio-ingressgateway-7f837d44cf-f6vdm.istio-system

更改日志级别为 debug

 curl -X POST http://localhost:15000/logging?level=debug

curl http://localhost:15000/server_info
{
 "version": "07581234567ae48193a43ff6d86572968ae00e7/1.12.0/Clean/RELEASE/BoringSSL",
 "state": "LIVE",
 "hot_restart_version": "11.104",
 "command_line_options": {
  "base_id": "0",
  "concurrency": 8,
  "config_path": "/etc/istio/proxy/envoy-rev1.json",
  "config_yaml": "",
  "allow_unknown_static_fields": false,
  "reject_unknown_dynamic_fields": false,
  "admin_address_path": "",
  "local_address_ip_version": "v4",
  "log_level": "warning",
  "component_log_level": "misc:error",
  "log_format": "[Envoy (Epoch 1)] [%Y-%m-%d %T.%e][%t][%l][%n] %v",
  "log_path": "",
  "service_cluster": "istio-ingressgateway",
  "service_node": "router~10.74.24.9~istio-ingressgateway-7f123456cf-9qrvk.istio-system~istio-system.svc.cluster.local",
  "service_zone": "",
  "mode": "Serve",
  "max_stats": "0",
  "max_obj_name_len": "0",
  "disable_hot_restart": false,
  "enable_mutex_tracing": false,
  "restart_epoch": 1,
  "cpuset_threads": false,
  "file_flush_interval": "10s",
  "drain_time": "45s",
  "parent_shutdown_time": "60s"
 },
 "uptime_current_epoch": "275710s",
 "uptime_all_epochs": "815942s"
}

PodDisruptionBudget 策略

kubectl get PodDisruptionBudget -n istio-system                                                                                                    [git:master] ✖  
NAME                           MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
ingressgateway                 1               N/A               1                     208d
istio-citadel                  1               N/A               0                     208d
istio-egressgateway            1               N/A               1                     208d
istio-galley                   1               N/A               0                     208d
istio-ingressgateway           1               N/A               1                     208d
istio-metrics-ingressgateway   1               N/A               1                     208d
istio-pilot                    1               N/A               1                     208d
istio-policy                   1               N/A               1                     208d
istio-sidecar-injector         1               N/A               0                     208d
istio-telemetry                1               N/A               1                     208d

istio 证书过期时间

root-cert.pem 十年
ca-cert.pem 两年