Istio版本:
Version: 1.0.2
GitRevision: d639408fded355fb906ef2a1f9e8ffddc24c3d64
User: root@66ce69d4a51e
Hub: gcr.io/istio-release
GolangVersion: go1.10.1
BuildStatus: Clean
K8s版本
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.10", GitCommit:"098570796b32895c38a9a1c9286425fb1ececa18", GitTreeState:"clean", BuildDate:"2018-08-02T17:19:54Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
使用Helm安装Istio
helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set tracing.enabled=true --set global.proxy.includeIPRanges="10.254.0.0/16" -x templates/sidecar-injector-configmap.yaml >$HOME/istio.yaml
当我在centos图像的窗格中访问https://stackoverflow.com时:
curl https://stackoverflow.com -I
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 258289
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Request-Guid: 93bac713-6385-41c8-b1ba-93f22758de5f
Strict-Transport-Security: max-age=15552000
Content-Security-Policy: upgrade-insecure-requests
Accept-Ranges: bytes
Date: Fri, 28 Sep 2018 02:08:28 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-tyo19933-TYO
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1538100508.235966,VS0,VE165
Vary: Fastly-SSL
X-DNS-Prefetch-Control: off
Set-Cookie: prov=94ae786f-49c4-44fc-a2dc-c6d45e06be7b; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
当我在https://stackoverflow.com中进入高山图片窗格时
curl https://stackoverflow.com -I
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to stackoverflow.com:443
如果不是https:
curl http://stackoverflow.com -I
HTTP/1.1 404 Not Found
date: Fri, 28 Sep 2018 02:11:16 GMT
server: envoy
transfer-encoding: chunked
为什么global.proxy.includeIPRanges在高山地区不起作用?
istio-proxy登录高山:
[2018-09-28T02:11:16.651Z] "HEAD / HTTP/1.1" 404 NR 0 0 0 - "-" "curl/7.59.0" "2c0c21aa-7bac-9011-a757-99e73d31c839" "stackoverflow.com" "-"
istio-proxy登录centos:
该日志为空,因为global.proxy.includeIPRanges,所以Istio辅助工具将仅拦截和管理集群中的内部请求。