
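What is DNS, what is DNS, and what does it do (Service)

02-22 Internet Unknown Submission

Regarding [What is DNS]: what DNS is and what it does. Today editor Xiang Qian shares this with you; if you find it helpful, don't forget to follow this site.

1. How do you actually use the much-talked-about Cilium Service Mesh? - A hands-on walkthrough

Cilium is open-source software, built on eBPF, that provides secure and observable network connectivity between container workloads.

If you are not yet familiar with Cilium, see my two earlier articles:

  • K8S Ecosystem Weekly | Google chooses Cilium as the next-generation data plane for GKE
  • Cilium hands-on

Cilium v1.11.0 was released recently, adding OpenTelemetry support and several other enhancements. The plan for Cilium Service Mesh was announced at the same time. Cilium Service Mesh is currently in the testing phase and is expected to be merged into Cilium v1.12 in 2022.

Cilium Service Mesh also brings a completely new model.

Compared with conventional solutions such as Istio and Linkerd, the most notable feature of the Service Mesh that Cilium implements directly with eBPF is that it replaces the sidecar proxy model with a kernel model, as shown in the figure below: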

[Figure: sidecar proxy model vs. kernel model]

There is no longer any need to place a sidecar next to every application; support is provided directly on each node.


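I learned of this news several months ago and took part in some discussions. Recently, with isovalent's article How eBPF will solve Service Mesh - Goodbye Sidecars, Cilium Service Mesh has become a focus of attention.

In this article I take you through Cilium Service Mesh hands-on.

Installation and deployment

I use KIND as the test environment here; my kernel version is 5.15.8.

Preparing the KIND cluster

I won't repeat how to install the KIND command-line tool here; if you are interested, see my earlier article "Building your own local Kubernetes test environment with KIND".

This is the configuration file I used to create the cluster: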

apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
  disableDefaultCNI: true

Create the cluster:

➜ cilium-mesh kind create cluster --config kind-config.yaml
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.22.4)
 ✓ Preparing nodes
 ✓ Writing configuration
 ✓ Starting control-plane
 ✓ Installing StorageClass
 ✓ Joining worker nodes
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Not sure what to do next? Check out https://kind.sigs.k8s.io/docs/user/quick-start/

Installing the Cilium CLI

Here we use the Cilium CLI tool to deploy Cilium.

➜ cilium-mesh curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz\{,.sha256sum\}
[1/2]: https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz --> cilium-linux-amd64.tar.gz
--_curl_--https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   154  100   154    0     0    243      0 --:--:-- --:--:-- --:--:--   242
100   664  100   664    0     0    579      0  0:00:01  0:00:01 --:--:--   579
100 14.6M  100 14.6M    0     0  2928k      0  0:00:05  0:00:05 --:--:-- 3910k
[2/2]: https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz.sha256sum --> cilium-linux-amd64.tar.gz.sha256sum
--_curl_--https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz.sha256sum
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   164  100   164    0     0    419      0 --:--:-- --:--:-- --:--:--   418
100   674  100   674    0     0    861      0 --:--:-- --:--:-- --:--:--   861
100    92  100    92    0     0     67      0  0:00:01  0:00:01 --:--:--     0
➜ cilium-mesh ls
cilium-linux-amd64.tar.gz  cilium-linux-amd64.tar.gz.sha256sum  kind-config.yaml
➜ cilium-mesh tar -zxvf cilium-linux-amd64.tar.gz
cilium
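The session above downloads cilium-linux-amd64.tar.gz.sha256sum alongside the tarball but never checks it before unpacking. The following is an added example, not part of the original post: a shell function that compares the tarball's SHA-256 digest with that file and extracts only on a match. The function names and the locally built stand-in archive are assumptions made so that it runs offline.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against its .sha256sum file
# before unpacking it. Function names are illustrative, not from the post.

# verify_and_extract TARBALL DESTDIR
#   0 = digest matched and the archive was extracted into DESTDIR
#   1 = digest mismatch (nothing is extracted)
#   2 = missing file or malformed checksum file
verify_and_extract() {
    tarball=$1
    dest=$2
    sumfile="$tarball.sha256sum"

    if [ ! -f "$tarball" ] || [ ! -f "$sumfile" ]; then
        echo "missing $tarball or $sumfile" >&2
        return 2
    fi

    # The checksum file has the form "<64 hex chars>  <file name>".
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# make_fixture DIR: build a constructed tarball and a matching checksum file
# (stand-ins for the real download) so the check can be exercised offline.
make_fixture() {
    dir=$1
    mkdir -p "$dir/src"
    printf '#!/bin/sh\necho cilium-cli stand-in\n' > "$dir/src/cilium"
    tar -czf "$dir/cilium-linux-amd64.tar.gz" -C "$dir/src" cilium
    (cd "$dir" && sha256sum cilium-linux-amd64.tar.gz > cilium-linux-amd64.tar.gz.sha256sum)
}

# Demo on constructed files: an intact archive, then a tampered copy.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_and_extract "$demo_dir/cilium-linux-amd64.tar.gz" "$demo_dir/bin" \
    && echo "intact archive: extracted"
printf 'x' >> "$demo_dir/cilium-linux-amd64.tar.gz"
verify_and_extract "$demo_dir/cilium-linux-amd64.tar.gz" "$demo_dir/bin2" \
    || echo "tampered archive: rejected (rc=$?)"
rm -rf "$demo_dir"
```

A checksum served from the same host as the tarball detects a corrupted or truncated download; it does not authenticate the publisher.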

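Loading images

Deploying Cilium requires several images, which we can download in advance and load into the KIND nodes. If your network connection is good, you can skip this step.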

➜ cilium-mesh ciliumMeshImage=("quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1" "quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1" "quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1")
➜ cilium-mesh for i in ${ciliumMeshImage[@]}
do
    docker pull $i
    kind load docker-image $i
done

Deploying Cilium

Next we complete the deployment directly with the Cilium CLI. Pay attention to the parameters here.

➜ cilium-mesh cilium install --version -service-mesh:v1.11.0-beta.1 --config enable-envoy-config=true --kube-proxy-replacement=probe --agent-image='quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1' --operator-image='quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1' --datapath-mode=vxlan
Auto-detected Kubernetes kind: kind
:sparkles: Running "kind" validation checks
:white_check_mark: Detected kind version "0.12.0"
:information_source: using Cilium version "-service-mesh:v1.11.0-beta.1"
Auto-detected cluster name: kind-kind
Auto-detected IPAM mode: kubernetes
Custom datapath mode: vxlan
Found CA in secret cilium-ca
Generating certificates for Hubble...
Creating Service accounts...
Creating Cluster roles...
Creating ConfigMap for Cilium version 1.11.0...
:information_source: Manual overwrite in ConfigMap: enable-envoy-config=true
Creating Agent DaemonSet...
Creating Operator Deployment...
:hourglass: Waiting for Cilium to be installed and ready...
:white_check_mark: Cilium was successfully installed! Run 'cilium status' to view installation health

Checking status

After a successful installation, the cilium status command shows the current state of the Cilium deployment.

➜ cilium-mesh cilium status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         disabled
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/
Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
DaemonSet         cilium             Desired: 4, Ready: 4/4, Available: 4/4
Containers:       cilium             Running: 4
                  cilium-operator    Running: 1
Cluster Pods:     3/3 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1: 4
                  cilium-operator    quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1: 1

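Enabling Hubble

Hubble's main purpose is to provide observability. Before enabling it, one more image needs to be loaded; if your network connection is good, you can skip this.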

docker.io/envoyproxy/envoy:v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7

Then enable Hubble with the Cilium CLI:

➜ cilium-mesh cilium hubble enable --relay-image='quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1' --ui
Found CA in secret cilium-ca
:sparkles: Patching ConfigMap cilium-config to enable Hubble...
:recycle: Restarted Cilium pods
:hourglass: Waiting for Cilium to become ready before deploying other Hubble component(s)...
Generating certificates for Relay...
:sparkles: Deploying Relay from quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1...
:sparkles: Deploying Hubble UI from quay.io/cilium/hubble-ui:v0.8.3 and Hubble UI Backend from quay.io/cilium/hubble-ui-backend:v0.8.3...
:hourglass: Waiting for Hubble to be installed...
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         OK
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/
DaemonSet         cilium             Desired: 4, Ready: 4/4, Available: 4/4
Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-relay       Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-ui          Desired: 1, Unavailable: 1/1
Containers:       cilium             Running: 4
                  cilium-operator    Running: 1
                  hubble-relay       Running: 1
                  hubble-ui          Running: 1
Cluster Pods:     5/5 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1: 4
                  cilium-operator    quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1: 1
                  hubble-relay       quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1: 1
                  hubble-ui          quay.io/cilium/hubble-ui:v0.8.3: 1
                  hubble-ui          quay.io/cilium/hubble-ui-backend:v0.8.3: 1
                  hubble-ui          docker.io/envoyproxy/envoy:v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7: 1

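Testing layer 7 Ingress traffic management

Installing the LB

Here we can install MetalLB in the KIND cluster so that we can use svc resources of type LoadBalancer (Cilium creates a svc of type LoadBalancer by default). If you do not install MetalLB, you can use NodePort instead.

I won't go through the process item by item; just follow the steps below.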

➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/namespace.yaml
namespace/metallb-system created
➜ cilium-mesh kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
secret/memberlist created
➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/metallb.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
role.rbac.authorization.k8s.io/controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
rolebinding.rbac.authorization.k8s.io/controller created
daemonset.apps/speaker created
deployment.apps/controller created
➜ cilium-mesh docker network inspect -f '{{.IPAM.Config}}' kind
[{172.18.0.0/16 172.18.0.1 map[]} {fc00:f853:ccd:e793::/64 fc00:f853:ccd:e793::1 map[]}]
➜ cilium-mesh vim kind-lb-cm.yaml
➜ cilium-mesh cat kind-lb-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 172.18.255.200-172.18.255.250
➜ cilium-mesh kubectl apply -f kind-lb-cm.yaml
configmap/config created

Loading images

Here we use hashicorp/http-echo:0.2.3 as the sample application; it responds with different content depending on its startup arguments.

➜ cilium-mesh docker pull hashicorp/http-echo:0.2.3
0.2.3: Pulling from hashicorp/http-echo
86399148984b: Pull complete
Digest: sha256:ba27d460cd1f22a1a4331bdf74f4fccbc025552357e8a3249c40ae216275de96
Status: Downloaded newer image for hashicorp/http-echo:0.2.3
docker.io/hashicorp/http-echo:0.2.3
➜ cilium-mesh kind load docker-image hashicorp/http-echo:0.2.3
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker2", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-control-plane", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker3", loading...

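Deploying the test services

All the configuration files used in this article are available from the code repository at https://github.com/tao12345666333/practical-kubernetes/tree/main/cilium-mesh .

We deploy the test services with the following configuration: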

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=foo"
    name: foo-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: foo-app
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=bar"
    name: bar-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: bar-app

Create the following Ingress resource file:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cilium-ingress
  namespace: default
spec:
  ingressClassName: cilium
  rules:
  - http:
      paths:
      - backend:
          service:
            name: foo-app
            port:
              number: 5678
        path: /foo
        pathType: Prefix
      - backend:
          service:
            name: bar-app
            port:
              number: 5678
        path: /bar
        pathType: Prefix

Create the Ingress resource; you can then see that a new svc of type LoadBalancer has been created.

➜ cilium-mesh kubectl apply -f cilium-ingress.yaml
ingress.networking.k8s.io/cilium-ingress created
➜ cilium-mesh kubectl get svc
NAME                            TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)        AGE
bar-app                         ClusterIP      10.96.229.141   <none>           5678/TCP       106s
cilium-ingress-cilium-ingress   LoadBalancer   10.96.161.128   172.18.255.200   80:31643/TCP   4s
foo-app                         ClusterIP      10.96.166.212   <none>           5678/TCP       106s
kubernetes                      ClusterIP      10.96.0.1       <none>           443/TCP        81m
➜ cilium-mesh kubectl get ing
NAME             CLASS    HOSTS   ADDRESS          PORTS   AGE
cilium-ingress   cilium   *       172.18.255.200   80      1m

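Testing

Testing access with curl shows that the responses match the configuration in the Ingress resource. Looking at the response headers, we find that the proxying here is in fact still done by Envoy.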

➜ cilium-mesh curl 172.18.255.200
➜ cilium-mesh curl 172.18.255.200/foo
foo
➜ cilium-mesh curl 172.18.255.200/bar
bar
➜ cilium-mesh curl -I 172.18.255.200/bar
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Date: Sat, 18 Dec 2021 06:02:56 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Server: envoy
X-App-Name: http-echo
X-App-Version: 0.2.3
X-Envoy-Upstream-Service-Time: 0
➜ cilium-mesh curl -I 172.18.255.200/foo
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Date: Sat, 18 Dec 2021 06:03:01 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Server: envoy
X-App-Name: http-echo
X-App-Version: 0.2.3
X-Envoy-Upstream-Service-Time: 0

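Testing CiliumEnvoyConfig

After Cilium is deployed in the way described above, some CRD resources are installed as well. One of them, CiliumEnvoyConfig, is used to configure the proxy between services.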

➜ cilium-mesh kubectl api-resources |grep cilium.io
ciliumclusterwidenetworkpolicies   ccnp           cilium.io/v2         false   CiliumClusterwideNetworkPolicy
ciliumendpoints                    cep,ciliumep   cilium.io/v2         true    CiliumEndpoint
ciliumenvoyconfigs                 cec            cilium.io/v2alpha1   false   CiliumEnvoyConfig
ciliumexternalworkloads            cew            cilium.io/v2         false   CiliumExternalWorkload
ciliumidentities                   ciliumid       cilium.io/v2         false   CiliumIdentity
ciliumnetworkpolicies              cnp,ciliumnp   cilium.io/v2         true    CiliumNetworkPolicy
ciliumnodes                        cn,ciliumn     cilium.io/v2         false   CiliumNode

Deploying the test services

First, set up the Hubble port-forward:

➜ cilium-mesh cilium hubble port-forward

By default it listens on port 4245. If you do not run this beforehand, you will see the following:

Enabling Hubble telescope...
:warning: Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp [::1]:4245: connect: connection refused"

If the Hubble port-forward is already running, you should normally get the following output:

➜ cilium-mesh cilium connectivity test --test egress-l7
:information_source: Monitor aggregation detected, will skip some flow validation steps
:hourglass: [kind-kind] Waiting for deployments [client client2 echo-same-node] to become ready...
:hourglass: [kind-kind] Waiting for deployments [echo-other-node] to become ready...
:hourglass: [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/client-6488dcf5d4-pk6w9 to appear...
:hourglass: [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/client2-5998d566b4-hrhrb to appear...
:hourglass: [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/echo-other-node-f4d46f75b-bqpcb to appear...
:hourglass: [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/echo-same-node-745bd5c77-zpzdn to appear...
:hourglass: [kind-kind] Waiting for Service cilium-test/echo-other-node to become ready...
:hourglass: [kind-kind] Waiting for Service cilium-test/echo-same-node to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.5:32751 (cilium-test/echo-other-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.5:32133 (cilium-test/echo-same-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.3:32133 (cilium-test/echo-same-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.3:32751 (cilium-test/echo-other-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.2:32751 (cilium-test/echo-other-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.2:32133 (cilium-test/echo-same-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.4:32751 (cilium-test/echo-other-node) to become ready...
:hourglass: [kind-kind] Waiting for NodePort 172.18.0.4:32133 (cilium-test/echo-same-node) to become ready...
:information_source: Skipping IPCache check
:hourglass: [kind-kind] Waiting for pod cilium-test/client-6488dcf5d4-pk6w9 to reach default/kubernetes service...
:hourglass: [kind-kind] Waiting for pod cilium-test/client2-5998d566b4-hrhrb to reach default/kubernetes service...
Enabling Hubble telescope...
:information_source: Hubble is OK, flows: 16380/16380
Running tests...
[=] Skipping Test [no-policies]
[=] Skipping Test [allow-all]
[=] Skipping Test [client-ingress]
[=] Skipping Test [echo-ingress]
[=] Skipping Test [client-egress]
[=] Skipping Test [to-entities-world]
[=] Skipping Test [to-cidr-1111]
[=] Skipping Test [echo-ingress-l7]
[=] Test [client-egress-l7]
..........
[=] Skipping Test [dns-only]
[=] Skipping Test [to-fqdns]
:white_check_mark: All 1 tests (10 actions) successful, 10 tests skipped, 0 scenarios skipped.

We can also open the UI at the same time to take a look:

➜ cilium-mesh cilium hubble ui
:information_source: Opening "http://localhost:12000" in your browser...

It looks like this:

[Figure: Hubble UI]

This operation actually performs the following deployment:

➜ cilium-mesh kubectl -n cilium-test get all
NAME                                  READY   STATUS    RESTARTS   AGE
pod/client-6488dcf5d4-pk6w9           1/1     Running   0          66m
pod/client2-5998d566b4-hrhrb          1/1     Running   0          66m
pod/echo-other-node-f4d46f75b-bqpcb   1/1     Running   0          66m
pod/echo-same-node-745bd5c77-zpzdn    1/1     Running   0          66m
NAME                      TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
service/echo-other-node   NodePort   10.96.124.211   <none>        8080:32751/TCP   66m
service/echo-same-node    NodePort   10.96.136.252   <none>        8080:32133/TCP   66m
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/client            1/1     1            1           66m
deployment.apps/client2           1/1     1            1           66m
deployment.apps/echo-other-node   1/1     1            1           66m
deployment.apps/echo-same-node    1/1     1            1           66m
NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/client-6488dcf5d4           1         1         1       66m
replicaset.apps/client2-5998d566b4          1         1         1       66m
replicaset.apps/echo-other-node-f4d46f75b   1         1         1       66m
replicaset.apps/echo-same-node-745bd5c77    1         1         1       66m

We can also look at their labels:

➜ cilium-mesh kubectl get pods -n cilium-test --show-labels -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP             NODE           NOMINATED NODE   READINESS GATES   LABELS
client-6488dcf5d4-pk6w9           1/1     Running   0          67m   10.244.3.7     kind-worker3   <none>           <none>            kind=client,name=client,pod-template-hash=6488dcf5d4
client2-5998d566b4-hrhrb          1/1     Running   0          67m   10.244.3.18    kind-worker3   <none>           <none>            kind=client,name=client2,other=client,pod-template-hash=5998d566b4
echo-other-node-f4d46f75b-bqpcb   1/1     Running   0          67m   10.244.1.146   kind-worker2   <none>           <none>            kind=echo,name=echo-other-node,pod-template-hash=f4d46f75b
echo-same-node-745bd5c77-zpzdn    1/1     Running   0          67m   10.244.3.164   kind-worker3   <none>           <none>            kind=echo,name=echo-same-node,other=echo,pod-template-hash=745bd5c77

Testing

Here we work from the host: first get the name of the client2 Pod, then use the hubble command to observe the traffic from this Pod.

➜ cilium-mesh export CLIENT2=client2-5998d566b4-hrhrb
➜ cilium-mesh hubble observe --from-pod cilium-test/$CLIENT2 -f
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:37.202: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:37.203: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: SYN)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:50.771: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:50.771: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:50.772: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.772: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK)

The output above is the result of running the following commands:

kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-other-node:8080/

The log entries are almost all to-endpoint or to-overlay.

Testing with the proxy

First we need to install the network policies; we can take them directly from the Cilium CLI repository.

kubectl apply -f https://raw.githubusercontent.com/cilium/cilium-cli/master/connectivity/manifests/client-egress-l7-http.yaml
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium-cli/master/connectivity/manifests/client-egress-only-dns.yaml

Then repeat the request above:

Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-other-node.cilium-test.svc.cluster.local. A)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-other-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:33:40.572: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-other-node:8080/)
Dec 18 14:33:40.573: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:33:40.573: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK)

Run another request:

➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/

You can see the following output as well, which contains to-proxy.

Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 14:45:18.859: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:45:18.859: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)

Looking at the headers is actually more convenient:

➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -I echo-same-node:8080/
HTTP/1.1 403 Forbidden
content-length: 15
content-type: text/plain
date: Sat, 18 Dec 2021 14:47:39 GMT
server: envoy

Previously it always looked like this:

# without the proxy
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
*   Trying 10.96.136.252:8080...
* Connected to echo-same-node (10.96.136.252) port 8080 (#0)
> GET / HTTP/1.1
> Host: echo-same-node:8080
> User-Agent: curl/7.78.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Vary: Origin, Accept-Encoding
< Access-Control-Allow-Credentials: true
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
< Last-Modified: Sat, 26 Oct 1985 08:15:00 GMT
< ETag: W/"809-7438674ba0"
< Content-Type: text/html; charset=UTF-8
< Content-Length: 2057
< Date: Sat, 18 Dec 2021 14:07:37 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5

Requesting a path that does not exist:

Previously the response was 404; now it is 403, with the following content:

➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/foo
*   Trying 10.96.136.252:8080...
* Connected to echo-same-node (10.96.136.252) port 8080 (#0)
> GET /foo HTTP/1.1
> Host: echo-same-node:8080
> User-Agent: curl/7.78.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 15
< content-type: text/plain
< date: Sat, 18 Dec 2021 14:50:38 GMT
< server: envoy
<
Access denied
* Connection #0 to host echo-same-node left intact

The log entries also all say to-proxy.

Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request DROPPED (HTTP/1.1 GET http://echo-same-node:8080/foo)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:50:39.187: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
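The to-endpoint, to-overlay, to-proxy and http-request DROPPED markers discussed in this section can be pulled out of hubble observe output mechanically instead of by eye. The following is an added example, not part of the original post: three awk-based shell functions run over a few constructed sample lines in the flow format shown on this page. The function names and the whitespace field positions are assumptions taken from that format.

```shell
#!/bin/sh
# Added example: summarise `hubble observe` text output.
# Field layout assumed from the flow lines on this page:
#   $4 = source, $5 = "->" or "<>", $6 = destination,
#   $7 = observation point / event type, $8 = verdict, $9.. = summary

# Constructed sample input in the line format shown on this page.
sample_flows() {
cat <<'EOF'
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request DROPPED (HTTP/1.1 GET http://echo-same-node:8080/foo)
Dec 18 14:33:40.572: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-other-node:8080/)
EOF
}

# flow_points: print "<type> <verdict> <count>" for every combination seen,
# which shows at a glance whether traffic is taking the proxy path.
flow_points() {
    awk 'NF >= 8 && ($5 == "->" || $5 == "<>") { n[$7 " " $8]++ }
         END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# dropped_http: print "<destination> <method> <url>" for each HTTP request
# with verdict DROPPED (the client sees Envoy's 403 for these).
dropped_http() {
    awk 'NF >= 11 && $7 == "http-request" && $8 == "DROPPED" {
             url = $11
             sub(/\)$/, "", url)      # strip the closing parenthesis
             print $6, $10, url
         }'
}

# unproxied_connections: print "<source> <destination>" for connections that
# were delivered via to-endpoint/to-overlay and never appear with to-proxy,
# so no L7 rule could have been evaluated on them.
unproxied_connections() {
    awk 'NF >= 8 { key = $4 " " $6 }
         NF >= 8 && ($7 == "to-endpoint" || $7 == "to-overlay") { direct[key] = 1 }
         NF >= 8 && $7 == "to-proxy" { proxied[key] = 1 }
         END { for (k in direct) if (!(k in proxied)) print k }' | LC_ALL=C sort
}

echo "== flow points =="
sample_flows | flow_points
echo "== denied HTTP requests =="
sample_flows | dropped_http
echo "== connections that bypassed the proxy =="
sample_flows | unproxied_connections
```

Against a live cluster the same functions can read from a pipe, for example the output of the hubble observe --from-pod command used above.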

We use the following as the Envoy configuration; it includes a rewrite policy.

apiVersion: cilium.io/v2alpha1
kind: CiliumEnvoyConfig
metadata:
  name: envoy-lb-listener
spec:
  services:
  - name: echo-other-node
    namespace: cilium-test
  - name: echo-same-node
    namespace: cilium-test
  resources:
  - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
    name: envoy-lb-listener
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: envoy-lb-listener
          rds:
            route_config_name: lb_route
          http_filters:
          - name: envoy.filters.http.router
  - "@type": type.googleapis.com/envoy.config.route.v3.RouteConfiguration
    name: lb_route
    virtual_hosts:
    - name: "lb_route"
      domains: ["*"]
      routes:
      - match:
          prefix: "/"
        route:
          weighted_clusters:
            clusters:
            - name: "cilium-test/echo-same-node"
              weight: 50
            - name: "cilium-test/echo-other-node"
              weight: 50
          retry_policy:
            retry_on: 5xx
            num_retries: 3
            per_try_timeout: 1s
          regex_rewrite:
            pattern:
              google_re2: {}
              regex: "^/foo.*$"
            substitution: "/"
  - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
    name: "cilium-test/echo-same-node"
    connect_timeout: 5s
    lb_policy: ROUND_ROBIN
    type: EDS
    outlier_detection:
      split_external_local_origin_errors: true
      consecutive_local_origin_failure: 2
  - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
    name: "cilium-test/echo-other-node"
    connect_timeout: 3s
    lb_policy: ROUND_ROBIN
    type: EDS
    outlier_detection:
      split_external_local_origin_errors: true
      consecutive_local_origin_failure: 2

Testing a request now, we find that the correct response is returned.

➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -X GET -I echo-same-node:8080/
HTTP/1.1 200 OK
x-powered-by: Express
vary: Origin, Accept-Encoding
access-control-allow-credentials: true
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Sat, 26 Oct 1985 08:15:00 GMT
etag: W/"809-7438674ba0"
content-type: text/html; charset=UTF-8
content-length: 2057
date: Sat, 18 Dec 2021 15:00:01 GMT
x-envoy-upstream-service-time: 1
server: envoy

Requests to /foo now get a correct response as well.

➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -X GET -I echo-same-node:8080/foo
HTTP/1.1 200 OK
x-powered-by: Express
vary: Origin, Accept-Encoding
access-control-allow-credentials: true
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Sat, 26 Oct 1985 08:15:00 GMT
etag: W/"809-7438674ba0"
content-type: text/html; charset=UTF-8
content-length: 2057
date: Sat, 18 Dec 2021 15:01:40 GMT
x-envoy-upstream-service-time: 2
server: envoy

Meanwhile, when /foo is requested the flows look as follows; the request has been converted directly into a request for /:

Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 none REDIRECTED (TCP Flags: SYN)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53048 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53048 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:02:22.543: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 15:02:22.544: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)

Send the request several times and look at the log:

Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 15:07:20.884: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 none REDIRECTED (TCP Flags: SYN)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:20.886: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 15:07:20.886: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:26.086: cilium-test/client2-5998d566b4-hrhrb:53048 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:44.739: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 L3-L4 REDIRECTED (UDP)
Dec 18 15:07:44.739: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:44.740: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:44.740: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 15:07:44.740: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 none REDIRECTED (TCP Flags: SYN)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:44.742: cilium-test/client2-5998d566b4-hrhrb:53068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:44.742: cilium-test/client2-5998d566b4-hrhrb:53068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:44.744: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 15:07:44.744: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)

You can see that load balancing really did work.
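To check the path rewrite and the load balancing mechanically instead of reading the flows by eye, the following added example (not part of the original article) parses Hubble flow lines in the text layout shown above and reports which backends received requests and with which path. The function names and the `/foo` default are assumptions made for this illustration; the sample lines are taken from the output on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: three flow lines taken from the Hubble output on this page
# (two http-request flows and one to-proxy flow that must be ignored).
SAMPLE_FLOWS = """\
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:20.886: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 15:07:44.742: cilium-test/client2-5998d566b4-hrhrb:53068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
"""

# Layout assumed from the lines on this page:
# "<time>: <src>:<port> -> <dst>:<port> <type> <VERDICT> (<detail>)"
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<verdict>[A-Z]+) \((?P<detail>.*)\)$"
)
HTTP_RE = re.compile(r"^HTTP/\S+ (?P<method>[A-Z]+) (?P<url>\S+)$")

def http_requests(text):
    """Yield (backend, method, url) for every forwarded L7 http-request flow."""
    for line in text.splitlines():
        flow = FLOW_RE.match(line.strip())
        if not flow or flow["kind"] != "http-request" or flow["verdict"] != "FORWARDED":
            continue
        http = HTTP_RE.match(flow["detail"])
        if http:
            yield flow["dst"], http["method"], http["url"]

def summarize(text, requested_path="/foo"):
    """Compare what the client asked for with what the proxy sent upstream."""
    reqs = list(http_requests(text))
    backends = Counter(dst for dst, _, _ in reqs)
    paths = sorted({urlsplit(url).path for _, _, url in reqs})
    return {
        "backends": dict(backends),
        "paths": paths,
        # True when requests were seen and none still carries the client's path
        "rewritten": bool(paths) and requested_path not in paths,
        "load_balanced": len(backends) > 1,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

The same check is useful when auditing an L7 rewrite rule: the client-side request line and the upstream request line differ by design, so only the proxy's own flow records show what the backend actually received.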

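Summary

In this article I walked you through deploying Cilium Service Mesh and, with two examples, showed how Cilium Service Mesh behaves in practice.

Overall, this approach brings some convenience, but its service-to-service traffic configuration relies mainly on CiliumEnvoyConfig, which is not very convenient.

Original article: https://zhuanlan.zhihu.com/p/447950573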

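2. What is DNS

Short answer

DNS (Domain Name Server) is a server that translates between domain names and their corresponding IP addresses. DNS stores a table of domain names and their corresponding IP addresses, which it uses to resolve the domain names in messages.

Anyone who builds websites will be very familiar with the term DNS, but those who do not work in this area may find it baffling, so below the editor explains what DNS is.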

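Details

A domain name is the name of a computer or group of computers on the Internet, used to identify the computer's electronic location (and sometimes its geographic location) during data transmission. A domain name consists of a string of names separated by dots, usually includes the organization's name, and always ends with a two- or three-letter suffix that indicates the type of organization or the country or region where the domain is located.

The software that translates domain names into IP addresses is called the Domain Name System, or DNS. It is a method of managing names: different groups are responsible for the names of different subsystems. Each level of the system is called a domain, and domains are separated by dots. A domain name server (Domain Name Server, or Name Server for short) is simply a host that runs the domain name system. It is a hierarchical database that performs name resolution.

After registering a domain name and purchasing a hosting service, you need to point the domain at the purchased host before the website content can be seen. In the vast majority of cases, once the DNS server has resolved the domain, the site's content is not visible immediately; it may take several hours, or even a day or two, before your website opens.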

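Types of domain names
The first is international domain names (international top-level domain-names, iTDs for short), also called international top-level domains. These are the earliest and most widely used domain names. Examples are .com and .top for commercial enterprises, .net for network providers, and .org for non-profit organizations.
The second is national domain names, also called national top-level domains (national top-level domainnames, nTLDs for short), where a different suffix is assigned to each country; these are that country's national top-level domains. More than 200 countries and regions have been assigned top-level domains according to ISO 3166 country codes; for example, China is cn, the United States is us, and Japan is jp.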

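The reason domain name resolution does not take long is that access providers such as Beijing Telecom and Henan Telecom, in order to speed up page loading for their users, usually cache the DNS records of many domain names on their DNS servers. When one of the provider's users opens a web page, the provider's server does not need to query the domain name database; it uses the DNS record in its own cache directly, which speeds up the user's access to the site. This is the advantage.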
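The caching described above is also why a changed record can take hours to become visible, as noted earlier. The following added example (not from the original page) models an access provider's caching resolver in front of an authoritative zone. The class names, the 86400-second TTL and the documentation-range IP addresses are constructed for the illustration; TTL is the standard DNS field that bounds how long a cached record may be reused, and the page itself does not name it.

```python
class Authoritative:
    """Stands in for the domain's own zone data: name -> (ip, ttl_seconds)."""

    def __init__(self):
        self.records = {}
        self.queries = 0  # how often the cache had to ask upstream

    def set(self, name, ip, ttl):
        self.records[name] = (ip, ttl)

    def lookup(self, name):
        self.queries += 1
        return self.records[name]


class CachingResolver:
    """Access-provider resolver: answers from cache until the TTL runs out."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0], "cache"
        ip, ttl = self.upstream.lookup(name)
        self.cache[name] = (ip, now + ttl)
        return ip, "authoritative"


def demo():
    """Repoint a domain and watch when the cached resolver notices."""
    zone = Authoritative()
    zone.set("example.com", "192.0.2.10", ttl=86400)      # constructed values
    isp = CachingResolver(zone)
    timeline = [isp.resolve("example.com", now=0)]         # first lookup fills the cache
    zone.set("example.com", "198.51.100.20", ttl=86400)    # owner moves the site
    timeline.append(isp.resolve("example.com", now=3600))  # 1 h later: old address
    timeline.append(isp.resolve("example.com", now=86400)) # TTL expired: new address
    return timeline, zone.queries


if __name__ == "__main__":
    print(demo())
```

Three client lookups cost only two upstream queries, which is the speed-up; the second lookup returning the old address is the propagation delay.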
