Hello everyone, I’m Zhang Jintao.
Cilium is open source software based on eBPF technology for providing secure and observable network connectivity between container workloads.
If you don’t know much about Cilium, you can refer to my two previous posts:
- K8S ecological weekly | Cilium is chosen as the Google GKE next generation data
- Cilium gets hands-on
Cilium v1.11.0 was recently released, adding OpenTelemetry support and other enhancements. Plans for Cilium Service Mesh were also announced. Cilium Service Mesh is currently in beta and is expected to be incorporated into Cilium v1.12 in 2022.
Cilium Service Mesh also brings a new mode.
Compared with the conventional Istio/Linkerd solutions, the most significant feature of Cilium's Service Mesh, which is implemented directly with eBPF, is that it replaces the Sidecar proxy model with the Kernel model, as shown in the following figure:
Instead of placing a Sidecar next to each application, support is provided directly on each Node.
I've been aware of this for a few months now and have had some discussions about it. Recently, with Isovalent's article "How eBPF will Solve Service Mesh – Goodbye Sidecars", Cilium Service Mesh is also in the spotlight.
In this article, I will take you to experience the Cilium Service Mesh.
Installation and deployment
Here I use KIND as my test environment and my kernel version is 5.15.8.
Preparing the KIND Cluster
The installation of the KIND command line tool will not be described here, but you can refer to my previous article “Build your own Local Kubernetes test environment with KIND”.
Here is the configuration file I used to create the cluster:
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
  disableDefaultCNI: true
Creating a cluster:
➜ cilium-mesh kind create cluster --config kind-config.yaml
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.22.4) 🖼
 ✓ Preparing nodes 📦 📦 📦 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing StorageClass 💾
 ✓ Joining worker nodes 🚜
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Not sure what to do next? 😅
Check out https://kind.sigs.k8s.io/docs/user/quick-start/
Install the Cilium CLI
Here we use the Cilium CLI tool to deploy Cilium.
➜ cilium-mesh curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
[1/2]: https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz --> cilium-linux-amd64.tar.gz
[2/2]: https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz.sha256sum --> cilium-linux-amd64.tar.gz.sha256sum
➜ cilium-mesh ls
cilium-linux-amd64.tar.gz  cilium-linux-amd64.tar.gz.sha256sum  kind-config.yaml
➜ cilium-mesh tar -zxvf cilium-linux-amd64.tar.gz
cilium
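The download above fetches cilium-linux-amd64.tar.gz.sha256sum but never uses it. The function below is an added example, not part of the original post: it checks the archive against that file and extracts only on a match. The function name verify_and_extract is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded archive
# against its .sha256sum companion before extracting anything from it.
# The function name is hypothetical; file names follow the download above.

# verify_and_extract <archive> [dest-dir]
#   0  checksum matched, archive extracted into dest-dir
#   1  checksum mismatch, nothing extracted
#   2  archive or checksum file missing
#   3  checksum file has no usable entry for this archive
verify_and_extract() {
    local archive dest sumfile base expected actual
    archive=$1
    dest=${2:-.}
    sumfile="$archive.sha256sum"

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 2; }

    base=$(basename -- "$archive")

    # A .sha256sum file holds lines of the form "<64 hex digits>  <file name>".
    # Pick the digest recorded for this file name only, so an unrelated entry
    # in the same file cannot satisfy the check.
    expected=$(awk -v f="$base" '$2 == f || $2 == "*" f { print $1; exit }' "$sumfile")
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-fA-F]{64}$'; then
        echo "no valid SHA-256 entry for $base in $sumfile" >&2
        return 3
    fi
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    actual=$(sha256sum -- "$archive" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "CHECKSUM MISMATCH for $base: expected $expected, got $actual" >&2
        return 1
    fi

    # Only a verified archive is unpacked.
    mkdir -p -- "$dest" && tar -xzf "$archive" -C "$dest"
}
```

Because the checksum file is served from the same release as the archive, this catches a corrupted or swapped download but is not a substitute for a signature check.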
Load the image
The Cilium deployment process requires some images, which can be downloaded in advance and loaded into the KIND nodes. If you have a smooth Internet connection, skip this step.
➜ cilium-mesh ciliumMeshImage=("quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1" "quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1" "quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1")
➜ cilium-mesh for i in "${ciliumMeshImage[@]}"
do
    docker pull "$i"
    kind load docker-image "$i"
done
Deploying Cilium
Next we will use the Cilium CLI directly to complete the deployment. Notice the parameters here.
➜ cilium-mesh cilium install --version -service-mesh:v1.11.0-beta.1 --config enable-envoy-config=true --kube-proxy-replacement=probe --agent-image='quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1' --operator-image='quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1' --datapath-mode=vxlan
🔮 Auto-detected Kubernetes kind: kind
✨ Running "kind" validation checks
✅ Detected kind version "0.12.0"
ℹ️ using Cilium version "-service-mesh:v1.11.0-beta.1"
🔮 Auto-detected cluster name: kind-kind
🔮 Auto-detected IPAM mode: kubernetes
🔮 Custom datapath mode: vxlan
🔑 Found CA in secret cilium-ca
🔑 Generating certificates for Hubble...
🚀 Creating Service accounts...
🚀 Creating Cluster roles...
🚀 Creating ConfigMap for Cilium version 1.11.0...
ℹ️ Manual overwrite in ConfigMap: enable-envoy-config=true
🚀 Creating Agent DaemonSet...
🚀 Creating Operator Deployment...
⌛ Waiting for Cilium to be installed and ready...
✅ Cilium was successfully installed! Run 'cilium status' to view installation health
Check the status
After the installation is successful, you can run the cilium status command to view the current Cilium deployment status.
➜ cilium-mesh cilium status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         disabled
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/
Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
DaemonSet         cilium             Desired: 4, Ready: 4/4, Available: 4/4
Containers:       cilium             Running: 4
                  cilium-operator    Running: 1
Cluster Pods:     3/3 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1: 4
                  cilium-operator    quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1: 1
Enable Hubble
Hubble mainly provides observability. Before enabling it, you need to load an image; this can be skipped if your network connection is good.
docker.io/envoyproxy/envoy:v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7
Then use the Cilium CLI to enable Hubble:
➜ cilium-mesh cilium hubble enable --relay-image='quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1' --ui
🔑 Found CA in secret cilium-ca
✨ Patching ConfigMap cilium-config to enable Hubble...
♻️ Restarted Cilium pods
⌛ Waiting for Cilium to become ready before deploying other Hubble component(s)...
🔑 Generating certificates for Relay...
✨ Deploying Relay from quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1...
✨ Deploying Hubble UI from quay.io/cilium/hubble-ui:v0.8.3 and Hubble UI Backend from quay.io/cilium/hubble-ui-backend:v0.8.3...
⌛ Waiting for Hubble to be installed...
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         OK
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/
DaemonSet         cilium             Desired: 4, Ready: 4/4, Available: 4/4
Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-relay       Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-ui          Desired: 1, Unavailable: 1/1
Containers:       cilium             Running: 4
                  cilium-operator    Running: 1
                  hubble-relay       Running: 1
                  hubble-ui          Running: 1
Cluster Pods:     5/5 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium-service-mesh:v1.11.0-beta.1: 4
                  cilium-operator    quay.io/cilium/operator-generic-service-mesh:v1.11.0-beta.1: 1
                  hubble-relay       quay.io/cilium/hubble-relay-service-mesh:v1.11.0-beta.1: 1
                  hubble-ui          quay.io/cilium/hubble-ui:v0.8.3: 1
                  hubble-ui          quay.io/cilium/hubble-ui-backend:v0.8.3: 1
                  hubble-ui          docker.io/envoyproxy/envoy:v1.18.2@sha256:e8b37c1d75787dd1e712ff389b0d37337dc8a174a63bed9c34ba73359dc67da7: 1
Test layer 7 Ingress traffic management
Install the LB
Here we can install MetalLB in the KIND cluster so that we can use SVC resources of type LoadBalancer (Cilium creates a LoadBalancer SVC by default). If MetalLB is not installed, NodePort can be used instead.
I won't walk through each step; just follow the commands below.
➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/namespace.yaml
namespace/metallb-system created
➜ cilium-mesh kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
secret/memberlist created
➜ cilium-mesh kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/metallb.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
role.rbac.authorization.k8s.io/controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
rolebinding.rbac.authorization.k8s.io/controller created
daemonset.apps/speaker created
deployment.apps/controller created
➜ cilium-mesh docker network inspect -f '{{.IPAM.Config}}' kind
[{172.18.0.0/16 172.18.0.1 map[]} {fc00:f853:ccd:e793::/64 fc00:f853:ccd:e793::1 map[]}]
➜ cilium-mesh vim kind-lb-cm.yaml
➜ cilium-mesh cat kind-lb-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 172.18.255.200-172.18.255.250
➜ cilium-mesh kubectl apply -f kind-lb-cm.yaml
configmap/config created
Load the image
Here we use hashicorp/http-echo:0.2.3 as an example program; it responds with different content depending on its startup arguments.
➜ cilium-mesh docker pull hashicorp/http-echo:0.2.3
0.2.3: Pulling from hashicorp/http-echo
86399148984b: Pull complete
Digest: sha256:ba27d460cd1f22a1a4331bdf74f4fccbc025552357e8a3249c40ae216275de96
Status: Downloaded newer image for hashicorp/http-echo:0.2.3
docker.io/hashicorp/http-echo:0.2.3
➜ cilium-mesh kind load docker-image hashicorp/http-echo:0.2.3
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker2", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-control-plane", loading...
Image: "hashicorp/http-echo:0.2.3" with ID "sha256:a6838e9a6ff6ab3624720a7bd36152dda540ce3987714398003e14780e61478a" not yet present on node "kind-worker3", loading...
Deploy test service
All configuration files in this article are available from the code repository at Github.com/tao12345666…
We deploy the test service using the following configuration:
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=foo"
    name: foo-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: foo-app
  name: foo-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: foo-app
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  containers:
  - image: hashicorp/http-echo:0.2.3
    args:
    - "-text=bar"
    name: bar-app
    ports:
    - containerPort: 5678
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: bar-app
  name: bar-app
spec:
  ports:
  - port: 5678
    protocol: TCP
    targetPort: 5678
  selector:
    run: bar-app
Create the following Ingress resource file:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cilium-ingress
  namespace: default
spec:
  ingressClassName: cilium
  rules:
  - http:
      paths:
      - backend:
          service:
            name: foo-app
            port:
              number: 5678
        path: /foo
        pathType: Prefix
      - backend:
          service:
            name: bar-app
            port:
              number: 5678
        path: /bar
        pathType: Prefix
Create the Ingress resource, and you can see that a new SVC of type LoadBalancer is generated.
➜ cilium-mesh kubectl apply -f cilium-ingress.yaml
ingress.networking.k8s.io/cilium-ingress created
➜ cilium-mesh kubectl get svc
NAME                            TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)        AGE
bar-app                         ClusterIP      10.96.229.141   <none>           5678/TCP       106s
cilium-ingress-cilium-ingress   LoadBalancer   10.96.161.128   172.18.255.200   80:31643/TCP   4s
foo-app                         ClusterIP      10.96.166.212   <none>           5678/TCP       106s
kubernetes                      ClusterIP      10.96.0.1       <none>           443/TCP        81m
➜ cilium-mesh kubectl get ing
NAME             CLASS    HOSTS   ADDRESS          PORTS   AGE
cilium-ingress   cilium   *       172.18.255.200   80      1m
Test
Using the curl command, you can obtain the correct response through the Ingress resource. Looking at the response headers, we see that the proxying here is actually done by Envoy.
➜ cilium-mesh curl 172.18.255.200
➜ cilium-mesh curl 172.18.255.200/foo
foo
➜ cilium-mesh curl 172.18.255.200/bar
bar
➜ cilium-mesh curl -i 172.18.255.200/bar
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
content-type: text/plain; charset=utf-8
Date: Sat, 18 Dec 2021 06:02:56 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Server: envoy
x-app-name: http-echo
x-app-version: 0.2.3
x-envoy-upstream-service-time: 0
➜ cilium-mesh curl -i 172.18.255.200/foo
HTTP/1.1 200 OK
Content-Length: 4
Connection: keep-alive
content-type: text/plain; charset=utf-8
Date: Sat, 18 Dec 2021 06:03:01 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive
Server: envoy
x-app-name: http-echo
x-app-version: 0.2.3
x-envoy-upstream-service-time: 0
Test CiliumEnvoyConfig
Deploying Cilium in this manner also installs some CRD resources. One of these is CiliumEnvoyConfig, which is used to configure the proxy between services.
➜ cilium-mesh kubectl api-resources | grep cilium.io
ciliumclusterwidenetworkpolicies   ccnp           cilium.io/v2         false   CiliumClusterwideNetworkPolicy
ciliumendpoints                    cep,ciliumep   cilium.io/v2         true    CiliumEndpoint
ciliumenvoyconfigs                 cec            cilium.io/v2alpha1   false   CiliumEnvoyConfig
ciliumexternalworkloads            cew            cilium.io/v2         false   CiliumExternalWorkload
ciliumidentities                   ciliumid       cilium.io/v2         false   CiliumIdentity
ciliumnetworkpolicies              cnp,ciliumnp   cilium.io/v2         true    CiliumNetworkPolicy
ciliumnodes                        cn,ciliumn     cilium.io/v2         false   CiliumNode
Deploy test service
First, start the Hubble port-forward:
➜ cilium-mesh cilium hubble port-forward
By default it listens on port 4245. If you do not start it in advance, the following message will appear:
🔭 Enabling Hubble telescope...
⚠️ Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp [::1]:4245: connect: connection refused"
If the Hubble port-forward is running, you normally get the following output:
➜ cilium-mesh cilium connectivity test --test egress-l7
ℹ️ Monitor aggregation detected, will skip some flow validation steps
⌛ [kind-kind] Waiting for deployments [client client2 echo-same-node] to become ready...
⌛ [kind-kind] Waiting for deployments [echo-other-node] to become ready...
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/client-6488dcf5d4-pk6w9 to appear...
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/client2-5998d566b4-hrhrb to appear...
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/echo-other-node-f4d46f75b-bqpcb to appear...
⌛ [kind-kind] Waiting for CiliumEndpoint for pod cilium-test/echo-same-node-745bd5c77-zpzdn to appear...
⌛ [kind-kind] Waiting for Service cilium-test/echo-other-node to become ready...
⌛ [kind-kind] Waiting for Service cilium-test/echo-same-node to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.5:32751 (cilium-test/echo-other-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.5:32133 (cilium-test/echo-same-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.3:32133 (cilium-test/echo-same-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.3:32751 (cilium-test/echo-other-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.2:32751 (cilium-test/echo-other-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.2:32133 (cilium-test/echo-same-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.4:32751 (cilium-test/echo-other-node) to become ready...
⌛ [kind-kind] Waiting for NodePort 172.18.0.4:32133 (cilium-test/echo-same-node) to become ready...
ℹ️ Skipping IPCache check
⌛ [kind-kind] Waiting for pod cilium-test/client-6488dcf5d4-pk6w9 to reach default/kubernetes service...
⌛ [kind-kind] Waiting for pod cilium-test/client2-5998d566b4-hrhrb to reach default/kubernetes service...
🔭 Enabling Hubble telescope...
ℹ️ Hubble is OK, flows: 16380/16380
🏃 Running tests...
[=] Skipping Test [no-policies]
[=] Skipping Test [allow-all]
[=] Skipping Test [client-ingress]
[=] Skipping Test [echo-ingress]
[=] Skipping Test [client-egress]
[=] Skipping Test [to-entities-world]
[=] Skipping Test [to-cidr-1111]
[=] Skipping Test [echo-ingress-l7]
[=] Test [client-egress-l7]
..........
[=] Skipping Test [dns-only]
[=] Skipping Test [to-fqdns]
✅ All tests (10 actions) successful, 10 tests skipped, 0 scenarios skipped.
We can also open the UI and see:
➜ cilium-mesh cilium hubble ui
ℹ️ Opening "http://localhost:12000" in your browser...
The UI looks like this:
The connectivity test actually deploys the following resources:
➜ cilium-mesh kubectl -n cilium-test get all
NAME                                  READY   STATUS    RESTARTS   AGE
pod/client-6488dcf5d4-pk6w9           1/1     Running   0          66m
pod/client2-5998d566b4-hrhrb          1/1     Running   0          66m
pod/echo-other-node-f4d46f75b-bqpcb   1/1     Running   0          66m
pod/echo-same-node-745bd5c77-zpzdn    1/1     Running   0          66m

NAME                      TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
service/echo-other-node   NodePort   10.96.124.211   <none>        8080:32751/TCP   66m
service/echo-same-node    NodePort   10.96.136.252   <none>        8080:32133/TCP   66m

NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/client            1/1     1            1           66m
deployment.apps/client2           1/1     1            1           66m
deployment.apps/echo-other-node   1/1     1            1           66m
deployment.apps/echo-same-node    1/1     1            1           66m

NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/client-6488dcf5d4           1         1         1       66m
replicaset.apps/client2-5998d566b4          1         1         1       66m
replicaset.apps/echo-other-node-f4d46f75b   1         1         1       66m
replicaset.apps/echo-same-node-745bd5c77    1         1         1       66m
We can also look at the labels:
➜ cilium-mesh kubectl get pods -n cilium-test --show-labels -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP             NODE           NOMINATED NODE   READINESS GATES   LABELS
client-6488dcf5d4-pk6w9           1/1     Running   0          67m   10.244.3.7     kind-worker3   <none>           <none>            kind=client,name=client,pod-template-hash=6488dcf5d4
client2-5998d566b4-hrhrb          1/1     Running   0          67m   10.244.3.18    kind-worker3   <none>           <none>            kind=client,name=client2,other=client,pod-template-hash=5998d566b4
echo-other-node-f4d46f75b-bqpcb   1/1     Running   0          67m   10.244.1.146   kind-worker2   <none>           <none>            kind=echo,name=echo-other-node,pod-template-hash=f4d46f75b
echo-same-node-745bd5c77-zpzdn    1/1     Running   0          67m   10.244.3.164   kind-worker3   <none>           <none>            kind=echo,name=echo-same-node,other=echo,pod-template-hash=745bd5c77
Test
Here we work on the host: first get the Pod name of client2, then observe all traffic from this Pod with the hubble command.
➜ cilium-mesh export CLIENT2=client2-5998d566b4-hrhrb
➜ cilium-mesh hubble observe --from-pod cilium-test/$CLIENT2 -f
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:37.201: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:37.202: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:37.203: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 <> kube-system/coredns-78fcd69978-7lbwh:53 to-overlay FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:50.769: cilium-test/client2-5998d566b4-hrhrb:36768 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: SYN)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:07:50.71: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:50.771: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:07:50.772: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: ACK)
Dec 18 14:07:50.772: cilium-test/client2-5998d566b4-hrhrb:42068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-endpoint FORWARDED (TCP Flags: ACK)
The output above was produced by the following commands:
kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-other-node:8080/
Basically all logs are either to-endpoint or to-overlay.
Test using a proxy
You need to install the NetworkPolicy resources first; we can get them directly from the Cilium CLI repository.
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium-cli/master/connectivity/manifests/client-egress-l7-http.yaml
kubectl apply -f https://raw.githubusercontent.com/cilium/cilium-cli/master/connectivity/manifests/client-egress-only-dns.yaml
Then repeat the request above:
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-other-node.cilium-test.svc.cluster.local. A)
Dec 18 14:33:40.570: cilium-test/client2-5998d566b4-hrhrb:44344 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-other-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:33:40.571: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:33:40.572: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-other-node:8080/)
Dec 18 14:33:40.573: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:33:40.573: cilium-test/client2-5998d566b4-hrhrb:42074 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK)
Perform another request:
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
The output again contains to-proxy:
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:45:18.857: cilium-test/client2-5998d566b4-hrhrb:58895 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 14:45:18.859: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:45:18.859: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
It is more convenient to look at the response headers:
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -I echo-same-node:8080/
HTTP/1.1 403 Forbidden
content-length: 15
content-type: text/plain
date: Sat, 18 Dec 2021 14:47:39 GMT
server: envoy
Previously, without the proxy, it looked like this:
# no proxy
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/
*   Trying 10.96.136.252:8080...
* Connected to echo-same-node (10.96.136.252) port 8080 (#0)
> GET / HTTP/1.1
> Host: echo-same-node:8080
> User-Agent: curl/7.78.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Vary: Origin, Accept-Encoding
< Access-Control-Allow-Credentials: true
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
< Last-Modified: Sat, 26 Oct 1985 08:15:00 GMT
< ETag: W/"809-7438674ba0"
< Content-Type: text/html; charset=UTF-8
< Content-Length: 2057
< Date: Sat, 18 Dec 2021 14:07:37 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
Request an address that does not exist:
The response used to be 404; now it is 403, and you get the following:
➜ cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -v echo-same-node:8080/foo
*   Trying 10.96.136.252:8080...
* Connected to echo-same-node (10.96.136.252) port 8080 (#0)
> GET /foo HTTP/1.1
> Host: echo-same-node:8080
> User-Agent: curl/7.78.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 15
< content-type: text/plain
< date: Sat, 18 Dec 2021 14:50:38 GMT
< server: envoy
<
Access denied
* Connection #0 to host echo-same-node left intact
The logs also contain the word to-proxy.
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 L3-L4 REDIRECTED (UDP)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 14:50:39.185: cilium-test/client2-5998d566b4-hrhrb:37683 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request DROPPED (HTTP/1.1 GET http://echo-same-node:8080/foo)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 14:50:39.187: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
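The before/after difference in these logs (to-endpoint and to-overlay without the policy, to-proxy plus http-request verdicts once it is applied) can be checked mechanically instead of by eye. The following is an added example, not part of the original post; the function names are hypothetical, the sample lines are modelled on the output above, and the parser assumes the one-line text layout shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the one-line text layout
# of `hubble observe` shown on this page:
#   <Mon> <day> <time>: <src> <->|<>> <dst> <type> <verdict> (<summary>)
# Function names and sample data are constructed for illustration.

# Per destination: flows handed to the Envoy proxy (to-proxy) versus flows
# delivered by the datapath alone (to-endpoint / to-overlay), plus L7 verdicts.
flow_summary() {
    awk '
    NF < 8 || ($5 != "->" && $5 != "<>") { next }   # not a flow line
    {
        dst = $6; seen[dst] = 1
        if ($7 == "to-proxy") proxied[dst]++
        else if ($7 == "to-endpoint" || $7 == "to-overlay") direct[dst]++
        else if ($7 == "http-request" && $8 == "FORWARDED") allowed[dst]++
        else if ($7 == "http-request" && $8 == "DROPPED") denied[dst]++
    }
    END {
        for (d in seen)
            printf "%s proxied=%d direct=%d l7_allowed=%d l7_denied=%d\n",
                   d, proxied[d], direct[d], allowed[d], denied[d]
    }' | sort
}

# Destinations containing $1 that received traffic without passing the proxy.
# Empty output means every matching flow was subject to the L7 policy.
bypassing_proxy() {
    flow_summary | awk -v pat="$1" 'index($1, pat) && $3 != "direct=0" { print $1 }'
}

# One line per HTTP request the proxy rejected:
#   <time> <src> <dst> <METHOD> <URL>
l7_denied() {
    awk '$7 == "http-request" && $8 == "DROPPED" {
        t = $3;    sub(/:$/, "", t)      # strip the colon after the timestamp
        url = $11; sub(/\)$/, "", url)   # strip the closing parenthesis
        print t, $4, $6, $10, url
    }'
}

# Constructed sample: flows before the L7 policy was applied.
sample_before() {
    cat <<'EOF'
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:44805 -> kube-system/coredns-78fcd69978-7lbwh:53 to-endpoint FORWARDED (UDP)
Dec 18 14:07:37.200: cilium-test/client2-5998d566b4-hrhrb:42260 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-endpoint FORWARDED (TCP Flags: SYN)
Dec 18 14:07:50.770: cilium-test/client2-5998d566b4-hrhrb:42068 <> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-overlay FORWARDED (TCP Flags: SYN)
EOF
}

# Constructed sample: flows after the L7 policy was applied.
sample_after() {
    cat <<'EOF'
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 L3-L4 REDIRECTED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:45:18.858: cilium-test/client2-5998d566b4-hrhrb:42266 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request DROPPED (HTTP/1.1 GET http://echo-same-node:8080/foo)
EOF
}
```

In live use, pipe the observe output into the functions, for example `hubble observe --from-pod cilium-test/$CLIENT2 | bypassing_proxy echo-`. For anything long-lived, `hubble observe -o json` is a sturdier input than the text layout.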
We used the following as an Envoy configuration file containing the rewrite policy.
apiVersion: cilium.io/v2alpha1
kind: CiliumEnvoyConfig
metadata:
  name: envoy-lb-listener
spec:
  # Traffic to these services is redirected to the Envoy listener below.
  services:
    - name: echo-other-node
      namespace: cilium-test
    - name: echo-same-node
      namespace: cilium-test
  resources:
    - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
      name: envoy-lb-listener
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: envoy-lb-listener
                rds:
                  route_config_name: lb_route
                http_filters:
                  - name: envoy.filters.http.router
    - "@type": type.googleapis.com/envoy.config.route.v3.RouteConfiguration
      name: lb_route
      virtual_hosts:
        - name: "lb_route"
          domains: ["*"]
          routes:
            - match:
                prefix: "/"
              route:
                # Split requests 50/50 between the two backend clusters.
                weighted_clusters:
                  clusters:
                    - name: "cilium-test/echo-same-node"
                      weight: 50
                    - name: "cilium-test/echo-other-node"
                      weight: 50
                retry_policy:
                  retry_on: 5xx
                  num_retries: 3
                  per_try_timeout: 1s
                # Rewrite every path that starts with /foo to /.
                regex_rewrite:
                  pattern:
                    google_re2: {}
                    regex: "^/foo.*$"
                  substitution: "/"
    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
      name: "cilium-test/echo-same-node"
      connect_timeout: 5s
      lb_policy: ROUND_ROBIN
      type: EDS
      outlier_detection:
        split_external_local_origin_errors: true
        consecutive_local_origin_failure: 2
    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
      name: "cilium-test/echo-other-node"
      connect_timeout: 3s
      lb_policy: ROUND_ROBIN
      type: EDS
      outlier_detection:
        split_external_local_origin_errors: true
        consecutive_local_origin_failure: 2
When I tested the request, I found that the correct response was received.
➜  cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -X GET -i echo-same-node:8080/
HTTP/1.1 200 OK
x-powered-by: Express
vary: Origin, Accept-Encoding
access-control-allow-credentials: true
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Sat, 26 Oct 1985 08:15:00 GMT
etag: W/"809-7438674ba0"
content-type: text/html; charset=UTF-8
content-length: 2057
date: Sat, 18 Dec 2021 15:00:01 GMT
x-envoy-upstream-service-time: 1
server: envoy
And requests for /foo will now get the correct response.
➜  cilium-mesh kubectl exec -it -n cilium-test $CLIENT2 -- curl -X GET -i echo-same-node:8080/foo
HTTP/1.1 200 OK
x-powered-by: Express
vary: Origin, Accept-Encoding
access-control-allow-credentials: true
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Sat, 26 Oct 1985 08:15:00 GMT
etag: W/"809-7438674ba0"
content-type: text/html; charset=UTF-8
content-length: 2057
date: Sat, 18 Dec 2021 15:01:40 GMT
x-envoy-upstream-service-time: 2
server: envoy
Also, when requesting /foo, the flow log looks as follows: the path is rewritten directly and the request succeeds as a request for /.
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 15:02:22.541: cilium-test/client2-5998d566b4-hrhrb:38860 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 none REDIRECTED (TCP Flags: SYN)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53048 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:02:22.542: cilium-test/client2-5998d566b4-hrhrb:53048 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:02:22.543: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags:
Dec 18 15:02:22.544: cilium-test/client2-5998d566b4-hrhrb:53062 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Sending the request several times and checking the logs:
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 L3-L4 REDIRECTED (UDP)
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:20.883: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 15:07:20.884: cilium-test/client2-5998d566b4-hrhrb:49656 -> kube-system/coredns-78fcd69978-2ww28:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 none REDIRECTED (TCP Flags: SYN)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:20.886: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 15:07:20.886: cilium-test/client2-5998d566b4-hrhrb:53070 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:26.086: cilium-test/client2-5998d566b4-hrhrb:53048 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:44.739: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 L3-L4 REDIRECTED (UDP)
Dec 18 15:07:44.739: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:44.740: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 to-proxy FORWARDED (UDP)
Dec 18 15:07:44.740: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. AAAA)
Dec 18 15:07:44.740: cilium-test/client2-5998d566b4-hrhrb:39057 -> kube-system/coredns-78fcd69978-7lbwh:53 dns-request FORWARDED (DNS Query echo-same-node.cilium-test.svc.cluster.local. A)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 none REDIRECTED (TCP Flags: SYN)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: SYN)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
Dec 18 15:07:44.741: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:44.742: cilium-test/client2-5998d566b4-hrhrb:53068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:44.742: cilium-test/client2-5998d566b4-hrhrb:53068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:44.744: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK, FIN)
Dec 18 15:07:44.744: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags: ACK)
You can see that it does load balancing successfully.
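As an added example (not part of the original article and not Cilium's own tooling), the following Python script parses flow lines in the format shown above and reports the dropped L7 requests and which backend workload actually served each forwarded HTTP request, even though every request was addressed to echo-same-node. The sample lines are constructed from the logs in this article, and the hypothetical `workload()` helper assumes Deployment-style pod names.

```python
import re
from collections import Counter

# One flow line as printed in the logs above:
# <timestamp>: <ns/pod>:<port> -> <ns/pod>:<port> <type> <VERDICT> (<detail>)
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<type>\S+) (?P<verdict>[A-Z]+) \((?P<detail>.*)\)$"
)
HTTP_RE = re.compile(r"^HTTP/\S+ (?P<method>\S+) (?P<url>\S+)$")

# Constructed sample lines, modelled on the flow logs shown in this article.
SAMPLE = """\
Dec 18 14:50:39.186: cilium-test/client2-5998d566b4-hrhrb:42274 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request DROPPED (HTTP/1.1 GET http://echo-same-node:8080/foo)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 to-proxy FORWARDED (TCP Flags: ACK, PSH)
Dec 18 15:07:20.885: cilium-test/client2-5998d566b4-hrhrb:53064 -> cilium-test/echo-same-node-745bd5c77-zpzdn:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:44.742: cilium-test/client2-5998d566b4-hrhrb:53068 -> cilium-test/echo-other-node-f4d46f75b-bqpcb:8080 http-request FORWARDED (HTTP/1.1 GET http://echo-same-node:8080/)
Dec 18 15:07:44.744: cilium-test/client2-5998d566b4-hrhrb:53072 -> cilium-test/echo-same-node:8080 to-proxy FORWARDED (TCP Flags:
"""

def workload(pod):
    """Strip the ReplicaSet hash and pod suffix (assumes Deployment-style pod names)."""
    ns, name = pod.split("/", 1)
    return ns + "/" + name.rsplit("-", 2)[0]

def summarize(text):
    """Return (dropped L7 requests, forwarded-request count per backend, unparsed lines)."""
    dropped, backends, unparsed = [], Counter(), []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FLOW_RE.match(line)
        if not m:
            unparsed.append(line)  # e.g. a truncated line; keep it for review
            continue
        if m["type"] != "http-request":
            continue  # L3/L4 and to-proxy events carry no L7 verdict
        http = HTTP_RE.match(m["detail"])
        if not http:
            unparsed.append(line)
            continue
        if m["verdict"] == "DROPPED":
            dropped.append((m["src"], http["method"], http["url"]))
        elif m["verdict"] == "FORWARDED":
            backends[workload(m["dst"])] += 1
    return dropped, dict(backends), unparsed

if __name__ == "__main__":
    for item in summarize(SAMPLE):
        print(item)
```

Lines that do not match the expected format are returned separately rather than silently skipped, so a truncated or garbled flow entry does not distort the per-backend counts.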
Conclusion
In this article, I took you through the deployment of Cilium Service Mesh and walked through two examples of how it works.
Overall, this approach provides some convenience, but it relies on CiliumEnvoyConfig for inter-service traffic configuration, which is not very convenient.
I look forward to its subsequent evolution!
Please feel free to subscribe to my official account [MoeLove]