Thursday, May 19, 2022

How to run Istiod in debug mode outside of k8s

Debugging a Kubernetes controller by sprinkling fmt.Println statements through the code is slow going. Running the controller's main.go under the VS Code debugger, outside the Kubernetes cluster, is a workable alternative.

This article walks through how to do that, using istiod as the example.

1. Load your Istio project into VS code.

2. Set up a debug profile (a launch configuration in .vscode/launch.json) as follows. The POD_NAME and CLUSTER_ID values are arbitrary; KUBECONFIG and ROOT_CA_DIR must point at paths on the machine running VS Code:

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Controller",
      "type": "go",
      "request": "launch",
      "mode": "debug",
      "env": {
        "REVISION": "default",
        "JWT_POLICY": "third-party-jwt",
        "PILOT_CERT_PROVIDER": "istiod",
        "POD_NAME": "tongli",
        "POD_NAMESPACE": "istio-system",
        "SERVICE_ACCOUNT": "",
        "KUBECONFIG": "/home/ubuntu/.kube/config",
        "ENABLE_LEGACY_FSGROUP_INJECTION": "false",
        "ROOT_CA_DIR": "/tmp/work",
        "PILOT_TRACE_SAMPLING": "1",
        "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND": "true",
        "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND": "true",
        "ISTIOD_ADDR": "istiod.istio-system.svc:15012",
        "PILOT_ENABLE_ANALYSIS": "false",
        "CLUSTER_ID": "tongli"
      },
      "args": [
        "discovery",
        "--monitoringAddr=:15014",
        "--log_output_level=default:info",
        "--domain=cluster.local",
        "--keepaliveMaxServerConnectionAge=30m"
      ],
      "program": "${workspaceFolder}/pilot/cmd/pilot-discovery/main.go"
    }
  ]
}

3. Create a Kubernetes cluster and make sure its kubeconfig file is at the path the KUBECONFIG variable in the profile points to. Keep in mind that istiod runs with whatever permissions that kubeconfig grants, so use a disposable cluster rather than production credentials.

4. For istiod to start, ROOT_CA_DIR must point to a directory that the debugged process can read and write, because istiod looks there for its CA certificate files. Treat it like any other directory holding private key material (owner-only permissions, never committed to the repository).

5. Create a namespace named istio-system in the cluster (the value of POD_NAMESPACE in the profile); istiod will not start without it.

6. Set a few breakpoints in the code paths your controller exercises, then start debugging by choosing the Controller profile in VS Code. Requests that reach the controller should now stop at one of the breakpoints.


In a multicluster deployment the CA certificates should exist before istiod starts, so that this istiod does not generate its own self-signed CA and secrets (a root that workloads in the other clusters would not trust). The simplest way is to create the CA secret (istio-ca-secret, or cacerts for a plugged-in CA) in istio-system, or whichever namespace istiod runs in, before starting the debug session.
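Steps 3 to 5 and the multicluster note above can be turned into a preflight check. The following is an added example, not code from the original post or from the Istio project: it reads the same environment variables the launch profile sets (KUBECONFIG, POD_NAMESPACE, ROOT_CA_DIR), refuses to continue if the CA directory is readable by anyone but the owner, and prints the Namespace plus, when the directory holds a complete plugged-in CA, the cacerts Secret (the four PEM keys Istio documents for a plugged-in CA; the post's istio-ca-secret is the secret istiod creates for its self-signed CA) as YAML for kubectl apply -f -. The ROOT_CA_DIR default, the file name and the PEM sanity check are assumptions of this example.

```go
// Preflight for running istiod (pilot-discovery) under the VS Code debugger from
// outside the cluster. Added example; not code from the original post or from the
// Istio project. It reads the same environment the launch profile sets (KUBECONFIG,
// POD_NAMESPACE, ROOT_CA_DIR), refuses to continue if the CA key directory is
// readable by anyone but the owner, and prints the Namespace plus the plugged-in
// CA Secret ("cacerts", with the four PEM keys Istio documents) as YAML for
// "kubectl apply -f -". Defaults and the PEM check are this example's assumptions.
package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// caFiles are the keys istiod reads from a plugged-in CA secret.
var caFiles = []string{"ca-cert.pem", "ca-key.pem", "root-cert.pem", "cert-chain.pem"}

// CheckCADir fails unless dir is a directory with no group/other permission bits:
// istiod reads (or, for a self-signed CA, writes) private key material there.
func CheckCADir(dir string) error {
	st, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !st.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	if perm := st.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s is mode %04o; expected 0700 for CA key material", dir, perm)
	}
	return nil
}

// RenderManifests returns YAML for the istio namespace and, when caDir holds a
// complete plugged-in CA, the cacerts Secret. A partial CA is an error; no CA at all
// is allowed but flagged, because istiod will then mint its own self-signed root,
// which workloads in other clusters will not trust.
func RenderManifests(ns, caDir string) (string, error) {
	if err := CheckCADir(caDir); err != nil {
		return "", err
	}
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: v1\nkind: Namespace\nmetadata:\n  name: %s\n", ns)

	present := 0
	for _, f := range caFiles {
		if _, err := os.Stat(filepath.Join(caDir, f)); err == nil {
			present++
		}
	}
	switch {
	case present == 0:
		fmt.Fprintf(&b, "# no plugged-in CA in %s: istiod will generate a self-signed root on start\n", caDir)
		return b.String(), nil
	case present != len(caFiles):
		return "", fmt.Errorf("plugged-in CA in %s is incomplete: need all of %s", caDir, strings.Join(caFiles, ", "))
	}

	fmt.Fprintf(&b, "---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: cacerts\n  namespace: %s\ntype: Opaque\ndata:\n", ns)
	for _, f := range caFiles {
		raw, err := os.ReadFile(filepath.Join(caDir, f))
		if err != nil {
			return "", err
		}
		// Cheap sanity check so a stray file is not silently base64-encoded into a Secret.
		if !strings.HasPrefix(strings.TrimSpace(string(raw)), "-----BEGIN ") {
			return "", fmt.Errorf("%s does not look like PEM", f)
		}
		fmt.Fprintf(&b, "  %s: %s\n", f, base64.StdEncoding.EncodeToString(raw))
	}
	return b.String(), nil
}

func envOr(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

func main() {
	kubeconfig := envOr("KUBECONFIG", filepath.Join(os.Getenv("HOME"), ".kube", "config"))
	if _, err := os.Stat(kubeconfig); err != nil {
		fmt.Fprintln(os.Stderr, "kubeconfig not readable:", err)
		os.Exit(1)
	}
	out, err := RenderManifests(envOr("POD_NAMESPACE", "istio-system"), envOr("ROOT_CA_DIR", "/tmp/work"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "preflight failed:", err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Run it before starting the Controller profile, for example with go run ./preflight.go | kubectl apply -f - (the file name is assumed). If it prints the self-signed comment in a multicluster setup, stop and put the shared CA files into ROOT_CA_DIR first; istiod started without them will create a root of its own.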

Tuesday, May 17, 2022

Istio virtual service and destination rules

The Istio ingress gateway is a load balancer that admits HTTP(S) traffic into your cluster. It sits at the edge of the service mesh, listens for external connections, and lets that traffic into the mesh.

A Gateway resource holds details such as:

i) the hostnames that will be routed to services;

ii) the certificates to serve for those hostnames;

iii) port details.

Traffic from the external load balancer lands on the ingress gateway pod, which is an Envoy proxy configured by the Gateway resource (yes, you are reading that correctly: the same Envoy that runs as a sidecar also runs as the gateway). From there the request is routed to the destination service according to the VirtualService routing configuration bound to that gateway.

A VirtualService configures how traffic flows to a service by defining a set of routing rules for Envoy inside the mesh. Each rule states the match criteria (host, path, headers and so on) a request must satisfy before the rule's route is applied. One VirtualService can therefore route to several Kubernetes services, or to several versions of one, depending on those criteria.

DestinationRules come into play after routing has selected a destination: they define what happens to traffic bound for that service, including the named subsets (say v1 and v2, selected by pod labels) that a VirtualService can route to, and the load balancing, connection pool, circuit breaker (outlier detection) and TLS settings for those calls. This is where a canary lands: when introducing a new version of a service or a patch fix in production, you define the old and new versions as subsets and have the VirtualService move a controlled percentage of user traffic to the new one while the old one is phased out.

ServiceEntry: to call services outside the service mesh, you create a ServiceEntry for each externally running component or downstream dependency. That adds the host to Istio's service registry, so sidecars can route to it and routing rules and policies can be applied to that traffic as well.
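Here is how the four resources fit together, as an added example that is not part of the original post: a hypothetical reviews service with subsets v1 and v2 behind an HTTPS gateway, a 90/10 canary split with a header-based override for testers, and a ServiceEntry for one external dependency. All names, hostnames, labels and the TLS secret name are assumptions.

```yaml
# Ingress: terminate TLS for one hostname on the istio-ingressgateway pods.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: reviews-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - reviews.example.com
    tls:
      mode: SIMPLE
      credentialName: reviews-example-com-tls   # kubernetes.io/tls Secret in istio-system (assumed name)
---
# Routing: who goes to which subset. Applies both at the gateway and mesh-internally.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews.example.com
  - reviews
  gateways:
  - reviews-gateway
  - mesh
  http:
  - match:                      # testers can force the canary with a header
    - headers:
        x-canary:
          exact: "true"
    route:
    - destination:
        host: reviews
        subset: v2
  - route:                      # everyone else: 90/10 canary split
    - destination:
        host: reviews
        subset: v1
      weight: 90
    - destination:
        host: reviews
        subset: v2
      weight: 10
---
# Policy after routing: subsets, mTLS to the destination, pool limits, circuit breaking.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: default
spec:
  host: reviews
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    loadBalancer:
      simple: ROUND_ROBIN
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
      maxEjectionPercent: 50
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
# Egress: make one external host known to the mesh so sidecars can route to it.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: payments-api
  namespace: default
spec:
  hosts:
  - api.payments.example.net
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: HTTPS
```

Two practical points. credentialName refers to a kubernetes.io/tls Secret in the ingress gateway's namespace (istio-system by default), so the private key is never mounted into application pods; apply the DestinationRule before the VirtualService that references its subsets, otherwise Envoy has no cluster for the subset and answers 503 until the rule propagates. The ServiceEntry doubles as the egress allowlist: with meshConfig.outboundTrafficPolicy.mode set to REGISTRY_ONLY, sidecars refuse connections to any host that has no ServiceEntry.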

 

Istio proxy runs as init container vs sidecar


Istio proxy parameters for running the proxy as the sidecar container (the args of the istio-proxy container):

- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=default:info
- --concurrency
- "2"

Other differences (the sidecar's securityContext): it runs as the unprivileged user 1337 with every capability dropped and a read-only root filesystem. The UID is not arbitrary: it is the UID the init container's -u flag exempts from redirection, so Envoy's own upstream connections are not captured a second time.

allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337

Istio proxy parameters for running the proxy as the init container (istio-init), which programs the pod's iptables rules: outbound traffic is redirected to port 15001 and inbound traffic to port 15006 (-p, -z), connections from UID 1337 are left alone (-u), all destination ranges (-i '*') and all inbound ports (-b '*') are captured, nothing is excluded by destination (-x ""), and inbound ports 15090, 15021 and 15020 (the proxy's own Prometheus, health check and merged telemetry ports) are excluded (-d):

- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- 15090,15021,15020

Other differences (the init container's securityContext): it adds NET_ADMIN and NET_RAW so it can program iptables, runs as root with a writable root filesystem, and is therefore the most privileged thing in the pod. That is why the work is confined to a short-lived init container rather than the long-running sidecar. Where even that is unacceptable for application pods, the Istio CNI plugin installs the same redirect rules from a node-level agent instead, so workload pods need no NET_ADMIN at all:

allowPrivilegeEscalation: false
capabilities:
  add:
  - NET_ADMIN
  - NET_RAW
  drop:
  - ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
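The two specs only make sense together: the init container decides what gets redirected into Envoy, and the sidecar's securityContext must match the UID that decision exempts. The following is an added example, not Istio's own code: the policy struct is transcribed by hand from the istio-iptables argument list above, and the decision functions answer "redirected to Envoy or not" for an outbound connection (by the caller's UID and destination) and an inbound one (by port), with a check that the sidecar's runAsUser agrees with -u. It is simplified on purpose: the loopback, GID and IPv6 rules the real istio-iptables also installs are not modelled, and the sample UIDs, ports and addresses are constructed.

```go
// Model of the capture decisions implied by the istio-iptables flags above, plus a check
// that the sidecar securityContext agrees with "-u". Added example, not Istio's own code.
// Simplified on purpose: loopback, GID and IPv6 rules are not modelled.
package main

import (
	"fmt"
	"net/netip"
)

// Capture is the redirect policy the flags express. Exclusions (-u, -x, -d) always win
// over inclusions (-i, -b).
type Capture struct {
	OutboundPort uint16         // -p: Envoy's outbound listener
	InboundPort  uint16         // -z: Envoy's inbound listener
	ProxyUID     uint32         // -u: connections from this UID are never redirected
	OutboundAll  bool           // -i '*': every destination, unless excluded
	Outbound     []netip.Prefix // -i CIDRs when not '*'
	Excluded     []netip.Prefix // -x: destinations never redirected ("" on this page)
	InboundAll   bool           // -b '*': every port, unless skipped
	Inbound      []uint16       // -b ports when not '*'
	InboundSkip  []uint16       // -d: ports never redirected
}

// IstioInitPolicy is the page's "istio-iptables -p 15001 -z 15006 -u 1337 -m REDIRECT
// -i '*' -x "" -b '*' -d 15090,15021,15020" written out as a policy.
var IstioInitPolicy = Capture{
	OutboundPort: 15001,
	InboundPort:  15006,
	ProxyUID:     1337,
	OutboundAll:  true,
	InboundAll:   true,
	InboundSkip:  []uint16{15090, 15021, 15020}, // Envoy's own metrics and health ports
}

func inRanges(a netip.Addr, ps []netip.Prefix) bool {
	for _, p := range ps {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

func hasPort(port uint16, ps []uint16) bool {
	for _, p := range ps {
		if p == port {
			return true
		}
	}
	return false
}

// OutboundCaptured reports whether a connection opened by uid to dst is redirected to
// Envoy's outbound listener, and to which port.
func (c Capture) OutboundCaptured(uid uint32, dst string) (uint16, bool, error) {
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return 0, false, err
	}
	// Envoy's own upstream connections must not loop back into Envoy; that is what
	// "-u 1337" exempts, and why the sidecar has to run as exactly that UID.
	if uid == c.ProxyUID || inRanges(addr, c.Excluded) {
		return 0, false, nil
	}
	if c.OutboundAll || inRanges(addr, c.Outbound) {
		return c.OutboundPort, true, nil
	}
	return 0, false, nil
}

// InboundCaptured reports whether traffic arriving on port is redirected to Envoy's
// inbound listener.
func (c Capture) InboundCaptured(port uint16) (uint16, bool) {
	if !hasPort(port, c.InboundSkip) && (c.InboundAll || hasPort(port, c.Inbound)) {
		return c.InboundPort, true
	}
	return 0, false
}

// CheckSidecarUID ties the two containers together: the sidecar must run as exactly the
// exempted non-root UID. Anything else in the pod that runs as that UID bypasses the
// mesh the same way, so the UID should be reserved for the proxy.
func (c Capture) CheckSidecarUID(runAsUser int64, runAsNonRoot bool) error {
	if !runAsNonRoot || runAsUser <= 0 {
		return fmt.Errorf("sidecar must run as a non-root user")
	}
	if uint32(runAsUser) != c.ProxyUID {
		return fmt.Errorf("sidecar runAsUser %d does not match iptables -u %d", runAsUser, c.ProxyUID)
	}
	return nil
}
```

Reading the model against the page's values: an application process (any UID other than 1337) connecting to a cluster IP is sent to 15001, the proxy's own connections are not, inbound 8080 goes to 15006, and inbound 15090/15021/15020 reach the pod directly. CheckSidecarUID(1337, true) passes for the sidecar spec above, while a sidecar running as root or as any other UID is rejected.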