kubernetes - 为什么我的服务间流量显示在 Kiali 的直通集群中

Question

我有两个 Istio 集群，它们使用复制的控制平面并运行 Kiali。在每个集群中，我有两个交互的应用程序，但我在 Kiali 仪表板中看不到它们之间的流量。相反，流量显示为通过直通集群。

应用程序使用 kubernetes 服务名称进行交互，并且它们交互正确，只是没有在 Kiali 中正确显示。

关于可能是什么问题的任何想法？或者这是预期的行为(我对 Istio 还是新手)。

Answer 1

据我所知，这是使用直通选项时的预期行为。检查下面的 istiobyexample 链接，它确切地显示了它是如何工作的。

---

When ALLOW_ANY is enabled, Istio uses an Envoy cluster called PassthroughCluster, enforced by sidecar proxy, to monitor the egress traffic.

---

看看 kiali documentation关于那个

为什么我会看到 PassthroughCluster 的流量？

Requests going to PassthroughCluster (or BlackHoleCluster) are requests that did not get routed to a defined service or service entry, and instead end up at one of these built-in Istio request handlers. See Monitoring Blocked and Passthrough External Service Traffic for more information.

Unexpected routing to these nodes does not indicate a Kiali problem, you’re seeing the actual routing being performed by Istio. In general it is due to a misconfiguration and/or missing Istio sidecar. Less often but possible is an actual issue with the mesh, like a sync issue or evicted pod.

Use Kiali’s Workloads list view to ensure sidecars are not missing. Use Kiali’s Istio Config list view to look for any config validation errors.

---

还有一个 example在 istiobyexample.dev .

选项 1 - 直通

To start, let's use an Istio installation with the default ALLOW_ANY option for egress. This means that idgen's requests to httpbin are allowed with no additional configuration. When ALLOW_ANY is enabled, Istio uses an Envoy cluster called PassthroughCluster, enforced by idgen's sidecar proxy, to monitor the egress traffic.

An Envoy cluster is a backend (or “upstream”) set of endpoints, representing an external service. The Istio sidecar Envoy proxy applies filters to intercepted requests from an application container. Based on these filters, Envoy sends traffic to a specific route. And a route specifies a cluster to send traffic to.

The Istio Passthrough cluster is set up so that the backend is the original request destination. So when ALLOW_ANY is enabled for egress traffic, Envoy will simply “pass through” idgen's request to httpbin.

With this configuration, if we send recipe ID requests through the IngressGateway, idgen can successfully call httpbin. This traffic appears as PassthroughCluster traffic in the Kiali service graph - we'll need to add a ServiceEntry in order for httpbin to get its own service-level telemetry. (We'll do this in a moment.)

But if we drill down in Prometheus, and find the istio_total_requests metric, we can see that PassthroughCluster traffic is going to a destinationservice called httpbin.org.

---

希望你觉得这很有用。