A One-Article Guide to Metadata: Making Clever Use of Dynamic Metadata

2024-12-02 10:53


2 What metadata is used for

Sources of tracing CustomTag values, route metadata matching, load-balancing subset decisions, ratelimit action configuration, metadata-based access control, metadata filtering for local-response mappers, and more.

3 Where metadata comes from

3.1 envoy.filters.http.ext_authz

With a gRPC authorization server, dynamic metadata is produced when the CheckResponse carries the dynamic_metadata field.

With an HTTP authorization server, metadata is produced when a response header from the authorization server matches a value configured in dynamic_metadata_from_headers. The dynamic-metadata key is the matched header name and its value is that header's value.

3.2 envoy.filters.network.ext_authz

With a gRPC authorization server, dynamic metadata is produced when the CheckResponse carries the dynamic_metadata field.

3.3 envoy.filters.http.header_to_metadata

Configure a set of rules; each rule names a header or cookie and fires when that header is present or when it is missing, setting dynamic metadata accordingly.

For example:

```yaml
http_filters:
  - name: envoy.filters.http.header_to_metadata
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
      request_rules:
        - header: x-version
          on_header_present:
            metadata_namespace: envoy.lb
            key: version
            type: STRING
          on_header_missing:
            metadata_namespace: envoy.lb
            key: default
            value: 'true'
            type: STRING
          remove: false
```

The rule above says: when the x-version header is present, set the metadata key `version` in the `envoy.lb` namespace to the header's value; when x-version is absent, set the key `default` in the `envoy.lb` namespace to the value `true`.

3.4 envoy.filters.http.jwt_authn

payload_in_metadata can be configured: after successful verification the JWT payload is written to metadata in the envoy.filters.http.jwt_authn namespace, for example:

```yaml
envoy.filters.http.jwt_authn:
  my_payload:
    iss: https://example.com
    sub: test@example.com
    aud: https://example.com
    exp: 1501281058
```

header_in_metadata can be configured: after successful verification the JWT header is written to metadata in the envoy.filters.http.jwt_authn namespace, for example:

```yaml
envoy.filters.http.jwt_authn:
  my_header:
    typ: JWT
    kid: EF71iSaosbC5C4tC6Syq1Gm647M
    alg: PS256
```

3.5 envoy.filters.network.mongo_proxy

When emit_dynamic_metadata is true, metadata is produced in the following format:

| Name | Type | Description |
|---|---|---|
| key | string | The resource name in db.collection format. |
| value | array | A list of strings representing the operations executed on the resource (insert/update/query/delete). |

3.6 envoy.filters.network.mysql_proxy

After the SQL sent to the server has been parsed, dynamic metadata is produced in the following format:

| Name | Type | Description |
|---|---|---|
| `<table.db>` | string | The resource name in table.db format. The resource name defaults to the table being accessed if the database cannot be inferred. |
| [] | list | A list of strings representing the operations executed on the resource. Operations can be one of insert/update/select/drop/delete/create/alter/show. |

3.7 envoy.filters.network.postgres_proxy

After a statement has been parsed, dynamic metadata is produced in the following format:

| Name | Type | Description |
|---|---|---|
| `<table.db>` | string | The resource name in table.db format. |
| [] | list | A list of strings representing the operations executed on the resource. Operations can be one of insert/update/select/drop/delete/create/alter/show. |

3.8 envoy.filters.http.rbac

The following metadata is produced:

| Name | Type | Description |
|---|---|---|
| shadow_effective_policy_id | string | The effective shadow policy ID matching the action (if any). |
| shadow_engine_result | string | The engine result for the shadow rules (i.e. either allowed or denied). |
| access_log_hint | boolean | Whether the request should be logged. This metadata is shared and set under the key namespace 'envoy.common' (see Shared Dynamic Metadata). |

3.9 envoy.filters.network.rbac

The following metadata is produced:

| Name | Type | Description |
|---|---|---|
| shadow_effective_policy_id | string | The effective shadow policy ID matching the action (if any). |
| shadow_engine_result | string | The engine result for the shadow rules (i.e. either allowed or denied). |
| access_log_hint | boolean | Whether the request should be logged. This metadata is shared and set under the key namespace 'envoy.common' (see Shared Dynamic Metadata). |

3.10 envoy.filters.network.zookeeper_proxy

After each message is parsed, the following metadata is produced:

| Type | Description |
|---|---|
| string | The path associated with the request, response or event |
| string | The opname for the request, response or event |
| string | The string representation of the flags applied to the znode |
| string | The size of the request message in bytes |
| string | True if a watch is being set, false otherwise |
| string | The version parameter, if any, given with the request |
| string | The timeout parameter in a connect response |
| string | The protocol version in a connect response |
| string | The readonly flag in a connect response |
| string | The zxid field in a response header |
| string | The error field in a response header |
| string | The state field in a watch event |
| string | The event type in a watch event |

3.11 envoy.filters.http.ratelimit

Metadata is produced when the ratelimit service returns a RateLimitResponse carrying dynamic_metadata.

4 How to use metadata

4.1 type.tracing.v3.CustomTag

```
"tag": "...",
"literal": "{...}",
"environment": "{...}",
"request_header": "{...}",
"metadata": "{...}"
```

metadata: a custom tag whose value is read from metadata.

Example:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          route_config:
            name: test
            virtual_hosts:
            - name: test
              domains:
              - "*"
              routes:
              - name: testroute
                match:
                  prefix: /
                direct_response:
                  status: 200
                  body:
                    inline_string: "prefix"
                tracing:
                  customTags:
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_allow_shadow_effective_policy_id
                    tag: istio.authorization.dry_run.allow_policy.name
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_allow_shadow_engine_result
                    tag: istio.authorization.dry_run.allow_policy.result
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_deny_shadow_effective_policy_id
                    tag: istio.authorization.dry_run.deny_policy.name
                  - metadata:
                      kind:
                        request: {}
                      metadataKey:
                        key: envoy.filters.http.rbac
                        path:
                        - key: istio_dry_run_deny_shadow_engine_result
                    tag: istio.authorization.dry_run.deny_policy.result
                  - literal:
                      value: latest
                    tag: istio.canonical_revision
                  - literal:
                      value: istio-ingressgateway
                    tag: istio.canonical_service
                  - literal:
                      value: mesh1
                    tag: istio.mesh_id
                  - literal:
                      value: istio-system
                    tag: istio.namespace
                  overallSampling:
                    numerator: 100
                    denominator: HUNDRED
                  randomSampling:
                    numerator: 1
                    denominator: HUNDRED
                  clientSampling:
                    numerator: 100
                    denominator: HUNDRED
```

4.2 Setting metadata on a route

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          route_config:
            name: test
            virtual_hosts:
            - name: test
              domains:
              - "*"
              routes:
              - name: testroute
                match:
                  prefix: /
                metadata:
                  filter_metadata:
                    "envoy.lb":
                      canary: true
                direct_response:
                  status: 200
                  body:
                    inline_string: "prefix"
```

4.3 local_reply_config

```
"mappers": [],
"body_format": "{...}"
```

mappers:

```
"filter": "{...}",
"status_code": "{...}",
"body": "{...}",
"body_format_override": "{...}",
"headers_to_add": []
```

filter:

```
"status_code_filter": "{...}",
"duration_filter": "{...}",
"not_health_check_filter": "{...}",
"traceable_filter": "{...}",
"runtime_filter": "{...}",
"and_filter": "{...}",
"or_filter": "{...}",
"header_filter": "{...}",
"response_flag_filter": "{...}",
"grpc_status_filter": "{...}",
"extension_filter": "{...}",
"metadata_filter": "{...}"
```

metadata_filter:

```
"matcher": "{...}",                 // match condition
"match_if_key_not_found": "{...}"   // whether to match when the key is absent
```

matcher:

```
"filter": "...",    // filter (namespace) name
"path": [],         // path into the metadata
"value": "{...}",   // value to match
"invert": "..."     // invert the match
```

value:

```
"null_match": "{...}",     // match null
"double_match": "{...}",   // match a double
"string_match": "{...}",   // match a string
"bool_match": "...",       // match a bool
"present_match": "...",    // match on presence
"list_match": "{...}"      // match a list
```

string_match:

```
"exact": "...",
"prefix": "...",
"suffix": "...",
"safe_regex": "{...}",
"contains": "...",
"ignore_case": "..."
```

body_format:

```
"text_format": "...",
"json_format": "{...}",
"text_format_source": "{...}",
"omit_empty_values": "...",
"content_type": "...",
"formatters": []
```

ef-local_reply_config.yaml:

```
kubectl apply -f ef-local_reply_config.yaml -n istio-system
```

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          route_config:
            name: test
            virtual_hosts:
            - name: test
              domains:
              - "*"
              routes:
              - name: testroute
                match:
                  prefix: /product
                route:
                  weighted_clusters:
                    clusters:
                    - name: outbound|9080||productpage.istio.svc.cluster.local
                      weight: 100
                    total_weight: 100
                    runtime_key_prefix: test
          local_reply_config:
            mappers:
            - status_code: 200
              filter:
                metadata_filter:
                  matcher:
                    filter: envoy.lb
                    path:
                    - key: canary
                    value:
                      string_match:
                        exact: "true"
                    invert: false
                  match_if_key_not_found: true
              body:
                inline_string: "test"
              body_format_override:
                text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"
              headers_to_add:
              - header:
                  key: test
                  value: test
                append: true
            body_format:
              text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"
```

4.4 envoy.filters.http.set_metadata

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: set
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 9080
        filterChain:
          destinationPort: 9080
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.set_metadata
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.http.set_metadata.v3.Config
          metadata_namespace: envoy.lb
          value:
            canary: "true"
```

4.5 route match

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          route_config:
            name: test
            virtual_hosts:
            - name: test
              domains:
              - "*"
              routes:
              - name: testroute
                match:
                  path: /tEst
                  case_sensitive: false
                  # dynamic_metadata is a repeated MetadataMatcher, so a list entry,
                  # and its value is a ValueMatcher rather than a bare string
                  dynamic_metadata:
                  - filter: envoy.lb
                    path:
                    - key: canary
                    value:
                      string_match:
                        exact: "true"
                    invert: false
                direct_response:
                  status: 200
                  body:
                    inline_string: "runtime_fraction"
```

4.6 Metadata-based access control

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: apply-to
spec:
  workloadSelector:
    labels:
      app: mysqldb
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        portNumber: 3306
        filterChain:
          filter:
            name: "envoy.filters.network.tcp_proxy"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.mysql_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.mysql_proxy.v3.MySQLProxy
          stat_prefix: mysql
  - applyTo: NETWORK_FILTER
    match:
      listener:
        portNumber: 3306
        filterChain:
          filter:
            name: "envoy.filters.network.tcp_proxy"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          stat_prefix: rbac
          rules:
            action: DENY
            policies:
              "product-viewer":
                permissions:
                - metadata:
                    filter: envoy.filters.network.mysql_proxy
                    path:
                    - key: t1.test
                    value:
                      list_match:
                        one_of:
                          string_match:
                            prefix: update
                principals:
                - any: true
          enforcement_type: CONTINUOUS
```
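The MetadataMatcher semantics behind the metadata_filter in 4.3, the route match in 4.5 and the RBAC permission above, modelled in Python as an added example (this is not Envoy's code; the metadata documents and matcher dicts are constructed to mirror the page's configs, and double_match is left out):

```python
"""Model of Envoy's MetadataMatcher (filter / path / value / invert) and of the
local_reply_config metadata_filter that wraps it with match_if_key_not_found.
Added example, not Envoy code; the metadata documents below are constructed."""
import re

MISSING = object()  # sentinel: the path does not resolve in the metadata

def lookup(metadata, filter_name, path):
    """Walk metadata[filter_name] along path, a list of {"key": ...} segments."""
    node = metadata.get(filter_name, MISSING)
    for seg in path:
        if not isinstance(node, dict) or seg["key"] not in node:
            return MISSING
        node = node[seg["key"]]
    return node

def string_match(m, s):
    """StringMatcher: exact / prefix / suffix / contains / safe_regex (full match).
    ignore_case applies to everything except safe_regex, as in Envoy."""
    if not isinstance(s, str):
        return False  # a bool or number never satisfies a string matcher
    if "safe_regex" in m:
        return re.fullmatch(m["safe_regex"]["regex"], s) is not None
    if m.get("ignore_case"):
        s, m = s.lower(), {k: v.lower() if isinstance(v, str) else v for k, v in m.items()}
    if "exact" in m:
        return s == m["exact"]
    if "prefix" in m:
        return s.startswith(m["prefix"])
    if "suffix" in m:
        return s.endswith(m["suffix"])
    return "contains" in m and m["contains"] in s

def value_match(vm, v):
    """ValueMatcher over a resolved metadata value (Struct-typed, hence JSON-like)."""
    if "null_match" in vm:
        return v is None
    if "string_match" in vm:
        return string_match(vm["string_match"], v)
    if "bool_match" in vm:
        return isinstance(v, bool) and v == vm["bool_match"]
    if "present_match" in vm:  # only a primitive value counts as present
        return bool(vm["present_match"]) and not isinstance(v, (dict, list))
    if "list_match" in vm:  # one_of: some element satisfies the inner matcher
        return isinstance(v, list) and any(value_match(vm["list_match"]["one_of"], x) for x in v)
    return False

def metadata_matcher(mm, metadata):
    """An unresolvable path is a non-match; invert flips whatever the result is."""
    v = lookup(metadata, mm["filter"], mm.get("path", []))
    matched = v is not MISSING and value_match(mm["value"], v)
    return matched != bool(mm.get("invert", False))

def metadata_filter(mf, metadata):
    """When the key is absent, match_if_key_not_found (default true) decides."""
    mm = mf["matcher"]
    if lookup(metadata, mm["filter"], mm.get("path", [])) is MISSING:
        return bool(mf.get("match_if_key_not_found", True))
    return metadata_matcher(mm, metadata)

# Constructed metadata in the shape Envoy exposes it: namespace -> Struct.
CANARY_STR = {"envoy.lb": {"canary": "true"}}  # what the set_metadata filter in 4.4 writes
CANARY_BOOL = {"envoy.lb": {"canary": True}}   # what the route metadata in 4.2 holds
NO_LB = {"envoy.filters.http.jwt_authn": {"my_payload": {"sub": "test@example.com"}}}
MYSQL = {"envoy.filters.network.mysql_proxy": {"t1.test": ["select", "update"]}}

# 4.3 / 4.5: the canary matcher, and the local_reply metadata_filter wrapping it.
CANARY_MATCHER = {"filter": "envoy.lb", "path": [{"key": "canary"}],
                  "value": {"string_match": {"exact": "true"}}, "invert": False}
CANARY_FILTER = {"matcher": CANARY_MATCHER, "match_if_key_not_found": True}
# 4.6: the RBAC DENY permission (some operation on t1.test starts with "update").
DENY_UPDATE = {"filter": "envoy.filters.network.mysql_proxy", "path": [{"key": "t1.test"}],
               "value": {"list_match": {"one_of": {"string_match": {"prefix": "update"}}}}}
```

Two things the configs above hide: set_metadata in 4.4 writes canary as the string "true" while the route metadata in 4.2 stores a boolean, so a string_match on one never matches the other; and with match_if_key_not_found: true the local-reply mapper also fires for requests that carry no canary key at all.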

4.7 Load-balancing decisions

Skipped for now; revisit when clusters are covered.

4.8 header-To-Metadata Filter

```
"request_rules": [],
"response_rules": []
```

request_rules:

```
"header": "...",
"cookie": "...",
"on_header_present": "{...}",
"on_header_missing": "{...}",
"remove": "..."
```

response_rules:

```
"header": "...",
"cookie": "...",
"on_header_present": "{...}",
"on_header_missing": "{...}",
"remove": "..."
```

on_header_present, on_header_missing:

```
"metadata_namespace": "...",
"key": "...",
"value": "...",
"regex_value_rewrite": "{...}",
"type": "...",
"encode": "..."
```

Example:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: set
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 9080
        filterChain:
          destinationPort: 9080
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.header_to_metadata
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config
          request_rules:
          - header: x-version
            on_header_present:
              metadata_namespace: envoy.lb
              key: version
              type: STRING
            on_header_missing:
              metadata_namespace: envoy.lb
              key: default
              value: 'true'
              type: STRING
            remove: false
          response_rules:
          - header: x-version
            on_header_present:
              metadata_namespace: envoy.lb
              key: version
              type: STRING
            on_header_missing:
              metadata_namespace: envoy.lb
              key: default
              value: 'true'
              type: STRING
            remove: false
```
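The request_rules evaluation described in 3.3 and 4.8, modelled in Python as an added example (not Envoy's code; the x-version rule is the page's, while the second rule, the sample headers and the filter-namespace default are constructed or assumed from the filter's documented behaviour):

```python
"""Model of header_to_metadata request_rules: per rule, on_header_present or
on_header_missing writes one entry into a metadata namespace; `type` converts
the value, `regex_value_rewrite` transforms it and `remove` strips the header.
Added example, not Envoy code; the rules and headers below are constructed."""
import json
import re

DEFAULT_NAMESPACE = "envoy.filters.http.header_to_metadata"  # used when metadata_namespace is empty


def convert(value, typ):
    """Apply the rule's `type`: STRING (default), NUMBER or PROTOBUF_VALUE (JSON).
    A value that fails conversion is dropped, modelled here as None."""
    try:
        if typ == "NUMBER":
            return float(value)
        if typ == "PROTOBUF_VALUE":
            return json.loads(value)
        return value
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return None


def apply_rules(rules, headers):
    """Evaluate request_rules against request headers (names are case-insensitive).
    Returns (dynamic metadata as {namespace: {key: value}}, headers left after removal)."""
    remaining = {k.lower(): v for k, v in headers.items()}
    metadata = {}
    for rule in rules:
        name = rule["header"].lower()
        present = name in remaining
        kv = rule.get("on_header_present" if present else "on_header_missing")
        if kv is None:
            continue  # no action configured for this case
        if present:
            raw = remaining[name]
            rewrite = kv.get("regex_value_rewrite")  # only honoured for a present header
            if rewrite:
                raw = re.sub(rewrite["pattern"]["regex"], rewrite["substitution"], raw)
            raw = kv.get("value") or raw  # a non-empty literal value overrides the header
            if rule.get("remove"):
                del remaining[name]  # removed whether or not conversion succeeds
        else:
            raw = kv["value"]  # mandatory on on_header_missing: there is no header value
        converted = convert(raw, kv.get("type", "STRING"))
        if converted is None:
            continue
        namespace = metadata.setdefault(kv.get("metadata_namespace") or DEFAULT_NAMESPACE, {})
        namespace[kv.get("key") or rule["header"]] = converted  # key defaults to the header name
    return metadata, remaining


# The page's x-version rule (3.3 / 4.8) plus a constructed rule that exercises
# NUMBER conversion, regex_value_rewrite and remove.
RULES = [
    {"header": "x-version",
     "on_header_present": {"metadata_namespace": "envoy.lb", "key": "version", "type": "STRING"},
     "on_header_missing": {"metadata_namespace": "envoy.lb", "key": "default",
                           "value": "true", "type": "STRING"},
     "remove": False},
    {"header": "x-priority",  # constructed: "p7" becomes 7.0 and the header is stripped
     "on_header_present": {"metadata_namespace": "envoy.lb", "key": "priority", "type": "NUMBER",
                           "regex_value_rewrite": {"pattern": {"regex": r"^p(\d+)$"},
                                                   "substitution": r"\1"}},
     "remove": True},
]
```

Because request_rules read client-supplied headers, metadata derived this way is under the client's control unless an edge proxy strips or overwrites those headers first; remove: true stops the header from continuing upstream but does not make the value it carried trustworthy.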

4.9 ratelimit actions

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          route_config:
            name: test
            virtual_hosts:
            - name: test
              domains:
              - "*"
              routes:
              - name: testroute
                match:
                  prefix: /product
                route:
                  rate_limits:
                  - stage: 0
                    disable_key: test
                    actions:
                    - metadata:
                        descriptor_key: test
                        default_value: test
                        metadata_key:
                          key: envoy.lb
                          path:
                          - key: canary
                        source: DYNAMIC
                    limit:
                      dynamic_metadata:
                        metadata_key:
                          key: envoy.lb
                          path:
                          - key: canary
                  weighted_clusters:
                    clusters:
                    - name: outbound|9080||productpage.istio.svc.cluster.local
                      weight: 100
                    total_weight: 100
                    runtime_key_prefix: test
```

This article is reposted from the WeChat official account "k8s实战".