In my first two blog posts:
- Detailed explanation of sidecar injection, transparent traffic hijacking and traffic routing in Istio
- Detailed explanation of traffic types and iptables rules in sidecar
I gave a detailed introduction to traffic in the Istio data plane, but the data plane does not exist in isolation. This article walks through the ports and functions of each component in the Istio control plane and data plane, to help you understand how these traffic flows relate to each other and how to troubleshoot them.
Schematic diagram of components and ports in Istio
As is customary, we first show a global schematic. The following diagram shows the composition of the sidecar in the Istio data plane, and the objects that interact with it.
We can use the nsenter command to enter the network namespace of the productpage Pod in the example application and view the ports it is listening on.
From the figure we can see that, in addition to port 9080, on which the productpage application itself listens, the sidecar container also listens on a large number of other ports, such as 15000, 15001, 15004, 15006, 15021, 15090 and so on. See the Istio documentation for the full list of ports used by Istio.
We then enter the productpage Pod and use the lsof -i command to view the ports it has open, as shown in the following figure.
We can see that pilot-agent has established a TCP connection with istiod, the listening ports mentioned above, and the TCP connections established inside the Pod. These connections correspond to the schematic diagram at the beginning of the article.
The root process of the sidecar container (istio-proxy) is pilot-agent, and its startup command is shown in the following figure:
We can see from the figure that the PID of the pilot-agent process is 1, and that it started the envoy process.
Viewing the ports open in istiod's Pod, as shown in the image below, we can see the listening ports along with the inter-process and remote communication connections.
Functional overview of each port in Istio
These ports can play a pivotal role in your troubleshooting. The following will be described according to the components and functions where the ports are located.
Ports in Istiod
There are relatively few ports in Istiod, each with a single purpose:
- 9876: ControlZ UI, exposing istiod process information
- 8080: istiod debug port, through which the configuration and status information of the mesh can be queried
- 15010: Exposes the xDS API and issues certificates, in plaintext
- 15012: Same function as port 15010, but over TLS
- 15014: Exposes control plane metrics to Prometheus
- 15017: Sidecar injection and configuration validation port
Ports in Sidecar
From the above we see that there are many ports in the sidecar:
- 15000: Envoy admin interface; you can use it to query and modify the configuration of the Envoy proxy. Refer to the Envoy documentation for details.
- 15001: Used to handle outbound traffic.
- 15004: Debug port, explained below.
- 15006: Used to handle inbound traffic.
- 15020: Aggregates statistics, performs health checks on Envoy and the DNS proxy, and debugs the pilot-agent process; explained in detail below.
- 15021: Used for sidecar health checks to determine whether injected Pods are ready to receive traffic. We set up a readiness probe on the /healthz/ready path of this port, and Istio hands readiness detection of the sidecar over to kubelet, making the most of the Kubernetes platform's own capabilities. The envoy process routes the health check to port 15020 of the pilot-agent process, where the actual check takes place.
- 15053: Local DNS proxy, used to resolve cluster-internal domain names that Kubernetes DNS cannot resolve.
- 15090: Envoy Prometheus query port, through which pilot-agent collects statistics.
The above ports can be divided into the following categories:
- Responsible for inter-process communication, such as 15001, 15006, 15053
- Responsible for health checks and statistics, such as 15021, 15090
- Debugging: 15000, 15004
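As an added example (not code from the original article), the port table above turned into a check: it parses `ss -Hlntp` output captured with nsenter inside a Pod and reports documented sidecar ports that are missing, listeners that belong to neither the sidecar nor the application, and debug ports (15000, 15004) that are not bound to loopback. The sample ss output is constructed, and the loopback expectation for the two debug ports is an assumption about a default install, not a statement from the article.

```python
import re

# Listeners the article documents in an injected Pod: port -> (owning process, purpose)
SIDECAR_PORTS = {
    15000: ("envoy", "Envoy admin interface (debug)"),
    15001: ("envoy", "outbound traffic"),
    15004: ("pilot-agent", "istiod debug proxy (debug)"),
    15006: ("envoy", "inbound traffic"),
    15020: ("pilot-agent", "merged stats, health checks, pprof"),
    15021: ("envoy", "readiness probe on /healthz/ready"),
    15053: ("pilot-agent", "local DNS proxy, only when enabled"),
    15090: ("envoy", "Prometheus metrics collected by pilot-agent"),
}
OPTIONAL_PORTS = {15053}        # absent unless the DNS proxy is turned on
LOOPBACK_ONLY = {15000, 15004}  # assumption: debug ports bind 127.0.0.1 / [::1] only

# One `ss -Hlntp` line: LISTEN recvq sendq local peer users:(("proc",pid=..,fd=..))
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def audit_sidecar(ss_output, app_ports):
    """Return non-empty findings from ss output captured inside a Pod; {} means healthy."""
    findings = {"missing": [], "unexpected": [], "exposed_debug": []}
    seen = {}  # port -> (local address, process name)
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            seen[int(m.group(2))] = (m.group(1), m.group(3))
    for port in SIDECAR_PORTS:
        if port not in seen:
            if port not in OPTIONAL_PORTS:
                findings["missing"].append(port)
        elif port in LOOPBACK_ONLY and not seen[port][0].startswith(("127.", "[::1]")):
            findings["exposed_debug"].append((port, seen[port][0]))  # reachable from outside the Pod
    for port in seen:
        if port not in SIDECAR_PORTS and port not in app_ports:
            findings["unexpected"].append(port)  # neither a sidecar port nor a declared app port
    return {k: sorted(v) for k, v in findings.items() if v}

# Constructed sample of `ss -Hlntp` run via nsenter in the productpage Pod's network namespace
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:15001 0.0.0.0:* users:(("envoy",pid=15,fd=22))
LISTEN 0 4096 0.0.0.0:15006 0.0.0.0:* users:(("envoy",pid=15,fd=23))
LISTEN 0 4096 0.0.0.0:15021 0.0.0.0:* users:(("envoy",pid=15,fd=24))
LISTEN 0 4096 0.0.0.0:15090 0.0.0.0:* users:(("envoy",pid=15,fd=25))
LISTEN 0 4096 0.0.0.0:15000 0.0.0.0:* users:(("envoy",pid=15,fd=21))
LISTEN 0 4096 127.0.0.1:15004 0.0.0.0:* users:(("pilot-agent",pid=1,fd=9))
LISTEN 0 4096 *:15020 *:* users:(("pilot-agent",pid=1,fd=10))
LISTEN 0 4096 *:9080 *:* users:(("python",pid=7,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=40,fd=3))
"""
```

Running `audit_sidecar(SAMPLE_SS, {9080})` on the constructed sample flags the admin port bound to 0.0.0.0 and the stray port 22 listener, while the absent DNS proxy port is tolerated because it is optional.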
A few key ports will be explained in detail below.
Port 15000
Port 15000 is Envoy's admin interface, which allows us to view and query Envoy's metrics and configuration, and to modify Envoy.
The admin interface consists of a REST API with multiple endpoints and a simple user interface. You can use the following command to open the Envoy admin interface view for the productpage Pod.
kubectl -n default port-forward deploy/productpage-v1 15000
Visit http://localhost:15000 in your browser and you will see the Envoy admin interface as shown below.
Port 15004
pilot-agent proxies the debug endpoint on port 8080 of istiod, so you can enter a data plane Pod and access port 15004 on localhost to query mesh information; the effect is equivalent to istiod's port 8080, described below.
Port 8080
You can also forward istiod's port 8080 locally by running the command below.
kubectl -n istio-system port-forward deploy/istiod 8080
Visit http://localhost:8080/debug in your browser and you will see the debug endpoints as shown in the image below.
Of course, this is just one way to get mesh information and debug the mesh; you can also use the istioctl command or Kiali, which is more efficient and intuitive.
Port 15020
Port 15020 has three functions:
- Aggregate statistics: queries port 15090 to obtain envoy metrics, and can also be configured to query application metrics, aggregating the envoy, application and its own metrics for Prometheus to collect. The corresponding endpoint is /stats/prometheus.
- Health checks for Envoy and the DNS proxy: the corresponding endpoints are /healthz/ready and /app-health.
- Debugging the pilot-agent process: the corresponding endpoints are /quitquitquit, /debug/ndsz and /debug/pprof.
The following figure shows the debugging information seen by opening http://localhost:15020/debug/pprof in the browser after setting up local port forwarding.
The information in the figure shows the stack information of pilot-agent.
Summary
With an understanding of each component's ports in Istio, you should have a better grasp of the relationships between Istio's components and their internal traffic flows. Familiarity with the functions of these ports will help you troubleshoot the mesh.
This article is reprinted from https://jimmysong.io/blog/istio-components-and-ports/