Detailed explanation of each component port and function in Istio

In my first two blogs:

I gave you a detailed introduction to the traffic in the Istio data plane, but the data plane does not exist in isolation. This article will show you the ports and functions of each component of the control plane and data plane in Istio to help you understand these traffic. relationship and troubleshooting.

Schematic diagram of components and ports in Istio

As is customary, we first show a global schematic. The following diagram shows the composition of the sidecar in the Istio data plane, and the objects that interact with it.

Istio sidecar composition diagram

We can use the nsenter command to enter the network space of the productpage Pod of the productpage example to view the port information it is listening on.

Port information listening in the Istio sidecar

From the figure, we can see that in addition to port 9080, which is monitored by the productpage application itself, the Sidecar container also listens to a large number of other ports, such as 15000 , 15001 , 15004 , 15006 , 15021 , 15090 , etc. You can learn about Istio on the Istio documentation port used.

We then enter the productpage Pod and use the lsof -i command to view the ports it opens, as shown in the following figure.

Ports open in Productpage Pod

We can see that pilot-agent has established a TCP connection with istiod , the listening port mentioned above, and the TCP connection established inside the Pod. These connections correspond to the schematic diagram at the beginning of the article.

The root process of the sidecar container ( istio-proxy ) is pilot-agent , and the startup command is shown in the following figure:

Processes in Sidecar

We can see from the figure that the PID of its pilot-agent process is 1, and it pulled up the envoy process.

View the ports it opens in istiod ‘s Pod, as shown in the image below.

Ports in Istiod

We can see the listening ports, inter-process and remote communication connections.

Functional overview of each port in Istio

These ports can play a pivotal role in your troubleshooting. The following will be described according to the components and functions where the ports are located.

Ports in Istiod

Ports in Istiod are relatively few and single-purpose:

  • 9876: ControlZ UI, exposing istiod process information
  • 8080: istiod debug port, through which the configuration and status information of the grid can be queried
  • 15010: Expose xDS API and issue plain text certificates
  • 15012: Same function as port 15010, but use TLS communication
  • 15014: Expose control plane metrics to Prometheus
  • 15017: Sidecar injection and configuration verification port

Ports in Sidecar

From the above, we see that there are many ports in the sidecar:

  • 15000: Envoy management interface , you can use it to query and modify the configuration of the Envoy proxy, please refer to the Envoy documentation for details.
  • 15001: Used to handle outbound traffic.
  • 15004: Debug port, explained below.
  • 15006: Used to handle inbound traffic.
  • 15020: Aggregate statistics, perform health checks on Envoy and DNS proxy, debug pilot-agent process, explained in detail below.
  • 15021: Used for sidecar health checks to determine if injected pods are ready to receive traffic. We set up a readiness probe on the /healthz/ready path of this port, and Istio handed over the readiness detection of the sidecar to kubelet , maximizing the use of the Kubernetes platform’s own capabilities. The envoy process routes the health check to port 15020 of the pilot-agent process, where the actual health check will take place.
  • 15053: The local DNS proxy is used to resolve the internal domain name of the cluster that cannot be resolved by Kubernetes DNS.
  • 15090: Envoy Prometheus query port through which pilot-agent will collect statistics.

The above ports can be divided into the following categories:

  • Responsible for inter-process communication, such as 15001, 15006, 15053
  • Responsible for health check and information statistics, such as 150021, 15090
  • Debug: 15000, 15004

A few key ports will be explained in detail below.

15000 ports

15000 is Envoy’s Admin interface, which allows us to modify Envoy and get a view and query metrics and configuration.

The management interface consists of a REST API with multiple endpoints and a simple user interface. You can use the following command to open the Envoy management interface view in the productpage Pod.

 kubectl -n default port-forward deploy/productpage-v1 15000

Visit http://localhost:15000 in your browser and you will see the Envoy Admin interface as shown below.

Envoy Admin interface

15004 port

Through the debug endpoint on port 8080 of pilot-agent proxy istiod , you can enter the data plane Pod to access port 15004 of localhost to query grid information, and the effect is equivalent to port 8080 below.

port 8080

You can also forward istiod port 8080 locally, run the command below.

 kubectl -n istio-system port-forward deploy/istiod 8080

Visit http://localhost:8080/debug in your browser and you will see the debug endpoint as shown in the image below.

Pilot debug console

Of course, this is just a way to get grid information and debug the grid, you can also use the istioctl command or Kiali to debug, which will be more efficient and intuitive.

15020 port

The 15020 port has three functions:

  1. Aggregate statistics: Query port 15090 to obtain envoy metrics, and you can also configure query application metrics to aggregate envoy , application, and own metrics for Prometheus to collect. The corresponding debug endpoint is /stats/prometheus .
  2. Health checks for Envoy and DNS proxy: The corresponding debug endpoints are /healthz/ready and /app-health .
  3. Debug pilot-agent process: The corresponding debug endpoints are /quitquitquit , debug/ndsz and /debug/pprof .

The following figure shows the debugging information seen by opening http://localhost:15020/debug/pprof in the browser after using local port forwarding.

pprof endpoint

The information in the figure shows the stack information of pilot-agent .


Through the understanding of each component port in Istio, you should have a better understanding of the relationship of each component in Istio and its internal flow, familiar with the function of these ports, which will help you troubleshoot the mesh.

This article is reprinted from
This site is for inclusion only, and the copyright belongs to the original author.

Leave a Comment

Your email address will not be published.