红帽全球峰会4.8. 配置 Kourier
Kourier 是 Knative Serving 的轻量级 Kubernetes 原生 Ingress。Kourier 作为 Knative 的网关,将 HTTP 流量路由到 Knative 服务。
4.8.1. 访问当前的 Envoy bootstrap 配置
Kourier 中的 Envoy 代理组件处理 Knative 服务的入站和出站 HTTP 流量。默认情况下,Kourier 在 knative-serving-ingress 命名空间中的 kourier-bootstrap 配置映射中包含 Envoy bootstrap 配置。
流程
要获取当前的 Envoy bootstrap 配置,请运行以下命令:
示例命令
$ oc get cm kourier-bootstrap -n knative-serving-ingress -o yaml例如,在默认配置中,example 命令会生成包含以下摘录的输出:
输出示例
Name: kourier-bootstrap Namespace: knative-serving-ingress Labels: app.kubernetes.io/component=net-kourier app.kubernetes.io/name=knative-serving app.kubernetes.io/version=release-v1.10 networking.knative.dev/ingress-provider=kourier serving.knative.openshift.io/ownerName=knative-serving serving.knative.openshift.io/ownerNamespace=knative-serving Annotations: manifestival: new数据输出示例dynamic_resources: ads_config: transport_api_version: V3 api_type: GRPC rate_limit_settings: {} grpc_services: - envoy_grpc: {cluster_name: xds_cluster} cds_config: resource_api_version: V3 ads: {} lds_config: resource_api_version: V3 ads: {} node: cluster: kourier-knative id: 3scale-kourier-gateway static_resources: listeners: - name: stats_listener address: socket_address: address: 0.0.0.0 port_value: 9000 filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: stats_server http_filters: - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router route_config: virtual_hosts: - name: admin_interface domains: - "*" routes: - match: safe_regex: regex: '/(certs|stats(/prometheus)?|server_info|clusters|listeners|ready)?' headers: - name: ':method' string_match: exact: GET route: cluster: service_stats clusters: - name: service_stats connect_timeout: 0.250s type: static load_assignment: cluster_name: service_stats endpoints: lb_endpoints: endpoint: address: pipe: path: /tmp/envoy.admin - name: xds_cluster # This keepalive is recommended by envoy docs. # https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicit_http_config: http2_protocol_options: connection_keepalive: interval: 30s timeout: 5s connect_timeout: 1s load_assignment: cluster_name: xds_cluster endpoints: lb_endpoints: endpoint: address: socket_address: address: "net-kourier-controller.knative-serving-ingress.svc.cluster.local." port_value: 18000 type: STRICT_DNS admin: access_log: - name: envoy.access_loggers.stdout typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog address: pipe: path: /tmp/envoy.admin layered_runtime: layers: - name: static-layer static_layer: envoy.reloadable_features.override_request_timeout_by_gateway_timeout: falseBinaryData输出示例Events: <none>
4.8.2. 为 Kourier getaways 自定义 kourier-bootstrap
Kourier 中的 Envoy 代理组件处理 Knative 服务的入站和出站 HTTP 流量。默认情况下,Kourier 在 knative-serving-ingress 命名空间中的 kourier-bootstrap 配置映射中包含 Envoy bootstrap 配置。您可以将此配置映射更改为自定义映射。
先决条件
- 安装了 OpenShift Serverless Operator 和 Knative Serving。
- 在 OpenShift Container Platform 上具有集群管理员权限,或者具有 Red Hat OpenShift Service on AWS 或 OpenShift Dedicated 的集群或专用管理员权限。
流程
通过更改
KnativeServing自定义资源(CR)中的spec.ingress.kourier.bootstrap-configmap字段来指定自定义 bootstrap 配置映射:KnativeServing CR 示例
apiVersion: operator.knative.dev/v1beta1 kind: KnativeServing metadata: name: knative-serving namespace: knative-serving spec: config: network: ingress-class: kourier.ingress.networking.knative.dev ingress: kourier: bootstrap-configmap: my-configmap enabled: true # ...
4.8.3. 启用管理员接口访问权限
您可以更改 envoy bootstrap 配置来启用对管理界面的访问。
此流程假设足够了解 Knative,因为更改 envoy bootstrap 配置可能会导致 Knative 失败。红帽不支持在产品中没有测试或附带的自定义配置。
先决条件
- 安装了 OpenShift Serverless Operator 和 Knative Serving。
- 在 OpenShift Container Platform 上具有集群管理员权限,或者具有 Red Hat OpenShift Service on AWS 或 OpenShift Dedicated 的集群或专用管理员权限。
流程
要启用管理员接口访问权限,请在 bootstrap 配置映射中找到此配置:
pipe: path: /tmp/envoy.admin使用以下配置替换它:
socket_address:1 address: 127.0.0.1 port_value: 9901- 1
- 此配置支持访问 loopback 地址(127.0.0.1)和端口 9901 上的 Envoy admin 接口。
在
service_stats集群配置和admin配置中应用socket_address配置:第一个位于
service_stats集群配置中:clusters: - name: service_stats connect_timeout: 0.250s type: static load_assignment: cluster_name: service_stats endpoints: lb_endpoints: endpoint: address: socket_address: address: 127.0.0.1 port_value: 9901第二个位于
admin配置中:admin: access_log: - name: envoy.access_loggers.stdout typed_config: "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog address: socket_address: address: 127.0.0.1 port_value: 9901
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}