Envoy-Administration-interface

The admin interface

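  • Envoy has a built-in admin interface that supports both query and modification operations and may even expose private data (such as statistics, cluster names, and certificate information), so its access control must be designed carefully to prevent unauthorized access.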
admin:
  access_log_path: ... # path of the admin interface access log file; use /dev/null when no access log is needed
  profile_path: ... # output path of the CPU profiler; defaults to /var/log/envoy/envoy.prof
  address: # the socket to listen on
    socket_address:
      protocol: ...
      address: ...
      port_value: ...
  • A simple configuration example:
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }
  • A complete Envoy configuration example:
admin:
  access_log_path: /tmp/admin_access.log
  profile_path: /tmp/envoy.prof
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 127.0.0.1, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: egress_http
          codec_type: AUTO
          route_config:
            name: test_route
            virtual_hosts:
            - name: web_service_1
              domains: ["*.ik8s.io", "ik8s.io"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: web_cluster_1 }
            - name: web_service_2
              domains: ["*.k8scast.cn","k8scast.cn"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: web_cluster_2 }
          http_filters:
          - name: envoy.router

  clusters:
  - name: web_cluster_1
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: web_cluster_1
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: myservice
                port_value: 8081

  - name: web_cluster_2
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: web_cluster_2
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: webserver1
                port_value: 8081
  • The admin interface
    • The admin interface has a number of built-in /paths; different paths accept GET or POST requests
    • GET /help: prints all available options;
admin commands are:
/: Admin home page # GET
/certs: print certs on machine # GET, lists all loaded TLS certificates and related information;
/clusters: upstream cluster status # GET; "GET /clusters?format=json" is also supported
/config_dump: dump current Envoy configs (experimental) # GET, prints the various configurations loaded by Envoy;
/contention: dump current Envoy mutex contention stats (if enabled) # GET, mutex tracing
/cpuprofiler: enable/disable the CPU profiler # POST, enables or disables the CPU profiler
/healthcheck/fail: cause the server to fail health checks # POST, forces the HTTP health check status to failed;
/healthcheck/ok: cause the server to pass health checks # POST, forces the HTTP health check status to passing;
/heapprofiler: enable/disable the heap profiler # POST, enables or disables the heap profiler;
/help: print out list of admin commands
/hot_restart_version: print the hot restart compatibility version # GET, prints hot-restart related information;
/listeners: print listener addresses # GET, lists all listeners; "GET /listeners?format=json" is supported
/logging: query/change logging levels # POST, enables or disables different logging levels on different subcomponents
/memory: print current allocation/heap usage # POST, prints current memory allocation information, in bytes;
/quitquitquit: exit the server # POST, cleanly exits the server;
/reset_counters: reset all counters to zero # POST, resets all counters;
/runtime: print runtime values # GET, outputs all runtime values in JSON format;
/runtime_modify: modify runtime values # POST /runtime_modify?key1=value1&key2=value2; adds or modifies the runtime values passed in the query parameters
/server_info: print server version/status information # GET, prints information about the current Envoy server;
/stats: print server stats # outputs statistics on demand, e.g. GET /stats?filter=regex; json and prometheus output formats are also supported;
/stats/prometheus: print server stats in prometheus format: # outputs statistics in prometheus format;
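
Because the admin section writes its own access log (access_log_path), that log can be reviewed for requests to the state-changing and data-exposing endpoints listed above. The following is an added example, not code from the original post; it assumes the log uses Envoy's default access log format, and the sample lines and the function names classify and audit are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# State-changing endpoints from the command list above.
MUTATING = {"/cpuprofiler", "/healthcheck/fail", "/healthcheck/ok", "/heapprofiler",
            "/logging", "/quitquitquit", "/reset_counters", "/runtime_modify"}
# GET endpoints that expose certificates or the full loaded configuration.
SENSITIVE_READ = {"/certs", "/config_dump"}

# Assumption: Envoy's default access log format, which begins with
#   [start_time] "METHOD PATH PROTOCOL" RESPONSE_CODE ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<code>\d{3}) ')

def classify(line):
    """Return (severity, method, path, code) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string and any trailing slash before matching the endpoint.
    path = urlsplit(m["target"]).path.rstrip("/") or "/"
    if path in MUTATING:
        severity = "state-change"
    elif path in SENSITIVE_READ:
        severity = "sensitive-read"
    else:
        severity = "info"
    return severity, m["method"], path, int(m["code"])

def audit(lines):
    """Collect every request that touched a mutating or sensitive endpoint."""
    findings = []
    for line in lines:
        result = classify(line)
        if result and result[0] != "info":
            findings.append(result)
    return findings

# Constructed sample lines (not taken from a real deployment).
TAIL = ' 200 - 0 64 1 - "-" "curl/7.61.1" "-" "127.0.0.1:9901" "-"'
SAMPLE_LOG = [
    '[2019-11-26T08:00:01.000Z] "GET /stats?filter=cx_total HTTP/1.1"' + TAIL,
    '[2019-11-26T08:00:05.000Z] "GET /config_dump HTTP/1.1"' + TAIL,
    '[2019-11-26T08:00:09.000Z] "POST /runtime_modify?key1=value1 HTTP/1.1"' + TAIL,
    '[2019-11-26T08:00:12.000Z] "POST /healthcheck/fail HTTP/1.1"' + TAIL,
    'line that does not match the assumed format',
]

if __name__ == "__main__":
    for severity, method, path, code in audit(SAMPLE_LOG):
        print(f"{severity:15} {method:5} {path} -> {code}")
```
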

Sample outputs of the admin interface

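  • GET /clusters: lists all configured clusters, including all upstream hosts discovered in each cluster and the statistics of each host; JSON output is supported;
    • Cluster manager information: "version_info string"; without CDS it is shown as "version_info::static"
    • Cluster-related information: circuit breakers, outlier detection, and the "added_via_api" flag that indicates whether the cluster was added via CDS
    • Per-host statistics: including total connections, active connections, total requests, and the host's health status; a host is usually unhealthy for one of the following three reasons
      • failed_active_hc: failed active health checking;
      • failed_eds_health: marked unhealthy by EDS;
      • failed_outlier_check: failed the outlier detection check;
  • GET /listeners: lists all configured listeners, including each listener's name and listening address; JSON output is supported;
  • POST /reset_counters: resets all counters to 0; however, it only affects the server's local output and has no effect on statistics already sent to external storage systems;
  • GET /config_dump: prints, in JSON format, the configuration currently loaded from Envoy's various components;
  • GET /ready: returns whether the server is ready; 200 in the LIVE state, otherwise 503;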

Per-host statistics in a cluster

Name             Type     Description
cx_total         Counter  Total connections
cx_active        Gauge    Total active connections
cx_connect_fail  Counter  Total connection failures
rq_total         Counter  Total requests
rq_timeout       Counter  Total timed out requests
rq_success       Counter  Total requests with non-5xx responses
rq_error         Counter  Total requests with 5xx responses
rq_active        Gauge    Total active requests
healthy          String   The health status of the host. See below
weight           Integer  Load balancing weight (1-100)
zone             String   Service zone
canary           Boolean  Whether the host is a canary
success_rate     Double   Request success rate (0-100). -1 if there was not enough request volume in the interval to calculate it

https://system51.github.io/2019/11/26/Envoy-Administration-interface/
Author: Mr.Ye
Published: November 26, 2019