Higress Interview Questions
- Category: Kubernetes
- Subcategory: ingress
- Number of questions: 30
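1 Which components make up the core architecture of Higress?
Answer:
Higress is a cloud-native API gateway built on Envoy. Its core components are the Higress Controller, the Higress Gateway (Envoy), Higress Wasm Plugins, and Nacos/MCP.
- Higress Controller: watches K8s Ingress, Gateway API, McpBridge and other resources, generates Envoy xDS configuration, and pushes it to the Higress Gateway
- Higress Gateway: the Envoy proxy that carries the actual traffic (north-south and east-west) and obtains its configuration from the Controller over the xDS interface
- Higress Wasm Plugin: a WebAssembly-based plugin mechanism that supports custom plugins written in Go, Rust, JS and other languages
- Nacos/MCP: supports service discovery systems such as Nacos, Zookeeper and Eureka, so that microservices can be routed to directly
Architectural advantages:
- Unified entry point: north-south (ingress traffic) plus east-west (calls between microservices)
- Multiple registries: K8s, Nacos, Zookeeper and Consul coexist
- Wasm extension: Wasm plugins are hot-loaded without restarting the gateway
Traffic path:
External request → Higress Gateway (Envoy) → Wasm Plugin → backend service (K8s/Nacos)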
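2 How does Higress replace Spring Cloud Gateway / Nginx Ingress and unify the gateway layer?
Answer:
Higress supports both the K8s Ingress API and microservice gateway features, so it can replace an Ingress Controller and Spring Cloud Gateway at the same time.
| Capability | Spring Cloud Gateway | Ingress Nginx | Higress |
|---|---|---|---|
| Routing rules | Gateway DSL | K8s Ingress | Ingress + McpBridge |
| Service discovery | Nacos/Eureka | K8s Service | K8s + Nacos + Zookeeper |
| Rate limiting | Sentinel | Lua | Wasm Plugin |
| Observability | Micrometer | Prometheus | Prometheus + OpenTelemetry |
| Configuration changes | Gateway restart | Hot reload | xDS hot update |
| Language extension | Java development | Lua development | Wasm (multi-language) |
| Performance | Medium (Java virtual machine) | High | High (Envoy) |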
3 How does Higress implement multi-registry routing through McpBridge?
Answer:
The McpBridge CRD defines the external registries that services come from and exposes those microservices directly as backends.
```yaml
apiVersion: networking.higress.io/v1
kind: McpBridge
metadata:
  name: default
  namespace: higress-system
spec:
  registries:
    # Nacos registry
    - name: nacos-dev
      type: nacos2
      domain: 192.168.1.100
      port: 8848
      nacosNamespaceId: dev
    # Zookeeper
    - name: zk-prod
      type: zookeeper
      domain: 192.168.2.100
      port: 2181
    # Static IP
    - name: static-services
      type: static
      domain: static.example.com
      port: 443
```
An Ingress that references the external services:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-comb
spec:
  ingressClassName: higress
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /user
            pathType: Prefix
            backend:
              resource:
                apiGroup: networking.higress.io
                kind: McpBridge
                name: default
          - path: /order
            pathType: Prefix
            backend:
              service:
                name: order-svc
                port:
                  number: 80
```
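4 How does the Higress Wasm plugin mechanism work?
Answer:
Higress uses WebAssembly (Wasm) as the sandbox in which plugins run, and supports plugin development in multiple languages.
Plugin architecture:
Higress Gateway (Envoy) → Wasm Runtime (v8/wamr)
→ Wasm Plugin (a .wasm file compiled from Go/Rust/JS)
Development example (Go):
```go
package main

import (
	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm"
	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm/types"
)

func main() {
	// Register the factory that creates one context per HTTP stream.
	proxywasm.SetNewHttpContext(newHttpContext)
}

type myHttpContext struct {
	proxywasm.DefaultHttpContext
}

// newHttpContext is referenced above but not defined in the original snippet;
// its signature here is an assumption about the SDK version in use.
func newHttpContext(rootContextID, contextID uint32) proxywasm.HttpContext {
	return &myHttpContext{}
}

func (ctx *myHttpContext) OnHttpRequestHeaders(numHeaders int, endOfStream bool) types.Action {
	// Add a custom request header
	proxywasm.AddHttpRequestHeader("X-Higress-Custom", "true")
	// Read a request header
	value, _ := proxywasm.GetHttpRequestHeader("Authorization")
	if value == "" {
		// Answer locally and pause the stream so that the unauthenticated
		// request is not forwarded to the backend.
		proxywasm.SendHttpResponse(401, nil, []byte("Unauthorized"), -1)
		return types.ActionPause
	}
	return types.ActionContinue
}
```
Deploying the plugin:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: auth-plugin
  namespace: higress-system
spec:
  defaultConfig:
    auth_url: "https://auth.example.com"
  url: "https://plugins.example.com/auth.wasm"  # or oci:// format
```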
5 How does Higress implement global and route-level rate limiting?
Answer:
Higress supports combining global per-IP rate limiting, route-level rate limiting, and custom rate-limiting rules.
Global per-IP rate limiting:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: global-ip-limit
  namespace: higress-system
spec:
  defaultConfig:
    _rule:
      limit_by_headers: ["x-forwarded-for"]
      limit_keys:
        - key: "*"
          max_count: 10000
          time_window: 60
```
Route-level rate limiting:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: route-limit
  namespace: higress-system
spec:
  matchRules:
    - ingress:
        - ingress_name: user-api
          namespace: default
      config:
        limit_keys:
          - key: "100.0.0.1"
            max_count: 50
            time_window: 60
          - key: "*"
            max_count: 100
            time_window: 60
```
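The route-level limits above, worked through as a fixed-window counter. This is an added example, not code from Higress or from the original page; the `Limiter` type, the rule that an exact key takes precedence over `*`, and the per-client counter for `*` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Limit mirrors max_count and time_window (seconds) of one limit_keys entry.
type Limit struct{ MaxCount, TimeWindow int }

type bucket struct {
	start time.Time
	count int
}

// Limiter is a fixed-window counter per client key (not goroutine-safe).
type Limiter struct {
	rules   map[string]Limit // keyed by limit_keys.key; "*" is the fallback
	buckets map[string]*bucket
}

func NewLimiter(rules map[string]Limit) *Limiter {
	return &Limiter{rules: rules, buckets: map[string]*bucket{}}
}

// Allow counts one request from client at time now and reports whether it is
// within the limit. Assumed semantics: an exact key beats "*", and "*" gives
// every unmatched client its own counter.
func (l *Limiter) Allow(client string, now time.Time) bool {
	rule, ok := l.rules[client]
	if !ok {
		if rule, ok = l.rules["*"]; !ok {
			return true // no rule applies to this client
		}
	}
	b := l.buckets[client]
	if b == nil || now.Sub(b.start) >= time.Duration(rule.TimeWindow)*time.Second {
		b = &bucket{start: now} // first request, or the window has expired
		l.buckets[client] = b
	}
	b.count++
	return b.count <= rule.MaxCount
}

func main() {
	// Values taken from the route-level config above.
	l := NewLimiter(map[string]Limit{"100.0.0.1": {50, 60}, "*": {100, 60}})
	fmt.Println(l.Allow("100.0.0.1", time.Unix(0, 0)))
}
```

When the key comes from `x-forwarded-for`, as in the global rule, the counter is only as trustworthy as that header, so it should be set or overwritten by a proxy you control.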
6 How does Higress handle HTTPS certificates and TLS?
Answer:
Higress supports automatic HTTPS (through cert-manager), management of multiple certificates, and TLS termination.
Automatic HTTPS:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auto-tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: higress
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-svc
                port:
                  number: 80
```
7 How does Higress implement canary (gray) releases?
Answer:
Higress implements canary releases through Ingress annotations and Wasm plugins.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-gray
  annotations:
    higress.io/canary: "true"
    higress.io/canary-weight: "10"
spec:
  ingressClassName: higress
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-gray-svc
                port:
                  number: 8080
```
8 How is observability configured in Higress?
Answer:
Higress natively supports Prometheus metrics, OpenTelemetry distributed tracing, and access logs.
Prometheus metrics:
- The Higress Gateway automatically exposes the standard Envoy metrics
- The Higress Controller exposes custom metrics
- ServiceMonitor auto-discovery
OpenTelemetry tracing:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: opentelemetry
spec:
  defaultConfig:
    tracing:
      service_name: higress
      otel_exporter_otlp_endpoint: "otel-collector:4318"
      sampling_ratio: 0.1
```
Key metrics:
| Metric | Description |
|---|---|
| envoy_cluster_upstream_rq | Total upstream requests |
| envoy_cluster_upstream_rq_time | Request latency |
| envoy_http_downstream_rq_xx | HTTP status code distribution |
| envoy_cluster_membership_healthy | Number of healthy backends |
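9 What are the core advantages of Higress compared with traditional gateways?
Answer:
| Dimension | Higress | APISIX | Kong | ingress-nginx |
|---|---|---|---|---|
| Core engine | Envoy | OpenResty (Nginx+Lua) | OpenResty | Nginx |
| Service discovery | K8s+Nacos+Zk+Eureka | Via plugins | Via plugins | K8s native |
| Plugin language | Wasm (Go/Rust/JS) | Lua | Lua | Lua |
| Hot update | Full hot update via xDS | Partial hot update | Partial | Hot reload |
| Gateway API | Native support | Supported | Supported | Supported |
| Multiple registries | Native McpBridge | Requires plugin | Requires plugin | Not supported |
| Performance (P99) | High | High | Medium-high | High |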
10 How is Higress deployed and configured?
Answer:
Helm installation:
```bash
helm repo add higress https://higress.io/helm-charts
helm upgrade --install higress higress/higress \
  --namespace higress-system --create-namespace
```
Key parameters:
```yaml
# values.yaml
higress:
  controller:
    replicaCount: 2
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
  gateway:
    replicas: 3
    resources:
      requests:
        cpu: 1
        memory: 1Gi
    service:
      type: LoadBalancer
      externalTrafficPolicy: Local
  wasm:
    enabled: true
```
11 What is the state of Gateway API support in Higress?
Answer:
Higress natively supports the Kubernetes Gateway API (v1beta1/v1).
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: higress-gateway
spec:
  gatewayClassName: higress
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-route
spec:
  parentRefs:
    - name: higress-gateway
  hostnames:
    - app.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api-svc
          port: 8080
```
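12 How does Higress achieve zero-downtime restarts?
Answer:
Higress achieves zero downtime through Envoy's hot restart mechanism and dynamic configuration delivery over xDS.
Hot restart flow:
1. The new Envoy process starts → connects to the old process over a Unix Domain Socket
2. It inherits the old process's listening sockets (FD inheritance)
3. The old process stops accepting new connections
4. It waits for in-flight requests to complete
5. The old process exits → the new process takes over completely
xDS configuration hot update:
The Controller detects a change in resource configuration → generates new Envoy xDS configuration
→ pushes it through the Aggregated Discovery Service (ADS)
→ Envoy hot-updates its listener, route and cluster configuration
→ existing connections are not affected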
13 How does Higress handle WebSocket and gRPC traffic?
Answer:
Higress (Envoy) natively supports WebSocket, gRPC, HTTP/2 and TCP proxying.
```yaml
# WebSocket needs no extra configuration
# gRPC is matched via the WASM protocol
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grpc-ingress
  annotations:
    higress.io/backend-protocol: "grpc"
spec:
  ingressClassName: higress
  rules:
    - host: grpc.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grpc-svc
                port:
                  number: 50051
```
14 How does Higress integrate Sentinel for traffic protection?
Answer:
Higress integrates Sentinel's traffic protection capabilities through a Wasm plugin.
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: sentinel-plugin
  namespace: higress-system
spec:
  defaultConfig:
    flowRules:
      - resource: "/api/order"
        grade: 1                # 0 = thread count, 1 = QPS
        count: 100              # threshold
        controlBehavior: 2      # 0 = reject immediately, 1 = Warm Up, 2 = uniform-rate queuing
        maxQueueingTimeMs: 500
    degradeRules:
      - resource: "/api/order"
        grade: 0                # 0 = RT, 1 = exception ratio, 2 = exception count
        count: 500              # RT threshold (ms)
        timeWindow: 10          # circuit-breaker recovery time (seconds)
        minRequestAmount: 5
```
15 How does Higress handle multi-cluster traffic?
Answer:
Higress can be configured with the registries of multiple clusters to provide cross-cluster service routing and load balancing.
```yaml
apiVersion: networking.higress.io/v1
kind: McpBridge
metadata:
  name: multi-cluster
spec:
  registries:
    - name: cluster-a
      type: nacos2
      domain: cluster-a-nacos.example.com
      port: 8848
    - name: cluster-b
      type: nacos2
      domain: cluster-b-nacos.example.com
      port: 8848
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-cluster-ingress
  annotations:
    higress.io/cross-group-balancing-dns: "true"
spec:
  ingressClassName: higress
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: multi-cluster-svc
                port:
                  number: 8080
```
16 How is JWT authentication configured in Higress?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: jwt-auth
spec:
  defaultConfig:
    consumers:
      - name: app-client
        issuer: "https://auth.example.com"
        jwks: |
          {"keys": [...]}
        audiences:
          - "my-api"
  rules:
    - ingress:
        - ingress_name: user-api
          namespace: default
      config:
        _auth:
          token:
            header: "Authorization"
            type: "Bearer"
```
17 How does Higress implement request/response transformation?
Answer:
Request and response headers are transformed dynamically through a Wasm plugin.
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: header-transform
spec:
  defaultConfig:
    headers:
      set:
        - header: "X-Gateway"
          value: "higress"
      add:
        - header: "X-Request-ID"
          value: "%UNIQUE_ID%"
      remove:
        - "X-Internal-Token"
```
18 How does Higress implement cross-origin resource sharing (CORS)?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: cors
spec:
  defaultConfig:
    cors:
      allow_origins:
        - "https://app.example.com"
        - "https://admin.example.com"
      allow_methods:
        - "GET"
        - "POST"
        - "PUT"
        - "DELETE"
      allow_headers:
        - "Authorization"
        - "Content-Type"
      expose_headers:
        - "X-Custom-Header"
      max_age: "86400"
      allow_credentials: true
```
19 How does Higress implement IP allowlists and denylists?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: ip-restriction
spec:
  defaultConfig:
    ip_restriction:
      whitelist:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
      blacklist:
        - "10.0.1.100"
```
20 How does Higress implement caching?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: cache
spec:
  defaultConfig:
    cache:
      rules:
        - path: "/api/public/*"
          ttl: 60
          max_size: "100MB"
        - path: "/static/*"
          ttl: 3600
          max_size: "1GB"
```
21 How does Higress implement redirects and rewrites?
Answer:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    higress.io/rewrite-target: "/v2/$1"
spec:
  ingressClassName: higress
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /api/(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-svc
                port:
                  number: 8080
```
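22 What is the relationship between Higress and Istio?
Answer:
Higress can serve as an alternative to the Istio Ingress Gateway, offering richer gateway features.
| Dimension | Istio Ingress Gateway | Higress |
|---|---|---|
| Configuration method | VirtualService + Gateway | Ingress/Gateway API |
| Plugins | EnvoyFilter (Lua) | Wasm Plugin |
| Multiple registries | Not supported | Native support via McpBridge |
| Rate limiting | Requires custom work | Wasm Sentinel plugin |
| Operational complexity | High | Medium |
| Configuration hot update | xDS | xDS |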
23 How does Higress handle routing performance for large numbers of services?
Answer:
Higress is built on Envoy and uses a TLS route table to optimize service routing performance.
```yaml
# ConfigMap tuning
data:
  envoy:
    cluster_manager:
      outlier_detection:
        interval: "30s"
        base_ejection_time: "30s"
        consecutive_5xx: 3
    listeners:
      per_connection_buffer_limit_bytes: 32768
    threading:
      worker_thread_count: 4
```
24 How does Higress provide custom error pages?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: custom-error
spec:
  defaultConfig:
    error_pages:
      service: "default/error-pages-svc"
      status_codes:
        - 404
        - 503
```
25 How does Higress automatically match certificates for multiple domains?
Answer:
Higress matches TLS certificates automatically through Envoy's SNI (Server Name Indication) support.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-domain
spec:
  ingressClassName: higress
  tls:
    - hosts:
        - app.example.com
        - admin.example.com
      secretName: wildcard-example-tls
    - hosts:
        - api.other.com
      secretName: api-other-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-svc
                port:
                  number: 80
```
26 How does Higress implement service circuit breaking?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: circuit-breaker
spec:
  defaultConfig:
    circuit_breaker:
      max_connections: 1000
      max_pending_requests: 100
      max_requests: 500
      max_retries: 3
      track_timeout: "30s"
```
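27 What is the configuration consistency validation mechanism in Higress?
Answer:
Before pushing configuration, the Higress Controller runs several validation checks to guarantee configuration consistency.
1. Format validation: YAML structural validity and Ingress semantic validation
2. Reference validation: whether the TLS Secret exists and whether the Service exists
3. xDS validation: whether the Envoy configuration will load successfully
4. Health check: after the push, confirm that Envoy accepted the configuration
5. Rollback: automatic rollback when the configuration fails to load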
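Steps 1 and 2 of the list above (format and reference validation) as a stand-alone checker. This is an added example, not the Higress Controller's code; `DanglingRefs`, the JSON form of the manifest, and the sets of known Secrets and Services are hypothetical, and the manifest is assumed to carry `metadata.namespace`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ingress is the part of a networking.k8s.io/v1 Ingress that this check reads.
type backend struct{ Service *struct{ Name string } }
type ingress struct {
	Metadata struct{ Namespace string }
	Spec     struct {
		TLS   []struct{ SecretName string }
		Rules []struct{ HTTP struct{ Paths []struct{ Backend backend } } }
	}
}

// sampleIngress is a constructed manifest in JSON form, modeled on question 6.
const sampleIngress = `{"metadata": {"name": "auto-tls-ingress", "namespace": "default"},
 "spec": {"tls": [{"hosts": ["app.example.com"], "secretName": "app-tls"}],
  "rules": [{"host": "app.example.com", "http": {"paths": [{"path": "/",
   "backend": {"service": {"name": "app-svc", "port": {"number": 80}}}}]}}]}}`

// DanglingRefs returns one entry per TLS Secret or backend Service that the
// Ingress names but that is missing from the sets of known "namespace/name" keys.
func DanglingRefs(manifest []byte, secrets, services map[string]bool) ([]string, error) {
	var ing ingress
	if err := json.Unmarshal(manifest, &ing); err != nil {
		return nil, fmt.Errorf("format check failed: %w", err)
	}
	ns := ing.Metadata.Namespace + "/"
	var missing []string
	for _, t := range ing.Spec.TLS {
		if !secrets[ns+t.SecretName] {
			missing = append(missing, "Secret "+ns+t.SecretName)
		}
	}
	for _, r := range ing.Spec.Rules {
		for _, p := range r.HTTP.Paths {
			// Resource backends (such as McpBridge) have no Service to look up.
			if s := p.Backend.Service; s != nil && !services[ns+s.Name] {
				missing = append(missing, "Service "+ns+s.Name)
			}
		}
	}
	return missing, nil
}

func main() {
	// Constructed cluster state: the Service exists, the TLS Secret does not.
	fmt.Println(DanglingRefs([]byte(sampleIngress), nil, map[string]bool{"default/app-svc": true}))
}
```

A dangling TLS Secret is the case worth catching before the push, since a listener without its certificate cannot serve the host securely.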
28 How does Higress implement custom health checks?
Answer:
```yaml
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: health-check
spec:
  defaultConfig:
    health_check:
      path: "/healthz"
      healthy_threshold: 2
      unhealthy_threshold: 3
      interval: "10s"
      timeout: "1s"
```
29 How does Higress integrate with Istio Ambient Mesh?
Answer:
Higress can act as the Waypoint Proxy of an Ambient Mesh and handle layer-7 traffic.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: higress-waypoint
spec:
  gatewayClassName: higress
  listeners:
    - name: proxy
      port: 15088
      protocol: HBONE
```
30 What troubleshooting tools and methods does Higress offer?
Answer:
```bash
# Check control-plane status
kubectl -n higress-system get pods
kubectl -n higress-system logs deployment/higress-controller
# Check the Envoy configuration
higress-controller dump config_dump > envoy_config.json
# Check xDS state
higress-controller dump clusters
higress-controller dump listeners
higress-controller dump routes
# Access logs
kubectl -n higress-system logs -l app=higress-gateway --tail=100
# Debugging
higress-controller debug config
higress-controller debug connections
```