Five-minute K8S practice - Istio gateway

In the previous issue of k8s-Service Mesh Practice-Configuring Mesh, we explained how to configure Mesh requests within the cluster. Istio can also handle external traffic of the cluster, which is our common gateway.

picture

In fact, it is similar to the previously mentioned k8s entry to actual combat-using Ingress Ingress, which is a method of exposing internal services.

Just using Istio-gateway is more flexible.

picture

Here is a function comparison chart, which clearly shows that Istio-gateway supports more functions. If you are a medium or large enterprise that has already used Istio, it is still recommended to have Istio-gateway, so that you can manage internal and external network traffic using the same control plane.

Creating a Gateway

Before we get started, we first need to create an Istio-Gateway resource:

 apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: istio-ingress-gateway namespace: default spec: servers: - port: number: 80 name: http protocol: HTTP hosts: - 'www.service1.io' selector: app: istio-ingressgateway #与现有的gateway 关联istio: ingressgateway

The label that matches the selector can be associated with the gateway that comes with Istio when we install it.

 # 查看gateway 的label k get pod -n istio-system NAME READY STATUS istio-ingressgateway-649f75b6b9-klljw 1/1 Running k describe pod istio-ingressgateway-649f75b6b9-klljw -n istio-system |grep Labels Labels: app=istio-ingressgateway

picture

This Gateway component will be installed when we install Istio for the first time.

This configuration means that the gateway will proxy all requests accessed through the domain name www.service1.io.

After that, we need to use the gateway just now to bind to the service of our service. At this time, we need to use VirtualService:

 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: k8s-combat-istio-http-vs spec: gateways: - istio-ingress-gateway # 绑定刚才创建的gateway 名称hosts: - www.service1.io http: - name: default route: - destination: host: k8s-combat-service-istio-mesh #service 名称port: number: 8081 subset: v1

This is the same VirtualService configuration used for the internal traffic of the Mesh we talked about earlier.

This means that traffic passing through www.service1.io and the istio-ingress-gateway gateway will enter this virtual service, but all requests will enter the subset: v1 group.

This grouping information can be found in the previous section:

 apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: k8s-combat-service-ds spec: host: k8s-combat-service-istio-mesh subsets: - name: v1 labels: app: k8s-combat-service-v1 - name: v2 labels: app: k8s-combat-service-v2

Then we visit this domain name to get a response. At the same time, we open the Pod of the k8s-combat-service-istio-mesh service to view the log and find that all requests enter v1. If this restriction is not required, delete subset: v1.

 curl http://www.service1.io/ping

The local host needs to be configured: 127.0.0.1 www.service1.io

picture

Another point is that we need to get the external IP of the gateway to bind the IP to the domain name www.service1.io just now (host, or domain name management console).

If you are using the kubernetes cluster that comes with docker-desktop, you can directly use 127.0.0.1, which will be bound by default.

If you use minikube to install, you need to use minikube tunnel to manually bind a local IP to the service of type LoadBalancer. For details, please refer to the document: https://minikube.sigs.k8s.io/docs/tasks/loadbalancer

If it is used in a production environment, the cloud service provider will automatically bind an external IP.

principle

picture

The access request process is similar to the Kubernetes Ingress process mentioned earlier, except that the gateway is a service routed by VirtualService, and many routing rules can be customized in this VirtualService.

Summarize

The service mesh Istio has been basically introduced. In the future, trace, log, and metrics related to Telemetry will be updated in the operation and maintenance chapter, which will also be related to Istio. Interested friends can continue to pay attention.

All source code of this article can be accessed here: https://github.com/crossoverJie/k8s-combat