我的书签
添加书签
移除书签Kubernetes Ingress
This task describes how to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes Ingress Resource.
Using the Istio Gateway, rather than Ingress, is recommended to make use of the full feature set that Istio offers, such as rich traffic management and security features.
Before you begin
Follow the instructions in the Before you begin and Determining the ingress IP and ports sections of the Ingress Gateways task.
Configuring ingress using an Ingress resource
A Kubernetes Ingress Resources exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
Let’s see how you can configure a Ingress on port 80 for HTTP traffic.
Create an
Ingressresource:$ kubectl apply -f - <<EOFapiVersion: networking.k8s.io/v1beta1kind: Ingressmetadata:annotations:kubernetes.io/ingress.class: istioname: ingressspec:rules:- host: httpbin.example.comhttp:paths:- path: /status/*backend:serviceName: httpbinservicePort: 8000EOF
The
kubernetes.io/ingress.classannotation is required to tell the Istio gateway controller that it should handle thisIngress, otherwise it will be ignored.Access the httpbin service using curl:
$ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"HTTP/1.1 200 OKserver: istio-envoy...
Note that you use the
-Hflag to set the Host HTTP header to “httpbin.example.com”. This is needed because theIngressis configured to handle “httpbin.example.com”, but in your test environment you have no DNS binding for that host and are simply sending your request to the ingress IP.Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:
$ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"HTTP/1.1 404 Not Found...
Next Steps
TLS
Ingress supports specifying TLS settings. This is supported by Istio, but the referenced Secret must exist in the namespace of the istio-ingressgateway deployment (typically istio-system). cert-manager can be used to generate these certificates.
Specifying path type
By default, Istio will treat paths as exact matches, unless they end in /* or .*, in which case they will become prefix matches. Other regular expressions are not supported.
In Kubernetes 1.18, a new field, pathType, was added. This allows explicitly declaring a path as Exact or Prefix.
Specifying IngressClass
In Kubernetes 1.18, a new resource, IngressClass, was added, replacing the kubernetes.io/ingress.class annotation on the Ingress resource. If you are using this resource, you will need to set the controller field to istio.io/ingress-controller. For example:
apiVersion: networking.k8s.io/v1beta1kind: IngressClassmetadata:name: istiospec:controller: istio.io/ingress-controller---apiVersion: networking.k8s.io/v1beta1kind: Ingressmetadata:name: ingressspec:ingressClassName: istiorules:- host: httpbin.example.comhttp:paths:- path: /pathType: Prefixbackend:serviceName: httpbinservicePort: 8000
Cleanup
Delete the Ingress configuration, and shutdown the httpbin service:
$ kubectl delete ingress ingress$ kubectl delete --ignore-not-found=true -f @samples/httpbin/httpbin.yaml@
See also
Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway
Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS.
Istio as a Proxy for External Services
Configure Istio ingress gateway to act as a proxy for external services.
Deploy a Custom Ingress Gateway Using Cert-Manager
Describes how to deploy a custom ingress gateway using cert-manager manually.
Configuring Istio Ingress with AWS NLB
Describes how to configure Istio ingress with a network load balancer on AWS.
Configuring Gateway Network Topology [Experimental]
How to configure gateway network topology (experimental).
Ingress Gateway without TLS Termination
Describes how to configure SNI passthrough for an ingress gateway.
