Kubernetes Service APIs

This task describes how to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes Service APIs. These APIs are an actively developed evolution of the Kubernetes Service and Ingress APIs.

Setup

  1. Install the Service APIs CRDs:

    $ kubectl kustomize "github.com/kubernetes-sigs/service-apis/config/crd?ref=v0.1.0" | kubectl apply -f -
  2. Install Istio, or reconfigure an existing installation to enable the Service APIs controller:

    $ istioctl install --set values.pilot.env.PILOT_ENABLED_SERVICE_APIS=true
  3. Follow the instructions in the "Determining the ingress IP and ports" section of the Ingress Gateways task to retrieve the external IP address and port of your ingress gateway. The commands below expect them in the INGRESS_HOST and INGRESS_PORT environment variables.

Configuring a Gateway

See the Service APIs documentation for information about the APIs.

  1. Deploy a test application:

    $ kubectl apply -f samples/httpbin/httpbin.yaml
  2. Deploy the Service APIs configuration:

    $ kubectl apply -f - <<EOF
    apiVersion: networking.x-k8s.io/v1alpha1
    kind: GatewayClass
    metadata:
      name: istio
    spec:
      controller: istio.io/gateway-controller
    ---
    apiVersion: networking.x-k8s.io/v1alpha1
    kind: Gateway
    metadata:
      name: gateway
      namespace: istio-system
    spec:
      gatewayClassName: istio
      listeners:
      - hostname: "*"
        port: 80
        protocol: HTTP
        routes:
          namespaces:
            from: All
          selector:
            matchLabels:
              selected: "yes"
          kind: HTTPRoute
    ---
    apiVersion: networking.x-k8s.io/v1alpha1
    kind: HTTPRoute
    metadata:
      name: http
      namespace: default
      labels:
        selected: "yes"
    spec:
      gateways:
        allow: All
      hostnames: ["httpbin.example.com"]
      rules:
      - matches:
        - path:
            type: Prefix
            value: /get
        filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            add:
              my-added-header: added-value
        forwardTo:
        - serviceName: httpbin
          port: 8000
    EOF
  3. Access the httpbin service using curl:

    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/get"
    HTTP/1.1 200 OK
    server: istio-envoy
    ...

    Note the use of the -H flag to set the Host HTTP header to “httpbin.example.com”. This is needed because the HTTPRoute is configured to handle “httpbin.example.com”, but in your test environment you have no DNS binding for that host and are simply sending your request to the ingress IP.

  4. Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:

    $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
    HTTP/1.1 404 Not Found
    ...
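
The Gateway above accepts HTTPRoutes from every namespace (`from: All`) as long as they carry the `selected: "yes"` label, and the HTTPRoute opts in from its side with `allow: All`. The following added example (not part of the Istio documentation) models that two-sided binding check in Python to show which routes would attach to the listener; the `team-b` namespace and the three extra routes are constructed, and the field defaults are assumptions about the v1alpha1 API.

```python
# Added example: simplified model of Service APIs v1alpha1 route binding.
# Assumed defaults: namespaces.from=Same, gateways.allow=SameNamespace.
# Not modelled (fail closed): namespace selectors, FromList, matchExpressions.
GATEWAY = {  # mirrors the Gateway manifest on this page
    "metadata": {"name": "gateway", "namespace": "istio-system"},
    "spec": {"listeners": [{
        "hostname": "*", "port": 80, "protocol": "HTTP",
        "routes": {"kind": "HTTPRoute",
                   "namespaces": {"from": "All"},
                   "selector": {"matchLabels": {"selected": "yes"}}},
    }]},
}

def make_route(name, namespace, labels, allow="All"):
    """Build a minimal HTTPRoute dict with only the fields binding looks at."""
    return {"kind": "HTTPRoute",
            "metadata": {"name": name, "namespace": namespace, "labels": labels},
            "spec": {"gateways": {"allow": allow}}}

ROUTES = [
    make_route("http", "default", {"selected": "yes"}),       # from this page
    make_route("unlabeled", "default", {}),                   # constructed
    make_route("other-team", "team-b", {"selected": "yes"}),  # constructed
    make_route("same-ns-only", "team-b", {"selected": "yes"}, "SameNamespace"),  # constructed
]

def listener_accepts(gw, listener, rt):
    """Gateway side: does this listener's routes selector admit the route?"""
    sel = listener.get("routes", {})
    if sel.get("kind") != rt["kind"]:
        return False
    ns_from = sel.get("namespaces", {}).get("from", "Same")
    same_ns = rt["metadata"]["namespace"] == gw["metadata"]["namespace"]
    if ns_from not in ("All", "Same") or (ns_from == "Same" and not same_ns):
        return False
    want = sel.get("selector", {}).get("matchLabels", {})
    have = rt["metadata"].get("labels", {})
    return all(have.get(k) == v for k, v in want.items())

def route_allows(gw, rt):
    """Route side: does the route's gateways.allow permit this Gateway?"""
    allow = rt["spec"].get("gateways", {}).get("allow", "SameNamespace")
    same_ns = rt["metadata"]["namespace"] == gw["metadata"]["namespace"]
    return allow == "All" or (allow == "SameNamespace" and same_ns)

def bound_routes(gw, routes):
    """Return namespace/name of every route that binds to any listener."""
    return sorted({f'{r["metadata"]["namespace"]}/{r["metadata"]["name"]}'
                   for lis in gw["spec"]["listeners"] for r in routes
                   if listener_accepts(gw, lis, r) and route_allows(gw, r)})
```

`bound_routes(GATEWAY, ROUTES)` returns `default/http` and `team-b/other-team`: under this model, the label is the only thing separating a route in any namespace from the shared listener, so restricting who can create labelled HTTPRoutes (or narrowing `from`) is what limits exposure.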
