Istio TCP Ingress setup

Jeewan Sooriyaarachchi
3 min read · Jun 26, 2022

Here are the steps for configuring TCP ingress traffic with Istio. I assume you are already familiar with Kubernetes and Istio, which are prerequisites for following this article. This is a very specific use case: enabling TCP ingress traffic using Istio. I noticed that there are not many instructions on this configuration, hence I wanted to share these quick and dirty steps.

I will be using a sample k8s deployment and service to demonstrate the ingress configuration.

1. This is a deployment running nginx services.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80   # the port the Service's targetPort (80) points at

2. Then a ClusterIP service must be created to allow access to the above nginx within the K8s cluster

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80

3. Create an Istio DestinationRule that represents the ClusterIP service

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nginx-dr
spec:
  host: nginx-service
  subsets:
  - name: prodversion
    labels:
      app: nginx

  • host is the name of the ClusterIP service created in the previous step. We can use the fully qualified service name if the DestinationRule and the Service are in different namespaces, e.g. nginx-service.default.svc.cluster.local
  • subsets can define multiple sets of the service, for example for canary deployments
  • labels is similar to selector in a Service resource. It defines the filter that selects which part of the ClusterIP service belongs to the subset prodversion. These labels come from the pods behind the ClusterIP service, but by default the pod labels appear on the ClusterIP service as well.

4. Create an Istio VirtualService

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-vs
spec:
  hosts:
  - "*"
  gateways:
  - tcp-gateway   # must match the name of the Gateway created in the next step
  tcp:
  - name: "reviews-v2-routes"
    match:
    - port: 8090
    route:
    - destination:
        host: nginx-service
        subset: prodversion

  • hosts should be a wildcard, since this VirtualService is for TCP traffic and it cannot identify layer 7 host headers.
  • gateways specifies the Istio Gateway that this VirtualService will be part of
  • match[0].port specifies the port that ingress traffic uses. For example, users will access nginx externally from this URL: http://mysite.com:8090
  • route[0].destination.host specifies the ClusterIP service name we created above. You can use the FQDN of the service as well

5. Create an Istio Gateway

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: tcp-gateway
spec:
  selector:
    app: internal-ingressgateway   # must match the label given to the ingress gateway proxy in step 6
  servers:
  - port:
      number: 8090
      name: tcp-web
      protocol: TCP
    hosts:
    - "*"

  • selector selects the Istio gateway controller (the ingress gateway proxy). The Istio gateway controller is configured as part of the Istio installation, which I will not cover in this article.
  • .servers[0].port.number specifies the port number that external users will use. Some forum posts suggest using the tcp-<prefix> format for the name field. The protocol should then be TCP

6. Installing the Istio ingress gateway proxy using the operator is not part of this article, but we have to add the ingress port configuration and update the gateway proxies. Here is an example

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: default
spec:
  profile: default
  meshConfig:
    enablePrometheusMerge: false
  components:
    ingressGateways:
    - name: istio-egressgateway
      enabled: false
    - name: internal-ingressgateway
      enabled: true
      label:
        app: internal-ingressgateway
      k8s:
        service:
          ports:
          - port: 8090
            targetPort: 8080
            nodePort: 31000
            name: tcp-nginx
            protocol: TCP
  values:
    ...

  • I just want to highlight the .spec.components.ingressGateways[1].k8s.service.ports section, because the rest of the configuration is out of scope for this article
  • port should be the one used by external users, whereas targetPort is the port that the ClusterIP service is listening on. nodePort is the one the Istio ingress gateway is listening on.
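Because the six resources above only work when their names, labels and ports line up, here is an added example (not part of the original post) that cross-checks them: the Service selector and targetPort against the pods, the DestinationRule host and subsets against the Service and pod labels, the VirtualService gateway reference, match port and route against the Gateway and DestinationRule, and the Gateway selector and server port against the ingress gateway defined in the IstioOperator. The manifests are re-expressed as Python dicts, the shape `kubectl get -o json` would return, so the script runs offline without a cluster or PyYAML. It assumes the nginx container declares containerPort 80 and that the Gateway selector is `app: internal-ingressgateway`, the label given to the proxy in step 6. The function `check_with_misspelt_gateway` is a constructed variant showing the finding produced when the VirtualService references a Gateway name that does not exist.

```python
# Added example, not from the original post: cross-check the manifests from
# steps 1-6 against each other. The manifests are the post's YAML as Python
# dicts (the shape `kubectl get -o json` returns), so this runs offline.
# Assumptions: the nginx container declares containerPort 80, and the Gateway
# selector is the label the IstioOperator gives the proxy (app: internal-ingressgateway).
import copy

DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"metadata": {"labels": {"app": "nginx"}},
        "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2",
                                 "ports": [{"containerPort": 80}]}]}}}}
SERVICE = {"kind": "Service", "metadata": {"name": "nginx-service", "namespace": "default"},
    "spec": {"selector": {"app": "nginx"},
             "ports": [{"protocol": "TCP", "port": 8080, "targetPort": 80}]}}
DESTINATION_RULE = {"kind": "DestinationRule", "metadata": {"name": "nginx-dr"},
    "spec": {"host": "nginx-service",
             "subsets": [{"name": "prodversion", "labels": {"app": "nginx"}}]}}
VIRTUAL_SERVICE = {"kind": "VirtualService", "metadata": {"name": "nginx-vs"},
    "spec": {"hosts": ["*"], "gateways": ["tcp-gateway"],
             "tcp": [{"match": [{"port": 8090}],
                      "route": [{"destination": {"host": "nginx-service",
                                                 "subset": "prodversion"}}]}]}}
GATEWAY = {"kind": "Gateway", "metadata": {"name": "tcp-gateway"},
    "spec": {"selector": {"app": "internal-ingressgateway"},
             "servers": [{"port": {"number": 8090, "name": "tcp-web", "protocol": "TCP"},
                          "hosts": ["*"]}]}}
# Only the ingressGateways part of the step 6 IstioOperator matters here.
ISTIO_OPERATOR = {"kind": "IstioOperator", "spec": {"components": {"ingressGateways": [
    {"name": "istio-egressgateway", "enabled": False},
    {"name": "internal-ingressgateway", "enabled": True,
     "label": {"app": "internal-ingressgateway"},
     "k8s": {"service": {"ports": [{"port": 8090, "targetPort": 8080, "nodePort": 31000,
                                    "name": "tcp-nginx", "protocol": "TCP"}]}}}]}}}


def labels_match(selector, labels):
    """True when every key/value in `selector` is present in `labels`."""
    return all(labels.get(k) == v for k, v in selector.items())


def check_tcp_ingress(deploy, svc, dr, vs, gw, iop):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    pod_labels = deploy["spec"]["template"]["metadata"]["labels"]
    svc_name = svc["metadata"]["name"]
    svc_fqdn = f"{svc_name}.{svc['metadata'].get('namespace', 'default')}.svc.cluster.local"

    # Service -> pods: the selector must match the pod labels and targetPort must be a containerPort.
    if not labels_match(svc["spec"]["selector"], pod_labels):
        findings.append("service selector does not match pod labels")
    container_ports = {p["containerPort"] for c in deploy["spec"]["template"]["spec"]["containers"]
                       for p in c.get("ports", [])}
    for sp in svc["spec"]["ports"]:
        if sp["targetPort"] not in container_ports:
            findings.append(f"service targetPort {sp['targetPort']} is not a containerPort")

    # DestinationRule -> Service: host is the short name or FQDN; subset labels must select the pods.
    if dr["spec"]["host"] not in (svc_name, svc_fqdn):
        findings.append(f"destination rule host {dr['spec']['host']!r} is not the service")
    subsets = {s["name"] for s in dr["spec"]["subsets"]}
    for s in dr["spec"]["subsets"]:
        if not labels_match(s["labels"], pod_labels):
            findings.append(f"subset {s['name']} labels select no pods")

    # VirtualService -> Gateway and DestinationRule.
    gw_tcp_ports = {s["port"]["number"] for s in gw["spec"]["servers"] if s["port"]["protocol"] == "TCP"}
    for g in vs["spec"]["gateways"]:
        if g != gw["metadata"]["name"]:
            findings.append(f"virtual service references unknown gateway {g!r}")
    for rule in vs["spec"].get("tcp", []):
        for m in rule.get("match", []):
            if m["port"] not in gw_tcp_ports:
                findings.append(f"virtual service matches port {m['port']} which no TCP server exposes")
        for r in rule["route"]:
            dest = r["destination"]
            if dest["host"] not in (svc_name, svc_fqdn):
                findings.append(f"route host {dest['host']!r} is not the service")
            if dest.get("subset") and dest["subset"] not in subsets:
                findings.append(f"route subset {dest['subset']!r} is not defined in the destination rule")

    # Gateway -> proxy: the selector must pick an enabled ingress gateway whose Service exposes the port.
    proxies = [g for g in iop["spec"]["components"]["ingressGateways"]
               if g.get("enabled") and labels_match(gw["spec"]["selector"], g.get("label", {}))]
    if not proxies:
        findings.append(f"gateway selector {gw['spec']['selector']} matches no enabled ingress gateway")
    for proxy in proxies:
        exposed = {p["port"] for p in proxy["k8s"]["service"]["ports"]}
        for port in gw_tcp_ports - exposed:
            findings.append(f"gateway port {port} is not exposed on proxy {proxy['name']}")
    return findings


def check_page_manifests():
    return check_tcp_ingress(DEPLOYMENT, SERVICE, DESTINATION_RULE, VIRTUAL_SERVICE, GATEWAY, ISTIO_OPERATOR)


def check_with_misspelt_gateway():
    """Constructed variant: the VirtualService points at 'tcp-gateways' instead of 'tcp-gateway'."""
    vs = copy.deepcopy(VIRTUAL_SERVICE)
    vs["spec"]["gateways"] = ["tcp-gateways"]
    return check_tcp_ingress(DEPLOYMENT, SERVICE, DESTINATION_RULE, vs, GATEWAY, ISTIO_OPERATOR)


if __name__ == "__main__":
    for finding in check_page_manifests() or ["all manifests are consistent"]:
        print(finding)
    print(check_with_misspelt_gateway())
```

A mismatch anywhere in this chain fails silently in the cluster (the resources are accepted, but no traffic flows), so running a check like this before `kubectl apply` saves a round of `istioctl proxy-config` debugging.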

Once you have created all of the above resources, you can verify them using the commands below

  • List the Istio proxy status with `istioctl proxy-status`
  • Then find the ports listening on any of the above proxies using the command `istioctl proxy-config listeners internal-ingressgateway-ldcn6.istio-system`. You should see an entry similar to the one below.
0.0.0.0 8080  ALL   Cluster: outbound|8080|nginx-service|nginx-service.default.svc.cluster.local
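To turn that manual inspection into a repeatable check, here is an added example (not part of the original post) that parses the table printed by `istioctl proxy-config listeners` and confirms that the gateway proxy has a listener on the expected port forwarding to the expected service cluster. The sample output is constructed for this example: it uses the listener port 8080 (the targetPort from step 6), and its cluster name carries the subset name prodversion in the third field, following Istio's `outbound|<port>|<subset>|<service fqdn>` cluster naming.

```python
# Added example, not from the original post: parse the table printed by
# `istioctl proxy-config listeners <gateway-pod>.<namespace>` and confirm that
# the gateway proxy listens on the expected port and forwards to the expected
# service. SAMPLE_LISTENERS is constructed output, not captured from a cluster.
import re

SAMPLE_LISTENERS = """\
ADDRESS PORT  MATCH DESTINATION
0.0.0.0 8080  ALL   Cluster: outbound|8080|prodversion|nginx-service.default.svc.cluster.local
0.0.0.0 15021 ALL   Inline Route: /healthz/ready*
0.0.0.0 15090 ALL   Inline Route: /stats/prometheus*
"""

# One table row: ADDRESS PORT MATCH DESTINATION (destination may contain spaces).
LISTENER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
# Istio names outbound clusters as outbound|<port>|<subset>|<service fqdn>.
CLUSTER_RE = re.compile(r"Cluster:\s*(\w+)\|(\d+)\|([^|]*)\|(\S+)")


def parse_listeners(output):
    """Return one dict per listener row with address, port, match and destination,
    plus a parsed 'cluster' entry when the destination is a cluster."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the header row
        m = LISTENER_RE.match(line)
        if not m:
            continue
        address, port, match, dest = m.groups()
        row = {"address": address, "port": int(port), "match": match, "destination": dest}
        c = CLUSTER_RE.search(dest)
        if c:
            row["cluster"] = {"direction": c.group(1), "port": int(c.group(2)),
                              "subset": c.group(3), "host": c.group(4)}
        rows.append(row)
    return rows


def tcp_ingress_ready(output, listen_port, service_fqdn, service_port, subset=""):
    """True when the proxy has a listener on listen_port whose cluster is the
    expected outbound service, port and subset (empty subset means none)."""
    for row in parse_listeners(output):
        c = row.get("cluster")
        if (row["port"] == listen_port and c and c["direction"] == "outbound"
                and c["host"] == service_fqdn and c["port"] == service_port
                and c["subset"] == subset):
            return True
    return False


if __name__ == "__main__":
    ready = tcp_ingress_ready(SAMPLE_LISTENERS, 8080,
                              "nginx-service.default.svc.cluster.local", 8080, "prodversion")
    print("listener on 8080 forwards to nginx-service:", ready)
```

In practice you would feed the real output in with `istioctl proxy-config listeners <pod>.<namespace> | python3 check.py` (reading `sys.stdin.read()` instead of the constructed sample) and alert when `tcp_ingress_ready` returns False; a listener that is present but points at a cluster with the wrong port or subset is exactly the case a plain `grep 8080` would miss.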

This concludes the steps for enabling TCP ingress traffic from external clients into the internal K8s cluster using Istio.
