Istio TCP Ingress setup
Here are the steps for configuring TCP ingress traffic with Istio. I assume you are already familiar with Kubernetes and Istio, which are prerequisites for following this article. This is a very specific use case: enabling TCP ingress traffic using Istio.
I noticed that there are not many instructions on this configuration, hence I wanted to share these quick and dirty steps.
I will be using a sample K8s deployment and service to demonstrate the ingress configuration.
1. This is a deployment running nginx.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80   # nginx listens on 80; the Service targetPort below points here
```
2. Then a ClusterIP service must be created to allow access to the above nginx within the K8s cluster.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 8080        # port other workloads in the cluster connect to
    targetPort: 80    # containerPort of the nginx pods
```
3. Create an Istio DestinationRule that represents the ClusterIP service.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nginx-dr
spec:
  host: nginx-service
  subsets:
  - name: prodversion
    labels:
      app: nginx
```
- `host` is the name of the ClusterIP service created in the previous step. Use the fully qualified service name if the destination rule and the service are in different namespaces, e.g. `nginx-service.default.svc.cluster.local`.
- `subsets` can define multiple sets of services, for example for canary deployments.
- `labels` is similar to the selector in a Service resource. It filters which backends of the ClusterIP service are going to be part of the subset `prodversion`. These labels are from the pods behind the ClusterIP service, but labels of the pods will appear on the ClusterIP service as well by default.
4. Create an Istio VirtualService.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-vs
spec:
  hosts:
  - "*"
  gateways:
  - tcp-gateway            # must match the name of the Gateway created in step 5
  tcp:
  - name: "reviews-v2-routes"
    match:
    - port: 8090           # the Gateway server port external users connect to
    route:
    - destination:
        host: nginx-service
        subset: prodversion
```
- `hosts` should be the wildcard `"*"`, since this VirtualService is for TCP traffic and cannot identify layer 7 host headers.
- `gateways` specifies the Istio Gateway that the VirtualService will be part of.
- `match[0].port` specifies the port that ingress traffic uses. For example, users will access nginx externally at `http://mysite.com:8090`.
- `route[0].destination.host` specifies the ClusterIP service name we created above. You can use the FQDN of the service as well.
5. Create an Istio Gateway.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: tcp-gateway
spec:
  selector:
    app: internal-ingressgateway   # must match the labels on the ingress gateway pods (see step 6)
  servers:
  - port:
      number: 8090
      name: tcp-web
      protocol: TCP
    hosts:
    - "*"
```
- `selector` selects the Istio gateway controller (the ingress gateway pods). The Istio gateway controller is configured as part of the Istio installation, which I will not cover in this article.
- `servers[0].port.number` specifies the port number that external users will use. Some forums suggest using a `tcp-` prefixed value for the `name` field. The `protocol` should be `TCP`.
6. Installing the Istio ingress gateway proxy using the operator is not part of this article, but we have to add the ingress port configuration and update the gateway proxies. Here is an example:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: default
spec:
  profile: default
  meshConfig:
    enablePrometheusMerge: false
  components:
    ingressGateways:
    - name: istio-egressgateway
      enabled: false
    - name: internal-ingressgateway
      enabled: true
      label:
        app: internal-ingressgateway   # the Gateway selector in step 5 matches this label
      k8s:
        service:
          ports:
          - port: 8090
            targetPort: 8080
            nodePort: 31000
            name: tcp-nginx
            protocol: TCP
  values:
    # ...
```
- I just want to highlight the `.spec.components.ingressGateways[1].k8s.service.ports` section, because the rest of the configuration is out of scope for this article. `port` should be the one used by external users, whereas `targetPort` is the port that the ClusterIP service is listening on. `nodePort` is the one the Istio ingress gateway is listening on.
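Before applying the resources above, it is worth cross-checking them against each other, because a mismatch between the Gateway name, the server port, the subset or the selector does not produce an error from `kubectl apply`; the TCP route simply never appears. The following checker is an added example, not code from the original post or from Istio: it takes the manifests as already-parsed dicts (what `yaml.safe_load_all` would return) plus the labels on the ingress gateway pods, and the sample data inside is constructed to mirror the resources on this page with one deliberate gateway-name mismatch.

```python
# Added example (not from the original post): cross-checks parsed Istio TCP ingress
# manifests (Gateway -> VirtualService -> DestinationRule -> Service) for reference
# mismatches that silently break routing. gateway_pod_labels = the IstioOperator label.
def check_tcp_ingress(docs, gateway_pod_labels):
    """Return a list of problems found; an empty list means the chain is consistent."""
    by_kind = {}
    for d in docs:
        by_kind.setdefault(d["kind"], {})[d["metadata"]["name"]] = d
    gws, svcs = by_kind.get("Gateway", {}), by_kind.get("Service", {})
    # DestinationRules keyed by the short service name so FQDN hosts also match
    drs = {d["spec"]["host"].split(".")[0]: d for d in by_kind.get("DestinationRule", {}).values()}
    problems = []
    for name, gw in gws.items():
        # The Gateway selector must match labels carried by the ingress gateway pods
        unmatched = {k: v for k, v in gw["spec"]["selector"].items() if gateway_pod_labels.get(k) != v}
        if unmatched:
            problems.append(f"Gateway {name}: selector {unmatched} matches no ingress gateway pod")
    for name, vs in by_kind.get("VirtualService", {}).items():
        tcp_ports = set()  # TCP server ports of the Gateways this VirtualService binds to
        for gw in vs["spec"].get("gateways", []):
            if gw not in gws:
                problems.append(f"VirtualService {name}: gateway '{gw}' does not exist")
                continue
            tcp_ports |= {s["port"]["number"] for s in gws[gw]["spec"]["servers"] if s["port"]["protocol"] == "TCP"}
        for rule in vs["spec"].get("tcp", []):
            for m in rule.get("match", []):
                if m["port"] not in tcp_ports:
                    problems.append(f"VirtualService {name}: no TCP server on port {m['port']} in its gateways")
            for r in rule["route"]:
                host, subset = r["destination"]["host"].split(".")[0], r["destination"].get("subset")
                if host not in svcs:
                    problems.append(f"VirtualService {name}: Service '{host}' does not exist")
                dr = drs.get(host)
                if subset and (dr is None or subset not in {s["name"] for s in dr["spec"].get("subsets", [])}):
                    problems.append(f"VirtualService {name}: subset '{subset}' is not defined by a DestinationRule for {host}")
    return problems
# Constructed sample mirroring this post, with one deliberate mismatch:
# the VirtualService binds to 'tcp-gateways' but the Gateway is named 'tcp-gateway'.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "nginx-service"}, "spec": {"ports": [{"port": 8080, "targetPort": 80}]}},
    {"kind": "DestinationRule", "metadata": {"name": "nginx-dr"}, "spec": {"host": "nginx-service", "subsets": [{"name": "prodversion"}]}},
    {"kind": "Gateway", "metadata": {"name": "tcp-gateway"}, "spec": {"selector": {"app": "internal-ingressgateway"},
     "servers": [{"port": {"number": 8090, "name": "tcp-web", "protocol": "TCP"}}]}},
    {"kind": "VirtualService", "metadata": {"name": "nginx-vs"}, "spec": {"gateways": ["tcp-gateways"],
     "tcp": [{"match": [{"port": 8090}], "route": [{"destination": {"host": "nginx-service", "subset": "prodversion"}}]}]}},
]
POD_LABELS = {"app": "internal-ingressgateway"}  # constructed; matches the IstioOperator label above
if __name__ == "__main__":
    print(*check_tcp_ingress(SAMPLE, POD_LABELS), sep="\n")
```

Running it on the sample reports the missing gateway and, as a consequence, that no Gateway serves TCP on port 8090; renaming the reference to `tcp-gateway` makes the list empty.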
Once you have created all of the above resources, you can verify them using the commands below.
- List the Istio proxy status: `istioctl proxy-status`
- Then find the ports listening on any of the above proxies using `istioctl proxy-config listeners internal-ingressgateway-ldcn6.istio-system`. You should see an entry similar to the one below.

```
0.0.0.0 8080 ALL Cluster: outbound|8080|nginx-service|nginx-service.default.svc.cluster.local
```
This concludes the steps for enabling TCP ingress traffic from outside the cluster to a service inside the K8s cluster using Istio.