Preface

In the previous article, we looked at how to control incoming traffic. This article focuses on how to access out-of-cluster services when using Istio, namely managing outgoing traffic.

By default, services inside an Istio mesh cannot directly access services outside the cluster. To make external services reachable by clients in the Istio cluster, you can use either of the following methods:

  1. Configure ServiceEntry

  2. Configure global.proxy.includeIPRanges

Configure ServiceEntry to access external services

ServiceEntry adds entries to the service registry that Istio maintains internally, so that automatically discovered services in the mesh can access and route to these manually added services.

A ServiceEntry describes the attributes of a service (DNS name, VIP, port, protocol, and endpoints). Such services may be external to the mesh (for example, web APIs), or services inside the mesh that are not part of the platform's service registry (such as a set of virtual machines that need to communicate with Kubernetes services).

Configuring a ServiceEntry is simple, and it allows access from within the mesh to external services over HTTP, HTTPS, Mongo, TCP, and more. The following examples show the configuration for accessing an external TCP service and an external HTTP service, respectively. For details about ServiceEntry configuration parameters, see:

istio.io/docs/refere…

Example of configuring external TCP service access:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mysql
spec:
  hosts:
  - 192.168.0.245
  ports:
  - number: 3306
    name: tcp
    protocol: TCP

Example of configuring external HTTP service access:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: foo-ext
spec:
  hosts:
  - foo.com
  ports:
  - number: 80
    name: http
    protocol: HTTP

The community recommends configuring ServiceEntry to access external services. However, if many services outside the cluster need to be accessed, configuring them one by one is cumbersome and difficult to manage.

Configure global.proxy.includeIPRanges

If you install Istio with Helm, you can set the Helm variable global.proxy.includeIPRanges to the cluster's clusterIP range and then install.

To modify an Istio installation that already exists, change the value of the -i parameter in the ConfigMap named istio-sidecar-injector to the clusterIP range. Then restart the pods of all services so that the sidecar is injected again. After the restart, you will see that the value of the -i parameter of the initContainers in each pod has changed to the clusterIP range.

In this way, only traffic to IP addresses inside the cluster goes through the sidecar. Calls to external services bypass the Istio sidecar proxy, so services can directly access the corresponding external addresses.

Compared with ServiceEntry, this approach is a single global setting that makes all external services directly accessible. The disadvantage is that traffic to services outside the cluster is no longer controlled by Istio. For example, circuit breaking and rate limiting cannot be applied to calls to middleware services outside the cluster. It also requires users to understand cloud vendor-specific knowledge and configuration.
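To check which destinations lose sidecar control after this change, the following added example (not from the original article or the Istio project) reads the -i and -x values from a pod's istio-init container and reports which destination IPs bypass the proxy. The pod manifest, the 10.96.0.0/12 range, the kube-dns address and the function names are constructed for illustration; 192.168.0.245 is the MySQL host from the ServiceEntry example above.

```python
import ipaddress
import json

# Constructed sample: trimmed `kubectl get pod -o json` output for an injected pod.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "orders-7d9f"},
 "spec": {"initContainers": [{"name": "istio-init",
   "args": ["-p", "15001", "-u", "1337", "-m", "REDIRECT",
            "-i", "10.96.0.0/12", "-x", "", "-b", "8080", "-d", ""]}]}}
""")

def _flag(args, flag):
    """Return the value that follows `flag` in the istio-init argument list."""
    return args[args.index(flag) + 1] if flag in args else ""

def _cidrs(value):
    """Parse a comma-separated CIDR list, ignoring empty entries."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]

def outbound_ranges(pod):
    """Extract the (-i include, -x exclude) values from the istio-init container."""
    for c in pod["spec"].get("initContainers", []):
        if c["name"] == "istio-init":
            return _flag(c["args"], "-i"), _flag(c["args"], "-x")
    raise ValueError("pod has no istio-init container (sidecar not injected)")

def goes_through_sidecar(pod, dest_ip):
    """True if outbound traffic to dest_ip is redirected to the sidecar.
    Assumption: excluded ranges are evaluated before included ranges."""
    include, exclude = outbound_ranges(pod)
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in _cidrs(exclude)):
        return False                      # excluded ranges always bypass
    if include.strip() == "*":
        return True                       # '*' captures all outbound traffic
    return any(ip in net for net in _cidrs(include))

def bypass_report(pod, destinations):
    """Map each destination name to 'sidecar' or 'BYPASS'."""
    return {name: "sidecar" if goes_through_sidecar(pod, ip) else "BYPASS"
            for name, ip in destinations.items()}

if __name__ == "__main__":
    dests = {"kube-dns": "10.96.0.10", "mysql-external": "192.168.0.245"}
    for name, verdict in bypass_report(SAMPLE_POD, dests).items():
        print(f"{name:15} {verdict}")
```

Destinations reported as BYPASS get no Istio routing rules, telemetry or circuit breaking, so they need to be covered by other controls such as Kubernetes NetworkPolicy or firewall rules.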

Conclusion

There is no perfect solution in the community, please refer to the discussion:

groups.google.com/forum/#! Sea…