Kubernetes - Istio
Istio supports k8s
Gateway and Istio ingress can point to different backends.
Gateway -> VirtualService -> backend Service. The public entry point is the istio-ingressgateway Service (type LoadBalancer); the Gateway resource binds to the Envoy proxy behind it and the VirtualService routes to the backend (ClusterIP) Services.
Istio ingress = istio-ingressgateway Service / Deployment running Envoy + Gateway + VirtualService resources.
Gateway (networking.istio.io): configures layer 4-6 load balancing properties such as ports to expose, TLS settings, and so on.
VirtualService (networking.istio.io): application-layer (L7) traffic routing; works in tandem with the Gateway; defines the destination service and the rules that control how requests for a service are routed within an Istio service mesh, i.e. configures routing to the backend services.
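Added worked example of the Gateway -> VirtualService -> Service path (written for these notes, not taken from the Istio project): a Gateway that binds to the istio-ingressgateway proxy, terminates TLS on 443 and redirects plain HTTP, and a VirtualService that routes by URI prefix to two backend ClusterIP Services. The hostname shop.example.com, the namespace shop, the Service names web and api, their port 8080 and the Secret name shop-example-com-tls are assumptions.

```yaml
# Added example, not from the original notes. Assumed names: shop.example.com,
# namespace "shop", Services "web"/"api" on 8080, TLS Secret "shop-example-com-tls".
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  # Bind to the istio-ingressgateway pods; the LoadBalancer Service fronts them.
  selector:
    istio: ingressgateway
  servers:
  # Port 80 exists only to redirect to HTTPS; no plaintext route is served.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - shop.example.com
    tls:
      httpsRedirect: true
  # L4-6 settings: TLS is terminated at the gateway. The kubernetes.io/tls
  # Secret must live in the namespace of the gateway workload (istio-system
  # for the default ingressgateway), not in the application namespace.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - shop.example.com        # an explicit host rather than "*": only this vhost is served
    tls:
      mode: SIMPLE
      credentialName: shop-example-com-tls
      minProtocolVersion: TLSV1_2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: shop
  namespace: shop
spec:
  hosts:
  - shop.example.com
  gateways:
  - shop-gateway            # same namespace; from another namespace use "shop/shop-gateway"
  http:
  # L7 routing: /api/ goes to the api Service, everything else to web.
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: api.shop.svc.cluster.local
        port:
          number: 8080
  - route:
    - destination:
        host: web.shop.svc.cluster.local
        port:
          number: 8080
```

The certificate is loaded with `kubectl create -n istio-system secret tls shop-example-com-tls --key=<key> --cert=<cert>` before the Gateway is applied; `istioctl analyze -n shop` flags a VirtualService whose host or gateway reference does not match, and `istioctl proxy-config listener deploy/istio-ingressgateway -n istio-system` shows whether the 443 listener was actually programmed into Envoy.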
An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination capabilities for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services.
Istio provides some preconfigured gateway proxy deployments
istio-egressgateway: An egress gateway lets you configure a dedicated exit node for the traffic leaving the mesh, letting you limit which services can or should access external networks, or to enable secure control of egress traffic to add security to your mesh
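Added worked example of a dedicated exit node (written for these notes, not the project's own sample): sidecars send HTTPS for one external host to istio-egressgateway, which forwards it with TLS passthrough, and the mesh-wide outbound policy is set to REGISTRY_ONLY so hosts without a ServiceEntry are refused. The external host api.partner.example and the subset name partner are assumptions; the egress gateway address istio-egressgateway.istio-system.svc.cluster.local is the default install's.

```yaml
# Added example, not from the original notes. Assumed external host:
# api.partner.example. Egress gateway address is the default install's.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: partner-api
spec:
  hosts:
  - api.partner.example
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - api.partner.example
    tls:
      mode: PASSTHROUGH       # gateway does not terminate; end-to-end TLS to the partner
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-partner
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: partner
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: partner-via-egress-gateway
spec:
  hosts:
  - api.partner.example
  gateways:
  - mesh                    # applies to sidecars
  - istio-egressgateway     # and to the egress gateway itself
  tls:
  # Hop 1: sidecar matches on SNI and sends the TLS stream to the egress gateway.
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - api.partner.example
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: partner
        port:
          number: 443
  # Hop 2: the egress gateway forwards the stream to the real external host.
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - api.partner.example
    route:
    - destination:
        host: api.partner.example
        port:
          number: 443
---
# Mesh-wide: only hosts in the service registry (ServiceEntry) may be reached.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
```

Caveat a practitioner will want: Istio enforces this flow only inside its sidecars. A pod that bypasses the sidecar (no injection, a privileged container, or hostNetwork) can still reach the internet directly, so the egress gateway must be paired with a Kubernetes NetworkPolicy or perimeter firewall that permits egress to the outside only from the egress gateway pods.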
Why Ingress? Without it, every exposed service needs its own LoadBalancer Service and its own public IP.
Why not k8s Ingress? The Kubernetes Ingress resource has for some time been known to have significant shortcomings, especially when using it to configure ingress traffic for large applications and when working with protocols other than HTTP.
- Kiali: The Console (i.e. UI) for Istio Service Mesh.
otel-collector: otel = OpenTelemetry. Collects telemetry (traces, metrics, logs) from the mesh.
istiod: runs on the Istio control plane; provides service discovery, configuration and certificate management.
- Envoy: Envoy proxies are the only Istio components that interact with data plane traffic.
Istio CRDs (apiVersion / kind):
- telemetry.istio.io/v1alpha1 / Telemetry
- networking.istio.io/v1beta1 / DestinationRule
- networking.istio.io/v1alpha3 / ServiceEntry
- networking.istio.io/v1alpha3 / EnvoyFilter
istiod of the primary cluster observes the API servers in all clusters for endpoints; this way the control plane can provide service discovery for workloads in all clusters, both those with a sidecar and those without.
- Workloads / services within the primary cluster open a direct connection to istiod.
- Workloads / services within the remote clusters connect to istiod via the east-west gateway in the primary cluster.
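Added worked example of the remote-to-istiod path (my own rendering, modelled on the expose-istiod sample in the Istio multicluster samples, not copied from it): on the primary, a Gateway on the east-west gateway proxy passes through TLS on 15012 (xDS) and 15017 (injection webhook) to istiod; on the remote, an IstioOperator with the remote profile points at that address. The mesh/cluster/network names and the address 203.0.113.10 are assumptions.

```yaml
# Added example, not from the original notes. Applied in istio-system of the
# PRIMARY cluster. Assumed: east-west gateway pods labelled istio=eastwestgateway.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istiod-gateway
spec:
  selector:
    istio: eastwestgateway
  servers:
  - port:
      name: tls-istiod
      number: 15012          # xDS: proxies in remote clusters fetch config here
      protocol: tls
    tls:
      mode: PASSTHROUGH      # mTLS terminates at istiod, not at the gateway
    hosts:
    - "*"
  - port:
      name: tls-istiodwebhook
      number: 15017          # sidecar injection webhook for the remote API server
      protocol: tls
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istiod-vs
spec:
  hosts:
  - "*"
  gateways:
  - istiod-gateway
  tls:
  - match:
    - port: 15012
      sniHosts:
      - "*"
    route:
    - destination:
        host: istiod.istio-system.svc.cluster.local
        port:
          number: 15012
  - match:
    - port: 15017
      sniHosts:
      - "*"
    route:
    - destination:
        host: istiod.istio-system.svc.cluster.local
        port:
          number: 443
---
# Installed in the REMOTE cluster. 203.0.113.10 is the assumed LoadBalancer
# address of the primary's east-west gateway; mesh1/cluster2/network1 are assumed names.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: remote
  values:
    global:
      meshID: mesh1
      multiCluster:
        clusterName: cluster2
      network: network1
      remotePilotAddress: 203.0.113.10
```

The discovery side of the picture is the remote secret: `istioctl create-remote-secret --context="${CTX_CLUSTER2}" --name=cluster2 | kubectl apply -f - --context="${CTX_CLUSTER1}"` hands the primary's istiod a service-account credential for the remote API server so it can watch endpoints there. Two things worth checking: that secret is a read credential for another cluster sitting in istio-system of the primary, so RBAC on that namespace matters, and the east-west LoadBalancer exposes the xDS port to whatever can reach it (istiod still authenticates each proxy, but restricting the LB's source ranges to the remote clusters' egress addresses keeps the attack surface small).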