Istio

Securing connections from ingress to services in Kubernetes with TLS

佐手、 submitted on 2019-12-12 04:03:08
Question: I am working on securing my Kubernetes cluster with a TLS connection configured in the ingress rule, which essentially terminates the SSL connection at the load balancer. So far so good. A question came up about whether it would make sense to secure the connection from the load balancer to each of the services running in the Kubernetes cluster. My understanding of how Kubernetes works is that services should be able to go up and come down dynamically with no guarantee that the private IPs remain

Envoy Pod to Pod communication within a Service in K8

萝らか妹 submitted on 2019-12-11 17:41:59
Question: Is it possible to send an HTTP REST request to another K8 Pod that belongs to the same Service in Kubernetes when Envoy is configured? Important: I have another question here that directed me to ask with Envoy-specific tags. E.g. Service name = UserService, 2 Pods (replica = 2) Pod 1 --> Pod 2 //using pod ip not load balanced hostname Pod 2 --> Pod 1 The connection is over REST GET 1.2.3.4:7079/user/1 The value for host + port is taken from kubectl get ep Both of the pod IPs work

Kubernetes pods can not make https request after deploying istio service mesh

烈酒焚心 submitted on 2019-12-11 17:14:18
Question: I am exploring the istio service mesh on my k8s cluster hosted on EKS (Amazon). I tried deploying istio-1.2.2 on a new k8s cluster with the demo.yml file used for the bookapp demonstration and most of the use cases I understand properly. Then, I deployed istio using the helm default profile (recommended for production) on my existing dev cluster with 100s of microservices running, and what I noticed is my services can call http endpoints but are not able to call external secure endpoints (https://www

Unable to communicate between 2 node.js apps in Istio enabled GKE cluster

我怕爱的太早我们不能终老 submitted on 2019-12-11 15:52:39
Question: I have created a GKE cluster and deployed two node.js basic apps in it named nodeservice1 and nodeservice2, where only nodeservice1 is open to the world (Allow unauthenticated calls=true). My nodeservice1 is internally calling nodeservice2 via restcall and returning what nodeservice2 returns. I am able to call nodeservice1 via the curl command; it works fine. When I hit endpoint ../restcall (which actually calls nodeservice2 internally), it doesn't return anything but HTTPS 200 OK. Note: Both of the

How to access istio created dashboard

点点圈 submitted on 2019-12-11 15:18:38
Question: I installed istio on kubernetes without helm. I can see pods and services are created in the istio-system namespace. All services like Grafana, Prometheus are created and their ports are not exposed. As a load-balancer service is created, one load balancer is also created in AWS. I wanted to access the grafana, prometheus etc. dashboards from an external network through the newly created load balancer endpoint, but the dashboard is not accessible from the load balancer endpoint. I tried port forwarding

kubernetes-dashboard exposing through istio [1.0.0] ingress --istio-ingressgateway

僤鯓⒐⒋嵵緔 submitted on 2019-12-11 13:44:54
Question: I have configured istio ingress with a Let's Encrypt certificate. I am able to access different services on https which are running on different ports by using gateways and virtualservice. But kubernetes-dashboard runs on port 443 in the kube-system namespace and with its own certificate. How can I expose it through istio gateways and virtualservice? I have defined a sub domain for the dashboard and created gateways, virtualservice and it was directing 443 traffic to the kubernetes dashboard service, but it's not

Not able to access a Istio enabled GKE service directly from browser but only through curl

北城余情 submitted on 2019-12-11 11:03:08
Question: I deployed a node app on the cloud run option (GKE Cluster with Istio enabled). I checked the services running using 'kubectl get services -n istio-system' and it shows NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) istio-ingressgateway LoadBalancer 10.4.15.63 34.80.18.249 15020:30228/TCP,80:31380/TCP,443:31390/TCP nodeservice1 ExternalName <none> istio-ingressgateway.istio-system.svc.cluster.local nodeservice1-qdvk6 ClusterIP 10.4.12.102 <none> 80/TCP nodeservice1-qdvk6-metrics ClusterIP 10.4.8.162

Architecture and challenges of Alibaba's Service Mesh rollout

故事扮演 submitted on 2019-12-11 11:01:41
This article is excerpted from the book "A Different Double 11 Technology: Cloud-Native Practice in the Alibaba Economy". Author | Fang Keming (Xiweng), technical expert, Alibaba Cloud Middleware Technology Department. Introduction: Cloud native has become the technical infrastructure on which the entire Alibaba economy builds for the future. Service Mesh, one of the key cloud-native technologies, successfully completed its production validation under the demanding and complex scenarios of the Double 11 core applications. In this article the author shares the challenges we faced and overcame in reaching that goal. Deployment architecture: Before getting into the main topic, we need to describe the deployment architecture used for the Double 11 core applications, as shown in the figure below. In this article we focus mainly on meshing the RPC protocol between Service A and Service B. The figure illustrates the three planes that make up a Service Mesh: the Data Plane, the Control Plane and the Operation Plane. For the data plane we use the open-source Envoy (the Sidecar in the figure above; readers should note that the two terms are used interchangeably in this article); for the control plane we use the open-source Istio (currently only its Pilot component); the operation plane is entirely developed in-house. Unlike the rollout half a year ago, for this Double 11 core-application rollout we adopted a clustered Pilot deployment model, i.e.

Pod cannot curl external website after adding istio egress gateway

安稳与你 submitted on 2019-12-11 10:58:22
Question: I'm following the Istio doc (https://istio.io/docs/examples/advanced-egress/egress-gateway/) to set up an egress gateway. The results I got are different from what the doc describes and I wonder how I can fix it. I have a simple docker container with a sidecar injected. After I applied a gateway config for google.com similar to the one provided by the doc: cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: google spec: hosts: - google.com

Istio - what are all these ports opened on the LoadBalancer for?

烈酒焚心 submitted on 2019-12-11 06:05:50
Question: I'm looking at my ELB created by Istio, and I see all these open ports: 80 (TCP) forwarding to 31380 (TCP) 443 (TCP) forwarding to 31390 (TCP) 853 (TCP) forwarding to 31107 (TCP) 8060 (TCP) forwarding to 32130 (TCP) 15011 (TCP) forwarding to 31942 (TCP) 15030 (TCP) forwarding to 31438 (TCP) 15031 (TCP) forwarding to 30695 (TCP) 31400 (TCP) forwarding to 31400 (TCP) All these ports are exposed to the Internet. Besides the first two, what is the purpose of all the other exposed ports? Is there any