Istio - what for all these ports are opened on LoadBalancer?

Submitted by 烈酒焚心 on 2019-12-11 06:05:50

Question


I am looking at my ELB created by Istio, and I see all these open ports:

  • 80 (TCP) forwarding to 31380 (TCP)
  • 443 (TCP) forwarding to 31390 (TCP)
  • 853 (TCP) forwarding to 31107 (TCP)
  • 8060 (TCP) forwarding to 32130 (TCP)
  • 15011 (TCP) forwarding to 31942 (TCP)
  • 15030 (TCP) forwarding to 31438 (TCP)
  • 15031 (TCP) forwarding to 30695 (TCP)
  • 31400 (TCP) forwarding to 31400 (TCP)

All these ports are exposed to the Internet. Besides the first two, what is the purpose of all the other exposed ports? Is there any way (via Istio configuration) to control what is exposed?


Answer 1:


You can see the ports spec here: https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values-istio-gateways.yaml#L65

    ports:
      ## You can add custom gateway ports
      - port: 80
        targetPort: 80
        name: http2
        # nodePort: 31380
      - port: 443
        name: https
        # nodePort: 31390
      - port: 31400
        name: tcp
        # nodePort: 31400
      # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
      # to pilot/citadel if global.meshExpansion settings are enabled.
      - port: 15011
        targetPort: 15011
        name: tcp-pilot-grpc-tls
      - port: 8060
        targetPort: 8060
        name: tcp-citadel-grpc-tls
      # Addon ports for kiali are enabled in gateway - but will only redirect if
      # the gateway configuration for the various components are enabled.
      - port: 15029
        targetPort: 15029
      # Telemetry-related ports are enabled in gateway - but will only redirect if
      # the gateway configuration for the various components are enabled.
      - port: 15030
        targetPort: 15030
        name: http2-prometheus
      - port: 15031
        targetPort: 15031
        name: http2-grafana
      - port: 15032
        targetPort: 15032
        name: http2-tracing

These ports expose various components of Istio outside the cluster, for example for connecting VMs or other clusters with Istio, or for exposing the Istio dashboard outside the cluster.

You can control this exposure via the Helm installation options (https://preliminary.istio.io/docs/reference/config/installation-options/#gateways-options), all the options named gateways.istio-ingressgateway.ports.

For example, to limit the exposed ports to 80 and 443 only, run:

    helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      -x charts/gateways/templates/service.yaml \
      --set gateways.istio-ingressgateway.ports[0].port=80 \
      --set gateways.istio-ingressgateway.ports[0].name=http2 \
      --set gateways.istio-ingressgateway.ports[0].targetPort=80 \
      --set gateways.istio-ingressgateway.ports[1].port=443 \
      --set gateways.istio-ingressgateway.ports[1].name=https \
      > $HOME/istio.yaml

Inspect the generated $HOME/istio.yaml and verify that only the ports 80 and 443 are exposed for the istio-ingressgateway service.
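The verification step in the answer (checking which ports the istio-ingressgateway Service actually publishes) can be scripted against the live cluster instead of read by eye. The following is an added example, not code from the question, the answer or the Istio project: it takes the JSON that `kubectl get svc -o json` emits (a single Service or a List), keeps only Services of type LoadBalancer or NodePort (the ones reachable from outside the cluster), and reports every published port that is not on an allowlist. The embedded sample Service is constructed for the example; its port/nodePort pairs are copied from the question and its port names from the values file quoted in the answer (port 853 from the question is omitted because the quoted values file does not name it).

```python
"""Flag externally published Service ports that are not on an allowlist.

Usage against a cluster (assumes kubectl access to the istio-system namespace):
    kubectl get svc -n istio-system -o json | python3 check_gateway_ports.py
Run with no stdin to check the constructed sample below.
"""
import json
import sys

# Ports the operator intends to expose on the ingress gateway (80 and 443 only,
# matching the helm invocation in the answer).
ALLOWED_PORTS = {80, 443}

# Constructed sample, shaped like the Service behind the question's ELB.
SAMPLE_SERVICE_JSON = """
{
  "apiVersion": "v1",
  "kind": "Service",
  "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
  "spec": {
    "type": "LoadBalancer",
    "ports": [
      {"name": "http2", "port": 80, "targetPort": 80, "nodePort": 31380, "protocol": "TCP"},
      {"name": "https", "port": 443, "targetPort": 443, "nodePort": 31390, "protocol": "TCP"},
      {"name": "tcp-citadel-grpc-tls", "port": 8060, "targetPort": 8060, "nodePort": 32130, "protocol": "TCP"},
      {"name": "tcp-pilot-grpc-tls", "port": 15011, "targetPort": 15011, "nodePort": 31942, "protocol": "TCP"},
      {"name": "http2-prometheus", "port": 15030, "targetPort": 15030, "nodePort": 31438, "protocol": "TCP"},
      {"name": "http2-grafana", "port": 15031, "targetPort": 15031, "nodePort": 30695, "protocol": "TCP"},
      {"name": "tcp", "port": 31400, "targetPort": 31400, "nodePort": 31400, "protocol": "TCP"}
    ]
  }
}
"""

EXTERNAL_TYPES = ("LoadBalancer", "NodePort")


def load_services(doc):
    """Parse kubectl JSON output: either one Service object or a List of items."""
    obj = json.loads(doc) if isinstance(doc, str) else doc
    if obj.get("kind") == "List":
        return [item for item in obj.get("items", []) if item.get("kind") == "Service"]
    return [obj] if obj.get("kind") == "Service" else []


def exposed_ports(service):
    """Return (port, nodePort, name) for each port a LoadBalancer/NodePort Service publishes.

    ClusterIP and headless Services are not reachable from outside, so they yield nothing.
    """
    spec = service.get("spec", {})
    if spec.get("type") not in EXTERNAL_TYPES:
        return []
    return [(p["port"], p.get("nodePort"), p.get("name", "")) for p in spec.get("ports", [])]


def unexpected_ports(service, allowed=ALLOWED_PORTS):
    """Published ports of one Service that are not on the allowlist."""
    return [entry for entry in exposed_ports(service) if entry[0] not in allowed]


def report(doc, allowed=ALLOWED_PORTS):
    """Map 'namespace/name' -> list of unexpected (port, nodePort, name) for every offending Service."""
    findings = {}
    for svc in load_services(doc):
        extra = unexpected_ports(svc, allowed)
        if extra:
            meta = svc.get("metadata", {})
            key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
            findings[key] = extra
    return findings


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICE_JSON
    findings = report(source)
    for svc_name, entries in findings.items():
        for port, node_port, name in entries:
            print(f"{svc_name}: port {port} (nodePort {node_port}, name '{name}') is published but not allowed")
    sys.exit(1 if findings else 0)
```

Against the constructed sample the script exits non-zero and lists 8060, 15011, 15030, 15031 and 31400 as published-but-not-allowed; after rendering the chart with the two-port helm invocation above and applying it, the same command should print nothing and exit 0. Extending ALLOWED_PORTS is the deliberate choice an operator makes when mesh expansion or a dashboard really must be reachable from outside.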



Source: https://stackoverflow.com/questions/53994034/istio-what-for-all-these-ports-are-opened-on-loadbalancer
