Kubernetes with Istio Ingress Not Running on Standard HTTP Ports 443/80

7/13/2018

I am attempting to get Istio setup on Kubernetes as an ingress controller. The problem is that my two applications seem to be accessible from the Istio ingress controllers node port (E.g., http://[host]:31380/application1 and http://[host]:31380/application2) but not accessible from 443/80.

I am new to Kubernetes and Istio so I had use the https://istio.io/docs/guides/bookinfo/ guide as a reference. Following the guide was fairly easy and I was able to access the Bookinfo application using the node port as mentioned. I am unable to access it from 443/80 though. I used the helm chart to install Istio. I also don't see anything under Ingresses within the Kubernetes dashboard.

Here is an example of the gateway/virtual service yaml:

apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: myapp-gateway spec: selector: istio: ingressgateway # use istio default controller servers:

  • port: number: 80 name: http protocol: HTTP hosts:
    • "*"

apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp-virtual-service spec: hosts:

  • "*" gateways:
  • myapp-gateway http:
  • match:
    • uri: prefix: /myapp route:
    • destination: host: myapp-app-service port: number: 7080
  • match:
    • uri: prefix: / route:
    • destination: host: kibana port: number: 5601

Any ideas on what I have to do to get it to listen on 443? Am I missing a component entirely?

-- leeman24
istio
kubernetes
kubernetes-ingress
routing

1 Answer

7/17/2018

If routing to your application is required to run on 443/80, your Kubernetes cluster must have an external load balancer deployed. If one is not present, the traffic will be routed to the ingress node port.

Refer to - https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports (Determining the ingress IP and ports):

"If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is (or perpetually ), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port."

Example for my bare-metal instance without an external load balancer:

[admin@master1 ~]$ kubectl get svc -n istio-system | grep istio-ingress istio-ingress LoadBalancer 10.114.107.196 <pending> 80:32400/TCP,443:31564/TCP 5d istio-ingressgateway LoadBalancer 10.99.1.148 <pending> 80:31380/TCP,443:31390/TCP,31400:31400/TCP 5d

If you are deploying to an online cloud provider such as IBM Bluemix (probably AWS/Azure/etc.), you should already have one configured. If your configuration is on bare-metal, you likely don't have a load balancer configured.

Example for my Bluemix instance with an external load balancer:

λ kubectl get svc -n istio-system | grep istio-ingress istio-ingress LoadBalancer 172.21.26.25 123.45.67.195 80:32000/TCP,443:31694/TCP 6h istio-ingressgateway LoadBalancer 172.21.139.142 123.45.67.196 80:31380/TCP,443:31390/TCP,31400:31400/TCP 6h

I have not yet gone back to deploy a load balancer to bare-metal so would like to hear if anyone has. I have briefly looked at Metal but have not spent much time on it.

-- leeman24
Source: StackOverflow