I have a flaskr app I wrote that has two containers. I'm implementing Istio to get used to it. I'm having an issue, though, where ServiceEntries are not allowing TCP port 22 (SSH) traffic from a container external to the mesh. My ServiceEntries look like this, and the overall app looks like this.
```
ubuntu@k8s-master:~/applications$ kubectl get serviceentry srx-ssh-service-entry -n home-devices-app -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  creationTimestamp: "2019-02-25T01:29:10Z"
  generation: 1
  name: srx-ssh-service-entry
  namespace: home-devices-app
  resourceVersion: "7848269"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-app/serviceentries/srx-ssh-service-entry
  uid: c03f2f27-389c-11e9-ad97-000c297d3726
spec:
  addresses:
  - 22.22.22.22/32
  hosts:
  - 22.22.22.22
  location: MESH_EXTERNAL
  ports:
  - name: tcp
    number: 22
    protocol: tcp
  resolution: NONE
ubuntu@k8s-master:~/applications$ kubectl get serviceentry ex-ssh-service-entry -n home-devices-app -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  creationTimestamp: "2019-02-25T01:29:10Z"
  generation: 1
  name: ex-ssh-service-entry
  namespace: home-devices-app
  resourceVersion: "7848270"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-app/serviceentries/ex-ssh-service-entry
  uid: c040f3d1-389c-11e9-ad97-000c297d3726
spec:
  addresses:
  - 192.168.4.1/32
  hosts:
  - 192.168.4.1
  location: MESH_EXTERNAL
  ports:
  - name: tcp
    number: 22
    protocol: tcp
  resolution: NONE
ubuntu@k8s-master:~/applications$
```
Here are some other pieces of info if it helps. Any help is appreciated!
```
ubuntu@k8s-master:~/applications$ cat home-device*
kind: Service
apiVersion: v1
metadata:
  name: home-devices-app-service
  namespace: home-devices-app
spec:
  selector:
    app: home-devices-app
  type: NodePort
  ports:
  - nodePort: 31337
    port: 5000
    name: http
    targetPort: 5000
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: home-devices-deployment
  namespace: home-devices-app
  labels:
    app: home-devices-app
spec:
  replicas: 2 # tells deployment to run 2 pods matching the template
  selector:
    matchLabels:
      app: home-devices-app
  template:
    metadata:
      labels:
        app: home-devices-app
    spec:
      containers:
      - name: home-devices-app
        image: lemon-flaskr-container:2.2
        imagePullPolicy: Never
        ports:
        - containerPort: 5000
kind: Service
apiVersion: v1
metadata:
  name: home-devices-app-srx-function-service
  namespace: home-devices-app
spec:
  ports:
  - port: 5001
    name: http
    targetPort: 5001
  selector:
    app: home-devices-app-srx-function
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: home-devices-srx-function-deployment
  namespace: home-devices-app
  labels:
    app: home-devices-app-srx-function
spec:
  replicas: 2 # tells deployment to run 2 pods matching the template
  selector:
    matchLabels:
      app: home-devices-app-srx-function
  template:
    metadata:
      labels:
        app: home-devices-app-srx-function
    spec:
      containers:
      - name: lemon-home-dev-srx-function
        image: lemon-home-dev-srx-function:1.0
        imagePullPolicy: Never
        ports:
        - containerPort: 5001
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: home-devices-app-envoy-gateway
  namespace: home-devices-app
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: "home-devices-app-virtual-service"
  namespace: home-devices-app
spec:
  hosts:
  - "*"
  gateways:
  - home-devices-app-envoy-gateway
  http:
  - match:
    - uri:
        exact: /guestwifi
    route:
    - destination:
        host: "home-devices-app-service"
        port:
          number: 5000
```