Cannot allow external traffic through ISTIO

4/29/2019

I am trying to set up Istio and I need to whitelist a few ports for allowing non-mTLS traffic from the outside world coming in through a specific port for a few pods running in local k8s.

I am unable to find a successful way of doing it.

Tried ServiceEntry, Policy and DestinationRule and didn't succeed.

Help is highly appreciated.

```
version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.1"}
```

Service Entry

```
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-traffic
  namespace: cloud-infra
spec:
  hosts:
  - "*.cluster.local"
  ports:
  - number: 50506
    name: grpc-xxx
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
```
-- yog raj
istio
kubernetes

2 Answers

5/13/2019

From your question, I understood that you want to control your ingress traffic and allow some ports to your services that are functioning in your mesh/cluster from outside, but your configuration is for egress traffic.

In order to control and allow ports to your services from outside, you can follow these steps.

1. Make sure that containerPort is included in your deployment/pod configuration. For more info

2. You have to have a Service pointing to your backends/pods. For more info about Kubernetes Services.

3. Then in your Istio-enabled cluster, you have to create a Gateway similar to the configuration below:

```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: your-service-gateway
  namespace: foo-namespace # Use same namespace with backend service
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: HTTP
      protocol: HTTP
    hosts:
    - "*"
```

4. Then configure a route to your service for traffic entering via this gateway by creating a VirtualService:

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: your-service
  namespace: foo-namespace # Use same namespace with backend service
spec:
  hosts:
  - "*"
  gateways:
  - your-service-gateway # define gateway name
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        port:
          number: 3000 # Backend service port
        host: your-service # Backend service name
```

Hope it helps.

-- coolinuxoid
Source: StackOverflow
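To apply the steps above to the port in the question (a gRPC backend on 50506, reached as plain TCP from outside the cluster), here is a complete set of manifests as an added example; it is not part of the answer above or of the Istio project. Names are assumptions: namespace cloud-infra, a Deployment labelled app: grpc-backend, a Service grpc-backend, and a default Istio 1.1 install whose istio-ingressgateway Service already exposes port 31400 (named tcp). The external hop into the ingress gateway is plaintext, while the gateway, which holds a mesh identity, originates mTLS to the pod, so nothing inside the mesh needs an mTLS exception.

```yaml
# Added example, not from the original answer. Assumed names: namespace
# cloud-infra, Service grpc-backend (pods labelled app: grpc-backend) on
# port 50506, and the default Istio 1.1 ingress gateway port 31400 ("tcp").
apiVersion: v1
kind: Service
metadata:
  name: grpc-backend
  namespace: cloud-infra
spec:
  selector:
    app: grpc-backend
  ports:
  - name: tcp-grpc        # "tcp-" prefix: Istio treats the port as plain L4,
    port: 50506           # a "grpc-" prefix would make the sidecar parse HTTP/2
    targetPort: 50506
---
# Edge listener on the ingress gateway: plain TCP, no TLS termination.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grpc-backend-gateway
  namespace: cloud-infra
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400       # must be a port the istio-ingressgateway Service exposes
      name: tcp-grpc
      protocol: TCP
    hosts:
    - "*"
---
# L4 route: everything arriving on 31400 goes to grpc-backend:50506.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grpc-backend
  namespace: cloud-infra
spec:
  hosts:
  - "*"
  gateways:
  - grpc-backend-gateway
  tcp:
  - match:
    - port: 31400
    route:
    - destination:
        host: grpc-backend.cloud-infra.svc.cluster.local
        port:
          number: 50506
---
# Gateway -> pod hop: the ingress gateway is a mesh member with its own
# certificate, so it originates mTLS to the backend even though the external
# client sent plaintext. No per-port mTLS exception is needed on the pod.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grpc-backend
  namespace: cloud-infra
spec:
  host: grpc-backend.cloud-infra.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

If the port has to be 50506 at the edge as well, add that port to the istio-ingressgateway Service (and the gateway Deployment) first; a Gateway server on a port the gateway Service does not expose is never reachable from outside. `kubectl -n istio-system get svc istio-ingressgateway` shows which ports are exposed.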

4/30/2019

You need to add a DestinationRule and a Policy:

```
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: destinationrule-test
spec:
  host: service-name
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 8080
      tls:
        mode: DISABLE
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-test
spec:
  targets:
  - name: service-name
    ports:
    - number: 8080
  peers:  # left empty on purpose: no peer authentication, i.e. no mTLS, on this port
```

This has been tested with Istio 1.0, but it will probably work for Istio 1.1. It is heavily inspired by the documentation https://istio.io/help/ops/setup/app-health-check/

-- Alexandre Cartapanis
Source: StackOverflow
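The DestinationRule and Policy above configure the two ends of one connection: the Policy tells the server's sidecar what to accept on the port, the DestinationRule tells mesh clients what to send to it. Pairing an empty `peers:` (server expects plaintext) with a client-side ISTIO_MUTUAL would fail, because the server sidecar would receive a TLS handshake it does not expect; that is why the answer disables TLS on the same port in the DestinationRule. As an added example (not from the answer above or from the Istio project), here is a consistent set for Istio 1.1 that keeps a namespace at strict mTLS and opens a single port using PERMISSIVE rather than DISABLE, so in-mesh callers keep mTLS while external clients can send plaintext. Namespace cloud-infra, service grpc-backend and port 50506 are assumed names.

```yaml
# Added example, not from the original answer. Assumed names: namespace
# cloud-infra, Service grpc-backend, exempt port 50506. Istio 1.1,
# authentication.istio.io/v1alpha1 API.
#
# Namespace default: every sidecar in cloud-infra requires mTLS from peers.
# A namespace-wide policy (no targets) must be named "default".
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: cloud-infra
spec:
  peers:
  - mtls: {}
---
# Server side: the grpc-backend sidecar accepts plaintext on 50506 only.
# PERMISSIVE still accepts mTLS on that port, so in-mesh clients are not
# downgraded just to let external clients in; every other port stays strict.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: grpc-backend-plaintext-port
  namespace: cloud-infra
spec:
  targets:
  - name: grpc-backend
    ports:
    - number: 50506
  peers:
  - mtls:
      mode: PERMISSIVE
---
# Client side: sidecars and the ingress gateway keep originating mTLS to
# grpc-backend on every port, including 50506, which the PERMISSIVE server
# accepts. Only a port-level "mode: DISABLE" here would make them send
# plaintext, and that is the downgrade PERMISSIVE lets us avoid.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grpc-backend
  namespace: cloud-infra
spec:
  host: grpc-backend.cloud-infra.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

After applying, `istioctl authn tls-check <client-pod> grpc-backend.cloud-infra.svc.cluster.local` (available in Istio 1.0/1.1) reports for each port whether the client DestinationRule and the server Policy agree; a CONFLICT line there is the usual cause of "connection reset" errors when one side was changed without the other.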