K
Q

Not understanding how best to use istio gateways

7/19/2019

I have recently got into Istio, and trying to rap my head around the gateway concept.

so fundamentally, I get what it is: an entryway into the service-mesh.

however what I don't understand is how best to use the gateways.

I have installed istio via helm on my k8s cluster, and ran through the bookinfo tutorial.

I created the bookinfo-gateway:

spec:
  servers:
    - hosts:
        - '*'
      port:
        name: http
        number: 80
        protocol: HTTP
  selector:
    istio: ingressgateway

and can access the service via the ingress-gateway created by istio

(found via kubectl get svc -n istio-system).

It seems the gateway I created is tied to the gateway LOADBALANCER created by istio via the selector.

I created a virtualservice, and pointed it to the bookinfo gateway:

spec:
  hosts:
    - '*'
  gateways:
    - bookinfo-gateway
  http:
    - match:
 ....

What I don't understand is when/why I would create another gateway. I can also create ANOTHER virtualservice, and point it to the bookinfo-gateway as well.

So when would I create another Gateway? would it only be when I created another istio-ingress-gateway (one with a different IP)?

-- nate
istio
kubernetes

Similar Questions

kubernetes hpa request cpu and target cpu values
Is there a way in GCP to load balance sftp services running in GKE in different regions?
kubernetes client-go error: an empty namespace may not be set during creation
Error: validation failed: unable to recognize "": no matches for kind "Deployment" in version ""
Terraform: create namespaces and role binding using lists
How to route test traffic through kubernetes cluster (minikube)?
How to make kubernetes.client.api.batch_v1_api.BatchV1Api.delete_namespaced_job wait till deletion is complete
Kubernetes Cluster master/ Worker Nodes

1 Answer

7/20/2019

I am somewhat new to Istio as well. Here are a few things to keep in mind.

1) The Istio Ingress Gateway by default lets nothing into the cluster. 2) You define a gateway to let traffic in on the port(s) and protocol(s) you specify with it. The gateway does NOT aim traffic at anything. It just allows it in. 3) To aim traffic from a gateway definition to a actual Kubernetes service you use a Virtual Service (which is really a route). It is the virtual service that connects a gateway to a kubernetes service and aims traffic at it that meet a certain criterial. In particular certain labels. Or certain host that traffic is coming from.

4) The service is Kubernetes stable ip load balancer to the service which is physically deployed on one or more pods.

So to clarify. Istio Ingress Gateway is single point into cluster. Nothing is coming in until you provide a gateway. In the gateway you specify a port and protocol. Like http, 80. This allows that traffic in but it wont go anywhere.

try not to think of the gateway as another path along the traffic flow. Its more a directive to the actual gateway which is always Istio Ingress Gateway. It just says let this kind of traffic in on this port.

Now if you notice virtual service checks labels and based on labels directs to services also based on labels. So you might have more than one virtual service using same gateway to connect to different services.

So I think of it as gateways subdivide traffic from Istio Ingress Gateway by port and protocol. Again they allow certain type of traffic in but do not aim it. A virtual service (route) always routes traffic that has been defined by a gateway to one or more services based on labels.

I dont know if you can have two gateways using same port and protocol.

-- Steven Smart
Source: StackOverflow