Istio's default gateway is not a gateway, it is a service

3/10/2021

I am trying to understand the Istio traffic routing. I installed Istio in demo mode and got to playing around with the samples. The samples have you install a few gateways (I did bookinfo-gateway and httpbin-gateway).

But it seems all my traffic goes through the "http2" port defined in istio-ingressgateway in the istio-system namespace.

The documentation makes reference to this:

Istio provides some preconfigured gateway proxy deployments (istio-ingressgateway and istio-egressgateway) that you can use - both are deployed if you use our demo installation

But when I run: kubectl -n istio-system get service istio-ingressgateway -o yaml the result shows kind: Service.

The other gateways the demos had me make show kind: Gateway.

So I am left confused...

  1. Is there a difference between a service and a gateway?
  2. How would I use the sample application gateways instead of the istio-ingressgateway (that is really a service)?
  3. How does Istio connect my VirtualService to the istio-ingressgateway? Is it just looking for all VirtualServices?
-- Vaccano
istio
istio-gateway
kubernetes

1 Answer

3/10/2021

Is there a difference between a service and a gateway?

Yes.

  • The istio-ingressgateway is a Kubernetes service of type LoadBalancer (or NodePort, depending on your setup) that serves as the entry point into your cluster. The ingressgateway is the ingress controller of Istio and it is completely optional.
  • The gateway is a custom resource of Istio that serves as an entry into your mesh. It is bound to an ingressgateway by the selector, e.g. see https://github.com/istio/istio/blob/master/samples/httpbin/httpbin-gateway.yaml

kind: Gateway
[...]
spec:
  selector:
    istio: ingressgateway

How would I use the sample application gateways instead of the istio-ingressgateway (that is really a service)?

You need both (or another form of ingress controller and route all traffic through the mesh gateway; for more on that, see below).

How does Istio connect my VirtualService to the istio-ingressgateway? Is it just looking for all VirtualServices?

See this yaml file again: https://github.com/istio/istio/blob/master/samples/httpbin/httpbin-gateway.yaml

The gateway is bound to the ingressgateway.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
[...]

A VirtualService like the one in the file is bound to a gateway.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  gateways:
  - httpbin-gateway
[...]

So if the traffic uses your gateway, the VirtualService is considered.

Besides the gateways you configure, there is always the mesh gateway. So if you want your internal cluster traffic to use the Istio configuration, you need to either add the mesh gateway to your virtual service:

  gateways:
  - httpbin-gateway
  - mesh

or create a separate virtual service for that. If you don't set any gateway, the mesh gateway will be used, since it is the default. See: https://istio.io/latest/docs/reference/config/networking/virtual-service/#VirtualService -> the gateways entry

-- Chris
Source: StackOverflow
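
The binding chain described in the answer (ingress gateway pod labels -> Gateway selector -> VirtualService gateways list, with mesh as the default), modelled as an added example that is not part of the original answer and is not Istio's own code. It assumes everything lives in one namespace; the pod labels and every object marked hypothetical are constructed samples.

```python
# Added illustration (not Istio code): a simplified model of how a Gateway's
# selector and a VirtualService's `gateways` list decide where routes apply.
# Assumption: one namespace; every object below is a constructed sample.

MESH = "mesh"  # reserved gateway name meaning "all sidecars in the mesh"

def selected_gateways(pod_labels, gateways):
    """Names of Gateway resources whose spec.selector matches these pod labels."""
    return [
        gw["metadata"]["name"]
        for gw in gateways
        if all(pod_labels.get(k) == v for k, v in gw["spec"]["selector"].items())
    ]

def bound_gateways(vs):
    """A VirtualService without a `gateways` list is bound to `mesh` only."""
    return vs["spec"].get("gateways") or [MESH]

def routes_for(pod_labels, gateways, virtual_services):
    """Split VirtualService names: applied at this ingress proxy vs. at sidecars."""
    mine = set(selected_gateways(pod_labels, gateways))
    at_ingress = [vs["metadata"]["name"] for vs in virtual_services
                  if mine & set(bound_gateways(vs))]
    in_mesh = [vs["metadata"]["name"] for vs in virtual_services
               if MESH in bound_gateways(vs)]
    return {"ingress": at_ingress, "mesh": in_mesh}

# Constructed sample objects, trimmed to the fields that matter here.
INGRESS_POD_LABELS = {"app": "istio-ingressgateway", "istio": "ingressgateway"}
GATEWAYS = [
    {"kind": "Gateway", "metadata": {"name": "httpbin-gateway"},
     "spec": {"selector": {"istio": "ingressgateway"}}},
    {"kind": "Gateway", "metadata": {"name": "other-gateway"},    # hypothetical
     "spec": {"selector": {"istio": "some-other-proxy"}}},
]
VIRTUAL_SERVICES = [
    {"metadata": {"name": "httpbin"}, "spec": {"gateways": ["httpbin-gateway"]}},
    {"metadata": {"name": "httpbin-both"},                        # hypothetical
     "spec": {"gateways": ["httpbin-gateway", "mesh"]}},
    {"metadata": {"name": "internal-only"}, "spec": {}},          # hypothetical
    {"metadata": {"name": "unreached"},                           # hypothetical
     "spec": {"gateways": ["other-gateway"]}},
]

if __name__ == "__main__":
    print(routes_for(INGRESS_POD_LABELS, GATEWAYS, VIRTUAL_SERVICES))
```

Reading the result as an exposure check: anything listed under "ingress" is reachable through the istio-ingressgateway Service, while a VirtualService bound only to mesh is not programmed onto that proxy.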