I am trying to set up Istio. I need to allow non-mTLS traffic from the outside world, on specific ports, into specific ports of a few pods running on a local k8s cluster. I cannot find a way to make this work.
Tried ServiceEntry, Policy and DestinationRule, with no success.
Help would be highly appreciated.

```
version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.1"}
```

Service Entry

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-traffic
  namespace: cloud-infra
spec:
  hosts:
  - "*.cluster.local"
  ports:
  - number: 50506
    name: grpc-xxx
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
```
You need to add a DestinationRule and a Policy:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: destinationrule-test
spec:
  host: service-name
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 8080
      tls:
        mode: DISABLE
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-test
spec:
  targets:
  - name: service-name
    ports:
    - number: 8080
  peers:
```

This was tested with Istio 1.0, but may also work with Istio 1.1. It is inspired by the documentation at https://istio.io/help/help/setup/app-health-check/
From your question I understand that you want to control ingress traffic, that is, allow access from outside to certain ports of services running in your mesh/cluster, but your configuration is for egress traffic.

To control and allow ports from the outside to your service, you can follow these steps.

1. Make sure your Deployment/Pod configuration includes a containerPort. See the Kubernetes docs for more information on containerPort.
2. You must have a Service pointing to the backend/pods. See the Kubernetes docs for more information on Services.
3. In the Istio-enabled cluster you must create a Gateway with a configuration like the following:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: your-service-gateway
  namespace: foo-namespace # Use the same namespace as the backend service
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: HTTP
      protocol: HTTP
    hosts:
    - "*"
```

4. Then expose it through the gateway by creating a VirtualService:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: your-service
  namespace: foo-namespace # Use the same namespace as the backend service
spec:
  hosts:
  - "*"
  gateways:
  - your-service-gateway # define gateway name
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        port:
          number: 3000 # Backend service port
        host: your-service # Backend service name
```

Hope it helps.
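The two answers above give the individual pieces (a Gateway plus VirtualService for ingress, and a DestinationRule that disables TLS on one port) but do not show how they have to line up with the Deployment and Service, which is where these setups usually break. The script below is an added example, not code from either answer or from Istio: it holds constructed manifests as plain dicts, using the assumed names your-service, your-service-gateway and foo-namespace on port 3000, and cross-checks the references that most often silently break an ingress path (namespace, selector labels, containerPort versus targetPort, Gateway binding, route port, and DestinationRule port-level TLS settings). The port-name check reflects the Istio 1.x convention of inferring a Service port's protocol from its name prefix (http-, grpc-, tcp-); that convention and the PROTOCOL_PREFIXES list are mine, not something stated on this page.

```python
import copy

# Constructed manifests as plain dicts (no PyYAML needed). Names are assumed,
# mirroring the second answer: your-service in foo-namespace on port 3000,
# exposed through your-service-gateway. None of this is the poster's own config.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "your-service", "namespace": "foo-namespace"},
    "spec": {"selector": {"matchLabels": {"app": "your-service"}},
             "template": {"metadata": {"labels": {"app": "your-service"}},
                          "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
                                                   "ports": [{"containerPort": 3000}]}]}}},
}
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "your-service", "namespace": "foo-namespace"},
    "spec": {"selector": {"app": "your-service"},
             "ports": [{"name": "http-web", "port": 3000, "targetPort": 3000}]},
}
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "your-service-gateway", "namespace": "foo-namespace"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                          "hosts": ["*"]}]},
}
VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "your-service", "namespace": "foo-namespace"},
    "spec": {"hosts": ["*"], "gateways": ["your-service-gateway"],
             "http": [{"match": [{"uri": {"prefix": "/"}}],
                       "route": [{"destination": {"host": "your-service",
                                                  "port": {"number": 3000}}}]}]},
}
# As in the first answer: mTLS for the host, TLS disabled on the one port that
# must accept plain traffic (port number chosen here to match the Service).
DESTINATION_RULE = {
    "kind": "DestinationRule",
    "metadata": {"name": "your-service", "namespace": "foo-namespace"},
    "spec": {"host": "your-service",
             "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"},
                               "portLevelSettings": [{"port": {"number": 3000},
                                                      "tls": {"mode": "DISABLE"}}]}},
}
# Istio 1.x infers a Service port's protocol from its name prefix (convention, assumed).
PROTOCOL_PREFIXES = ("http", "http2", "https", "grpc", "tcp", "tls", "mongo", "redis", "mysql")


def check_ingress_path(deployment, service, gateway, vs, destination_rule=None):
    """Return human-readable findings; an empty list means the objects agree."""
    findings = []
    objects = [service, gateway, vs] + ([destination_rule] if destination_rule else [])
    namespaces = {o["metadata"].get("namespace") for o in objects}
    if len(namespaces) != 1:
        findings.append(f"objects span namespaces {sorted(map(str, namespaces))}")

    # Service selector must match the pod template labels, else the Service has no endpoints.
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    for key, value in service["spec"]["selector"].items():
        if pod_labels.get(key) != value:
            findings.append(f"Service selector {key}={value} matches no pod label")

    # Every targetPort must be a declared containerPort; port names need a protocol prefix.
    container_ports = {p["containerPort"]
                       for c in deployment["spec"]["template"]["spec"]["containers"]
                       for p in c.get("ports", [])}
    svc_ports = {p["port"] for p in service["spec"]["ports"]}
    for p in service["spec"]["ports"]:
        target = p.get("targetPort", p["port"])
        if isinstance(target, int) and target not in container_ports:
            findings.append(f"Service targetPort {target} is not a containerPort")
        if p.get("name", "").split("-")[0] not in PROTOCOL_PREFIXES:
            findings.append(f"Service port {p['port']} name {p.get('name')!r} lacks a protocol prefix")

    # VirtualService must bind to the Gateway, match its hosts and route to a Service port.
    if gateway["metadata"]["name"] not in vs["spec"].get("gateways", []):
        findings.append("VirtualService does not list the Gateway in spec.gateways")
    gw_hosts = {h for s in gateway["spec"]["servers"] for h in s["hosts"]}
    for host in vs["spec"]["hosts"]:
        if "*" not in gw_hosts and host not in gw_hosts:
            findings.append(f"VirtualService host {host!r} is not served by the Gateway")
    for rule in vs["spec"].get("http", []):
        for route in rule["route"]:
            dest = route["destination"]
            if dest["host"].split(".")[0] != service["metadata"]["name"]:
                findings.append(f"route host {dest['host']!r} is not the Service")
            port = dest.get("port", {}).get("number")
            if port not in svc_ports:
                findings.append(f"route port {port} is not exposed by the Service {sorted(svc_ports)}")

    # DestinationRule port-level TLS settings only take effect on real Service ports.
    if destination_rule:
        dr_spec = destination_rule["spec"]
        if dr_spec["host"].split(".")[0] != service["metadata"]["name"]:
            findings.append(f"DestinationRule host {dr_spec['host']!r} is not the Service")
        for setting in dr_spec.get("trafficPolicy", {}).get("portLevelSettings", []):
            if setting["port"]["number"] not in svc_ports:
                findings.append(f"DestinationRule TLS setting on port {setting['port']['number']} matches no Service port")
    return findings


def mismatched_example():
    """Same objects, but the route points at 8080: requests never reach the pods."""
    vs = copy.deepcopy(VIRTUAL_SERVICE)
    vs["spec"]["http"][0]["route"][0]["destination"]["port"]["number"] = 8080
    return check_ingress_path(DEPLOYMENT, SERVICE, GATEWAY, vs, DESTINATION_RULE)


if __name__ == "__main__":
    print(check_ingress_path(DEPLOYMENT, SERVICE, GATEWAY, VIRTUAL_SERVICE, DESTINATION_RULE))
    print(mismatched_example())
```

Run as-is, the consistent set yields no findings and the variant with the route pointing at 8080 yields one; to check your own objects, load them with your YAML library of choice into the same dict shape and pass them to check_ingress_path.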