1. Ingress
In a k8s + Istio environment, istio-ingress (similar to OpenResty or Nginx) can be used to expose services inside the cluster to the outside. Pay attention to the namespace.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: product
  namespace: product
  annotations:
    kubernetes.io/ingress.class: "istio"
spec:
  rules:
  - http:
      paths:
      - path: /sz/.*
        backend:
          serviceName: productdetail
          servicePort: 8081
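2. Egress
By default, services managed by Istio cannot access URLs outside the cluster. The reason is that all traffic from Istio-managed services goes through the sidecar proxy Envoy, and by default that proxy only forwards traffic inside the cluster (for example, you get connection refused... this problem troubled me for a long time...). So, to interact with services outside the cluster, you need to configure egress. The http, https and tcp protocols are currently supported.
2.1. http egress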
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: baidu-egress-rule
spec:
  destination:
    service: www.baidu.com
  ports:
  - port: 80
    protocol: http
2.2. https egress
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: https-baidu-egress-rule
spec:
  destination:
    service: www.baidu.com
  ports:
  - port: 443
    protocol: https
2.3. tcp egress
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: tcp-logservice-egress-rule
spec:
  destination:
    service: 10.0.0.111
  ports:
  - port: 8080
    protocol: tcp
2.4. Other
In addition, when injecting the relevant yaml file with istioctl, we can add --includeIPRanges=10.0.0.1/24, where the IP is the cluster-internal IP.
istioctl kube-inject -f k8s.yaml --includeIPRanges=10.0.0.1/24 > k8s-istio.yaml
kubectl apply -f k8s-istio.yaml
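
How the --includeIPRanges value from 2.4 and the tcp EgressRule from 2.3 interact, as an added example that is not part of the original notes: only destinations inside the included ranges are redirected to Envoy, so everything outside them leaves the pod directly and is not subject to egress rules. This is a simplified model for IP destinations only; the function names and the sample destinations 10.0.0.42 and 203.0.113.10 are constructed for illustration.

```python
import ipaddress

def parse_include_ranges(flag_value):
    """Parse a comma-separated --includeIPRanges value into networks."""
    # strict=False normalises CIDRs written with host bits set,
    # e.g. the page's 10.0.0.1/24 becomes 10.0.0.0/24.
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in flag_value.split(",") if c.strip()]

def classify(dest_ip, port, include_ranges, tcp_egress_rules):
    """Simplified model of where a pod's outbound TCP connection goes.

    tcp_egress_rules: list of (ip_or_cidr, port) taken from tcp EgressRules.
    Returns:
      "bypass"              - outside the included ranges, never reaches Envoy
      "proxied:egress-rule" - redirected to Envoy and matched by an egress rule
      "proxied:mesh-only"   - redirected to Envoy, no egress rule; forwarded
                              only if it is an in-cluster service
    """
    ip = ipaddress.ip_address(dest_ip)
    if not any(ip in net for net in include_ranges):
        return "bypass"
    for service, rule_port in tcp_egress_rules:
        rule_net = ipaddress.ip_network(service, strict=False)
        if port == rule_port and ip in rule_net:
            return "proxied:egress-rule"
    return "proxied:mesh-only"

# Values taken from the page (sections 2.3 and 2.4).
INCLUDE = parse_include_ranges("10.0.0.1/24")
RULES = [("10.0.0.111", 8080)]

# Constructed sample destinations.
SAMPLES = [("10.0.0.111", 8080), ("10.0.0.111", 9090),
           ("10.0.0.42", 8080), ("203.0.113.10", 443)]

def report():
    """Classify every sample destination against the page's settings."""
    return {(ip, port): classify(ip, port, INCLUDE, RULES)
            for ip, port in SAMPLES}

if __name__ == "__main__":
    for dest, verdict in report().items():
        print(dest, verdict)
```

Note that 10.0.0.111 falls inside 10.0.0.1/24, so the log service from 2.3 still needs its EgressRule even with the flag set, while any address outside the range is reachable without one.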