
I have a question regarding the interaction between Knative serving, Istio, and AWS Application Load Balancers (ALB from now on).

I'm deploying Knative Serving v0.20 using the YAML manifests (not the kn console) and Istio using the Helm charts. Also, I've been following some online guides (here and here) to have Istio use an ALB instead of creating an ELB. According to them, the major configuration change needed to have Istio use the ALB is gateways.istio-ingressgateway.type=NodePort. That change makes Istio not create its load balancer.

However, I noticed that, when Istio does not create the load balancer, Kubernetes won't let me delete the following Knative ingress:

kind: Ingress
apiVersion: networking.internal.knative.dev/v1alpha1
metadata:
  annotations:
    networking.knative.dev/ingress.class: istio.ingress.networking.knative.dev
  creationTimestamp: '2021-03-09T12:52:30Z'
  deletionGracePeriodSeconds: 0
  deletionTimestamp: '2021-03-09T13:13:30Z'
  finalizers:
    - ingresses.networking.internal.knative.dev
  generateName: default-domain-
  generation: 2
  managedFields:
    - apiVersion: networking.internal.knative.dev/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:networking.knative.dev/ingress.class': {}
          'f:generateName': {}
        'f:spec':
          .: {}
          'f:rules': {}
      manager: default-domain
      operation: Update
      time: '2021-03-09T12:52:30Z'
    - apiVersion: networking.internal.knative.dev/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:finalizers':
            .: {}
            'v:"ingresses.networking.internal.knative.dev"': {}
        'f:status':
          .: {}
          'f:conditions': {}
          'f:observedGeneration': {}
          'f:privateLoadBalancer':
            .: {}
            'f:ingress': {}
          'f:publicLoadBalancer':
            .: {}
            'f:ingress': {}
      manager: controller
      operation: Update
      time: '2021-03-09T12:52:43Z'
  name: default-domain-fq97m
  namespace: knative-serving
  resourceVersion: '48071'
  selfLink: >-
    /apis/networking.internal.knative.dev/v1alpha1/namespaces/knative-serving/ingresses/default-domain-fq97m
  uid: 84323bd8-018d-4d30-b933-91ebba604811
spec:
  rules:
    - hosts:
        - default-domain-tn6xq.default-domain.invalid
      http:
        paths:
          - splits:
              - percent: 100
                serviceName: default-domain-service
                serviceNamespace: knative-serving
                servicePort: 80
      visibility: ExternalIP
status:
  conditions:
    - lastTransitionTime: '2021-03-09T12:52:43Z'
      status: 'True'
      type: LoadBalancerReady
    - lastTransitionTime: '2021-03-09T12:52:30Z'
      status: 'True'
      type: NetworkConfigured
    - lastTransitionTime: '2021-03-09T12:52:43Z'
      status: 'True'
      type: Ready
  observedGeneration: 1
  privateLoadBalancer:
    ingress:
      - domainInternal: knative-local-gateway.istio-system.svc.cluster.local
  publicLoadBalancer:
    ingress:
      - domainInternal: istio-ingressgateway.istio-system.svc.cluster.local

I believe the main reason to be the finalizers section. As a matter of fact, if I modify the resource in the cluster, replacing

finalizers:
  - ingresses.networking.internal.knative.dev

with finalizers: [] then Kubernetes lets me destroy it.

I searched for an explanation in the documentation and online, but haven't found any. At first, I thought I was messing up with the AWS ALB controller, so I tried to change Istio's configuration without creating any ALBs but the issue wouldn't disappear.

Do you know what that Ingress is used for and how I can solve (or, at least, work around) this issue? Pointers to relevant discussions/examples/docs are welcome as well!

Thank you so much!
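The manifest in the question carries both a deletionTimestamp and a non-empty finalizers list; Kubernetes keeps an object in that state until every finalizer has been removed. As an added example (not part of the original post), this sketch finds such objects in exported JSON; the function names, the 60-second threshold, the second sample object and the fixed "now" are assumptions made for the illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `kubectl get <resource> -o json` output (a List
# with "items"). The first item reuses metadata shown in the question; the
# second is a made-up object that is not being deleted.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "default-domain-fq97m", "namespace": "knative-serving",
                "deletionTimestamp": "2021-03-09T13:13:30Z",
                "finalizers": ["ingresses.networking.internal.knative.dev"]}},
  {"metadata": {"name": "example-route", "namespace": "default",
                "finalizers": ["ingresses.networking.internal.knative.dev"]}}
]}
""")


def parse_ts(value):
    """Parse the UTC timestamps Kubernetes writes, e.g. 2021-03-09T13:13:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stuck_terminating(obj_list, now, min_age_seconds=60):
    """Return objects whose deletion was requested but is held by finalizers.

    metadata.deletionTimestamp marks the delete request; the object stays in
    the API until metadata.finalizers is empty, so both fields identify it.
    """
    stuck = []
    for item in obj_list.get("items", []):
        meta = item.get("metadata", {})
        deleted_at = meta.get("deletionTimestamp")
        finalizers = meta.get("finalizers") or []
        if not deleted_at or not finalizers:
            continue  # not being deleted, or nothing is holding the delete
        age = int((now - parse_ts(deleted_at)).total_seconds())
        if age >= min_age_seconds:
            stuck.append({
                "ref": f'{meta.get("namespace", "")}/{meta.get("name", "")}',
                "waiting_seconds": age,
                "finalizers": list(finalizers),
            })
    return stuck


if __name__ == "__main__":
    now = datetime(2021, 3, 9, 13, 30, 0, tzinfo=timezone.utc)  # constructed "now"
    for entry in stuck_terminating(SAMPLE, now):
        print(entry)
```

Listing the pending finalizers by name shows which controller has not yet completed its cleanup, which is the thing to check before emptying the list by hand.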
