
I deployed Istio using the operator and added a custom ingress gateway that is only accessible from a specific source range (our VPN).

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: ground-zero-ingressgateway
spec:
  profile: empty
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
      - name: istio-vpn-ingressgateway
        label:
          app: istio-vpn-ingressgateway
          istio: vpn-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            ...
          service:
            loadBalancerSourceRanges:
              - "x.x.x.x/x"

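Now I want to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes Ingress resource. I use the kubernetes.io/ingress.class annotation to tell the Istio gateway controller that it should handle this Ingress: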

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
   ...
  • Kubernetes version (EKS): 1.19
  • Istio version: 1.10.3

Which ingress gateway controller is now used (istio-ingressgateway or istio-vpn-ingressgateway)? Is there a way to specify which one should be used?

P.S. I know that I could create a VirtualService and specify the correct gateway but we want to write a manifest that also works without Istio by specifying the correct ingress controller with an annotation.

1 Answer

You can create an ingress class that references the ingress controller that is deployed by default in the istio-system namespace. This configuration with ingress will work; however, to my current knowledge, this is only used for backwards compatibility. If you want to use Istio ingress controller functionality, you should use an Istio gateway and virtual service instead:

Using the Istio Gateway, rather than Ingress, is recommended to make use of the full feature set that Istio offers, such as rich traffic management and security features.

If this solution is not optimal for you, you should use e.g. the nginx ingress controller, and you can still bind it with annotations (deprecated) or using IngressClass. To my present knowledge it is not possible to bind this ingress class with an additional ingress controller. If you need an explanation or documentation, you should create an issue on GitHub.

Summary: The recommended option is to use the gateway with a virtual service. Another possibility is to use nginx ingress alone, with different classes and an ingress resource for them.

answered 2021-08-18T12:13:12.577
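The two options from the answer, written out as manifests. This is an added example, not part of the original question or answer. The Gateway selects the VPN-restricted gateway pods through the `istio: vpn-ingressgateway` label from the question's IstioOperator, so the service is reachable only through the load balancer that carries `loadBalancerSourceRanges`. The names `vpn-gateway` and `my-service`, the `default` namespace, the host and the port numbers are assumptions.

```yaml
# Option 1: IngressClass that points at Istio's built-in ingress controller.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller
---
# Option 2 (recommended in the answer): Gateway + VirtualService.
# The selector pins this Gateway to the VPN-only gateway workload.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: vpn-gateway                 # hypothetical name
  namespace: default                # assumption
spec:
  selector:
    istio: vpn-ingressgateway       # label set in the question's IstioOperator
  servers:
    - port:
        number: 80                  # assumption: default HTTP port is exposed
        name: http
        protocol: HTTP
      hosts:
        - "my-service.example.internal"   # constructed host
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service                  # hypothetical name
  namespace: default
spec:
  hosts:
    - "my-service.example.internal"
  gateways:
    - vpn-gateway                   # bind routes to the VPN-only Gateway above
  http:
    - route:
        - destination:
            host: my-service        # hypothetical Kubernetes Service
            port:
              number: 8080          # assumption
```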