Comments (5)
Do we need to create a set of such dummy services adding another unnecessary hop? If we augment the routing proto to include static IPs or fqdns, what then? It might complicate code a bit but it won't require the end user to declare what services are external or be surprised to see a pod for each such service or service instance. (E.g. lb1.foo.maps.com, lb2.foo.maps.com).
from pilot.
This issue is specifically for the ExternalName
type services. Here is an example:
apiVersion: v1
kind: Service
metadata:
name: my-app
spec:
ports:
- port: 12345
type: ExternalName
externalName: myapp.whatever.google.com
This service does not get a cluster IP and does not have pods in the cluster.
Imagine we want to monitor the traffic through this service and enforce control policies like quota.
We need to route traffic through Istio Proxy, so we create a deployment with proxies. We then rewrite the external name in the service "my-app" to point to Istio proxies, and make sure Istio proxies route the incoming traffic to "myapp.whatever.google.com". With this change, Kube DNS sends proxy address to Istio and non-Istio in-cluster clients. For Istio client-side proxy-enabled clients, we can skip Kube DNS and use Envoy discovery service.
from pilot.
Initial design for this feature.
-
Redirect traffic to external services to Istio proxy.
Manager rewritesexternalName
field to point to a dedicated k8s service that selects proxy-egress pods running Istio proxy. The originalexternalName
is stored as an annotation on the service definition.
Manager also requires port definitions on the external services. Ports are optional forexternalName
services starting from k8s 1.6, but Envoy needs explicit listener ports in its configuration to capture traffic and choose the right protocol filter. Manager rejects external services with no port declarations. -
Deploy egress proxies.
There are two choices for deploying dedicated egress proxies:
2a) Deploy proxies per each external services.
Manager defines a new service for each external service to point to these proxies, which has the same port declarations and serves as the target DNS name.
2b) Share egress proxies between external services.
There is one shared deployment and one service for cluster-egress proxies.
The service is managed to list all ports across external services This shared service is the target DNS name in the external service externalName
.
Proxies identify traffic using the external service hostname or VIP address.
I prefer option b), since it seems to be more in-line with sidecar proxy configuration.
Istio proxy does not need to use iptables port-rewriting since it's the sole container in its pod.
- Handing cluster egress traffic for explicit IP addresses.
Current k8s workaround: use a regular service without pod selector, and manually add an Endpoint with the IP and port.
Proposed workaround: add an annotation forExternalName
services to override the DNS name with an explicit IP address. Currently, a custom endpoint is treated the same way as a regular pod, so it should be handled by existing sidecar client-side proxies. But non-istio pods need a dedicated server-side proxy deployment, which this design addresses.
from pilot.
fixed by #463
Option 2b is implemented currently, wherein applications are expected to access the external service via their respective Kube services (over HTTP). The egress proxy will do https to the external service. Support for traffic with explicit external IP address, tcp communication with external service (and https) is TBD
from pilot.
Closing
from pilot.
Related Issues (20)
- istioctl not defaulting ns to "default" HOT 1
- Sidecar injection with mutating webhooks HOT 4
- Tests :Sidecar injection with mutating webhooks HOT 3
- Istio injection is not working for modified Deployments. HOT 6
- Ingress with host network HOT 1
- Request Headers Route Rule with composite services does not work HOT 1
- handling service registry client errors HOT 3
- Redirecting all ingress http traffic to https HOT 1
- Relational database adapter for Pilot config store HOT 10
- Diego BBS adapter for Pilot platform data HOT 12
- bazel 0.7 - make setup fails with bazel error on macOS HOT 12
- Use readable cluster names in stats HOT 4
- Build fails on Intel for Istioctl(pilot) HOT 14
- destination.labels is ignored in weighted rule HOT 4
- fails to create mixer configs when namespace field is empty
- Compute Envoy config eagerly rather than on-demand HOT 33
- istioctl kube-inject doesn't work when my pod has 2 containers HOT 2
- Add a script to query pilot for proxy configurations HOT 1
- gRPC-web HOT 1
- How to access the external services when istio with sidecar injected. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pilot.