2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In the last article, we learned how to control ingress traffic. This article mainly introduces how to access services outside the cluster when using Istio, that is, how to manage egress traffic.
With a default Istio installation, workloads in the mesh cannot directly access services outside the cluster. To expose external services to clients in the Istio cluster, there are two options:
Configure ServiceEntry
Configure global.proxy.includeIPRanges
Configure ServiceEntry to access external services
ServiceEntry adds entries to the service registry that Istio maintains internally, so that automatically discovered services in the mesh can access and route to these manually added services.
A ServiceEntry describes the properties of a service (DNS name, VIP, port, protocol, and endpoint). Such a service may be an API outside the mesh, or an entry inside the mesh that is not in the platform's service registry (such as a set of virtual machine services that need to communicate with Kubernetes services).
Configuring a ServiceEntry is simple, and it allows access from within the mesh to external services such as HTTP, HTTPS, Mongo, and TCP. The following lists the access configurations for external TCP services and HTTP services, respectively. For more information on the configuration parameters of ServiceEntry, please see:
https://istio.io/docs/reference/config/istio.networking.v1alpha3/#ServiceEntry
Example of external TCP service access configuration:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mysql
spec:
  hosts:
  - 192.168.0.245
  ports:
  - number: 3306
    name: tcp
    protocol: TCP
Example of external HTTP service access configuration:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: foo-ext
spec:
  hosts:
  - foo.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
Although the community recommends using ServiceEntry to access external services, when many services outside the cluster need to be accessed, configuring them one by one is tedious and hard to manage.
Configure global.proxy.includeIPRanges
If you install Istio with Helm, you can set the Helm variable global.proxy.includeIPRanges to the cluster's ClusterIP range and then install.
To change the configuration of an already installed Istio, change the value of "-i" in the ConfigMap named istio-sidecar-injector to the cluster's ClusterIP range, then restart the pods of all services so that the sidecar is re-injected. After the restart, the -i parameter of the initContainers in each pod will show the cluster's ClusterIP range.
With this setting, only traffic to IPs inside the cluster goes through the sidecar; calls to external services bypass the Istio sidecar proxy, so the service can access the corresponding external address directly.
Compared with configuring ServiceEntry, this method only requires a simple global Istio configuration, after which all external services can be accessed directly. The disadvantage is that traffic to services outside the cluster cannot be governed: for example, circuit breaking and rate limiting cannot be applied to middleware services outside the cluster. Users also need to understand the specific knowledge and configuration of their cloud provider.
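The trade-off between the two options, as an added example that is not from the original article: this Python sketch models which outbound destinations the sidecar captures for a given includeIPRanges value, so ungoverned egress can be listed. The cluster CIDR 10.96.0.0/12, the other destination IPs and all function names are constructed assumptions; only 192.168.0.245 comes from the ServiceEntry example above.

```python
import ipaddress

CLUSTER_CIDR = "10.96.0.0/12"          # assumed ClusterIP range (constructed)
SERVICE_ENTRY_IPS = {"192.168.0.245"}  # host from the article's TCP ServiceEntry


def parse_ranges(value):
    """Parse includeIPRanges; '*' (capture all outbound traffic) returns None."""
    value = value.strip()
    if value == "*":
        return None
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def egress_path(dest_ip, include_ip_ranges,
                cluster_cidr=CLUSTER_CIDR, service_entry_ips=SERVICE_ENTRY_IPS):
    """Classify outbound traffic to dest_ip under the model the article describes."""
    ip = ipaddress.ip_address(dest_ip)
    ranges = parse_ranges(include_ip_ranges)
    captured = ranges is None or any(ip in net for net in ranges)
    if not captured:
        return "bypass"                 # leaves the pod directly, no mesh policy
    if ip in ipaddress.ip_network(cluster_cidr):
        return "sidecar:mesh"           # in-cluster service, governed
    if dest_ip in service_entry_ips:
        return "sidecar:service-entry"  # external, registered, governed
    return "blocked"                    # external, unregistered, captured


def ungoverned(destinations, include_ip_ranges):
    """Destinations that would reach the network without passing the sidecar."""
    return [d for d in destinations
            if egress_path(d, include_ip_ranges) == "bypass"]


if __name__ == "__main__":
    dests = ["10.96.0.10", "192.168.0.245", "203.0.113.10"]  # constructed sample
    for setting in ("*", CLUSTER_CIDR):
        print(f"includeIPRanges={setting}")
        for d in dests:
            print(f"  {d:15} -> {egress_path(d, setting)}")
        print("  ungoverned:", ungoverned(dests, setting))
```

With "*" every external destination is either registered or blocked; with the ClusterIP range, both external addresses show up as ungoverned, which is the set to review before choosing the second option.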
At present the community has no perfect solution; please refer to the discussion:
https://groups.google.com/forum/#!searchin/istio-dev/serviceentry%7Csort:date/istio-dev/0RCt7Jqrcg8/7Ylrr4TABQAJ