Istio in Practice – Ingress Gateway

This entry is part 3 of 12 in the series Istio around everything else

Intro to Ingress Gateway

A best practice for allowing traffic into your cluster is to route it through Istio’s Ingress Gateway, which sits at the edge of the cluster and applies Istio’s features such as routing, security and monitoring to incoming traffic.

During Istio’s installation, the Ingress Gateway component and a service that exposes it externally were installed into the cluster. To get its external IP, execute the command below:

$ kubectl get svc -n istio-system -l istio=ingressgateway
NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)             
istio-ingressgateway   LoadBalancer   10.0.132.127   13.93.30.120   80:31380/TCP,443[...]

In the rest of this article we will access the application on this IP (referred to as the EXTERNAL-IP). For convenience, save it in a variable by executing the command below:

$ EXTERNAL_IP=$(kubectl get svc -n istio-system \
   -l app=istio-ingressgateway \
   -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')

Try to reach the IP in your browser and you will get a Service Unavailable error, as by default Istio doesn’t allow any incoming traffic until we define a Gateway.

Fig. 1. Istio blocking ingress traffic

The Gateway Resource

A Gateway is a Kubernetes custom resource, whose CustomResourceDefinition is installed into our cluster along with Istio, that lets us specify the ports, protocols and hosts for which we want to allow incoming traffic.

In our scenario, we want to allow HTTP traffic on port 80, for all hosts. This is achieved with the following resource definition:
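
The manifest itself is not shown on this page. A Gateway matching the description above, as an added example rather than the author's own file (the apiVersion and the port name are assumptions; the resource name comes from the kubectl output further down):

```yaml
# Added example: reconstructed from the article's description, not the
# author's http-gateway.yaml. apiVersion is assumed for the Istio 1.x line.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-gateway           # name taken from the kubectl apply output
spec:
  selector:
    istio: ingressgateway      # binds to the default ingress gateway pods
  servers:
  - port:
      number: 80
      name: http               # assumed port name
      protocol: HTTP
    hosts:
    - "*"                      # accepts any Host header; fine for a demo cluster
    # Outside a demo, list only the hostnames you actually serve, e.g.:
    # - "app.example.com"      # hypothetical hostname
```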

The configuration is self-explanatory except for the selector istio: ingressgateway. This selector specifies which Ingress Gateway the configuration applies to; in our case, it is the default ingress gateway controller installed during Istio setup.

Apply the above configuration by executing the command below:

$ kubectl apply -f resource-manifests/istio/http-gateway.yaml 
gateway.networking.istio.io "http-gateway" created

The gateway now allows access on port 80, but it has no idea where to route the requests.

Fig. 2. Ingress allowed, but routing not configured

That is achieved using Virtual Services, which are the main topic of the next article. Let’s get over there!

  • Mukesh Negi

    I have a question on Istio White Listing. I will be thankful if you can provide me some hints.

    https://discuss.istio.io/t/white-list-both-ip-and-some-of-the-services/3315

  • Yuva Raj

    Firstly, thanks a lot for the articles, they are really helpful and impressive. I am new to the Kubernetes and Istio world.

    I am facing an issue accessing the frontend; I just followed the same steps as in the articles. I installed Istio in the same way, and when I run the command below, I am getting EXTERNAL-IP as localhost.
    kubectl get svc -n istio-system -l istio=ingressgateway

    and when I run the other command to assign the EXTERNAL_IP, it doesn’t show any output and it's blank. I appreciate your help in resolving this issue.

    • Hi Yuva,

      What distribution of Kubernetes are you using?

      • Yuva Raj

        Using minikube version: v1.6.1 and istio version: 1.4.2. I tried the bookinfo sample application which is working fine.

        • Hi Yuva,

          To get the external IP please check the docs on how to do it on Minikube. I don’t have it currently installed, but it could be that you just have to specify the port on localhost and that would work for you? (previously instead of the localhost you’d get a Machine IP)

          I’d really recommend a cloud provider, something like GCP, Digital Ocean, or Azure, which would enable you to have the same setup as in the articles. Minikube will work as well, though you’d have to find workarounds.

          • Yuva Raj

            Thanks Rinor, I exposed the external IP by running the command below and applied the virtual service as well. Still, I am not able to access the front end 🙁
            export EXTERNAL_IP=$(minikube ip)
            echo $EXTERNAL_IP
            192.168.64.2
            I tried http://192.168.64.2/ and am getting a 404 error. Am I missing something here?