When deploying a gateway, you must opt-in to injection by adding an injection label or annotation to the gateway `deployment` object. The following example `ConfigMap` object deploys a gateway with automatic injection.
9
+
When deploying a gateway, you must opt-in to injection by adding an injection label or annotation to the gateway `deployment` object. The following example deploys a gateway.
10
10
11
11
.Prerequisites
12
12
13
13
* The namespace must be a member of the mesh by defining it in the `ServiceMeshMemberRoll` or by creating a `ServiceMeshMember` resource.
14
14
15
-
.Example deployment with annotations
15
+
.Procedure
16
+
17
+
. Set a unique label for the Istio ingress gateway. This setting is required to ensure that the gateway can select the workload. This example uses `ingressgateway` as the name of the gateway.
18
+
+
16
19
[source,yaml]
17
20
----
18
-
apiVersion: v1
19
-
kind: Service
20
-
metadata:
21
-
name: istio-ingressgateway
22
-
namespace: istio-ingress
23
-
spec:
24
-
type: LoadBalancer
25
-
selector:
21
+
apiVersion: v1
22
+
kind: Service
23
+
metadata:
24
+
name: istio-ingressgateway
25
+
namespace: istio-ingress
26
+
spec:
27
+
type: ClusterIP
28
+
selector:
29
+
istio: ingressgateway
30
+
ports:
31
+
- name: http
32
+
port: 80
33
+
targetPort: 8080
34
+
- name: https
35
+
port: 443
36
+
targetPort: 8443
37
+
---
38
+
apiVersion: apps/v1
39
+
kind: Deployment
40
+
metadata:
41
+
name: istio-ingressgateway
42
+
namespace: istio-ingress
43
+
spec:
44
+
selector:
45
+
matchLabels:
26
46
istio: ingressgateway
27
-
ports:
28
-
- port: 80
29
-
name: http
30
-
- port: 443
31
-
name: https
32
-
---
33
-
apiVersion: apps/v1
34
-
kind: Deployment
35
-
metadata:
36
-
name: istio-ingressgateway
37
-
namespace: istio-ingress
38
-
spec:
39
-
selector:
40
-
matchLabels:
47
+
template:
48
+
metadata:
49
+
annotations:
50
+
inject.istio.io/templates: gateway
51
+
labels:
41
52
istio: ingressgateway
42
-
template:
43
-
metadata:
44
-
annotations:
45
-
inject.istio.io/templates: gateway <1>
46
-
labels:
47
-
istio: ingressgateway <2>
48
-
sidecar.istio.io/inject: "true" <3>
49
-
spec:
50
-
containers:
51
-
- name: istio-proxy
52
-
image: auto <4>
53
-
---
54
-
apiVersion: rbac.authorization.k8s.io/v1 <5>
55
-
kind: Role
56
-
metadata:
57
-
name: istio-ingressgateway-sds
58
-
namespace: istio-ingress
59
-
rules:
60
-
- apiGroups: [""]
61
-
resources: ["secrets"]
62
-
verbs: ["get", "watch", "list"]
63
-
---
64
-
apiVersion: rbac.authorization.k8s.io/v1
65
-
kind: RoleBinding
66
-
metadata:
67
-
name: istio-ingressgateway-sds
68
-
namespace: istio-ingress
53
+
sidecar.istio.io/inject: "true" <1>
54
+
spec:
55
+
containers:
56
+
- name: istio-proxy
57
+
image: auto <2>
58
+
----
59
+
<1> Enable gateway injection by setting the `sidecar.istio.io/inject` field to `"true"`.
60
+
<2> Set the `image` field to `auto` so that the image automatically updates each time the pod starts.
61
+
62
+
. Set up roles to allow reading credentials for TLS.
63
+
+
64
+
[source,yaml]
65
+
----
66
+
apiVersion: rbac.authorization.k8s.io/v1
67
+
kind: Role
68
+
metadata:
69
+
name: istio-ingressgateway-sds
70
+
namespace: istio-ingress
71
+
rules:
72
+
- apiGroups: [""]
73
+
resources: ["secrets"]
74
+
verbs: ["get", "watch", "list"]
75
+
---
76
+
apiVersion: rbac.authorization.k8s.io/v1
77
+
kind: RoleBinding
78
+
metadata:
79
+
name: istio-ingressgateway-sds
80
+
namespace: istio-ingress
69
81
roleRef:
70
82
apiGroup: rbac.authorization.k8s.io
71
83
kind: Role
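Review bot: the rewritten example drops two callouts from the old block without carrying their content anywhere else. The annotation `inject.istio.io/templates: gateway` is still in the new template (`annotations:` under `template.metadata`) but the old `<1>` explanation, that it selects the gateway injection template instead of the default sidecar template, is gone, and the old `<3>` note that a revisioned control plane needs `istio.io/rev: revision-name` in place of `sidecar.istio.io/inject: "true"` has also been removed; restore both, either as callouts on the new block or as prose in step 1. Two smaller points in the same hunk: the Service changes from `type: LoadBalancer` to `type: ClusterIP`, so the procedure no longer shows how traffic reaches the gateway from outside the cluster (on OpenShift that is normally a Route, which deserves its own step, especially since a later step is titled "Grant access to the new gateway from outside the cluster"); and the new `targetPort: 8080` / `targetPort: 8443` values differ from the `port` values 80/443 without a sentence saying why, which invites readers to "fix" them back to 80/443.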
@@ -74,8 +86,69 @@ subjects:
74
86
- kind: ServiceAccount
75
87
name: default
76
88
----
77
-
<1> Select the gateway injection template rather than the default sidecar template.
78
-
<2> Set a unique label for the gateway. This setting is required to ensure Gateways can select this workload.
79
-
<3> Enable gateway injection. If connecting to a revisioned control plane, replace with `istio.io/rev: revision-name`.
80
-
<4> The image automatically updates each time the pod starts.
81
-
<5> Set up roles to allow reading credentials for TLS.
89
+
90
+
. Grant access to the new gateway from outside the cluster, which is required whenever `spec.security.manageNetworkPolicy` is set to `true`.
91
+
+
92
+
[source,yaml]
93
+
----
94
+
apiVersion: networking.k8s.io/v1
95
+
kind: NetworkPolicy
96
+
metadata:
97
+
name: gatewayingress
98
+
namespace: istio-ingress
99
+
spec:
100
+
podSelector:
101
+
matchLabels:
102
+
istio: ingressgateway
103
+
ingress:
104
+
- {}
105
+
policyTypes:
106
+
- Ingress
107
+
----
108
+
109
+
. Automatically scale the pod when ingress traffic increases. This example sets the minimum replicas to `2` and the maximum replicas to `5`. It also creates another replica when utilization reaches 80%.
110
+
+
111
+
[source,yaml]
112
+
----
113
+
apiVersion: autoscaling/v2
114
+
kind: HorizontalPodAutoscaler
115
+
metadata:
116
+
labels:
117
+
istio: ingressgateway
118
+
release: istio
119
+
name: ingressgatewayhpa
120
+
namespace: istio-ingress
121
+
spec:
122
+
maxReplicas: 5
123
+
metrics:
124
+
- resource:
125
+
name: cpu
126
+
target:
127
+
averageUtilization: 80
128
+
type: Utilization
129
+
type: Resource
130
+
minReplicas: 2
131
+
scaleTargetRef:
132
+
apiVersion: apps/v1
133
+
kind: Deployment
134
+
name: istio-ingressgateway
135
+
----
136
+
137
+
. Specify the minimum number of pods that must be running on the node. This example ensures one replica is running if a pod gets restarted on a new node.
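Review bot: the RoleBinding whose tail opens this hunk binds the secrets-reading Role to `kind: ServiceAccount` / `name: default`, and the Deployment earlier in the file sets no `serviceAccountName`, so every pod in `istio-ingress` that runs as `default` gains `get`/`list`/`watch` on all Secrets in the namespace, not just the gateway; add a dedicated ServiceAccount to the Deployment and bind the Role to that instead. In the NetworkPolicy step, `ingress:` / `- {}` admits traffic from any source on any port to the gateway pods; listing the `ports` the Service targets (8080 and 8443) keeps the exposure to what the gateway actually serves. The HPA step text says the policy "creates another replica when utilization reaches 80%", but `averageUtilization: 80` scales on the average CPU utilization across all gateway pods and can add several replicas in one step; suggest "scales out when average CPU utilization across the gateway pods exceeds 80%". Finally, the last step describes "the minimum number of pods that must be running on the node" that survives a restart; if this step introduces a PodDisruptionBudget, `minAvailable` is counted across all matching pods, not per node, and governs voluntary disruptions such as node drains rather than restarts, so the sentence should be reworded before the YAML is added.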
modules/ossm-gateways.adoc: 3 additions & 1 deletion
@@ -9,7 +9,9 @@
9
9
10
10
You can use a gateway to manage inbound and outbound traffic for your mesh to specify which traffic you want to enter or leave the mesh. Gateway configurations are applied to standalone Envoy proxies that are running at the edge of the mesh, rather than sidecar Envoy proxies running alongside your service workloads.
11
11
12
-
Unlike other mechanisms for controlling traffic entering your systems, such as the Kubernetes Ingress APIs, {SMProductName} gateways allow you to use the full power and flexibility of traffic routing. The {SMProductName} gateway resource can layer 4-6 load balancing properties, such as ports, to expose and configure {SMProductName} TLS settings. Instead of adding application-layer traffic routing (L7) to the same API resource, you can bind a regular {SMProductName} virtual service to the gateway and manage gateway traffic like any other data plane traffic in a service mesh.
12
+
Unlike other mechanisms for controlling traffic entering your systems, such as the Kubernetes Ingress APIs, {SMProductName} gateways use the full power and flexibility of traffic routing.
13
+
14
+
The {SMProductName} gateway resource can use layer 4-6 load balancing properties, such as ports, to expose and configure {SMProductName} TLS settings. Instead of adding application-layer traffic routing (L7) to the same API resource, you can bind a regular {SMProductName} virtual service to the gateway and manage gateway traffic like any other data plane traffic in a service mesh.
13
15
14
16
Gateways are primarily used to manage ingress traffic, but you can also configure egress gateways. An egress gateway lets you configure a dedicated exit node for the traffic leaving the mesh. This enables you to limit which services have access to external networks, which adds security control to your service mesh. You can also use a gateway to configure a purely internal proxy.
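Review bot: splitting the paragraph changed its meaning at line 12. The removed text said gateways "allow you to use the full power and flexibility of traffic routing"; the added line says gateways "use the full power and flexibility of traffic routing", which makes the gateway rather than the operator the subject. Keep "allow you to use" (or "give you"). Line 14 also stays awkward: "can use layer 4-6 load balancing properties, such as ports, to expose and configure {SMProductName} TLS settings" mixes what is exposed (ports) with what is configured (TLS). Suggest: "The {SMProductName} gateway resource describes layer 4-6 load balancing properties, such as the ports to expose and the TLS settings to apply." The sentence about binding a virtual service to the gateway reads fine where it now sits.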