Istio | Provides Istio implementation on Kubernetes | Cloud library

Our Security Dept requirement on egress traffic is very strict: Each app inside POD must go through some proxy with mTLS authentication (app-proxy) using dedicated cert for the app. They're suggesting using squid with tunneling to cope with double mTLS (one for proxy and the other one for the specific traffic app-server), but then we forced the app to be ssl-aware. Istio can come in and do the job but using out-of-the-box ISTIO_MUTUAL mode (between istio-proxy and egress gateway) is not the case for us.

So, I've tried using example Configure mutual TLS origination for egress traffic by modifying it a bit as follows (changes marked with #- and #+):

The knative docs describe the following:

To configure DNS for Knative, take the External IP or CNAME from setting up networking, and configure it with your DNS provider as follows

• If the networking layer produced an External IP address, then configure a wildcard A record for the domain:

  # Here knative.example.com is the domain suffix for your cluster

  *.knative.example.com == A 35.233.41.212

• If the networking layer produced a CNAME, then configure a CNAME record for the domain:

  # Here knative.example.com is the domain suffix for your cluster

  *.knative.example.com == CNAME a317a278525d111e89f272a164fd35fb-1510370581.eu-central-1.elb.amazonaws.com

However, my environment doesn't have an external load balancer and hence no EXTERNAL-IP:

I'm trying to deploy kubeflow on and OVH managed k8 cluster.

After the initial setup of the k8 cluster, I ran the following commands to install kubeflow, as suggested here:

I'm trying to configure a canary rollout for a demo, but I'm having trouble getting the traffic splitting to work with linkerd. The funny part is I was able to get this working with istio and i find istio to be much more complicated then linkerd.

I have a basic go-lang service define like this:

We are trying to setup an egress gateway in a multi-cluster/multi-primary mesh configuration where the egress gateway is located in only one cluster but used from both.

diagram of desired setup

The use case is that the clusters are in different network zones and we want to be able to route traffic to one zone transparently to the clients in the other zone.

We followed this guide in one cluster and it worked fine. However we have trouble setting up the VirtualService in the second cluster to use the egress gateway in the first cluster.

When deploying the following virtual service to the second cluster we get 503 with cluster_not_found.

I have an AWS classic load balancer. Here are my listeners :

The AWS classic load balancer is doing tls termination, and redirecting the traffic to port 30925 of my nodes
The process listening on port 30925 is an istio gateway, redirecting traffic afterwards based on the SNI of the request

However, the AWS classic load balancer doesn't seems to keep the SNI of the request after tls termination

Is there any documentation regarding the behavior of the load balancer in that situation?
I found a couple of links talking about SNI (here for example), but it's only talking about the load balancer itself handling the routing of the SNI

I have configured a K8S cluster with istio-ingressgateway as per the docs.

Although the HPE Container Platform managed haproxy gateway can route traffic to the istio-ingressgateway, I would like to access the host endpoints directly.

How can I determine the ingress IP addresses and ports for the hosts avoiding the managed haproxy gateway?

I'm pretty new to k8s and I'm trying to figure out how to expose to Internet, multiple HTTP services, in cheap manner. Currently I'm using AWS EKS cluster with managed node groups, so the cheap way will be not to provision any kind ELB as it cost. Also I would like those services to be in private subnets so just f.ex only Ingress Resource will be exposed and the nodes will stay private. One load balancer per svc is definitely not an option as it will break down my budget

The options I consider:

• Using K8s ingress resources (to be precise: Istio Ingress controller). But the downside of that is, when we creating ingress resource, AWS create Load Balancer for which I will need to pay.

• Run node groups in public subnets, and create K8s Services of type NodePort so I could reach service using NodeIP:NodePort (NodePort will be specific for each service). The downside of that I will need to remember all IPs and ports assigned to each service. I can live with one service but when the number increase that will be pretty awful to remember.

• At last, without any other option is to create one load balancer with public IP and also create Ingress controller with Istio. So I will reach each services by single DNS name of Load Balancer and I will route to services by request path.

Looking forward to any solution and inputs.

When load testing a kubernetes service where routing is done via istio, all the services in the cluster become unresponsive. This happens when there is 100% failure from the service that is being load tested.

Is there a way to prevent this? Should we apply istio circuit breaking?