Istio | Provides Istio implementation on Kubernetes | Cloud library
kandi X-RAY | Istio Summary
The following is the service mesh for the billing application. Source code is in the respective folders. For more information on Kubernetes visit For more information on Istio visit
Top functions reviewed by kandi - BETA
- Get billing service information for an account
- Get BillSummary for an account
- String representation of this transaction.
- Get BillDto Bill
- Returns customer by id
- Return all transactions associated with an account
- Get the customer by id
- The rest template.
- Entry point for the spring application.
Trending Discussions on Istio
QUESTION
I have a bunch of GRPC microservices and they are using self-signed certs. I add authentication info to the GRPC channel which is then used to identify endpoints and provide the right services.
Now I want to migrate to Istio mTLS.
In phase one, I got Istio to BYPASS all GRPC connections and my services work as they do now.
In phase two, I want to hand off TLS to Istio, but I am stuck on how to pass the authentication information to GRPC.
How do you handle auth in an Istio mTLS setup?
GRPC can support other authentication mechanisms. Has anyone used this to inject Istio auth info into GRPC? Any other suggestions on how you implemented this in your setup?
I am using go-lang just in case if this can be useful to provide any additional information.
Thanks
...ANSWER
Answered 2021-Jun-11 at 09:21
One way of doing this is using grpc.WithInsecure(); this way you don't have to add certificates to your services, since the istio-proxy containers in your pods will TLS-terminate any incoming connections.
Client side:
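The other half of the question, how the service still learns who is calling once the sidecar owns the TLS handshake, is shown below as an added example; it is not code from the question or the answer. It assumes a gRPC-Go server behind an Istio sidecar with mTLS enabled: the sidecar terminates mTLS and forwards the verified peer certificate details in the x-forwarded-client-cert (XFCC) header, so the application recovers the caller's SPIFFE identity from request metadata instead of from its own certificates. The Metadata type stands in for grpc's metadata.MD so the parser runs without the grpc module, and the header value, hash and service-account names are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Metadata mirrors grpc's metadata.MD (lower-cased names, multiple values) so
// the example runs without the grpc module; a real server passes in the
// result of metadata.FromIncomingContext(ctx) instead.
type Metadata map[string][]string

// XFCCHeader is set by Envoy, hence the Istio sidecar, after it terminates
// mTLS: ';'-separated fields per element, one ','-separated element per hop.
const XFCCHeader = "x-forwarded-client-cert"

// PeerIdentity is the subset of an XFCC element used for authorization.
type PeerIdentity struct {
	URI     string // SPIFFE ID, e.g. spiffe://cluster.local/ns/default/sa/sleep
	Subject string // X.509 subject; empty for Istio workload certificates
}

// splitQuoted splits s on sep, ignoring separators inside double quotes
// (the Subject field is quoted and may itself contain ';' or ',').
func splitQuoted(s string, sep byte) []string {
	var parts []string
	var cur strings.Builder
	inQuote := false
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '"':
			inQuote = !inQuote
			cur.WriteByte(c)
		case c == sep && !inQuote:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// parseElement parses one "Key=value;Key=value" XFCC element.
func parseElement(el string) (PeerIdentity, error) {
	var id PeerIdentity
	for _, kv := range splitQuoted(el, ';') {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			return PeerIdentity{}, fmt.Errorf("malformed XFCC field %q", kv)
		}
		switch v = strings.Trim(v, `"`); k {
		case "URI":
			id.URI = v
		case "Subject":
			id.Subject = v
		}
	}
	return id, nil
}

// CallerIdentity returns the immediate peer: the last element, appended by the
// proxy that terminated TLS. Trust it only when the app port is reachable
// solely through the sidecar, which replaces any client-supplied XFCC header.
func CallerIdentity(md Metadata) (PeerIdentity, error) {
	vals := md[XFCCHeader]
	if len(vals) == 0 {
		return PeerIdentity{}, errors.New("no XFCC header: request did not arrive over sidecar mTLS")
	}
	elements := splitQuoted(vals[len(vals)-1], ',')
	id, err := parseElement(elements[len(elements)-1])
	if err != nil {
		return PeerIdentity{}, err
	}
	if !strings.HasPrefix(id.URI, "spiffe://") {
		return PeerIdentity{}, fmt.Errorf("peer URI %q is not a SPIFFE ID", id.URI)
	}
	return id, nil
}

// Authorize is the check a unary interceptor runs before the handler; allowed
// is keyed by full SPIFFE ID, the same principal an AuthorizationPolicy uses.
func Authorize(md Metadata, allowed map[string]bool) (PeerIdentity, error) {
	id, err := CallerIdentity(md)
	if err != nil {
		return id, err
	}
	if !allowed[id.URI] {
		return id, fmt.Errorf("caller %s is not allowed", id.URI)
	}
	return id, nil
}

func main() {
	// Constructed sample: the "sleep" workload calling billing over sidecar mTLS.
	md := Metadata{XFCCHeader: {`By=spiffe://cluster.local/ns/default/sa/billing;Hash=a1b2c3;Subject="";URI=spiffe://cluster.local/ns/default/sa/sleep`}}
	_, err := Authorize(md, map[string]bool{"spiffe://cluster.local/ns/default/sa/sleep": true})
	fmt.Println("sleep allowed:", err == nil) // true
}
```

In grpc-go the same check sits in a unary interceptor: take metadata.FromIncomingContext(ctx), pass it to Authorize, and return codes.PermissionDenied on error. The client dials with insecure transport credentials exactly as the answer says, because its own sidecar originates the mTLS leg. An Istio AuthorizationPolicy listing the same principals enforces the allow-list at the proxy; the in-process check is defence in depth and is only sound while the application port cannot be reached without going through the sidecar.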
QUESTION
Our Security Dept's requirement on egress traffic is very strict: each app inside a POD must go through some proxy with mTLS authentication (app-proxy) using a dedicated cert for the app. They're suggesting using squid with tunneling to cope with double mTLS (one for the proxy and the other one for the specific traffic app-server), but then we force the app to be SSL-aware. Istio can come in and do the job, but using the out-of-the-box ISTIO_MUTUAL mode (between istio-proxy and the egress gateway) is not the case for us.
So, I've tried using example Configure mutual TLS origination for egress traffic by modifying it a bit as follows (changes marked with #- and #+):
...ANSWER
Answered 2021-Jun-09 at 08:40
OK, finally I've solved it. The key point here is the part of the DestinationRule spec which says:
- credentialName -> NOTE: This field is currently applicable only at gateways. Sidecars will continue to use the certificate paths.
So I've modified the following manifests:
client deployment of sleep.yml (to mount certs)
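The answer's key point turned into manifests, as an added example rather than the asker's modified sleep.yml: because a sidecar ignores credentialName, the client certificate, key and CA are mounted into the istio-proxy container with the injector's userVolume/userVolumeMount annotations, and the DestinationRule points at those file paths. The external host app-server.example.com, the secret name app-client-cert, the mount path /etc/app-certs and the sleep workload are assumptions.

```yaml
# Added example, not the asker's manifests. Assumed: external host
# app-server.example.com, a TLS secret app-client-cert in the client namespace.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: app-server
spec:
  hosts:
  - app-server.example.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
# The app sends plain HTTP to port 80; the sidecar rewrites it to 443 and
# originates mTLS there, so the app never handles certificates itself.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-server
spec:
  hosts:
  - app-server.example.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: app-server.example.com
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-mtls-app-server
spec:
  host: app-server.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        # credentialName is only honoured at gateways; a sidecar needs the
        # files present inside the istio-proxy container (mounted below).
        clientCertificate: /etc/app-certs/tls.crt
        privateKey: /etc/app-certs/tls.key
        caCertificates: /etc/app-certs/ca.crt
        sni: app-server.example.com
---
# Client workload: the injector annotations mount the secret into the
# sidecar container, not into the application container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"app-client-cert","secret":{"secretName":"app-client-cert"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"app-client-cert","mountPath":"/etc/app-certs","readOnly":true}]'
    spec:
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "infinity"]
```

The per-app key lives in a Kubernetes secret in the client's namespace, so anyone with get/list on secrets there can read it; scope RBAC accordingly and keep the secret out of the application container. The only plaintext leg is the loopback hop from the app to its own sidecar on port 80. A quick check that the mount worked is `kubectl exec deploy/sleep -c istio-proxy -- ls /etc/app-certs`.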
QUESTION
The knative docs describe the following:
To configure DNS for Knative, take the External IP or CNAME from setting up networking, and configure it with your DNS provider as follows
If the networking layer produced an External IP address, then configure a wildcard A record for the domain:
# Here knative.example.com is the domain suffix for your cluster
*.knative.example.com == A 35.233.41.212
If the networking layer produced a CNAME, then configure a CNAME record for the domain:
# Here knative.example.com is the domain suffix for your cluster
*.knative.example.com == CNAME a317a278525d111e89f272a164fd35fb-1510370581.eu-central-1.elb.amazonaws.com
However, my environment doesn't have an external load balancer and hence no EXTERNAL-IP:
...ANSWER
Answered 2021-May-31 at 18:53
Setting up DNS as follows works ok so far for me:
QUESTION
I'm trying to deploy kubeflow on an OVH managed k8s cluster.
After the initial setup of the k8 cluster, I ran the following commands to install kubeflow, as suggested here:
...ANSWER
Answered 2021-Jun-07 at 12:38
QUESTION
I'm trying to configure a canary rollout for a demo, but I'm having trouble getting the traffic splitting to work with linkerd. The funny part is I was able to get this working with istio and I find istio to be much more complicated than linkerd.
I have a basic go-lang service defined like this:
...ANSWER
Answered 2021-Jun-03 at 05:06
After reading this: https://linkerd.io/2.10/tasks/using-ingress/ I discovered you need to modify your ingress controller with a special annotation:
QUESTION
We are trying to set up an egress gateway in a multi-cluster/multi-primary mesh configuration where the egress gateway is located in only one cluster but used from both.
The use case is that the clusters are in different network zones and we want to be able to route traffic to one zone transparently to the clients in the other zone.
We followed this guide in one cluster and it worked fine. However we have trouble setting up the VirtualService in the second cluster to use the egress gateway in the first cluster.
When deploying the following virtual service to the second cluster we get 503 with cluster_not_found.
...ANSWER
Answered 2021-May-31 at 14:52
According to the comments the solution should work as below:
To create a multi-cluster deployment you can use this tutorial. In this situation cross-cluster workload of normal services works fine. However, there is a problem with getting the traffic to the egress gateway routed via the eastwest gateway. This can be solved with this example.
You should also change kind: VirtualService to kind: ServiceEntry in both clusters.
Like Tobias Henkel mentioned:
I got it to work fine with the service entry if I target the ingress gateway on ports 80/443 which then dispatches further to the mesh external services.
You can also use Admiral to automate traffic routing.
See also:
QUESTION
I have an AWS classic load balancer. Here are my listeners:
The AWS classic load balancer is doing TLS termination, and redirecting the traffic to port 30925 of my nodes.
The process listening on port 30925 is an istio gateway, redirecting traffic afterwards based on the SNI of the request.
However, the AWS classic load balancer doesn't seem to keep the SNI of the request after TLS termination.
Is there any documentation regarding the behavior of the load balancer in that situation?
I found a couple of links talking about SNI (here for example), but it's only talking about the load balancer itself handling the routing of the SNI.
ANSWER
Answered 2021-May-31 at 10:05
Based on the comments.
If you terminate SSL on the load balancer (LB), SSL-related information is not carried over to your targets. To ensure full SSL-forwarding to your targets, you have to use TCP listener. This way your targets will be responsible for handling SSL, and subsequently will be able to custom process it.
QUESTION
I have configured a K8S cluster with istio-ingressgateway as per the docs.
Although the HPE Container Platform managed haproxy gateway can route traffic to the istio-ingressgateway, I would like to access the host endpoints directly.
How can I determine the ingress IP addresses and ports for the hosts avoiding the managed haproxy gateway?
...ANSWER
Answered 2021-May-30 at 14:49
This is how I found the information:
QUESTION
I'm pretty new to k8s and I'm trying to figure out how to expose multiple HTTP services to the Internet in a cheap manner. Currently I'm using an AWS EKS cluster with managed node groups, so the cheap way will be not to provision any kind of ELB as it costs. Also I would like those services to be in private subnets so, f.ex, only the Ingress Resource will be exposed and the nodes will stay private. One load balancer per svc is definitely not an option as it will break down my budget.
The options I consider:
1. Using K8s ingress resources (to be precise: Istio Ingress controller). But the downside of that is, when we create an ingress resource, AWS creates a Load Balancer for which I will need to pay.
2. Run node groups in public subnets, and create K8s Services of type NodePort so I could reach a service using NodeIP:NodePort (NodePort will be specific for each service). The downside of that is I will need to remember all IPs and ports assigned to each service. I can live with one service but when the number increases that will be pretty awful to remember.
3. At last, without any other option, is to create one load balancer with a public IP and also create an Ingress controller with Istio. So I will reach each service by the single DNS name of the Load Balancer and I will route to services by request path.
Looking forward to any solution and inputs.
...ANSWER
Answered 2021-May-28 at 10:01
I don't think there is any magic here. Option 1 and 3 are basically one and the same (unless I am missing something). As you pointed out I don't think option 2 is viable for the reasons you call out. You have a number of options to go with. I don't know the Istio ingress (but I assume it will be fine). We often see customers using either the NGINX ingress or the ALB ingress.
All of these options require a Load Balancer.
QUESTION
When load testing a kubernetes service where routing is done via istio, all the services in the cluster become unresponsive. This happens when there is 100% failure from the service that is being load tested.
Is there a way to prevent this? Should we apply istio circuit breaking?
...ANSWER
Answered 2021-May-26 at 07:44
In short, yes. The Circuit Breaker pattern was designed for detecting when an endpoint is responding slowly or not responding at all.
Slow-responding endpoints are especially troublesome because, as you have already found out, they may cause your system to lag. The circuit breaker is a proxy that controls flow to an endpoint. If the endpoint fails or is too slow (based on your configuration), the proxy will open the circuit to the container.
With connectionPool parameters you can set how many requests you want to be pending over the one that's being established. If you set http1MaxPendingRequests to 1 and maxRequestsPerConnection to 1, any additional requests beyond that will be denied until the pending request has been processed.
Another useful option is OutlierDetection. It detects faulty instances and then makes them unavailable for a pre-configured time (sometimes called a sleep window). While the container is in that period of time it's excluded from routing and load balancing and has time to recover while not being overloaded with more requests.
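A DestinationRule that sets the two connectionPool fields named in the answer together with outlier detection, as an added example that is not the asker's configuration. The host billing.default.svc.cluster.local and the numeric limits are assumptions to be tuned against the service's measured capacity.

```yaml
# Added example, not from the question or answer. Assumed host and limits.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: billing-circuit-breaker
spec:
  host: billing.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100          # upstream connections a client sidecar may open
      http:
        http1MaxPendingRequests: 1   # requests queued beyond this fail fast with 503
        maxRequestsPerConnection: 1  # one request per connection, no keep-alive reuse
    outlierDetection:
      consecutive5xxErrors: 5        # eject a pod after 5 consecutive 5xx responses
      interval: 10s                  # how often the ejection sweep runs
      baseEjectionTime: 30s          # ejection lasts 30s times the number of prior ejections
      maxEjectionPercent: 50         # never eject more than half the endpoints
```

The connectionPool limits are enforced by each client sidecar, not globally, and a rejected request is an immediate 503 carrying Envoy's UO (upstream overflow) response flag in the proxy access log; that fast failure, instead of requests piling up inside the proxies, is what keeps the rest of the mesh responsive while one service is being load tested. Two caveats: maxEjectionPercent defaults to 10 when omitted, so a two-pod deployment ejects nothing, and when every pod is failing (the 100% failure case in the question) outlier detection has nowhere left to route, so the connection-pool half is the part that actually protects the callers.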
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Install Istio
CD into the Istio install directory on your machine.
All Pods should either be completed or running. All services deployed.