Workload Entry

    When a workload connects to istiod, the status field in the custom resource will be updated to indicate the health of the workload along with other details, similar to how Kubernetes updates the status of a pod.

    The following example declares a workload entry representing a VM for the details.bookinfo.com service. This VM has sidecar installed and bootstrapped using the details-legacy service account. The service is exposed on port 80 to applications in the mesh. The HTTP traffic to this service is wrapped in Istio mutual TLS and sent to sidecars on VMs on target port 8080, that in turn forward it to the application on localhost on the same port.

    1. apiVersion: networking.istio.io/v1beta1
    2. kind: WorkloadEntry
    3. metadata:
    4.   name: details-svc
    5. spec:
    6.   # use of the service account indicates that the workload has a
    7.   # sidecar proxy bootstrapped with this service account. Pods with
    8.   # sidecars will automatically communicate with the workload using
    9.   # istio mutual TLS.
    10.   serviceAccount: details-legacy
    11.   address: 2.2.2.2
    12.   labels:
    13.     app: details-legacy
    14.     instance-id: vm1

    and the associated service entry

    1. apiVersion: networking.istio.io/v1beta1
    2. kind: ServiceEntry
    3. metadata:
    4.   name: details-svc
    5. spec:
    6.   - details.bookinfo.com
    8.   ports:
    9.   - number: 80
    10.     name: http
    11.     protocol: HTTP
    12.     targetPort: 8080
    13.   resolution: STATIC
    14.   workloadSelector:
    15.     labels:
    16.       app: details-legacy

    The following example declares the same VM workload using its fully qualified DNS name. The service entry’s resolution mode should be changed to DNS to indicate that the client-side sidecars should dynamically resolve the DNS name at runtime before forwarding the request.

    1. apiVersion: networking.istio.io/v1beta1
    2. kind: WorkloadEntry
    3. metadata:
    4.   name: details-svc
    5. spec:
    6.   # use of the service account indicates that the workload has a
    7.   # sidecar proxy bootstrapped with this service account. Pods with
    8.   # sidecars will automatically communicate with the workload using
    9.   # istio mutual TLS.
    10.   address: vm1.vpc01.corp.net
    11.   labels:
    12.     app: details-legacy
    13.     instance-id: vm1
    1. apiVersion: networking.istio.io/v1beta1
    2. kind: ServiceEntry
    3. metadata:
    4.   name: details-svc
    5. spec:
    7.   - details.bookinfo.com
    8.   location: MESH_INTERNAL
    9.   ports:
    10.   - number: 80
    11.     name: http
    12.     protocol: HTTP
    13.     targetPort: 8080
    14.   resolution: DNS
    15.   workloadSelector:
    16.     labels:

    WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries.