Kubernetes Services for Egress Traffic
This task shows that these Kubernetes mechanisms for accessing external services continue to work with Istio. The only configuration step you must perform is to use a TLS mode other than Istio’s mutual TLS. The external services are not part of an Istio service mesh so they cannot perform the mutual TLS of Istio. You must set the TLS mode according to the TLS requirements of the external service and according to the way your workload accesses the external service. If your workload issues plain HTTP requests and the external service requires TLS, you may want to perform TLS origination by Istio. If your workload already uses TLS, the traffic is already encrypted and you can just disable Istio’s mutual TLS.
This page describes how Istio can integrate with existing Kubernetes configurations. For new deployments, we recommend following .
While the examples in this task use HTTP protocols, Kubernetes Services for egress traffic work with other protocols as well.
Setup Istio by following the instructions in the .
The egress gateway and access logging will be enabled if you install the
demo
configuration profile.Deploy the sample app to use as a test source for sending requests. If you have automatic sidecar injection enabled, run the following command to deploy the sample app:
Otherwise, manually inject the sidecar before deploying the
sleep
application with the following command:$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
You can use any pod with
curl
installed as a test source.-
$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
Create a namespace for a source pod without Istio control:
$ kubectl create namespace without-istio
Start the sample in the
without-istio
namespace.$ kubectl apply -f @samples/sleep/sleep.yaml@ -n without-istio
To send requests, create the
SOURCE_POD_WITHOUT_ISTIO
environment variable to store the name of the source pod:$ export SOURCE_POD_WITHOUT_ISTIO="$(kubectl get pod -n without-istio -l app=sleep -o jsonpath={.items..metadata.name})"
Verify that the Istio sidecar was not injected, that is the pod has one container:
$ kubectl get pod "$SOURCE_POD_WITHOUT_ISTIO" -n without-istio
NAME READY STATUS RESTARTS AGE
sleep-66c8d79ff5-8tqrl 1/1 Running 0 32s
Create a Kubernetes ExternalName service for
httpbin.org
in the default namespace:$ kubectl apply -f - <<EOF
kind: Service
apiVersion: v1
metadata:
name: my-httpbin
spec:
type: ExternalName
externalName: httpbin.org
ports:
- name: http
protocol: TCP
port: 80
EOF
Observe your service. Note that it does not have a cluster IP.
Access
httpbin.org
via the Kubernetes service’s hostname from the source pod without Istio sidecar. Note that the curl command below uses the :<service name>.<namespace>.svc.cluster.local
.$ kubectl exec "$SOURCE_POD_WITHOUT_ISTIO" -n without-istio -c sleep -- curl -sS my-httpbin.default.svc.cluster.local/headers
{
"headers": {
"Accept": "*/*",
"Host": "my-httpbin.default.svc.cluster.local",
"User-Agent": "curl/7.55.0"
}
}
Access
httpbin.org
via the Kubernetes service’s hostname from the source pod with Istio sidecar. Notice the headers added by Istio sidecar, for exampleX-Envoy-Decorator-Operation
. Also note that theHost
header equals to your service’s hostname.$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS my-httpbin.default.svc.cluster.local/headers
{
"headers": {
"Accept": "*/*",
"Content-Length": "0",
"Host": "my-httpbin.default.svc.cluster.local",
"User-Agent": "curl/7.64.0",
"X-B3-Sampled": "0",
"X-B3-Spanid": "5795fab599dca0b8",
"X-B3-Traceid": "5079ad3a4af418915795fab599dca0b8",
"X-Envoy-Decorator-Operation": "my-httpbin.default.svc.cluster.local:80/*",
"X-Envoy-Peer-Metadata": "...",
"X-Envoy-Peer-Metadata-Id": "sidecar~10.28.1.74~sleep-6bdb595bcb-drr45.default~default.svc.cluster.local"
}
}
$ kubectl delete destinationrule my-httpbin
$ kubectl delete service my-httpbin
-
$ kubectl apply -f - <<EOF
kind: Service
apiVersion: v1
metadata:
name: my-wikipedia
spec:
ports:
- protocol: TCP
port: 443
name: tls
EOF
Create endpoints for your service. Pick a couple of IPs from the Wikipedia ranges list.
$ kubectl apply -f - <<EOF
kind: Endpoints
apiVersion: v1
name: my-wikipedia
subsets:
- addresses:
- ip: 91.198.174.192
ports:
- port: 443
name: tls
EOF
Observe your service. Note that it has a cluster IP which you can use to access
wikipedia.org
.$ kubectl get svc my-wikipedia
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
my-wikipedia ClusterIP 172.21.156.230 <none> 443/TCP 21h
Send HTTPS requests to
wikipedia.org
by your Kubernetes service’s cluster IP from the source pod without Istio sidecar. Use the--resolve
option ofcurl
to accesswikipedia.org
by the cluster IP:In this case, the workload send HTTPS requests (open TLS connection) to the
wikipedia.org
. The traffic is already encrypted by the workload so you can safely disable Istio’s mutual TLS:$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-wikipedia
spec:
host: my-wikipedia.default.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
EOF
Access
wikipedia.org
by your Kubernetes service’s cluster IP from the source pod with Istio sidecar:$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS --resolve en.wikipedia.org:443:"$(kubectl get service my-wikipedia -o jsonpath='{.spec.clusterIP}')" https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"
<title>Wikipedia, the free encyclopedia</title>
Check that the access is indeed performed by the cluster IP. Notice the sentence
Connected to en.wikipedia.org (172.21.156.230)
in the output ofcurl -v
, it mentions the IP that was printed in the output of your service as the cluster IP.$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v --resolve en.wikipedia.org:443:"$(kubectl get service my-wikipedia -o jsonpath='{.spec.clusterIP}')" https://en.wikipedia.org/wiki/Main_Page -o /dev/null
* Added en.wikipedia.org:443:172.21.156.230 to DNS cache
* Hostname en.wikipedia.org was found in DNS cache
* Trying 172.21.156.230...
* TCP_NODELAY set
* Connected to en.wikipedia.org (172.21.156.230) port 443 (#0)
...
Cleanup of Kubernetes service with endpoints
$ kubectl delete destinationrule my-wikipedia
$ kubectl delete endpoints my-wikipedia
$ kubectl delete service my-wikipedia