Introduction to Istio Resources

2025-01-21 2025-03-26 Istio Istio , Kubernetes , Service Mesh
目录
  1. Gateway
  2. VirtualService
  3. DestinationRule
  4. ServiceEntry
  5. Sidecar
  6. PeerAuthentication
  7. AuthorizationPolicy
  8. Summary of Key Istio CRDs

Istio is an open platform that provides a uniform way to connect, manage, and secure microservices. It supports managing traffic, enforcing access policies, and aggregating telemetry data, all without requiring changes to the actual services. This article will introduce the basic resources of Istio, including Gateway, VirtualService, DestinationRule, ServiceEntry, Sidecar, and AuthorizationPolicy.

Gateway

Purpose:
Defines an entry point into the service mesh (usually at the edge of the cluster) for external traffic.

Example:
This Gateway allows HTTPS traffic on port 443 to a my-app service.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway  # Applies to the Istio ingress gateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "my-app.example.com"
      tls:
        mode: SIMPLE
        credentialName: my-app-cert  # Secret containing TLS certificate

VirtualService

Purpose:
Defines rules for routing traffic to services inside the mesh.

Example:
This VirtualService directs requests to my-app based on different paths.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-app
spec:
  hosts:
    - "my-app.example.com"
  gateways:
    - my-gateway
  http:
    - match:
        - uri:
            prefix: "/v1"
      route:
        - destination:
            host: my-app
            subset: v1
    - match:
        - uri:
            prefix: "/v2"
      route:
        - destination:
            host: my-app
            subset: v2

Explanation:
• Requests with /v1 go to v1 of my-app.
• Requests with /v2 go to v2 of my-app.

DestinationRule

Purpose:
Defines policies for service subsets, load balancing, and connection settings.

Example:
This rule defines subsets for v1 and v2 of my-app.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-app
spec:
  host: my-app
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2

Explanation:
• Defines subsets v1 and v2, mapped to corresponding pod labels (version: v1 and version: v2).
• Uses ROUND_ROBIN load balancing.

ServiceEntry

Purpose:
Allows Istio to handle services that are external to the mesh.

Example:
This ServiceEntry registers api.external.com as an external service.

1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
    - "api.external.com"
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS

Explanation:
• Allows traffic to api.external.com (e.g., a SaaS API).
• Uses DNS resolution to route traffic.

Sidecar

Purpose:
Controls egress traffic for a specific namespace or workload.

Example:
This Sidecar restricts traffic for workloads in default namespace.

1
2
3
4
5
6
7
8
9
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default-sidecar
  namespace: default
spec:
  egress:
    - hosts:
        - "./*"  # Only allows traffic to services in the same namespace

Explanation:
• Limits outbound traffic to only services within the default namespace.

PeerAuthentication

Purpose:
Defines mutual TLS (mTLS) and authentication policies.

Example:
This enforces STRICT mTLS for all services in a namespace.

1
2
3
4
5
6
7
8
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT

Explanation:
• All services in default namespace must communicate using mTLS.

AuthorizationPolicy

Purpose:
Controls access permissions to services within the mesh.

Example:
This policy allows only users with a specific JWT claim to access my-app.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-app-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-app
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["user@example.com"]

Explanation:
• Only requests with user@example.com as JWT claim are allowed.

Summary of Key Istio CRDs

CRD Purpose
Gateway Defines external entry points (e.g., ingress)
VirtualService Controls request routing
DestinationRule Defines subsets, load balancing, and connection settings
ServiceEntry Enables communication with external services
Sidecar Configures egress traffic control for workloads
PeerAuthentication Enforces mTLS for secure communication
AuthorizationPolicy Manages access control for services
版权声明
作者: xawei
链接: https://xawei.xyz/2025/01/21/Introduction%20to%20Istio%20resources/
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。
AWS NLB后端服务间歇性超时问题
Use VPC Endpoint to Keep Your Network Traffic in AWS