無法使用 Istio 網關訪問 kubernetes 集群

Question

我有一個帶有 Istio 入口的 k8s 集群。 我部署了一個部署、服務、網關和一個虛擬服務，但我仍然無法從集群外部訪問我的服務。 我可以通過訪問指定的 nodePort 上的工作人員來訪問我的服務，但我希望 Istio 網關仍將偵聽我的主機上的端口 80，但它看起來不是那樣。 我在這里做錯了什么？

服務.yaml：

apiVersion: v1
kind: Service
metadata:
  name: microservices-service
spec:
  type: NodePort
  selector:
    app: microservices-deployment
  ports:
    - port: 5001
      targetPort: 5001
      nodePort: 30007

部署.yaml：

apiVersion: apps/v1
kind: Deployment
metadata:
  name: microservices-deployment
  labels:
    app: microservices-deployment
spec:
  replicas: 3
  template:
    metadata:
      name: microservices-deployment
      labels:
        app: microservices-deployment
    spec:
      containers:
        - name: microservices-deployment
          image: *** private docker registry ***
          imagePullPolicy: Always
          ports:
            - containerPort: 5001
      restartPolicy: Always
      imagePullSecrets:
        - name: regcred
  selector:
    matchLabels:
      app: microservices-deployment

入口.yaml：

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: microservices-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: microservices
spec:
  hosts:
  - "*"
  gateways:
  - microservices-gateway
  http:
    - match:
      route:
      - destination:
          host: *** master hostname ***
          port:
            number: 5001

非常感謝！

Answer 1

我檢查了您的配置，一切看起來都設置正確。 只有一個小錯誤需要修復，那就是您的虛擬服務。

改變它從

http:
    - match:
      route:
      - destination:
          host: *** master hostname ***
          port:
            number: 5001

到

  http:
  - route:
    - destination:
        host: microservices-service
        port:
          number: 5001

您應該可以使用 istio 網關 external-ip LoadBalancer/NodePort 訪問它。 更多關於它在這里。

kubectl get svc -n istio-system | grep istio-ingress

---

nginx 的快速示例，請注意我使用的是 LoadBalancer 而不是 NodePort。

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx1
spec:
  selector:
    matchLabels:
      run: nginx1
  replicas: 1
  template:
    metadata:
      labels:
        run: nginx1
        app: frontend
    spec:
      containers:
      - name: nginx1
        image: nginx
        ports:
        - containerPort: 80
        lifecycle:
          postStart:
            exec:
              command: ["/bin/sh", "-c", "echo Hello nginx1 > /usr/share/nginx/html/index.html"]

---

apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: frontend
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: frontend

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-virtual
spec:
  gateways:
  - nginx-gateway
  hosts:
  - "*"
  http:
  - route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80

---

kubectl get svc -n istio-system | grep ingress
istio-ingressgateway   LoadBalancer   xx.x.xx.xxx   xx.xx.xx.xx  15021:30880/TCP,80:31983/TCP,443:31510/TCP,15443:32267/TCP   2d2h

用 curl 測試

curl -v xx.xx.xx.xx/
GET / HTTP/1.1
HTTP/1.1 200 OK
Hello nginx1