Visiting an Istio deployed website without the port

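I have a few AWS EC2 instances, and I have a Rancher instance deployed on them. On Rancher, I've deployed a website using Kubernetes, and it is deployed with Istio to handle the networking. I can log in with http://portal.website.com:31380. I also have AWS Route 53 to get the URL working and nginx as a load balancer across the EC2 instances.

But I want to be able to log in with just http://portal.website.com, so without the port. Is there a way for me to do this?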

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
 name: portal-gateway
spec:
 selector:
   istio: ingressgateway
 servers:
 - port:
     number: 80
     name: http
     protocol: HTTP
   hosts:
   - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
 name: ingress
spec:
 hosts:
 - "*"
 gateways:
 - portal-gateway
 http:
 - match:
   - uri:
       prefix: "/"
   rewrite:
     uri: "/"
   route:
   - destination:
       host: portal
       port:
         number: 80
   websocketUpgrade: true
---
apiVersion: v1
kind: Service
metadata:
 name: portal
spec:
 ports:
   - protocol: TCP
     port: 80
     targetPort: 8080
 selector:
   app: portal
 type: ClusterIP

Edit: I am accessing it on 31380 because it is set up to use a NodePort (https://kubernetes.io/docs/concepts/services-networking/service/#nodeport). The Istio docs say: "If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port."

This is the output of kubectl get svc istio-ingressgateway -n istio-system:

NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
istio-ingressgateway   NodePort   10.43.200.101   <none>        15020:30051/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30419/TCP,15030:30306/TCP,15031:31130/TCP,15032:32720/TCP,15443:30361/TCP   3h27m

As you mentioned, from the Istio documentation:

If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.


And if we take a look at the Kubernetes documentation about NodePort:

If you set the type field to NodePort, the Kubernetes control plane allocates a port from a range specified by --service-node-port-range flag (default: 30000-32767). Each node proxies that port (the same port number on every Node) into your Service. Your Service reports the allocated port in its .spec.ports[*].nodePort field.

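So if your ingress gateway is a NodePort, then you have to use http://portal.website.com:31380.

If you want to use http://portal.website.com, you would have to change it to LoadBalancer.

As @sachin mentioned, if you use a cloud like AWS, you can configure Istio with an AWS Load Balancer with the appropriate annotations.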

On cloud providers which support external load balancers, setting the type field to LoadBalancer provisions a load balancer for your Service. The actual creation of the load balancer happens asynchronously, and information about the provisioned balancer is published in the Service's .status.loadBalancer

I see you use AWS, so you can read more about it in the links below:

If it's on-premises, then you could take a look at MetalLB:

MetalLB is a load-balancer implementation for bare metal Kubernetes clusters, using standard routing protocols.

Kubernetes does not offer an implementation of network load-balancers (Services of type LoadBalancer) for bare metal clusters. The implementations of Network LB that Kubernetes does ship with are all glue code that calls out to various IaaS platforms (GCP, AWS, Azure…). If you’re not running on a supported IaaS platform (GCP, AWS, Azure…), LoadBalancers will remain in the “pending” state indefinitely when created.

Bare metal cluster operators are left with two lesser tools to bring user traffic into their clusters, “NodePort” and “externalIPs” services. Both of these options have significant downsides for production use, which makes bare metal clusters second class citizens in the Kubernetes ecosystem.

MetalLB aims to redress this imbalance by offering a Network LB implementation that integrates with standard network equipment, so that external services on bare metal clusters also “just work” as much as possible.

You can read more about it in the link below:
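
The rule the answer describes, as an added example that is not part of the original question or answer: given one row of `kubectl get svc istio-ingressgateway` output, work out whether clients need the node port or can use the bare hostname. The function names, the sample rows and the `lb.example.com` address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): which URL reaches the Istio
# ingress gateway, given one data row of
#   kubectl get svc istio-ingressgateway -n istio-system --no-headers
# Switching the Service type, as the answer suggests, would be:
#   kubectl patch svc istio-ingressgateway -n istio-system \
#     -p '{"spec":{"type":"LoadBalancer"}}'

# node_port_for PORTS SERVICE_PORT: print the node port mapped to SERVICE_PORT.
node_port_for() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        entry=${entry%/*}                      # "80:31380/TCP" -> "80:31380"
        case $entry in
            "$2":*) printf '%s\n' "${entry#*:}"; break ;;
        esac
    done
}

# gateway_url HOST ROW: print the plain-HTTP URL a client has to use.
gateway_url() {
    host=$1
    set -- $2        # columns: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    external_ip=$4
    ports=$5
    case $external_ip in
        "<none>"|"<pending>")
            # No external load balancer: only the node port is exposed.
            np=$(node_port_for "$ports" 80)
            [ -n "$np" ] || { echo "no node port for 80" >&2; return 1; }
            printf 'http://%s:%s\n' "$host" "$np" ;;
        *)
            # Load balancer provisioned: it listens on service port 80.
            # Assumes DNS for HOST points at the load balancer address.
            printf 'http://%s\n' "$host" ;;
    esac
}

# Constructed sample rows; the load balancer hostname is a placeholder.
PORTS='15020:30051/TCP,80:31380/TCP,443:31390/TCP'
NODEPORT_ROW="istio-ingressgateway NodePort 10.43.200.101 <none> $PORTS 3h27m"
PENDING_ROW="istio-ingressgateway LoadBalancer 10.43.200.101 <pending> $PORTS 1m"
LB_ROW="istio-ingressgateway LoadBalancer 10.43.200.101 lb.example.com $PORTS 5m"

for row in "$NODEPORT_ROW" "$PENDING_ROW" "$LB_ROW"; do
    gateway_url portal.website.com "$row"
done
```

A `LoadBalancer` Service that stays at `<pending>` behaves like the NodePort case, which is the situation the MetalLB quote describes for clusters without a supported cloud integration.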