Ingressgateway
To route HTTP(S) traffic into the cluster, we utilize the Ingress Gateway provided by Istio.
It can be configured using Istio’s resources, like Gateways and VirtualServices, and can leverage the functionalities of the service mesh.
The best source for detailed information about the specific features and the custom resources is Istio’s own documentation.
Our workshop example, which describes all the components needed to route HTTPS traffic to a service, is also a good place to start.
However, in the following, let’s address some common questions related to the Ingressgateway in the University of Münster Kubernetes cluster.
Internal Services
The Istio Ingressgateways are reachable from outside of the University Network. If you still want to restrict your service to the university network, you can achieve this using an AuthorizationPolicy, as demonstrated in the following example:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example
  namespace: example
spec:
  # No "action" is set, so the policy defaults to ALLOW: only requests that
  # match one of the rules below are admitted, everything else is denied.
  rules:
  - from:
    - source:
        # The request must arrive through the Istio ingress gateway ...
        principals:
        - cluster.local/ns/istio-ingressgateway/sa/istio-ingressgateway-service-account
        # ... and the original client address (as forwarded by the gateway,
        # not the gateway pod's own IP) must lie within the university ranges.
        remoteIpBlocks:
        - 10.0.0.0/8
        - 128.176.0.0/16
        - 2001:4cf0::/29
    to:
    - operation:
        # Only the application port is covered by this rule.
        ports:
        - "8080"
  # Apply the policy to the pods of the service that should be restricted.
  selector:
    matchLabels:
      app.kubernetes.io/name: example
Custom Error Pages
To enhance customer experience, we’ve replaced some Istio error pages with more user-friendly versions. In the current setup, these error pages are set globally and cannot be customized by administrators.
503 - Service Unavailable
When our Istio Ingress Gateway can’t find your service, a custom error page will inform the customer that the service is unavailable and advise them to contact the service administrator.
403 - Forbidden
By default, Istio responds with an RBAC: Access Denied message and a 403 HTTP status code if access is denied due to AuthorizationPolicies.
To display the custom error page instead, ensure that the label custom-error.k8s.uni-muenster.de/enabled: "true" is present on the pods and that all pods have an Istio Sidecar (which should already be in place due to the AuthorizationPolicies).
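As an added example (not part of the cluster documentation), a Deployment whose pods carry the label described above. The label has to sit on the pod template, not on the Deployment's own metadata, because it is the pods that are inspected. The namespace label istio-injection: enabled is an assumption about how sidecar injection is switched on in this cluster; the names, image and port are placeholders matching the AuthorizationPolicy example above.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: example                   # placeholder namespace
  labels:
    # Assumption: automatic sidecar injection is enabled per namespace,
    # so every pod created here gets the Istio sidecar.
    istio-injection: enabled
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  namespace: example
  # Labels placed here are NOT inherited by the pods and do not
  # enable the custom error page.
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: example
  template:
    metadata:
      labels:
        # Matched by the AuthorizationPolicy selector above.
        app.kubernetes.io/name: example
        # Enables the custom 403 page; it must be on the pod template.
        custom-error.k8s.uni-muenster.de/enabled: "true"
    spec:
      containers:
      - name: app
        image: example.invalid/app:latest   # placeholder image
        ports:
        - containerPort: 8080               # port covered by the policy
```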