Ingressgateway

Using Istio’s Service Mesh Features

To route HTTP(S) traffic into the cluster, we use the Ingress Gateway provided by Istio.

It can be configured using Istio’s resources, like Gateways and VirtualServices, and can leverage the functionalities of the service mesh.

The best source for detailed information about the specific features and the custom resources is Istio’s own documentation.

Our workshop example, which describes all components needed to route HTTPS traffic to a service, is also a good place to start.

The following sections address some common questions about the Ingressgateway in the University of Münster Kubernetes cluster.

Internal Services

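The Istio Ingressgateways are reachable from outside the university network. If you still want to restrict your service to the university network, you can achieve this using an AuthorizationPolicy. The following example allows requests to port 8080 of the selected workload only if they arrive through the ingress gateway and the client address lies in one of the listed IP blocks: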

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example
  namespace: example
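spec:
  # No action is set, so this is an ALLOW policy: requests to the selected
  # workload that match no rule are denied.
  rules:
    - from:
        - source:
            # Fields of one source are ANDed: the peer must be the ingress
            # gateway AND the client address must be in a listed block.
            principals:
              - cluster.local/ns/istio-ingressgateway/sa/istio-ingressgateway-service-account
            # Matched against the original client address
            # (X-Forwarded-For or PROXY protocol).
            remoteIpBlocks:
              - 10.0.0.0/8
              - 128.176.0.0/16
              - 2001:4cf0::/29
      to:
        - operation:
            ports:
              - "8080"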
  selector:
    matchLabels:
      app.kubernetes.io/name: example
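
To check which requests this policy admits before deploying it, the rule's matching logic can be reproduced offline. The following Python is an added example, not part of the cluster documentation or of Istio; the function names, the sample client addresses and the second principal are constructed for illustration.

```python
import ipaddress

# Values copied from the AuthorizationPolicy above.
GATEWAY = "cluster.local/ns/istio-ingressgateway/sa/istio-ingressgateway-service-account"
PRINCIPALS = {GATEWAY}
REMOTE_IP_BLOCKS = [ipaddress.ip_network(c)
                    for c in ("10.0.0.0/8", "128.176.0.0/16", "2001:4cf0::/29")]
PORTS = {"8080"}


def in_remote_ip_blocks(client_ip):
    """True if the original client address is in any listed block (list values are ORed)."""
    addr = ipaddress.ip_address(client_ip)
    # An IPv4 address is never contained in an IPv6 network and vice versa.
    return any(addr in net for net in REMOTE_IP_BLOCKS)


def allowed(peer_principal, client_ip, dest_port):
    """Evaluate one request against the single ALLOW rule.

    principals and remoteIpBlocks sit in the same source, so both must match;
    'from' and 'to' are ANDed as well. Because an ALLOW policy selects the
    workload, a request that matches no rule is denied.
    """
    return (peer_principal in PRINCIPALS
            and in_remote_ip_blocks(client_ip)
            and str(dest_port) in PORTS)


# Constructed sample requests: (peer principal, original client IP, destination port)
SAMPLES = [
    (GATEWAY, "128.176.10.20", 8080),      # inside 128.176.0.0/16
    (GATEWAY, "2001:4cf7:ffff::1", 8080),  # last /32 covered by 2001:4cf0::/29
    (GATEWAY, "2001:4cf8::1", 8080),       # just outside the /29
    (GATEWAY, "203.0.113.7", 8080),        # external client via the gateway
    ("cluster.local/ns/other/sa/default", "10.1.2.3", 8080),  # in-range IP, not via gateway
    (GATEWAY, "10.1.2.3", 9090),           # port not listed in the rule
]


def evaluate(samples=SAMPLES):
    """Return (client_ip, port, decision) for each sample request."""
    return [(ip, port, allowed(p, ip, port)) for p, ip, port in samples]


if __name__ == "__main__":
    for ip, port, ok in evaluate():
        print(f"{ip:<20} port {port}: {'ALLOW' if ok else 'DENY'}")
```

Only the first two samples are allowed; the last one shows that any other port of the selected workload becomes unreachable once this policy is applied.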