kubernetes - Istio 入口和导出网关的用途

Question

我无法理解入口和导出 Istio 网关控制的流量。

1. 例如，应用程序在 MQ 队列上设置监听器。这是入口或导出流量的示例吗？我以为应用程序发起连接的地方，然后这个流量将被引导到导出网关。相反，如果应用程序是端点，则流量必须通过入口网关进行路由。
2. 假设应用程序 A 是应用程序 B 的外部服务。应用程序 A 向 B 发出休息请求。该请求是否应该通过入口路由？现在应用程序 B 向 A 发出休息请求。流量现在应该通过导出吗？

Answer 1

让我们从一些理论开始。我发现很少有资源描述 istio 入口网关和导出网关的工作原理。

Istio documentation

Istio uses ingress and egress gateways to configure load balancers executing at the edge of a service mesh. An ingress gateway allows you to define entry points into the mesh that all incoming traffic flows through. Egress gateway is a symmetrical concept; it defines exit points from the mesh. Egress gateways allow you to apply Istio features, for example, monitoring and route rules, to traffic exiting the mesh.

---

Istio in action book

For our applications and services to provide anything meaningful, they’re going to need tointeract with applications that live outside of our cluster. That could be existing monolithapplications, off-the-shelf software, messaging queues, databases, and 3rd party partner systems.To do this, operators will need to configure Istio to allow traffic into the cluster and be veryspecific about what traffic is allowed to leave the cluster.The Istio components that provide this functionality are the istio-ingressgateway andistio-egressgateway.

这张图很好地展示了它

---

Banzaicloud

An ingress gateway serves as the entry point for all services running within the mesh.

egress gateways are exit points from the mesh that allow us to apply Istio features. This includes applying features like monitoring and route rules to traffic that’s exiting the mesh.

---

关于您的问题

For example, an application sets up listeners on an MQ queue. Is this an example of ingress or egress traffic? I thought that where the application initiates the connection, then this traffic will be directed to the egress gateway. Conversely, if the application is an endpoint, then traffic must be routed through the ingress gateway.

我不熟悉消息队列，但根据上图，我们假设消费者在网格内，因此生产者服务必须通过入口网关到达那里。

[Producer Service] -> ingress gateway -> [envoy sidecar -> Consumer Service]

所以是的，流量必须通过入口网关路由

---

Let's say application A is an external service to application B. Application A makes a rest request to B. Should this request be routed through ingress? Now application B makes a rest request to A. Should traffic go through egress now?

如果服务网格内部的服务想要与外部服务对话，我们应该从配置 egress 开始和 service entry

Because all outbound traffic from an Istio-enabled pod is redirected to its sidecar proxy by default, accessibility of URLs outside of the cluster depends on the configuration of the proxy. By default, Istio configures the Envoy proxy to passthrough requests for unknown services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable.

据我所知，流量会喜欢这样。

appA -> external service outside the mesh
appB -> injected service in the istio mesh

假设您要使用 curl从appA到appB

[app A](curl ingress-external-ip/特定路径或端口) -> ingress gateway -> [envoy sidecar -> appB]

假设您要使用 curl从 appB 到 appA

[appB -> envoy sidecar](curl appA) -> egress gateway -> [appA]

---

如果您有任何问题或想讨论一些事情，请在评论中告诉我。