nginx - 在没有端口的情况下访问Istio部署的网站

Question

我有几个AWS EC2实例，并在它们上部署了Rancher实例。在Rancher上，我使用Kubernetes部署了一个网站，并使用Istio部署了该网站来处理网络，我可以使用http://portal.website.com:31380登录。我还拥有AWS Route 53，以使URL正常工作，并使nginx跨EC2实例用于负载均衡器。

但是我希望能够仅使用http://portal.website.com登录，因此删除端口。我有办法吗？

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
 name: portal-gateway
spec:
 selector:
   istio: ingressgateway
 servers:
 - port:
     number: 80
     name: http
     protocol: HTTP
   hosts:
   - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
 name: ingress
spec:
 hosts:
 - "*"
 gateways:
 - portal-gateway
 http:
 - match:
   - uri:
       prefix: "/"
   rewrite:
     uri: "/"
   route:
   - destination:
       host: portal
       port:
         number: 80
   websocketUpgrade: true
---
apiVersion: v1
kind: Service
metadata:
 name: portal
spec:
 ports:
   - protocol: TCP
     port: 80
     targetPort: 8080
 selector:
   app: portal
 type: ClusterIP

编辑:我正在31380上访问它，因为它被设置为使用NodePort( https://kubernetes.io/docs/concepts/services-networking/service/#nodeport)。 Istio文档说 If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.
这是 kubectl get svc istio-ingressgateway -n istio-system的输出

名称类型集群IP外部IP端口的年龄
istio-ingressgateway NodePort 10.43.200.101 15020:30051 / TCP，80:31380 / TCP，443:31390 / TCP，31400:31400 / TCP，15029:30419 / TCP，15030:30306 / TCP，15031:31130 / TCP，15032 :32720 / TCP，15443:30361 / TCP 3h27m

Answer 1

正如您提到的，istio documentation说

If the EXTERNAL-IP value is (or perpetually ), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.

如果我们看看关于NodePort的kubernetes documentation

If you set the type field to NodePort, the Kubernetes control plane allocates a port from a range specified by --service-node-port-range flag (default: 30000-32767). Each node proxies that port (the same port number on every Node) into your Service. Your Service reports the allocated port in its .spec.ports[*].nodePort field.

因此，如果入口网关是NodePort，则必须使用 http://portal.website.com:31380。
如果要使用 http://portal.website.com，则必须将其更改为 LoadBalancer。
如@sachin所述，如果您像AWS一样使用云，则可以使用带有适当注释的AWS Load Balancer配置Istio。

On cloud providers which support external load balancers, setting the type field to LoadBalancer provisions a load balancer for your Service. The actual creation of the load balancer happens asynchronously, and information about the provisioned balancer is published in the Service's .status.loadBalancer

我看到您使用aws，因此您可以在以下链接中了解更多有关它的信息:

https://docs.aws.amazon.com/eks/latest/userguide/load-balancing.html

https://istio.io/latest/blog/2018/aws-nlb/

如果是前提条件，那么您可以看看 metalLB

MetalLB is a load-balancer implementation for bare metal Kubernetes clusters, using standard routing protocols.

Kubernetes does not offer an implementation of network load-balancers (Services of type LoadBalancer) for bare metal clusters. The implementations of Network LB that Kubernetes does ship with are all glue code that calls out to various IaaS platforms (GCP, AWS, Azure…). If you’re not running on a supported IaaS platform (GCP, AWS, Azure…), LoadBalancers will remain in the “pending” state indefinitely when created.

Bare metal cluster operators are left with two lesser tools to bring user traffic into their clusters, “NodePort” and “externalIPs” services. Both of these options have significant downsides for production use, which makes bare metal clusters second class citizens in the Kubernetes ecosystem.

MetalLB aims to redress this imbalance by offering a Network LB implementation that integrates with standard network equipment, so that external services on bare metal clusters also “just work” as much as possible.

您可以在下面的链接中了解更多信息:

https://medium.com/@emirmujic/istio-and-metallb-on-minikube-242281b1134b