Istio intercept particular traffic
Sometimes you need to intercept traffic that workloads in the mesh send to an external host and deliver it to an internal service instead.
HTTP to an internal service when a mesh workload accesses an external domain: when a workload in the mesh accesses http://edition.cnn.com,
the request should be redirected to the internal service hello.test-ns.svc.cluster.local.
- Create a ServiceEntry resource to define the external domain entry
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: redirect-cnn-to-internal
  namespace: test-ns
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: NONE
```
- Create a VirtualService to route the target traffic to the internal service (the `http` rules below only match plaintext HTTP on port 80; TLS traffic to port 443 is not rewritten by them)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: redirect-cnn-to-internal
  namespace: test-ns
spec:
  gateways:
  - mesh
  hosts:
  - edition.cnn.com
  http:
  - name: all-traffic-to-internal-hello
    route:
    - destination:
        host: hello.test-ns.svc.cluster.local
        port:
          number: 80
```
You can also set a DestinationRule with a connection timeout for the internal service:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: hello-test-ns-dr
spec:
  host: hello.test-ns.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        connectTimeout: 1s
```
You can also inject a fault: a 5 second delay for 1 out of every 1000 requests (`percentage.value` is a percent, so 0.1 means 0.1% of requests).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hello-test-inject-fault
spec:
  gateways:
  - mesh
  hosts:
  - edition.cnn.com
  http:
  - fault:
      delay:
        percentage:
          value: 0.1
        fixedDelay: 5s
    route:
    - destination:
        host: hello.test-ns.svc.cluster.local
```
You can also route traffic directly to an external service. First define the external ServiceEntry:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google
  namespace: istio-system
spec:
  hosts:
  - google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
```
Then define the DestinationRule:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google
  namespace: istio-system
spec:
  host: "google.com"
  trafficPolicy:
    tls:
      mode: SIMPLE
```
Finally, bind the route to the gateway so that ingress traffic is sent to the external host (route fragment of the gateway's VirtualService):
```yaml
route:
- destination:
    host: google.com
    port:
      number: 443
```
Fixing AWS metadata service v2 (IMDSv2) 403 failures in EKS pods. Declaring the ports with protocol `tcp` makes the sidecar forward the metadata traffic at the TCP level instead of parsing it as HTTP:
```yaml
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aws-metadata
  namespace: istio-system
spec:
  hosts:
  - aws.metadata.internal
  location: MESH_EXTERNAL
  addresses:
  - 169.254.169.254
  ports:
  - number: 80
    name: tcp-80
    protocol: tcp
  - number: 443
    name: tcp-443
    protocol: tcp
  resolution: STATIC
  endpoints:
  - address: 169.254.169.254
```
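The checks below are an added example, not Istio's or istioctl's own tooling. They lint the ServiceEntry and VirtualService objects from the interception, fault-injection and AWS metadata sections above (transcribed into plain dicts so the script runs offline without PyYAML or a cluster) for three things a reviewer would want to know before applying them: HTTPS/TLS ports that the `http` rules cannot rewrite, the same host being claimed by two mesh-bound VirtualServices, and a ServiceEntry that exposes the link-local metadata address mesh-wide. The function names and the "unset `exportTo` means mesh-wide" reading of Istio's default are my own assumptions.

```python
"""Offline lint for the Istio manifests in this note (added example)."""
import ipaddress

# Constructed input: the ServiceEntry / VirtualService objects from the note above.
SERVICE_ENTRIES = [
    {"metadata": {"name": "redirect-cnn-to-internal", "namespace": "test-ns"},
     "spec": {"hosts": ["edition.cnn.com"], "resolution": "NONE",
              "ports": [{"number": 80, "name": "http", "protocol": "HTTP"},
                        {"number": 443, "name": "https", "protocol": "HTTPS"}]}},
    {"metadata": {"name": "aws-metadata", "namespace": "istio-system"},
     "spec": {"hosts": ["aws.metadata.internal"], "location": "MESH_EXTERNAL",
              "addresses": ["169.254.169.254"], "resolution": "STATIC",
              "ports": [{"number": 80, "name": "tcp-80", "protocol": "tcp"},
                        {"number": 443, "name": "tcp-443", "protocol": "tcp"}],
              "endpoints": [{"address": "169.254.169.254"}]}},
]
VIRTUAL_SERVICES = [
    {"metadata": {"name": "redirect-cnn-to-internal", "namespace": "test-ns"},
     "spec": {"gateways": ["mesh"], "hosts": ["edition.cnn.com"],
              "http": [{"name": "all-traffic-to-internal-hello",
                        "route": [{"destination": {"host": "hello.test-ns.svc.cluster.local",
                                                   "port": {"number": 80}}}]}]}},
    {"metadata": {"name": "hello-test-inject-fault"},
     "spec": {"gateways": ["mesh"], "hosts": ["edition.cnn.com"],
              "http": [{"fault": {"delay": {"percentage": {"value": 0.1}, "fixedDelay": "5s"}},
                        "route": [{"destination": {"host": "hello.test-ns.svc.cluster.local"}}]}]}},
]

TLS_PROTOCOLS = {"HTTPS", "TLS"}


def unrouted_tls_ports(service_entries, virtual_services):
    """(host, port) pairs declared HTTPS/TLS in a ServiceEntry that no VirtualService
    `tls` rule matches. `http` rules only see plaintext HTTP, so TLS traffic to these
    ports is not redirected to the internal service."""
    covered = set()
    for vs in virtual_services:
        for rule in vs["spec"].get("tls", []):
            for match in rule.get("match", []):
                for sni in match.get("sniHosts", []):
                    covered.add((sni, match.get("port")))  # port None = any port
    findings = []
    for se in service_entries:
        for host in se["spec"]["hosts"]:
            for port in se["spec"].get("ports", []):
                if port["protocol"].upper() not in TLS_PROTOCOLS:
                    continue
                if (host, port["number"]) in covered or (host, None) in covered:
                    continue
                findings.append((host, port["number"]))
    return findings


def conflicting_mesh_hosts(virtual_services):
    """Hosts claimed by more than one mesh-bound VirtualService. Istio merges such
    rule sets but does not guarantee the order in which they are evaluated."""
    claims = {}
    for vs in virtual_services:
        if "mesh" not in vs["spec"].get("gateways", ["mesh"]):
            continue
        for host in vs["spec"]["hosts"]:
            claims.setdefault(host, []).append(vs["metadata"]["name"])
    return {h: names for h, names in claims.items() if len(names) > 1}


def link_local_entries(service_entries):
    """ServiceEntries pointing at the IPv4 link-local block, where cloud instance
    metadata services live, with their exportTo scope (unset is read here as Istio's
    default of mesh-wide visibility, "*")."""
    findings = []
    for se in service_entries:
        spec = se["spec"]
        ips = {a.split("/")[0] for a in spec.get("addresses", [])}
        ips |= {e["address"] for e in spec.get("endpoints", [])}
        for ip in sorted(ips):
            if ipaddress.ip_address(ip).is_link_local:
                findings.append((se["metadata"]["namespace"], se["metadata"]["name"],
                                 ip, spec.get("exportTo", ["*"])))
    return findings


def fault_odds(virtual_services):
    """(VirtualService, fixedDelay, one-in-N) per delay fault; `percentage.value`
    is a percent, so 0.1 means one request in a thousand."""
    out = []
    for vs in virtual_services:
        for rule in vs["spec"].get("http", []):
            delay = rule.get("fault", {}).get("delay")
            if delay:
                pct = delay["percentage"]["value"]
                out.append((vs["metadata"]["name"], delay["fixedDelay"], round(100 / pct)))
    return out


if __name__ == "__main__":
    print("TLS ports no tls rule covers:", unrouted_tls_ports(SERVICE_ENTRIES, VIRTUAL_SERVICES))
    print("hosts claimed by several VirtualServices:", conflicting_mesh_hosts(VIRTUAL_SERVICES))
    print("link-local ServiceEntries:", link_local_entries(SERVICE_ENTRIES))
    print("delay faults:", fault_odds(VIRTUAL_SERVICES))
```

Run as-is it reports `edition.cnn.com:443` as a TLS port the `http` rules will not rewrite, flags `edition.cnn.com` as claimed by both VirtualServices, and shows the `aws-metadata` entry exporting 169.254.169.254 to every namespace; to scope the metadata entry to the namespaces that need it, set `spec.exportTo` on the ServiceEntry.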