Egress
Let’s see an example of using egress route by deploying a recommendation:v3
version. Service Entries allow you to apply rules to allow internal services interact with external services.
In this case, we are going to configure Istio to access http://worldclockapi.com/api/json/cet/now from the internal service (recommendation:v3).
Change to the blocking-by-default policy
By default, Istio configures the Envoy proxy to passthrough requests for unknown external services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable.
Run the following command to change the global.outboundTrafficPolicy.mode
option from ALLOW_ANY
to REGISTRY_ONLY
:
kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
Deploy recommendation v3 and Redirect all Users to it
kubectl apply -f manifests/kubernetes/recommendation-v3.yml
kubectl apply -f manifests/istio/egress/recommendation-destination-rule-v1-v2-v3.yml
kubectl apply -f manifests/istio/egress/recommendation-v3-virtual-service.yml
Then access to the service:
curl $GATEWAY_IP/customer
Since no Egress service entry has been registered to access an external site, the service will return a 500 error. |
Let’s fix it by registering a service entry to allow access to worldclockapi
.
Allow Access an external HTTP service
Create a ServiceEntry to allow access to an external HTTP service worldclockapi.com
:
kubectl apply -f manifests/istio/egress/service-entry-egress-worldclockapi.yml
kubectl get serviceentry
curl $customer
customer => preference => Mon, 16 Jul 2018 12:03:38 GMT recommendation v3 from '7b445dd469-j6rkg': 1
or shell into the pod and run curl
command:
kubectl exec -it $(kubectl get pods -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation -- curl http://worldclockapi.com/api/json/cet/now