...
| Name of the Cluster | Microservice | Istio Configuration | Comments | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cluster01 |
|
| |||||||||||
| Cluster02 | httpbin |
|
Cluster01 Resources
1. ServiceEntry - To enable access to httpbin
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: servicename-httpbin
spec:
hosts:
- httpbin.default.global
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.2
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.50
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for
...
TLS, Loadbalancing and circuit
...
breaking - productpage
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: bookinfo-productpage-dr
namespace: default
spec:
host: "productpage.default.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
loadbalancer:
consistentHash:
httpCookie: "user2"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
...
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
selector:
matchLabels:
app: productpage
rules:
- from:
- source:
principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
to:
- operation:
methods: ["GET"]
paths: ["/static*"]
- operation:
methods: ["GET"]
paths: ["/api/v1/products"]
|
Cluster 02 Resources
...
4. DestinationRule for TLS - sleep
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntryDestinationRule metadata: name: servicename-bookinfo-productpagesleep-dr namespace: default spec: hostshost: - productpage "sleep.default.global.svc.cluster.local" #trafficPolicy: template for the remotetls: service name - <servicename.namespace.global> mode: ISTIO_MUTUAL |
Cluster 02 Resources
1. ServiceEntry - To enable access to bookinfo-productpage
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: servicename-bookinfo-productpage spec: hosts: - productpage.default.global # template for the remote service name - <servicename.namespace.global> # # Treat remote cluster services as part of the service mesh # as all clusters in the service mesh share the same root of trust. location: MESH_INTERNAL ports: - name: http1 number: 8000 protocol: http resolution: DNS addresses: # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to # must be unique for each remote service, within a given cluster. # This address need not be routable. Traffic for this IP will be captured # by the sidecar and routed appropriately. - 240.0.0.3 endpoints: # This is the routable address of the istio ingress gateway in cluster02 # routed to this address. - address: 172.25.55.210 ports: http1: 15443 //Sni. Do not change this |
2. DestinationRule for simple TLS, Loadbalancing and circuit breaking
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: default
spec:
host: "httpbin.default.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
modemaxConnections: ISTIO_MUTUAL10
loadbalancer http:
consistentHash http2MaxRequests: 1000
httpCookiemaxRequestsPerConnection: "user1"
100
outlierDetection:
connectionPoolconsecutiveErrors: 7
tcpinterval: 5m
baseEjectionTime: maxConnections: 10
http15m
|
2. AuthorizationPolicy
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-all namespace: default spec: selector: http2MaxRequests: 1000matchLabels: maxRequestsPerConnectionapp: 100httpbin outlierDetectionrules: - consecutiveErrors: 7from: - intervalsource: 5m baseEjectionTime: 15m |
2. AuthorizationPolicy
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-all namespace: default spec: selector: matchLabels: principals: ["cluster.local/ns/default/sa/sleep"] to: - operation: methods: ["GET"] paths: ["/status*"] - appoperation: httpbin rules: - from: - source:methods: ["POST"] principalspaths: ["cluster.local/ns/default/sa/sleep"] to/headers"] |
3. DestinationRule for TLS - sleep
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: sleep- operation:dr methods: ["GET"] paths: ["/status*"] - operationnamespace: default spec: host: "sleep.default.svc.cluster.local" trafficPolicy: methods: ["POST"]tls: pathsmode: ["/headers"]ISTIO_MUTUAL |