
Istio - what for all these ports are opened on LoadBalancer?


I am looking at my ELB created by Istio, and I see all these open ports:

  • 80 (TCP) forwarding to 31380 (TCP)
  • 443 (TCP) forwarding to 31390 (TCP)
  • 853 (TCP) forwarding to 31107 (TCP)
  • 8060 (TCP) forwarding to 32130 (TCP)
  • 15011 (TCP) forwarding to 31942 (TCP)
  • 15030 (TCP) forwarding to 31438 (TCP)
  • 15031 (TCP) forwarding to 30695 (TCP)
  • 31400 (TCP) forwarding to 31400 (TCP)

All these ports are exposed to the Internet. Besides the first two, what is the purpose of all the other exposed ports? Is there any way (via Istio configuration) to control what is exposed?


Solution

  • You can see the ports spec here: https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values-istio-gateways.yaml#L65

        ports:
          ## You can add custom gateway ports
          - port: 80
            targetPort: 80
            name: http2
            # nodePort: 31380
          - port: 443
            name: https
            # nodePort: 31390
          - port: 31400
            name: tcp
            # nodePort: 31400
          # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
          # to pilot/citadel if global.meshExpansion settings are enabled.
          - port: 15011
            targetPort: 15011
            name: tcp-pilot-grpc-tls
          - port: 8060
            targetPort: 8060
            name: tcp-citadel-grpc-tls
          # Addon ports for kiali are enabled in gateway - but will only redirect if
          # the gateway configuration for the various components are enabled.
          - port: 15029
            targetPort: 15029
          # Telemetry-related ports are enabled in gateway - but will only redirect if
          # the gateway configuration for the various components are enabled.
          - port: 15030
            targetPort: 15030
            name: http2-prometheus
          - port: 15031
            targetPort: 15031
            name: http2-grafana
          - port: 15032
            targetPort: 15032
            name: http2-tracing

    These ports expose various components of Istio outside the cluster, for example for connecting VMs or other clusters to Istio, or for exposing the Istio dashboards outside the cluster.

    You can control this exposure via the Helm installation options at https://preliminary.istio.io/docs/reference/config/installation-options/#gateways-options, namely all the options named gateways.istio-ingressgateway.ports.

    For example, to limit the exposed ports to 80 and 443 only, run:

        helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
          -x charts/gateways/templates/service.yaml \
          --set gateways.istio-ingressgateway.ports[0].port=80 \
          --set gateways.istio-ingressgateway.ports[0].name=http2 \
          --set gateways.istio-ingressgateway.ports[0].targetPort=80 \
          --set gateways.istio-ingressgateway.ports[1].port=443 \
          --set gateways.istio-ingressgateway.ports[1].name=https \
          > $HOME/istio.yaml

    Inspect the generated $HOME/istio.yaml and verify that only ports 80 and 443 are exposed for the istio-ingressgateway service.
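The "verify" step above can be automated. The script below is an added example, not part of the answer or of Istio: it reads the gateway Service as JSON (the shape `kubectl get svc istio-ingressgateway -n istio-system -o json` produces) and reports every port that is exposed outside the cluster but not on an allowlist. The embedded sample is constructed to mirror the ELB listing in the question; the `ALLOWED_PORTS` set and the helper names are assumptions.

```python
"""Audit which ports an Istio ingress gateway Service exposes to the Internet.

Only LoadBalancer/NodePort Services reach outside the cluster, so anything
else yields no findings.
"""
import json
import sys

# Assumption: the only ports that should be reachable from the Internet.
ALLOWED_PORTS = {80, 443}

# Constructed sample (not real cluster output): the fields of a
# `kubectl get svc -o json` document that this check uses, with the
# nodePorts from the question's ELB listing.
SAMPLE_SERVICE_JSON = """
{
  "kind": "Service",
  "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
  "spec": {
    "type": "LoadBalancer",
    "ports": [
      {"name": "http2", "port": 80, "nodePort": 31380, "protocol": "TCP"},
      {"name": "https", "port": 443, "nodePort": 31390, "protocol": "TCP"},
      {"name": "tcp-pilot-grpc-tls", "port": 15011, "nodePort": 31942, "protocol": "TCP"},
      {"name": "tcp-citadel-grpc-tls", "port": 8060, "nodePort": 32130, "protocol": "TCP"},
      {"name": "http2-prometheus", "port": 15030, "nodePort": 31438, "protocol": "TCP"},
      {"name": "http2-grafana", "port": 15031, "nodePort": 30695, "protocol": "TCP"},
      {"name": "tcp", "port": 31400, "nodePort": 31400, "protocol": "TCP"}
    ]
  }
}
"""


def unexpected_ports(service, allowed=ALLOWED_PORTS):
    """Return (port, name, nodePort) for each externally exposed port not in `allowed`."""
    spec = service.get("spec", {})
    if spec.get("type") not in ("LoadBalancer", "NodePort"):
        return []
    return [(p["port"], p.get("name", ""), p.get("nodePort"))
            for p in spec.get("ports", []) if p["port"] not in allowed]


def audit(service_json, allowed=ALLOWED_PORTS):
    """Parse the Service JSON, print each unexpected port, and return the findings."""
    findings = unexpected_ports(json.loads(service_json), allowed)
    for port, name, node_port in findings:
        print(f"unexpected exposed port {port} ({name}) -> nodePort {node_port}")
    return findings


if __name__ == "__main__":
    # Read piped kubectl output; fall back to the constructed sample when run bare.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICE_JSON
    sys.exit(1 if audit(data) else 0)
```

The non-zero exit status makes the check usable as a gate in a deployment pipeline after the helm template step.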