kubernetes google-kubernetes-engine kubernetes-ingress istio gke-networking

Cannot access Kubernetes Ingress (Istio) on GKE


I set up Istio (Kubernetes Ingress mode, NOT Istio Gateway) on GKE. However, I cannot access it from outside using curl:

kubectl get svc -n istio-system | grep ingressgateway

istio-ingressgateway LoadBalancer 10.48.11.240 35.222.111.100 15020:30115/TCP,80:31420/TCP,443:32019/TCP,31400:31267/TCP,15029:30180/TCP,15030:31055/TCP,15031:32226/TCP,15032:30437/TCP,15443:31792/TCP 41h

curl 35.222.111.100

curl: (7) Failed to connect to 35.222.111.100 port 80: Connection refused

This is the config of Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: ingress
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: in-keycloak
                port:
                  number: 8080

This is the config of the Service:

apiVersion: v1
kind: Service
metadata:
  name: in-keycloak
  labels:
    app: keycloak
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    app: keycloak
  type: ClusterIP

If I use the same config for Docker Desktop on a local machine (macOS), it works fine.


Solution

  • There are 2 things that must be met on GKE to make it work with Istio on a private cluster.

    1. To make Istio work on GKE you should follow these instructions to prepare a GKE cluster for Istio. They also include opening port 15017 so Istio can work.

    For private GKE clusters
    
    An automatically created firewall rule does not open port 15017. This is needed by the Pilot discovery validation webhook.
    
    To review this firewall rule for master access:
    
    $ gcloud compute firewall-rules list --filter="name~gke-${CLUSTER_NAME}-[0-9a-z]*-master"
    
    To replace the existing rule and allow master access:
    
    $ gcloud compute firewall-rules update <firewall-rule-name> --allow tcp:10250,tcp:443,tcp:15017
    

    2. Compared to the Istio documentation, I would say your ingress is not properly configured. Below you can find an ingress resource from the documentation that you might try to use instead:

    apiVersion: networking.k8s.io/v1beta1
    kind: IngressClass
    metadata:
      name: istio
    spec:
      controller: istio.io/ingress-controller
    ---
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: ingress
    spec:
      ingressClassName: istio
      rules:
      - host: httpbin.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: httpbin
              servicePort: 8000
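
An added example, not part of the original answer: a check that reads the output of `gcloud compute firewall-rules list --format=json` and reports which master rules do not admit TCP 15017. Because `--allow` replaces the whole allow list, it builds the update command from the ports each rule already has. The rule names and the sample JSON are constructed for illustration.

```python
import json

WEBHOOK_PORT = 15017  # Pilot discovery validation webhook port, per the answer above

# Constructed sample of `gcloud compute firewall-rules list --format=json` output;
# the rule names are hypothetical.
SAMPLE = json.dumps([
    {"name": "gke-demo-1a2b3c4d-master",
     "allowed": [{"IPProtocol": "tcp", "ports": ["10250", "443"]}]},
    {"name": "gke-other-5e6f7a8b-master",
     "allowed": [{"IPProtocol": "tcp", "ports": ["443", "15000-15100"]}]},
])


def port_allowed(rule, port=WEBHOOK_PORT):
    """True if the rule's allow list admits TCP traffic on `port`."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no ports listed means every port of that protocol
            return True
        for spec in ports:
            low, _, high = spec.partition("-")  # "443" or a range like "15000-15100"
            if int(low) <= port <= int(high or low):
                return True
    return False


def update_command(rule, port=WEBHOOK_PORT):
    """Build an update command that keeps the existing allow list and adds `port`.

    --allow replaces the whole list, so the current entries must be repeated.
    """
    specs = []
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"]
        specs += [f"{proto}:{p}" for p in entry.get("ports", [])] or [proto]
    specs.append(f"tcp:{port}")
    return f"gcloud compute firewall-rules update {rule['name']} --allow {','.join(specs)}"


def audit(rules_json):
    """Return {rule name: update command} for rules that do not admit the webhook port."""
    return {r["name"]: update_command(r) for r in json.loads(rules_json) if not port_allowed(r)}


if __name__ == "__main__":
    for name, cmd in audit(SAMPLE).items():
        print(f"{name}: tcp:{WEBHOOK_PORT} not allowed\n  fix: {cmd}")
```

Review the generated command before running it, since it widens what the rule's source ranges can reach on the nodes.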