I am using an external TCP/UDP network load balancer (Fortigate), Kubernetes 1.20.6 and Istio 1.9.4. I have set externalTrafficPolicy: Local and need to run the ingress gateway on every node (as said here in the network load balancer tab). How do I do that?
This is my ingress gateway service:
kind: Service
apiVersion: v1
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  uid: d1a86f50-ad14-415f-9c1e-d186fd72cb31
  resourceVersion: '1063961'
  creationTimestamp: '2021-04-28T19:25:37Z'
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    install.operator.istio.io/owning-resource-namespace: istio-system
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.9.4
    release: istio
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"istio-ingressgateway","install.operator.istio.io/owning-resource":"unknown","install.operator.istio.io/owning-resource-namespace":"istio-system","istio":"ingressgateway","istio.io/rev":"default","operator.istio.io/component":"IngressGateways","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.9.4","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15021,"protocol":"TCP","targetPort":15021},{"name":"http2","port":80,"protocol":"TCP","targetPort":8080},{"name":"https","port":443,"protocol":"TCP","targetPort":8443},{"name":"tcp-istiod","port":15012,"protocol":"TCP","targetPort":15012},{"name":"tls","port":15443,"protocol":"TCP","targetPort":15443}],"selector":{"app":"istio-ingressgateway","istio":"ingressgateway"},"type":"LoadBalancer"}}
  managedFields:
    - manager: istio-operator
      operation: Apply
      apiVersion: v1
      time: '2021-05-04T18:02:38Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
          'f:labels':
            'f:app': {}
            'f:install.operator.istio.io/owning-resource': {}
            'f:install.operator.istio.io/owning-resource-namespace': {}
            'f:istio': {}
            'f:istio.io/rev': {}
            'f:operator.istio.io/component': {}
            'f:operator.istio.io/managed': {}
            'f:operator.istio.io/version': {}
            'f:release': {}
        'f:spec':
          'f:ports':
            'k:{"port":80,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":443,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":15012,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":15021,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":15443,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector':
            'f:app': {}
            'f:istio': {}
          'f:type': {}
    - manager: kubectl-patch
      operation: Update
      apiVersion: v1
      time: '2021-05-04T18:01:23Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:externalIPs': {}
          'f:externalTrafficPolicy': {}
          'f:type': {}
  selfLink: /api/v1/namespaces/istio-system/services/istio-ingressgateway
spec:
  ports:
    - name: status-port
      protocol: TCP
      port: 15021
      targetPort: 15021
      nodePort: 30036
    - name: http2
      protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 32415
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
      nodePort: 32418
    - name: tcp-istiod
      protocol: TCP
      port: 15012
      targetPort: 15012
      nodePort: 31529
    - name: tls
      protocol: TCP
      port: 15443
      targetPort: 15443
      nodePort: 30478
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  clusterIP: 10.103.72.212
  clusterIPs:
    - 10.103.72.212
  type: LoadBalancer
  externalIPs:
    - 10.43.34.38
    - 10.43.34.77
  sessionAffinity: None
  externalTrafficPolicy: Local
  healthCheckNodePort: 30788
status:
  loadBalancer: {}
The firewall has these two addresses, 10.43.34.38 and 10.43.34.77, and relays requests to two K8s nodes on ports 32415 (http) and 32415 (https).
As brgsousa mentioned in the comment, the solution was to redeploy as a DaemonSet.
Here is the working YAML file:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
          # Turn the generated Deployment into a DaemonSet so one gateway
          # pod runs on every node.
          - path: kind
            value: DaemonSet
          # A patch without a value deletes the path: spec.strategy is a
          # Deployment field and is not valid on a DaemonSet.
          - path: spec.strategy
          # DaemonSets use spec.updateStrategy instead.
          - path: spec.updateStrategy
            value:
              rollingUpdate:
                maxUnavailable: 50%
              type: RollingUpdate
    egressGateways:
    - name: istio-egressgateway
      enabled: true
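Once the gateway runs as a DaemonSet, the thing worth verifying is that every node the Fortigate forwards to actually hosts a gateway pod: with externalTrafficPolicy: Local, kube-proxy delivers NodePort traffic only to endpoints on that same node, and healthCheckNodePort answers 503 on nodes that have none. The check below is an added example, not code from the question or the answer; it parses the JSON shape of `kubectl get ... -o json` output, and the node, pod and service documents in it are constructed samples (the selector labels, NodePorts and healthCheckNodePort are the ones from the Service above; pod phase Running is used as a stand-in for endpoint readiness).

```python
import json

# Labels in the Service's selector (taken from the Service in the question).
GATEWAY_SELECTOR = {"app": "istio-ingressgateway", "istio": "ingressgateway"}

# Constructed sample input standing in for `kubectl get ... -o json`:
# three nodes, Running gateway pods on two of them, a Pending pod on the third.
NODES_JSON = json.dumps({"items": [{"metadata": {"name": n}}
                                   for n in ("node-a", "node-b", "node-c")]})
PODS_JSON = json.dumps({"items": [
    {"metadata": {"labels": GATEWAY_SELECTOR}, "spec": {"nodeName": "node-a"},
     "status": {"phase": "Running"}},
    {"metadata": {"labels": GATEWAY_SELECTOR}, "spec": {"nodeName": "node-b"},
     "status": {"phase": "Running"}},
    {"metadata": {"labels": GATEWAY_SELECTOR}, "spec": {"nodeName": "node-c"},
     "status": {"phase": "Pending"}}]})
SERVICE_JSON = json.dumps({"spec": {
    "type": "LoadBalancer", "externalTrafficPolicy": "Local",
    "healthCheckNodePort": 30788,
    "ports": [{"name": "http2", "port": 80, "nodePort": 32415},
              {"name": "https", "port": 443, "nodePort": 32418}]}})


def gateway_nodes(pods_json, selector=GATEWAY_SELECTOR):
    """Nodes hosting a Running pod whose labels match the gateway selector."""
    hosts = set()
    for pod in json.loads(pods_json)["items"]:
        labels = pod["metadata"].get("labels", {})
        if (all(labels.get(k) == v for k, v in selector.items())
                and pod["status"].get("phase") == "Running"):
            hosts.add(pod["spec"]["nodeName"])
    return hosts


def nodes_without_gateway(nodes_json, pods_json):
    """Nodes with no local endpoint: under externalTrafficPolicy: Local their
    NodePorts drop traffic and their healthCheckNodePort returns 503."""
    every_node = {n["metadata"]["name"] for n in json.loads(nodes_json)["items"]}
    return sorted(every_node - gateway_nodes(pods_json))


def lb_backend_report(service_json, nodes_json, pods_json):
    """What the external LB needs: NodePorts to forward to, the health-check
    port to probe, and nodes that must not be used as backends yet."""
    spec = json.loads(service_json)["spec"]
    return {
        "local_policy": spec.get("externalTrafficPolicy") == "Local",
        "health_check_port": spec.get("healthCheckNodePort"),
        "node_ports": {p["name"]: p["nodePort"] for p in spec["ports"]},
        "nodes_missing_gateway": nodes_without_gateway(nodes_json, pods_json),
    }
```

Point the load balancer's health monitor at the reported health-check port rather than at the service ports, so a node whose gateway pod is not yet ready is pulled out of rotation instead of black-holing connections.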