Cao Minh Vu

Reputation: 1948

Cannot access Kubernetes Ingress (Istio) on GKE

I set up Istio (Kubernetes Ingress mode, NOT Istio Gateway) on GKE. However, I cannot access it from outside using curl:

kubectl get svc -n istio-system | grep ingressgateway

istio-ingressgateway LoadBalancer 10.48.11.240 35.222.111.100 15020:30115/TCP,80:31420/TCP,443:32019/TCP,31400:31267/TCP,15029:30180/TCP,15030:31055/TCP,15031:32226/TCP,15032:30437/TCP,15443:31792/TCP 41h

curl 35.222.111.100

curl: (7) Failed to connect to 35.222.111.100 port 80: Connection refused

This is the config of Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: ingress
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: in-keycloak
                port:
                  number: 8080

This is the config of the Service:

apiVersion: v1
kind: Service
metadata:
  name: in-keycloak
  labels:
    app: keycloak
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    app: keycloak
  type: ClusterIP

If I use the same config for Docker Desktop on my local machine (macOS), it works fine.

Upvotes: 2

Views: 636

Answers (1)

Jakub

Reputation: 8840

There are 2 things that must be met on GKE to make it work with Istio on a private cluster.

1. To make Istio work on GKE you should follow these instructions to prepare a GKE cluster for Istio. This also includes opening port 15017 so Istio can work.

For private GKE clusters

An automatically created firewall rule does not open port 15017. This is needed by the Pilot discovery validation webhook.

To review this firewall rule for master access:

$ gcloud compute firewall-rules list --filter="name~gke-${CLUSTER_NAME}-[0-9a-z]*-master"

To replace the existing rule and allow master access:

$ gcloud compute firewall-rules update <firewall-rule-name> --allow tcp:10250,tcp:443,tcp:15017

2. Compared to the Istio documentation, I would say your ingress is not properly configured. Below you can find an ingress resource from the documentation that you might try to use instead:

apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  ingressClassName: istio
  rules:
  - host: httpbin.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          serviceName: httpbin
          servicePort: 8000

Upvotes: 0
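
The firewall step in the answer above replaces the rule's whole allow list, so it helps to check what the rule already permits and add only what is missing. The following is an added example, not part of the original answer or of Istio's documentation; the function names and the sample allow list are constructed for illustration.

```shell
#!/bin/sh
# Input: the rule's allow list in the form used by --allow, for example the
# ALLOW column of `gcloud compute firewall-rules list`.
REQUIRED_PORTS="10250 443 15017"   # ports from the answer's update command

# port_allowed ALLOW_LIST PORT: succeeds if TCP PORT is covered by the list.
port_allowed() {
    list=$1; port=$2
    old_ifs=$IFS; IFS=,
    set -- $list                   # split the list on commas
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            tcp|all) return 0 ;;   # protocol without ports: every port
            tcp:*-*)               # range such as tcp:10000-16000
                range=${entry#tcp:}
                if [ "$port" -ge "${range%-*}" ] && [ "$port" -le "${range#*-}" ]; then
                    return 0
                fi ;;
            tcp:*)
                if [ "${entry#tcp:}" = "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# missing_ports ALLOW_LIST: prints the required ports the list does not cover.
missing_ports() {
    missing=""
    for p in $REQUIRED_PORTS; do
        if ! port_allowed "$1" "$p"; then
            missing="${missing:+$missing }$p"
        fi
    done
    printf '%s\n' "$missing"
}

# merged_allow ALLOW_LIST: prints the value to pass to --allow. Existing
# entries are kept because `update --allow` overrides the current list.
merged_allow() {
    merged=$1
    for m in $(missing_ports "$1"); do
        merged="${merged:+$merged,}tcp:$m"
    done
    printf '%s\n' "$merged"
}

# Constructed sample: a master-access rule that lacks the webhook port.
SAMPLE_ALLOW="tcp:10250,tcp:443"
echo "missing: $(missing_ports "$SAMPLE_ALLOW")"
echo "gcloud compute firewall-rules update <firewall-rule-name> --allow $(merged_allow "$SAMPLE_ALLOW")"
```

An empty "missing" line means the rule already covers 15017, so the connection refusal has to be looked for on the Ingress side instead.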
