gateway-api: add Gateway API instructions to egress gateways doc (#14473)

* gateway-api: add Gateway API instructions to egress gateways doc

* network policies

* regen snips

* gtw test

* demo profile

* fix test

* more test fixes

* use gw

* remove crds

* wait for routes

* fix snip

* try retry request

* sleep

* sleep longer

* try next section

* lint

* use profile none

* uninstall -y

* go.sum
This commit is contained in:
Frank Budinsky 2024-01-17 11:12:58 -05:00 committed by GitHub
parent 12f85bc44a
commit a8a2de802c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 1002 additions and 330 deletions

View File

@ -1,18 +0,0 @@
---
---
{{< tip >}}
{{< boilerplate gateway-api-future >}}
{{< boilerplate gateway-api-choose >}}
{{< /tip >}}
{{< warning >}}
The following Gateway API instructions include features that are both
[experimental](https://gateway-api.sigs.k8s.io/geps/overview/#status)
and Istio specific. Before using the Gateway API instructions, make sure to
install the **experimental version** of the Gateway API CRDs:
{{< text syntax=bash snip_id=install_experimental_crds >}}
$ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl apply -f -
{{< /text >}}
{{< /warning >}}
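Review bot: deleting the `gateway-api-experimental` boilerplate needs a repo-wide check that no other page still includes it; in this commit only `egress-control/index.md` is switched to `gateway-api-gamma-support`, so `grep -r 'boilerplate gateway-api-experimental' content/` should come back empty before merge, otherwise those pages fail to render.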

View File

@ -6,11 +6,10 @@
{{< /tip >}}
{{< warning >}}
Note that this document uses the Gateway API to configure internal mesh (east-west) traffic,
i.e., not just ingress (north-south) traffic.
Configuring internal mesh traffic is an
[experimental feature](https://gateway-api.sigs.k8s.io/geps/overview/#status)
of the Gateway API, currently under development.
This document configures internal mesh (east-west) traffic
that requires Gateway API features that are either
[experimental](https://gateway-api.sigs.k8s.io/geps/overview/#status)
or Istio specific.
Before using the Gateway API instructions, make sure to:
1) Install the **experimental version** of the Gateway API CRDs:
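Review bot: the rewritten warning now introduces a numbered list (`make sure to:` followed by `1)`), but the hunk ends after the first item, so it is not visible here whether the remaining items cover enabling the alpha Gateway API support in Istio, which the new test file in this commit turns on with `PILOT_ENABLE_ALPHA_GATEWAY_API=true`; please confirm the boilerplate lists that prerequisite, since the `ServiceEntry` parent and `Hostname` backend kinds used later depend on it.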

View File

@ -257,7 +257,7 @@ Similar to inter-cluster requests, routing rules
can also be configured for external services that are accessed using `ServiceEntry` configurations.
In this example, you set a timeout rule on calls to the `httpbin.org` service.
{{< boilerplate gateway-api-experimental >}}
{{< boilerplate gateway-api-gamma-support >}}
1) From inside the pod being used as the test source, make a _curl_ request to the `/delay` endpoint of the
httpbin.org external service:

View File

@ -19,7 +19,7 @@
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/tasks/traffic-management/egress/egress-control/index.md
####################################################################################################
source "content/en/boilerplates/snips/gateway-api-experimental.sh"
source "content/en/boilerplates/snips/gateway-api-gamma-support.sh"
snip_before_you_begin_1() {
kubectl apply -f samples/sleep/sleep.yaml

View File

@ -0,0 +1,35 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
source "tests/util/gateway-api.sh"
install_gateway_api_crds
# @setup profile=none
istioctl install --set profile=minimal --set values.pilot.env.PILOT_ENABLE_ALPHA_GATEWAY_API=true --set meshConfig.accessLogFile=/dev/stdout -y
_wait_for_deployment istio-system istiod
source "content/en/docs/tasks/traffic-management/egress/egress-gateway/test.sh"
# @cleanup
snip_cleanup_http_gateway_2
snip_cleanup_https_gateway_2
snip_cleanup_network_policies_2
snip_cleanup_1
istioctl uninstall --purge -y
kubectl delete ns istio-system
remove_gateway_api_crds
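Review bot: `# @setup profile=none` combined with a hand-rolled `istioctl install --set profile=minimal` means no Istio egress gateway deployment exists in this test, so only the `Gateway API` tab of the task can pass here; that matches the cleanup calling only the `_2` snips, but a one-line comment stating that this file exercises the Gateway API path (and that the Istio APIs path is covered by the other test) would save the next maintainer from wondering why the `_1` cleanup snips are never called. Also, `_wait_for_deployment istio-system istiod` is the only readiness wait in this file; the auto-deployed `cnn-egress-gateway-istio` deployment in `default` gets no wait here, so unless the sourced `test.sh` waits for the `Gateway` to be programmed, the first curl may race it (the `sleep` and `sleep longer` commits suggest it did).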

View File

@ -37,20 +37,56 @@ on them cannot access the Internet. Defining an egress gateway, directing all th
allocating public IPs to the egress gateway nodes allows the application nodes to access external services in a
controlled way.
{{< boilerplate before-you-begin-egress >}}
{{< boilerplate gateway-api-gamma-support >}}
## Before you begin
* Setup Istio by following the instructions in the [Installation guide](/docs/setup/).
{{< tip >}}
The egress gateway and access logging will be enabled if you install the `demo`
[configuration profile](/docs/setup/additional-setup/config-profiles/).
{{< /tip >}}
* Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample app to use as a test source for sending requests.
{{< text bash >}}
$ kubectl apply -f @samples/sleep/sleep.yaml@
{{< /text >}}
{{< tip >}}
You can use any pod with `curl` installed as a test source.
{{< /tip >}}
* Set the `SOURCE_POD` environment variable to the name of your source pod:
{{< text bash >}}
$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
{{< /text >}}
{{< warning >}}
The instructions in this task create a destination rule for the egress gateway in the `default` namespace
and assume that the client, `SOURCE_POD`, is also running in the `default` namespace.
If not, the destination rule will not be found on the
[destination rule lookup path](/docs/ops/best-practices/traffic-management/#cross-namespace-configuration)
and the client requests will fail.
{{< /warning >}}
* [Enable Envoys access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)
if not already enabled. For example, using `istioctl`:
{{< warning >}}
The instructions in this task create a destination rule for the egress gateway in the `default` namespace
and assume that the client, `SOURCE_POD`, is also running in the `default` namespace.
If not, the destination rule will not be found on the
[destination rule lookup path](/docs/ops/best-practices/traffic-management/#cross-namespace-configuration)
and the client requests will fail.
{{< /warning >}}
{{< text bask >}}
$ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogFile=/dev/stdout
{{< /text >}}
## Deploy Istio egress gateway
{{< tip >}}
Egress gateways are [deployed automatically](/docs/tasks/traffic-management/ingress/gateway-api/#deployment-methods)
when using Gateway API to configure them. You can skip this section if you are using the `Gateway API` instructions
in the following sections.
{{< /tip >}}
1. Check if the Istio egress gateway is deployed:
{{< text bash >}}
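Review bot: `{{< text bask >}}` before the `istioctl install` example is a typo for `bash` and will not render as a code block. The destination-rule warning also appears twice in this hunk, once after the `SOURCE_POD` bullet and once between the sentence `For example, using istioctl:` and the command it introduces; whichever copy survives, it should not split the access-logging bullet from its command. While touching this region, `Enable Envoys access logging` should read `Enable Envoy's access logging`.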
@ -135,18 +171,22 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
1. Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule for
traffic directed to the egress gateway.
{{< tip >}}
To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`.
The `subset` field in the `DestinationRule` should be reused for the additional hosts.
{{< /tip >}}
{{< tabset category-name="config-api" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< tip >}}
To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`.
The `subset` field in the `DestinationRule` should be reused for the additional hosts.
{{< /tip >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
spec:
selector:
istio: egressgateway
servers:
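Review bot: the step text `Create an egress Gateway for edition.cnn.com, port 80, and a destination rule for traffic directed to the egress gateway` is shared by both tabs, but the `DestinationRule` (and the tip about reusing its `subset`) exists only in the Istio APIs tab; reword the lead-in along the lines of `Create an egress Gateway for edition.cnn.com, port 80 (and, with the Istio APIs, a destination rule for traffic directed to the egress gateway)` so Gateway API readers are not left looking for a resource that is not there.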
@ -156,28 +196,61 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
protocol: HTTP
hosts:
- edition.cnn.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
EOF
{{< /text >}}
EOF
{{< /text >}}
1. Define a `VirtualService` to direct traffic from the sidecars to the egress gateway and from the egress gateway
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: cnn-egress-gateway
annotations:
networking.istio.io/service-type: ClusterIP
spec:
gatewayClassName: istio
listeners:
- name: http
hostname: edition.cnn.com
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
4) Configure route rules to direct traffic from the sidecars to the egress gateway and from the egress gateway
to the external service:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
{{< tabset category-name="config-api" >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
spec:
hosts:
- edition.cnn.com
gateways:
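Review bot: the `networking.istio.io/service-type: ClusterIP` annotation on the Gateway API `Gateway` deserves a sentence in the tab: without it Istio's automated deployment exposes the gateway through a `LoadBalancer` Service, which is the wrong exposure for an egress gateway that should only be reachable from inside the mesh. It is also worth saying that `allowedRoutes.namespaces.from: Same` is what ties the routes to the Gateway's namespace, which is the Gateway API counterpart of the `default`-namespace assumption in the warning at the top of the task.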
@ -205,10 +278,54 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
port:
number: 80
weight: 100
EOF
{{< /text >}}
EOF
{{< /text >}}
1. Resend the HTTP request to [http://edition.cnn.com/politics](https://edition.cnn.com/politics).
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: direct-cnn-to-egress-gateway
spec:
parentRefs:
- kind: ServiceEntry
group: networking.istio.io
name: cnn
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- name: cnn-egress-gateway-istio
port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: forward-cnn-from-egress-gateway
spec:
parentRefs:
- name: cnn-egress-gateway
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- kind: Hostname
group: networking.istio.io
name: edition.cnn.com
port: 80
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
5) Resend the HTTP request to [http://edition.cnn.com/politics](https://edition.cnn.com/politics).
{{< text bash >}}
$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sSL -o /dev/null -D - http://edition.cnn.com/politics
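Review bot: the backend `cnn-egress-gateway-istio` in the first `HTTPRoute`, and the `istio.io/gateway-name=cnn-egress-gateway` log selector later in the file, both depend on Istio's automated deployment naming the Service and pods after the `Gateway` (`<gateway-name>-istio`); say so next to the route, because a reader who renames the Gateway must change `backendRefs.name` too and nothing validates that reference. The `parentRefs` of kind `ServiceEntry` and the `backendRefs` of kind `Hostname` are exactly the Istio-specific extensions the `gateway-api-gamma-support` boilerplate warns about, so a short pointer here would make that warning concrete.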
@ -225,37 +342,81 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
The output should be the same as in the step 2.
1. Check the log of the `istio-egressgateway` pod for a line corresponding to our request.
If Istio is deployed in the `istio-system` namespace, the command to print the log is:
6) Check the log of the egress gateway pod for a line corresponding to our request.
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
{{< /text >}}
{{< tabset category-name="config-api" >}}
You should see a line similar to the following:
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text plain >}}
[2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com -
{{< /text >}}
If Istio is deployed in the `istio-system` namespace, the command to print the log is:
Note that you only redirected the traffic from port 80 to the egress gateway. The HTTPS traffic to port 443
went directly to _edition.cnn.com_.
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com -
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Access the log corresponding to the egress gateway using the Istio-generated pod label:
{{< text bash >}}
$ kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2024-01-09T15:35:47.283Z] "GET /politics HTTP/1.1" 301 - via_upstream - "-" 0 0 2 2 "172.30.239.55" "curl/7.87.0-DEV" "6c01d65f-a157-97cd-8782-320a40026901" "edition.cnn.com" "151.101.195.5:80" outbound|80||edition.cnn.com 172.30.239.16:55636 172.30.239.16:80 172.30.239.55:59224 - default.forward-cnn-from-egress-gateway.0
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
Note that you only redirected the HTTP traffic from port 80 through the egress gateway.
The HTTPS traffic to port 443 went directly to _edition.cnn.com_.
### Cleanup HTTP gateway
Remove the previous definitions before proceeding to the next step:
{{< tabset category-name="config-api" >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl delete gateway istio-egressgateway
$ kubectl delete serviceentry cnn
$ kubectl delete gateway istio-egressgateway
$ kubectl delete virtualservice direct-cnn-through-egress-gateway
$ kubectl delete destinationrule egressgateway-for-cnn
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl delete serviceentry cnn
$ kubectl delete gtw cnn-egress-gateway
$ kubectl delete httproute direct-cnn-to-egress-gateway
$ kubectl delete httproute forward-cnn-from-egress-gateway
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
## Egress gateway for HTTPS traffic
In this section you direct HTTPS traffic (TLS originated by the application) through an egress gateway.
You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntry`, an egress `Gateway` and a `VirtualService`.
You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntry` and egress `Gateway`.
1. Define a `ServiceEntry` for `edition.cnn.com`:
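Review bot: the Gateway API log command `kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail` has no `-n`, so it silently depends on the current kubectl namespace being `default`, where the Gateway was created, whereas the Istio APIs tab passes `-n istio-system` explicitly; add `-n default` or state the assumption. The sample log line ends with `default.forward-cnn-from-egress-gateway.0`, which names the route that matched; a sentence pointing that out gives the reader a way to confirm the request really went through the second `HTTPRoute` rather than straight out of the sidecar.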
@ -289,18 +450,22 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
1. Create an egress `Gateway` for _edition.cnn.com_, a destination rule and a virtual service
to direct the traffic through the egress gateway and from the egress gateway to the external service.
{{< tip >}}
To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`.
The `subset` field in the `DestinationRule` should be reused for the additional hosts.
{{< /tip >}}
{{< tabset category-name="config-api" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< tip >}}
To direct multiple hosts through an egress gateway, you can include a list of hosts, or use `*` to match all, in the `Gateway`.
The `subset` field in the `DestinationRule` should be reused for the additional hosts.
{{< /tip >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
spec:
selector:
istio: egressgateway
servers:
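Review bot: same issue as the HTTP section: the shared step text promises `a destination rule and a virtual service`, which exist only in the Istio APIs tab; qualify the sentence so it is clear the Gateway API tab replaces them with `TLSRoute` objects.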
@ -312,21 +477,21 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
- edition.cnn.com
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
spec:
hosts:
- edition.cnn.com
gateways:
@ -357,10 +522,73 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
port:
number: 443
weight: 100
EOF
{{< /text >}}
EOF
{{< /text >}}
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics).
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: cnn-egress-gateway
annotations:
networking.istio.io/service-type: ClusterIP
spec:
gatewayClassName: istio
listeners:
- name: tls
hostname: edition.cnn.com
port: 443
protocol: TLS
tls:
mode: Passthrough
allowedRoutes:
namespaces:
from: Same
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: direct-cnn-to-egress-gateway
spec:
parentRefs:
- kind: ServiceEntry
group: networking.istio.io
name: cnn
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- name: cnn-egress-gateway-istio
port: 443
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: forward-cnn-from-egress-gateway
spec:
parentRefs:
- name: cnn-egress-gateway
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- kind: Hostname
group: networking.istio.io
name: edition.cnn.com
port: 443
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
4) Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics).
The output should be the same as before.
{{< text bash >}}
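Review bot: the `TLSRoute` objects are `gateway.networking.k8s.io/v1alpha2` while the `Gateway` is `v1`; the text should state that `TLSRoute` has not graduated and is only present in the experimental CRD channel (which is why the boilerplate's install step uses the experimental CRDs), otherwise readers on the standard channel get an unknown-kind error on `kubectl apply`. It is also worth a sentence that with `tls.mode: Passthrough` the gateway only sees the ClientHello SNI, so `hostname: edition.cnn.com` is an SNI match and the gateway cannot inspect or filter the encrypted payload; the network-policy section that follows relies on the reader understanding that the gateway is a choke point, not a content filter.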
@ -371,21 +599,50 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
...
{{< /text >}}
1. Check the log of the egress gateway's proxy. If Istio is deployed in the `istio-system` namespace, the command to
print the log is:
5) Check the log of the egress gateway's proxy.
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -n istio-system
{{< /text >}}
{{< tabset category-name="config-api" >}}
You should see a line similar to the following:
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text plain >}}
[2019-01-02T11:46:46.981Z] "- - -" 0 - 627 1879689 44 - "-" "-" "-" "-" "151.101.129.67:443" outbound|443||edition.cnn.com 172.30.109.80:41122 172.30.109.80:443 172.30.109.112:59970 edition.cnn.com
{{< /text >}}
If Istio is deployed in the `istio-system` namespace, the command to print the log is:
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -n istio-system
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2019-01-02T11:46:46.981Z] "- - -" 0 - 627 1879689 44 - "-" "-" "-" "-" "151.101.129.67:443" outbound|443||edition.cnn.com 172.30.109.80:41122 172.30.109.80:443 172.30.109.112:59970 edition.cnn.com
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Access the log corresponding to the egress gateway using the Istio-generated pod label:
{{< text bash >}}
$ kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2024-01-11T21:09:42.835Z] "- - -" 0 - - - "-" 839 2504306 231 - "-" "-" "-" "-" "151.101.195.5:443" outbound|443||edition.cnn.com 172.30.239.8:34470 172.30.239.8:443 172.30.239.15:43956 edition.cnn.com -
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
### Cleanup HTTPS gateway
{{< tabset category-name="config-api" >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl delete serviceentry cnn
$ kubectl delete gateway istio-egressgateway
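Review bot: the Istio APIs log command here is `kubectl logs -l istio=egressgateway -n istio-system` with no `-c istio-proxy`, while the Gateway API tab and the HTTP section pass `-c istio-proxy`; with a single-container gateway pod both work, but use one form in all tabs. The Gateway API command again lacks `-n`, same remark as in the HTTP section.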
@ -393,6 +650,21 @@ $ kubectl delete virtualservice direct-cnn-through-egress-gateway
$ kubectl delete destinationrule egressgateway-for-cnn
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl delete serviceentry cnn
$ kubectl delete gtw cnn-egress-gateway
$ kubectl delete tlsroute direct-cnn-to-egress-gateway
$ kubectl delete tlsroute forward-cnn-from-egress-gateway
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
## Additional security considerations
Note that defining an egress `Gateway` in Istio does not in itself provides any special treatment for the nodes
@ -422,22 +694,22 @@ bypassing of the egress gateway. To test the network policy, you create a namesp
the [sleep]({{< github_tree >}}/samples/sleep) sample to it, and then attempt to send requests to a gateway-secured
external service.
1. Follow the steps in the
1) Follow the steps in the
[Egress gateway for HTTPS traffic](#egress-gateway-for-https-traffic) section.
1. Create the `test-egress` namespace:
2) Create the `test-egress` namespace:
{{< text bash >}}
$ kubectl create namespace test-egress
{{< /text >}}
1. Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample to the `test-egress` namespace.
3) Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample to the `test-egress` namespace.
{{< text bash >}}
$ kubectl apply -n test-egress -f @samples/sleep/sleep.yaml@
{{< /text >}}
1. Check that the deployed pod has a single container with no Istio sidecar attached:
4) Check that the deployed pod has a single container with no Istio sidecar attached:
{{< text bash >}}
$ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress
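Review bot: this section switches from markdown auto-numbering (`1.`) to explicit `N)` numbers, which is needed because the tabsets inserted later would otherwise restart the list, but the HTTP and HTTPS sections above still start with a `1.` item (`Define a ServiceEntry`) and continue with `4)`/`5)`; please verify in the rendered page that each list shows continuous numbers rather than two lists.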
@ -445,7 +717,7 @@ external service.
sleep-776b7bcdcd-z7mc4 1/1 Running 0 18m
{{< /text >}}
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics) from the `sleep` pod in
5) Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics) from the `sleep` pod in
the `test-egress` namespace. The request will succeed since you did not define any restrictive policies yet.
{{< text bash >}}
@ -453,29 +725,57 @@ external service.
200
{{< /text >}}
1. Label the namespaces where the Istio components (the control plane and the gateways) run.
If you deployed the Istio components to `istio-system`, the command is:
6) Label the namespaces where the Istio control plane and egress gateway are running.
If you deployed Istio in the `istio-system` namespace, the command is:
{{< text bash >}}
$ kubectl label namespace istio-system istio=system
{{< /text >}}
{{< tabset category-name="config-api" >}}
1. Label the `kube-system` namespace.
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl label namespace istio-system istio=system
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl label namespace istio-system istio=system
$ kubectl label namespace default gateway=true
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
7) Label the `kube-system` namespace.
{{< text bash >}}
$ kubectl label ns kube-system kube-system=true
{{< /text >}}
1. Define a `NetworkPolicy` to limit the egress traffic from the `test-egress` namespace to traffic destined to
`istio-system`, and to the `kube-system` DNS service (port 53):
8) Define a `NetworkPolicy` to limit the egress traffic from the `test-egress` namespace to traffic destined to
the control plane, gateway, and to the `kube-system` DNS service (port 53).
{{< text bash >}}
$ cat <<EOF | kubectl apply -n test-egress -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
{{< warning >}}
[Network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
are implemented by the network plugin in your Kubernetes cluster.
Depending on your test cluster, the traffic may not be blocked in the following
step.
{{< /warning >}}
{{< tabset category-name="config-api" >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ cat <<EOF | kubectl apply -n test-egress -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-istio-system-and-kube-dns
spec:
spec:
podSelector: {}
policyTypes:
- Egress
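Review bot: step 6 now says `the namespaces where the Istio control plane and egress gateway are running`, but in the Gateway API tab the gateway runs in `default`, which receives `gateway=true` rather than `istio=system`; say explicitly that the second label marks the namespace holding the auto-deployed gateway, and that it must be the namespace where the `Gateway` was created. The Istio APIs tab of this tabset repeats the pre-tabset `istio=system` command, so the tabset exists only for the extra Gateway API line; that is fine, but the duplicated command before the tabset should go.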
@ -491,20 +791,50 @@ external service.
- namespaceSelector:
matchLabels:
istio: system
EOF
{{< /text >}}
EOF
{{< /text >}}
{{< warning >}}
[Network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
are implemented by the network plugin in your Kubernetes cluster.
Depending on your test cluster, the traffic may not be blocked in the following
step.
{{< /warning >}}
{{< /tab >}}
1. Resend the previous HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ cat <<EOF | kubectl apply -n test-egress -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-istio-system-and-kube-dns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kube-system: "true"
ports:
- protocol: UDP
port: 53
- to:
- namespaceSelector:
matchLabels:
istio: system
- to:
- namespaceSelector:
matchLabels:
gateway: "true"
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
9) Resend the previous HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it
should fail since the traffic is blocked by the network policy. Note that the `sleep` pod cannot bypass
`istio-egressgateway`. The only way it can access `edition.cnn.com` is by using an Istio sidecar proxy and by
directing the traffic to `istio-egressgateway`. This setting demonstrates that even if some malicious pod manages to
the egress gateway. The only way it can access `edition.cnn.com` is by using an Istio sidecar proxy and by
directing the traffic to the egress gateway. This setting demonstrates that even if some malicious pod manages to
bypass its sidecar proxy, it will not be able to access external sites and will be blocked by the network policy.
{{< text bash >}}
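Review bot: the Gateway API policy's third rule allows egress to any pod in a namespace labelled `gateway=true`, and step 6 puts that label on `default`, so every pod in `default`, not only the egress gateway, becomes reachable from `test-egress`; that is broader than the Istio APIs variant, where `istio: system` scopes the allowance to `istio-system`. For the demo this is acceptable, but the text should say so, and the rule should ideally combine the `namespaceSelector` with a `podSelector` on `istio.io/gateway-name: cnn-egress-gateway` (the label the log commands already use) so only the gateway pods are allowed. Note also that only the DNS rule carries a port restriction; the two namespace rules permit all ports, which again is wider than the task's stated goal of forcing traffic through the gateway's 443 listener.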
@ -522,76 +852,140 @@ external service.
connect to 151.101.65.67 port 443 failed: Connection timed out
{{< /text >}}
1. Now inject an Istio sidecar proxy into the `sleep` pod in the `test-egress` namespace by first enabling
10) Now inject an Istio sidecar proxy into the `sleep` pod in the `test-egress` namespace by first enabling
automatic sidecar proxy injection in the `test-egress` namespace:
{{< text bash >}}
$ kubectl label namespace test-egress istio-injection=enabled
{{< /text >}}
1. Then redeploy the `sleep` deployment:
11) Then redeploy the `sleep` deployment:
{{< text bash >}}
$ kubectl delete deployment sleep -n test-egress
$ kubectl apply -f @samples/sleep/sleep.yaml@ -n test-egress
{{< /text >}}
1. Check that the deployed pod has two containers, including the Istio sidecar proxy (`istio-proxy`):
12) Check that the deployed pod has two containers, including the Istio sidecar proxy (`istio-proxy`):
{{< text bash >}}
$ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
sleep istio-proxy
{{< /text >}}
{{< tabset category-name="config-api" >}}
1. Create a similar destination rule as used for the `sleep` pod in the `default` namespace, to direct the `test-egress` namespace traffic through the egress gateway:
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl apply -n test-egress -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
{{< text bash >}}
$ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
sleep istio-proxy
{{< /text >}}
Before proceeding, you'll need to create a similar destination rule as the one used for the `sleep` pod in the `default` namespace,
to direct the `test-egress` namespace traffic through the egress gateway:
{{< text bash >}}
$ kubectl apply -n test-egress -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
EOF
{{< /text >}}
EOF
{{< /text >}}
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should succeed
since the traffic flows to `istio-egressgateway` in the `istio-system` namespace, which is allowed by the
Network Policy you defined. `istio-egressgateway` forwards the traffic to `edition.cnn.com`.
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
sleep istio-proxy
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
13) Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should succeed
since the traffic flows to the egress gateway is allowed by the
Network Policy you defined. The gateway then forwards the traffic to `edition.cnn.com`.
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -c sleep -- curl -sS -o /dev/null -w "%{http_code}\n" https://edition.cnn.com/politics
200
{{< /text >}}
1. Check the log of the egress gateway's proxy. If Istio is deployed in the `istio-system` namespace, the command to
print the log is:
14) Check the log of the egress gateway's proxy.
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -n istio-system
{{< /text >}}
{{< tabset category-name="config-api" >}}
You should see a line similar to the following:
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text plain >}}
[2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com -
{{< /text >}}
If Istio is deployed in the `istio-system` namespace, the command to print the log is:
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -n istio-system
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com -
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Access the log corresponding to the egress gateway using the Istio-generated pod label:
{{< text bash >}}
$ kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
{{< /text >}}
You should see a line similar to the following:
{{< text plain >}}
[2024-01-12T19:54:01.821Z] "- - -" 0 - - - "-" 839 2504837 46 - "-" "-" "-" "-" "151.101.67.5:443" outbound|443||edition.cnn.com 172.30.239.60:49850 172.30.239.60:443 172.30.239.21:36512 edition.cnn.com -
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
### Cleanup network policies
1. Delete the resources created in this section:
{{< text bash >}}
$ kubectl delete -f @samples/sleep/sleep.yaml@ -n test-egress
$ kubectl delete destinationrule egressgateway-for-cnn -n test-egress
$ kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress
$ kubectl label namespace kube-system kube-system-
$ kubectl label namespace istio-system istio-
$ kubectl delete namespace test-egress
{{< /text >}}
{{< tabset category-name="config-api" >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl delete -f @samples/sleep/sleep.yaml@ -n test-egress
$ kubectl delete destinationrule egressgateway-for-cnn -n test-egress
$ kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress
$ kubectl label namespace kube-system kube-system-
$ kubectl label namespace istio-system istio-
$ kubectl delete namespace test-egress
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl delete -f @samples/sleep/sleep.yaml@ -n test-egress
$ kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress
$ kubectl label namespace kube-system kube-system-
$ kubectl label namespace istio-system istio-
$ kubectl label namespace default gateway-
$ kubectl delete namespace test-egress
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Follow the steps in the [Cleanup HTTPS gateway](#cleanup-https-gateway) section.


@ -19,7 +19,19 @@
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/tasks/traffic-management/egress/egress-gateway/index.md
####################################################################################################
source "content/en/boilerplates/snips/before-you-begin-egress.sh"
source "content/en/boilerplates/snips/gateway-api-gamma-support.sh"
snip_before_you_begin_1() {
kubectl apply -f samples/sleep/sleep.yaml
}
snip_before_you_begin_2() {
export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
}
! read -r -d '' snip_before_you_begin_3 <<\ENDSNIP
$ istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true <flags-you-used-to-install-Istio> --set meshConfig.accessLogFile=/dev/stdout
ENDSNIP
snip_deploy_istio_egress_gateway_1() {
kubectl get pod -l istio=egressgateway -n istio-system
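Review bot: `snip_before_you_begin_2` sets `SOURCE_POD` from `jsonpath={.items..metadata.name}`, which expands to every matching pod name when more than one `app=sleep` pod exists (for example during a rollout), so the later `kubectl exec "$SOURCE_POD"` calls would break; `snip_troubleshooting_1` in this same file already uses `{.items[0].metadata.name}`, which is the safer form. Since this file is generated, the fix belongs in the source markdown named in the header.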
@ -99,6 +111,27 @@ EOF
snip_egress_gateway_for_http_traffic_4() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: cnn-egress-gateway
annotations:
networking.istio.io/service-type: ClusterIP
spec:
gatewayClassName: istio
listeners:
- name: http
hostname: edition.cnn.com
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
EOF
}
snip_egress_gateway_for_http_traffic_5() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
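Review bot: the two security-relevant lines of the `cnn-egress-gateway` snippet deserve a comment in the source markdown: `networking.istio.io/service-type: ClusterIP` is the Istio-specific annotation that stops the automated Gateway deployment from provisioning a LoadBalancer Service, so the egress gateway stays reachable only from inside the cluster, and `allowedRoutes.namespaces.from: Same` is what prevents routes from other namespaces attaching to it. Readers who copy only the YAML should know which lines keep the gateway internal.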
@ -134,11 +167,47 @@ spec:
EOF
}
snip_egress_gateway_for_http_traffic_5() {
snip_egress_gateway_for_http_traffic_6() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: direct-cnn-to-egress-gateway
spec:
parentRefs:
- kind: ServiceEntry
group: networking.istio.io
name: cnn
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- name: cnn-egress-gateway-istio
port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: forward-cnn-from-egress-gateway
spec:
parentRefs:
- name: cnn-egress-gateway
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- kind: Hostname
group: networking.istio.io
name: edition.cnn.com
port: 80
EOF
}
snip_egress_gateway_for_http_traffic_7() {
kubectl exec "$SOURCE_POD" -c sleep -- curl -sSL -o /dev/null -D - http://edition.cnn.com/politics
}
! read -r -d '' snip_egress_gateway_for_http_traffic_5_out <<\ENDSNIP
! read -r -d '' snip_egress_gateway_for_http_traffic_7_out <<\ENDSNIP
...
HTTP/1.1 301 Moved Permanently
...
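Review bot: `direct-cnn-to-egress-gateway` sends traffic to a Service named `cnn-egress-gateway-istio`, a name that exists only because Istio's automated Gateway deployment derives the Service name from the Gateway name with an `-istio` suffix; neither the snippet nor the test (`_wait_for_gateway default cnn-egress-gateway`) checks that the Service exists, so a comment noting the naming dependency, or a `kubectl get svc cnn-egress-gateway-istio` step in the doc, would help readers who name their Gateway differently. The `parentRefs` of `kind: ServiceEntry` and the `backendRefs` of `kind: Hostname` are likewise Istio extensions rather than core Gateway API, which the page's warning covers but a YAML comment would reinforce.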
@ -150,21 +219,36 @@ Content-Type: text/html; charset=utf-8
...
ENDSNIP
snip_egress_gateway_for_http_traffic_6() {
snip_egress_gateway_for_http_traffic_8() {
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
}
! read -r -d '' snip_egress_gateway_for_http_traffic_7 <<\ENDSNIP
! read -r -d '' snip_egress_gateway_for_http_traffic_9 <<\ENDSNIP
[2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com -
ENDSNIP
snip_egress_gateway_for_http_traffic_10() {
kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
}
! read -r -d '' snip_egress_gateway_for_http_traffic_11 <<\ENDSNIP
[2024-01-09T15:35:47.283Z] "GET /politics HTTP/1.1" 301 - via_upstream - "-" 0 0 2 2 "172.30.239.55" "curl/7.87.0-DEV" "6c01d65f-a157-97cd-8782-320a40026901" "edition.cnn.com" "151.101.195.5:80" outbound|80||edition.cnn.com 172.30.239.16:55636 172.30.239.16:80 172.30.239.55:59224 - default.forward-cnn-from-egress-gateway.0
ENDSNIP
snip_cleanup_http_gateway_1() {
kubectl delete gateway istio-egressgateway
kubectl delete serviceentry cnn
kubectl delete gateway istio-egressgateway
kubectl delete virtualservice direct-cnn-through-egress-gateway
kubectl delete destinationrule egressgateway-for-cnn
}
snip_cleanup_http_gateway_2() {
kubectl delete serviceentry cnn
kubectl delete gtw cnn-egress-gateway
kubectl delete httproute direct-cnn-to-egress-gateway
kubectl delete httproute forward-cnn-from-egress-gateway
}
snip_egress_gateway_for_https_traffic_1() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
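Review bot: `snip_cleanup_http_gateway_2` deletes the Gateway API resource via the `gtw` short name while `snip_cleanup_http_gateway_1` keeps `kubectl delete gateway istio-egressgateway`; with both the Istio and the Gateway API CRDs installed, the bare `gateway` resource name is ambiguous and kubectl resolves it by API discovery priority rather than by which tab the reader is following, so the Istio APIs cleanup would be more robust as `kubectl delete gateway.networking.istio.io istio-egressgateway`, and the doc should state that `gtw` is the Gateway API short name used to avoid the clash.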
@ -260,24 +344,87 @@ EOF
}
snip_egress_gateway_for_https_traffic_4() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: cnn-egress-gateway
annotations:
networking.istio.io/service-type: ClusterIP
spec:
gatewayClassName: istio
listeners:
- name: tls
hostname: edition.cnn.com
port: 443
protocol: TLS
tls:
mode: Passthrough
allowedRoutes:
namespaces:
from: Same
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: direct-cnn-to-egress-gateway
spec:
parentRefs:
- kind: ServiceEntry
group: networking.istio.io
name: cnn
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- name: cnn-egress-gateway-istio
port: 443
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: forward-cnn-from-egress-gateway
spec:
parentRefs:
- name: cnn-egress-gateway
hostnames:
- edition.cnn.com
rules:
- backendRefs:
- kind: Hostname
group: networking.istio.io
name: edition.cnn.com
port: 443
EOF
}
snip_egress_gateway_for_https_traffic_5() {
kubectl exec "$SOURCE_POD" -c sleep -- curl -sSL -o /dev/null -D - https://edition.cnn.com/politics
}
! read -r -d '' snip_egress_gateway_for_https_traffic_4_out <<\ENDSNIP
! read -r -d '' snip_egress_gateway_for_https_traffic_5_out <<\ENDSNIP
...
HTTP/2 200
Content-Type: text/html; charset=utf-8
...
ENDSNIP
snip_egress_gateway_for_https_traffic_5() {
snip_egress_gateway_for_https_traffic_6() {
kubectl logs -l istio=egressgateway -n istio-system
}
! read -r -d '' snip_egress_gateway_for_https_traffic_6 <<\ENDSNIP
! read -r -d '' snip_egress_gateway_for_https_traffic_7 <<\ENDSNIP
[2019-01-02T11:46:46.981Z] "- - -" 0 - 627 1879689 44 - "-" "-" "-" "-" "151.101.129.67:443" outbound|443||edition.cnn.com 172.30.109.80:41122 172.30.109.80:443 172.30.109.112:59970 edition.cnn.com
ENDSNIP
snip_egress_gateway_for_https_traffic_8() {
kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
}
! read -r -d '' snip_egress_gateway_for_https_traffic_9 <<\ENDSNIP
[2024-01-11T21:09:42.835Z] "- - -" 0 - - - "-" 839 2504306 231 - "-" "-" "-" "-" "151.101.195.5:443" outbound|443||edition.cnn.com 172.30.239.8:34470 172.30.239.8:443 172.30.239.15:43956 edition.cnn.com -
ENDSNIP
snip_cleanup_https_gateway_1() {
kubectl delete serviceentry cnn
kubectl delete gateway istio-egressgateway
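Review bot: the `tls.mode: Passthrough` listener combined with `TLSRoute` forwards the client's TLS session untouched and routes on SNI alone, so the `edition.cnn.com` hostname match is the only policy the egress gateway can enforce in this configuration; the access log in `snip_egress_gateway_for_https_traffic_9` shows `"- - -"` with no method or path for the same reason. A sentence in the doc would stop readers expecting HTTP-level logging or path-based rules here. Note also that `TLSRoute` is `gateway.networking.k8s.io/v1alpha2`, which is why the experimental CRD install in the warning is a hard requirement for this tab.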
@ -285,6 +432,13 @@ kubectl delete virtualservice direct-cnn-through-egress-gateway
kubectl delete destinationrule egressgateway-for-cnn
}
snip_cleanup_https_gateway_2() {
kubectl delete serviceentry cnn
kubectl delete gtw cnn-egress-gateway
kubectl delete tlsroute direct-cnn-to-egress-gateway
kubectl delete tlsroute forward-cnn-from-egress-gateway
}
snip_apply_kubernetes_network_policies_1() {
kubectl create namespace test-egress
}
@ -315,10 +469,15 @@ kubectl label namespace istio-system istio=system
}
snip_apply_kubernetes_network_policies_6() {
kubectl label ns kube-system kube-system=true
kubectl label namespace istio-system istio=system
kubectl label namespace default gateway=true
}
snip_apply_kubernetes_network_policies_7() {
kubectl label ns kube-system kube-system=true
}
snip_apply_kubernetes_network_policies_8() {
cat <<EOF | kubectl apply -n test-egress -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
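Review bot: `snip_apply_kubernetes_network_policies_6` labels `kube-system` with `kube-system=true`, and test.sh then runs `snip_apply_kubernetes_network_policies_7`, which applies the identical label again, so in the Gateway API path the label is set twice; harmless because the value is unchanged, but the duplicate `kubectl label ns kube-system kube-system=true` line can be dropped from the Gateway API tab in the markdown so the two tabs label each namespace exactly once.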
@ -343,11 +502,40 @@ spec:
EOF
}
snip_apply_kubernetes_network_policies_8() {
snip_apply_kubernetes_network_policies_9() {
cat <<EOF | kubectl apply -n test-egress -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-istio-system-and-kube-dns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kube-system: "true"
ports:
- protocol: UDP
port: 53
- to:
- namespaceSelector:
matchLabels:
istio: system
- to:
- namespaceSelector:
matchLabels:
gateway: "true"
EOF
}
snip_apply_kubernetes_network_policies_10() {
kubectl exec "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -c sleep -- curl -v -sS https://edition.cnn.com/politics
}
! read -r -d '' snip_apply_kubernetes_network_policies_8_out <<\ENDSNIP
! read -r -d '' snip_apply_kubernetes_network_policies_10_out <<\ENDSNIP
Hostname was NOT found in DNS cache
Trying 151.101.65.67...
Trying 2a04:4e42:200::323...
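Review bot: the third egress rule in `snip_apply_kubernetes_network_policies_9` allows traffic to every pod in any namespace labelled `gateway: "true"`, which after `snip_apply_kubernetes_network_policies_6` is the whole `default` namespace, so pods in `test-egress` may reach any workload in `default`, not only the egress gateway; the Istio APIs variant only opened `istio-system`. Adding a `podSelector` with the gateway pod label this diff already uses for log collection (`istio.io/gateway-name: cnn-egress-gateway`) next to the `namespaceSelector` would restore the "only via the gateway" property the section sets out to demonstrate.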
@ -361,24 +549,24 @@ Immediate connect fail for 2a04:4e42::323: Cannot assign requested address
connect to 151.101.65.67 port 443 failed: Connection timed out
ENDSNIP
snip_apply_kubernetes_network_policies_9() {
snip_apply_kubernetes_network_policies_11() {
kubectl label namespace test-egress istio-injection=enabled
}
snip_apply_kubernetes_network_policies_10() {
snip_apply_kubernetes_network_policies_12() {
kubectl delete deployment sleep -n test-egress
kubectl apply -f samples/sleep/sleep.yaml -n test-egress
}
snip_apply_kubernetes_network_policies_11() {
snip_apply_kubernetes_network_policies_13() {
kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
}
! read -r -d '' snip_apply_kubernetes_network_policies_11_out <<\ENDSNIP
! read -r -d '' snip_apply_kubernetes_network_policies_13_out <<\ENDSNIP
sleep istio-proxy
ENDSNIP
snip_apply_kubernetes_network_policies_12() {
snip_apply_kubernetes_network_policies_14() {
kubectl apply -n test-egress -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
@ -391,22 +579,38 @@ spec:
EOF
}
snip_apply_kubernetes_network_policies_13() {
snip_apply_kubernetes_network_policies_15() {
kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
}
! read -r -d '' snip_apply_kubernetes_network_policies_15_out <<\ENDSNIP
sleep istio-proxy
ENDSNIP
snip_apply_kubernetes_network_policies_16() {
kubectl exec "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -c sleep -- curl -sS -o /dev/null -w "%{http_code}\n" https://edition.cnn.com/politics
}
! read -r -d '' snip_apply_kubernetes_network_policies_13_out <<\ENDSNIP
! read -r -d '' snip_apply_kubernetes_network_policies_16_out <<\ENDSNIP
200
ENDSNIP
snip_apply_kubernetes_network_policies_14() {
snip_apply_kubernetes_network_policies_17() {
kubectl logs -l istio=egressgateway -n istio-system
}
! read -r -d '' snip_apply_kubernetes_network_policies_15 <<\ENDSNIP
! read -r -d '' snip_apply_kubernetes_network_policies_18 <<\ENDSNIP
[2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com -
ENDSNIP
snip_apply_kubernetes_network_policies_19() {
kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
}
! read -r -d '' snip_apply_kubernetes_network_policies_20 <<\ENDSNIP
[2024-01-12T19:54:01.821Z] "- - -" 0 - - - "-" 839 2504837 46 - "-" "-" "-" "-" "151.101.67.5:443" outbound|443||edition.cnn.com 172.30.239.60:49850 172.30.239.60:443 172.30.239.21:36512 edition.cnn.com -
ENDSNIP
snip_cleanup_network_policies_1() {
kubectl delete -f samples/sleep/sleep.yaml -n test-egress
kubectl delete destinationrule egressgateway-for-cnn -n test-egress
@ -416,6 +620,15 @@ kubectl label namespace istio-system istio-
kubectl delete namespace test-egress
}
snip_cleanup_network_policies_2() {
kubectl delete -f samples/sleep/sleep.yaml -n test-egress
kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress
kubectl label namespace kube-system kube-system-
kubectl label namespace istio-system istio-
kubectl label namespace default gateway-
kubectl delete namespace test-egress
}
snip_troubleshooting_1() {
kubectl exec -i -n istio-system "$(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}')" -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout | grep 'Subject Alternative Name' -A 1
}


@ -21,6 +21,8 @@ set -e
set -u
set -o pipefail
GATEWAY_API="${GATEWAY_API:-false}"
source "tests/util/samples.sh"
# Make sure default namespace is injected
@ -36,23 +38,37 @@ snip_egress_gateway_for_http_traffic_1
# Verify curl to cnn
_verify_contains snip_egress_gateway_for_http_traffic_2 "HTTP/2 200"
# Create Gateway
snip_egress_gateway_for_http_traffic_3
_wait_for_istio gateway default istio-egressgateway
_wait_for_istio destinationrule default egressgateway-for-cnn
# Create Gateway and Routes
if [ "$GATEWAY_API" == "true" ]; then
snip_egress_gateway_for_http_traffic_4
snip_egress_gateway_for_http_traffic_6
_wait_for_gateway default cnn-egress-gateway
sleep 30 # TODO: remove this delay once we can reliably detect route rules have propogated
else
snip_egress_gateway_for_http_traffic_3
_wait_for_istio gateway default istio-egressgateway
_wait_for_istio destinationrule default egressgateway-for-cnn
# Create VS
snip_egress_gateway_for_http_traffic_4
_wait_for_istio virtualservice default direct-cnn-through-egress-gateway
snip_egress_gateway_for_http_traffic_5
_wait_for_istio virtualservice default direct-cnn-through-egress-gateway
fi
# Verify successful curl
_verify_contains snip_egress_gateway_for_http_traffic_5 "HTTP/2 200"
_verify_contains snip_egress_gateway_for_http_traffic_7 "HTTP/2 200"
# Verify routing through gateway
_verify_contains snip_egress_gateway_for_http_traffic_6 "GET /politics HTTP/2"
if [ "$GATEWAY_API" == "true" ]; then
_verify_contains snip_egress_gateway_for_http_traffic_10 "outbound|80||edition.cnn.com"
else
_verify_contains snip_egress_gateway_for_http_traffic_8 "outbound|80||edition.cnn.com"
fi
# cleanup http task
snip_cleanup_http_gateway_1
if [ "$GATEWAY_API" == "true" ]; then
snip_cleanup_http_gateway_2
else
snip_cleanup_http_gateway_1
fi
# ServiceEntry for HTTPS
snip_egress_gateway_for_https_traffic_1
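Review bot: the fixed `sleep 30` after `_wait_for_gateway default cnn-egress-gateway` makes the Gateway API path both slow and timing-dependent; the HTTPRoutes publish `Accepted` and `ResolvedRefs` conditions under `status.parents`, so polling those (for instance with `kubectl wait --for=jsonpath=...` or a `_verify_contains` over `kubectl get httproute ... -o yaml`) would replace the guess. The TODO comment also has a typo: `propogated` should read `propagated`.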
@ -60,20 +76,34 @@ snip_egress_gateway_for_https_traffic_1
# Try and verify curl
_verify_contains snip_egress_gateway_for_https_traffic_2 "HTTP/2 200"
# Gateway Passthrough dr and vs
snip_egress_gateway_for_https_traffic_3
_wait_for_istio gateway default istio-egressgateway
_wait_for_istio destinationrule default egressgateway-for-cnn
_wait_for_istio virtualservice default direct-cnn-through-egress-gateway
# Gateway Passthrough and routes
if [ "$GATEWAY_API" == "true" ]; then
snip_egress_gateway_for_https_traffic_4
_wait_for_gateway default cnn-egress-gateway
sleep 30 # TODO: remove this delay once we can reliably detect route rules have propogated
else
snip_egress_gateway_for_https_traffic_3
_wait_for_istio gateway default istio-egressgateway
_wait_for_istio destinationrule default egressgateway-for-cnn
_wait_for_istio virtualservice default direct-cnn-through-egress-gateway
fi
# Verify successful curl
_verify_contains snip_egress_gateway_for_https_traffic_4 "HTTP/2 200"
_verify_contains snip_egress_gateway_for_https_traffic_5 "HTTP/2 200"
# Verify gateway routing
_verify_contains snip_egress_gateway_for_https_traffic_5 "outbound|443||edition.cnn.com"
if [ "$GATEWAY_API" == "true" ]; then
_verify_contains snip_egress_gateway_for_https_traffic_8 "outbound|443||edition.cnn.com"
else
_verify_contains snip_egress_gateway_for_https_traffic_6 "outbound|443||edition.cnn.com"
fi
# cleanup https
snip_cleanup_https_gateway_1
#if [ "$GATEWAY_API" == "true" ]; then
# snip_cleanup_https_gateway_2
#else
# snip_cleanup_https_gateway_1
#fi
### Kubernetes netowkring policy test
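Review bot: the HTTPS cleanup is now commented out (`#snip_cleanup_https_gateway_2` / `#snip_cleanup_https_gateway_1`) with no explanation. If the intent is that the network policy section which follows reuses the HTTPS egress gateway (the doc's final cleanup step points readers at the Cleanup HTTPS gateway section), say so in a comment rather than leaving dead code; otherwise delete the block. The section comment `### Kubernetes netowkring policy test` also has a typo (`networking`).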
@ -87,39 +117,58 @@ snip_apply_kubernetes_network_policies_2
_verify_contains snip_apply_kubernetes_network_policies_4 "200"
# label
snip_apply_kubernetes_network_policies_5
snip_apply_kubernetes_network_policies_6
# Apply kubernetes network policy
if [ "$GATEWAY_API" == "true" ]; then
snip_apply_kubernetes_network_policies_6
else
snip_apply_kubernetes_network_policies_5
fi
snip_apply_kubernetes_network_policies_7
# Apply kubernetes network policy
if [ "$GATEWAY_API" == "true" ]; then
snip_apply_kubernetes_network_policies_9
else
snip_apply_kubernetes_network_policies_8
fi
# Verify failure
#_verify_contains snip_apply_kubernetes_network_policies_8 "port 443 failed: Connection timed out"
#_verify_contains snip_apply_kubernetes_network_policies_10 "port 443 failed: Connection timed out"
# TODO: ^^^ this check fails as the test cluster doesn't have a network plugin
# installed which can enforce network policies.
# Enable sidecar injection
snip_apply_kubernetes_network_policies_9
snip_apply_kubernetes_network_policies_11
# Delete older sleep and reapply
snip_apply_kubernetes_network_policies_10
snip_apply_kubernetes_network_policies_12
_wait_for_deployment test-egress sleep
# verify containers
_verify_contains snip_apply_kubernetes_network_policies_11 "sleep istio-proxy"
if [ "$GATEWAY_API" == "true" ]; then
# verify containers
_verify_contains snip_apply_kubernetes_network_policies_15 "sleep istio-proxy"
else
# verify containers
_verify_contains snip_apply_kubernetes_network_policies_13 "sleep istio-proxy"
# configure DR
snip_apply_kubernetes_network_policies_12
_wait_for_istio destinationrule test-egress egressgateway-for-cnn
# configure DR
snip_apply_kubernetes_network_policies_14
_wait_for_istio destinationrule test-egress egressgateway-for-cnn
fi
# Verify 200 response
_verify_contains snip_apply_kubernetes_network_policies_13 "200"
_verify_contains snip_apply_kubernetes_network_policies_16 "200"
# Verify routing through gateway
_verify_contains snip_apply_kubernetes_network_policies_14 "outbound|443||edition.cnn.com"
if [ "$GATEWAY_API" == "true" ]; then
_verify_contains snip_apply_kubernetes_network_policies_19 "outbound|443||edition.cnn.com"
else
_verify_contains snip_apply_kubernetes_network_policies_17 "outbound|443||edition.cnn.com"
fi
# @cleanup
snip_cleanup_http_gateway_1
snip_cleanup_https_gateway_1
snip_cleanup_network_policies_1
snip_cleanup_1
if [ "$GATEWAY_API" != "true" ]; then
snip_cleanup_http_gateway_1
snip_cleanup_https_gateway_1
snip_cleanup_network_policies_1
snip_cleanup_1
fi
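Review bot: the `# @cleanup` block is gated on `GATEWAY_API != "true"`, so when the test runs in Gateway API mode nothing removes the `cnn-egress-gateway` Gateway and its routes, the `allow-egress-to-istio-system-and-kube-dns` NetworkPolicy, the `test-egress` namespace or the `gateway=true` label on `default`; an `else` branch calling `snip_cleanup_https_gateway_2`, `snip_cleanup_network_policies_2` and `snip_cleanup_1` would leave the cluster in the same state as the Istio APIs run.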