| title | description | publishdate | subtitle | attribution | weight | keywords |
|---|---|---|---|---|---|---|
| Configuring Istio Ingress with AWS NLB | Describes how to configure Istio ingress with a network load balancer on AWS | 2018-04-20 | Ingress AWS Network Load Balancer | Julien SENON | 89 | |

This post provides instructions for configuring Istio ingress with an AWS Network Load Balancer.
A network load balancer (NLB) can be used instead of a classic load balancer. See the comparison between the different AWS load balancers for more explanation.
Prerequisites
The following instructions require a Kubernetes 1.9.0 or newer cluster.
{{< warning_icon >}} Usage of AWS NLB on Kubernetes is an Alpha feature and not recommended for production clusters.
IAM Policy
You need to apply a policy to the master role in order to provision a network load balancer.
- In the AWS `iam` console, click on policies and click on create a new one:

    {{< image width="80%" ratio="60%" link="./createpolicystart.png" caption="Create a new policy" >}}

- Select `json`:

    {{< image width="80%" ratio="60%" link="./createpolicyjson.png" caption="Select json" >}}

- Copy/paste the text below:

    {{< text json >}}
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "kopsK8sNLBMasterPermsRestrictive",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcs",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:ModifyTargetGroup",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcs",
                    "ec2:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
    {{< /text >}}

- Click review policy, fill in all fields and click create policy:

    {{< image width="80%" ratio="60%" link="./create_policy.png" caption="Validate policy" >}}

- Click on roles, select your master role nodes, and click attach policy:

    {{< image width="100%" ratio="35%" link="./roles_summary.png" caption="Attach policy" >}}

- Your policy is now attached to your master node.
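
Before attaching the policy to the master role, it helps to see which of its grants change state on every resource. The following check is an added example, not part of the original post or of Istio or kops: it embeds the policy above with `Resource` set to the `*` wildcard, and the `audit` function, the read-only prefix heuristic and the finding names are assumptions made for this illustration.

```python
import json

# The policy document from this page, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "kopsK8sNLBMasterPermsRestrictive", "Effect": "Allow",
   "Action": ["ec2:DescribeVpcs",
     "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener",
     "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener",
     "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners",
     "elasticloadbalancing:DescribeLoadBalancerPolicies",
     "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth",
     "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroup",
     "elasticloadbalancing:RegisterTargets",
     "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"],
   "Resource": ["*"]},
  {"Effect": "Allow", "Action": ["ec2:DescribeVpcs", "ec2:DescribeRegions"],
   "Resource": "*"}
]}
""")

# Assumption: verbs starting with these prefixes are treated as read-only.
# This is a naming heuristic for review, not an AWS-provided classification.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (kind, statement, action) findings for Allow statements."""
    findings, seen = [], set()
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        wildcard = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2] or action  # a bare "*" has no service prefix
            if action in seen:
                findings.append(("duplicate-action", label, action))
            seen.add(action)
            if wildcard and not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(("write-on-wildcard", label, action))
    return findings

if __name__ == "__main__":
    for kind, label, action in audit(POLICY):
        print(f"{kind:18} {label:34} {action}")
```

Each `write-on-wildcard` line is a grant to review for tighter scoping, and the `duplicate-action` line shows that the second statement repeats a permission the first already gives.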
Rewrite Istio Ingress Service
You need to rewrite the ingress service with the following:
{{< text yaml >}}
apiVersion: v1
kind: Service
metadata:
  name: istio-ingress
  namespace: istio-system
  labels:
    istio: ingress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    name: http
  - port: 443
    protocol: TCP
    targetPort: 443
    name: https
  selector:
    istio: ingress
  type: LoadBalancer
{{< /text >}}