
---
title: Configuring Istio Ingress with AWS NLB
description: Describes how to configure Istio ingress with a network load balancer on AWS.
publishdate: 2018-04-20
last_update: 2019-01-16
subtitle: Ingress AWS Network Load Balancer
attribution: Julien SENON
keywords: [ingress,traffic-management,aws]
target_release: 1.0
---

{{< tip >}} This post was updated on January 16, 2019 to include some usage warnings. {{< /tip >}}

This post provides instructions to use and configure Istio ingress with an AWS Network Load Balancer.

A Network Load Balancer (NLB) can be used instead of a Classic Load Balancer. See the comparison between the different AWS load balancers for more explanation.

Prerequisites

The following instructions require a Kubernetes 1.9.0 or newer cluster.

{{< warning >}} Usage of AWS NLB on Kubernetes is an Alpha feature and not recommended for production clusters.

Usage of AWS NLB does not support the creation of two or more Kubernetes clusters running Istio in the same zone as a result of Kubernetes Bug #69264. {{< /warning >}}

IAM policy

You need to apply a policy to the master role in order to be able to provision a network load balancer.

  1. In the AWS IAM console, click on policies and then click on create a new one:

    {{< image width="80%" link="./createpolicystart.png" caption="Create a new policy" >}}

  2. Select json:

    {{< image width="80%" link="./createpolicyjson.png" caption="Select json" >}}

  3. Copy/paste text below:

    {{< text json >}}
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "kopsK8sNLBMasterPermsRestrictive",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcs",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:ModifyTargetGroup",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcs",
                    "ec2:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
    {{< /text >}}

  4. Click review policy, fill in all fields and click create policy:

    {{< image width="80%" link="./create_policy.png" caption="Validate policy" >}}

  5. Click on roles, select your master role nodes, and click attach policy:

    {{< image link="./roles_summary.png" caption="Attach policy" >}}

  6. Your policy is now attached to your master node.
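
The following is an added example, not part of the original post or the Istio project: a reviewer's check that lists which actions in the policy from step 3 are granted on a wildcard resource, separating read-only calls from ones that change load balancer state. The policy is embedded as a constructed copy with `"*"` as the resource; the `audit` helper and the rule that `Describe`/`List`/`Get` verbs are read-only are assumptions of this example.

```python
# Constructed copy of the policy from step 3, with "*" as the resource.
ELB = "elasticloadbalancing:"
ELB_VERBS = ("AddTags CreateListener CreateTargetGroup DeleteListener "
             "DeleteTargetGroup DescribeListeners DescribeLoadBalancerPolicies "
             "DescribeTargetGroups DescribeTargetHealth ModifyListener "
             "ModifyTargetGroup RegisterTargets SetLoadBalancerPoliciesOfListener")
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "kopsK8sNLBMasterPermsRestrictive", "Effect": "Allow",
         "Action": ["ec2:DescribeVpcs"] + [ELB + v for v in ELB_VERBS.split()],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeVpcs", "ec2:DescribeRegions"],
         "Resource": "*"},
    ],
}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_read_only(action):
    # Assumption of this example: Describe/List/Get verbs do not change state.
    # A wildcard in the action name is treated as mutating (fail closed).
    verb = action.split(":", 1)[-1].lower()
    return "*" not in verb and verb.startswith(("describe", "list", "get"))

def audit(policy):
    """Summarise every Allow statement that applies to Resource "*"."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        actions = as_list(stmt.get("Action", []))
        findings.append({
            "statement": stmt.get("Sid", f"statement[{idx}]"),
            "mutating": sorted(a for a in actions if not is_read_only(a)),
            "read_only": sorted(a for a in actions if is_read_only(a)),
            "has_condition": "Condition" in stmt,
        })
    return findings

if __name__ == "__main__":
    for f in audit(POLICY):
        print(f"{f['statement']}: {len(f['mutating'])} mutating, "
              f"{len(f['read_only'])} read-only, condition={f['has_condition']}")
        for action in f["mutating"]:
            print("  ", action)
```

For this policy the first statement reports nine state-changing load balancer actions on any resource with no condition, which is what the master role gains once the policy is attached.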

Generate the Istio manifest

To use an AWS NLB, it is necessary to add an AWS-specific annotation to the Istio installation. These instructions explain how to add the annotation.

Save this as the file override.yaml:

{{< text yaml >}}
gateways:
  istio-ingressgateway:
    serviceAnnotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
{{< /text >}}

Generate a manifest with Helm:

{{< text bash >}}
$ helm template install/kubernetes/helm/istio --namespace istio -f override.yaml > $HOME/istio.yaml
{{< /text >}}