1 year ago

#377051

nagyzekkyandras

Istio egress gateway not working properly

I wanted to set up and use the Istio egress gateway. I followed this link https://preliminary.istio.io/latest/blog/2018/egress-tcp/ and made this manifest:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-oracle
spec:
  hosts:
  - my.oracle.instance.com
  addresses:
  - 192.168.100.50/32
  ports:
  - name: tcp
    number: 1521
    protocol: tcp
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - hosts:
    - my.oracle.instance.com
    port:
      name: tcp
      number: 1521
      protocol: TCP
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-destination-rule-for-oracle
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: external-oracle
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: direct-external-oracle-through-egress-gateway
spec:
  gateways:
  - mesh
  - istio-egressgateway
  hosts:
  - my.oracle.instance.com
  tcp:
  - match:
    - destinationSubnets:
      - 192.168.100.50/32
      gateways:
      - mesh
      port: 1521
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 1521
        subset: external-oracle
  - match:
    - gateways:
      - istio-egressgateway
      port: 1521
    route:
    - destination:
        host: my.oracle.instance.com
        port:
          number: 1521
      weight: 100

And then my application is not able to start because of a JDBC error.

I started to watch the egress-gateway pod's logs but I do not see any sign of traffic. So I googled and found this link: https://istio.io/latest/blog/2018/egress-monitoring-access-control/ to boost my egress-gateway pod logging, but this looks a bit deprecated to me.

cat <<EOF | kubectl apply -f -
# Log entry for egress access
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
  name: egress-access
  namespace: istio-system
spec:
  severity: '"info"'
  timestamp: request.time
  variables:
    destination: request.host | "unknown"
    path: request.path | "unknown"
    responseCode: response.code | 0
    responseSize: response.size | 0
    reporterUID: context.reporter.uid | "unknown"
    sourcePrincipal: source.principal | "unknown"
  monitored_resource_type: '"UNSPECIFIED"'
---
# Handler for error egress access entries
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
  name: egress-error-logger
  namespace: istio-system
spec:
  severity_levels:
    info: 2 # output log level as error
  outputAsJson: true
---
# Rule to handle access to *.cnn.com/politics
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: handle-politics
  namespace: istio-system
spec:
  match: request.host.endsWith("cnn.com") && request.path.startsWith("/politics") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
  actions:
  - handler: egress-error-logger.stdio
    instances:
    - egress-access.logentry
---
# Handler for info egress access entries
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
  name: egress-access-logger
  namespace: istio-system
spec:
  severity_levels:
    info: 0 # output log level as info
  outputAsJson: true
---
# Rule to handle access to *.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: handle-cnn-access
  namespace: istio-system
spec:
  match: request.host.endsWith(".com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
  actions:
  - handler: egress-access-logger.stdio
    instances:
      - egress-access.logentry
EOF

But when I want to apply this I get this error:
no matches for kind "logentry" in version "config.istio.io/v1alpha2"
no matches for kind "stdio" in version "config.istio.io/v1alpha2"
no matches for kind "rule" in version "config.istio.io/v1alpha2"
no matches for kind "stdio" in version "config.istio.io/v1alpha2"
no matches for kind "rule" in version "config.istio.io/v1alpha2"

Is there a new API version of these kinds?

istioctl version

client version: 1.12.0
control plane version: 1.12.0
data plane version: 1.12.0 (28 proxies)

Is there a way to make a working Istio egress gateway with logging (as the Istio ingress gateway logging works)?

istio

istio-gateway

egress

0 Answers
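
The `logentry`, `stdio` and `rule` kinds in the post belong to Mixer, which was removed in Istio 1.8, so a 1.12 control plane has no matching CRDs. An added example, not part of the original post: one way to turn on Envoy access logs for the egress gateway only, using the Telemetry API. Assumptions: the built-in `envoy` access log provider is available in the installed version, the gateway pods carry the `istio: egressgateway` label used by the post's Gateway selector, and the resource name is hypothetical.

```yaml
# Added example: workload-scoped access logging for the egress gateway.
# Replaces the Mixer-based logentry/stdio/rule resources, which no longer exist.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: egress-gateway-access-log   # hypothetical name
  namespace: istio-system           # namespace of the egress gateway pods
spec:
  # Same label the Gateway in the post selects on; limits logging to the
  # egress gateway instead of every proxy in the mesh.
  selector:
    matchLabels:
      istio: egressgateway
  accessLogging:
  - providers:
    - name: envoy                   # assumed built-in provider, writes to the proxy's stdout
```

Entries then show up in the egress gateway pod's container log. For the TCP route on port 1521 they carry connection-level fields only, because the HTTP attributes the Mixer rules matched on (`request.host`, `request.path`) do not exist for raw TCP.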
