I looked at the ELB that Istio created and saw all of these open ports:
All of these ports are exposed to the Internet. Apart from the first two, what is the purpose of all the other exposed ports? Is there a way (through Istio configuration) to control what gets exposed?
You can see the port specification here: https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values-istio-gateways.yaml#L65
  ports:
    ## You can add custom gateway ports
  - port: 80
    targetPort: 80
    name: http2
    # nodePort: 31380
  - port: 443
    name: https
    # nodePort: 31390
  - port: 31400
    name: tcp
    # nodePort: 31400
  # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
  # to pilot/citadel if global.meshExpansion settings are enabled.
  - port: 15011
    targetPort: 15011
    name: tcp-pilot-grpc-tls
  - port: 8060
    targetPort: 8060
    name: tcp-citadel-grpc-tls
  # Addon ports for kiali are enabled in gateway - but will only redirect if
  # the gateway configuration for the various components are enabled.
  - port: 15029
    targetPort: 15029
    # name is required when a Service has more than one port; upstream uses https-kiali
    name: https-kiali
  # Telemetry-related ports are enabled in gateway - but will only redirect if
  # the gateway configuration for the various components are enabled.
  - port: 15030
    targetPort: 15030
    name: http2-prometheus
  - port: 15031
    targetPort: 15031
    name: http2-grafana
  - port: 15032
    targetPort: 15032
    name: http2-tracing
These ports expose various Istio components outside the cluster, for example to connect VMs or other clusters to Istio, or to expose the Istio dashboards outside the cluster.
You can control this exposure through the helm installation options, https://preliminary.istio.io/docs/reference/config/installation-options/#gateways-options ; all of the relevant options are named gateways.istio-ingressgateway.ports.
For example, to restrict the exposed ports to only 80 and 443, run:
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
  -x charts/gateways/templates/service.yaml \
  --set gateways.istio-ingressgateway.ports[0].port=80 \
  --set gateways.istio-ingressgateway.ports[0].name=http2 \
  --set gateways.istio-ingressgateway.ports[0].targetPort=80 \
  --set gateways.istio-ingressgateway.ports[1].port=443 \
  --set gateways.istio-ingressgateway.ports[1].name=https \
  > $HOME/istio.yaml
Inspect the generated $HOME/istio.yaml and verify that only ports 80 and 443 are exposed by the istio-ingressgateway Service.
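The final step of the answer, checking the rendered manifest before applying it, can be scripted so that an unexpected port fails a pipeline instead of relying on eyeballing the file. The script below is an added example and is not part of the original answer or of Istio; it assumes the two-space YAML indentation that helm emits for the gateway Service, and the manifest it audits is a constructed sample written here so the script runs offline (pass a real rendered file as the first argument instead).

```shell
#!/bin/sh
# Added example (not from the original answer or from Istio): audit the
# rendered istio-ingressgateway Service for ports outside an allow-list.

# Constructed sample of what `helm template ... -x charts/gateways/templates/service.yaml`
# might render, used so the script runs offline. Assumption: helm's two-space indentation.
SAMPLE_MANIFEST='apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 80
    name: http2
  - port: 443
    name: https
  - port: 15011
    targetPort: 15011
    name: tcp-pilot-grpc-tls
  - port: 8060
    targetPort: 8060
    name: tcp-citadel-grpc-tls
  selector:
    app: istio-ingressgateway
---
apiVersion: v1
kind: Service
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  type: ClusterIP
  ports:
  - port: 80
    name: http2
  selector:
    app: istio-egressgateway
'

# service_ports MANIFEST SERVICE_NAME
# Print, one per line, the `port:` values of the Service named SERVICE_NAME.
# Tracks YAML documents separated by `---`; metadata.name is the first
# two-space-indented `name:` in a document, and the ports block ends at the
# next two-space-indented key (e.g. `selector:`) or top-level key.
service_ports() {
  awk -v want="$2" '
    /^---/                                  { name = ""; inports = 0; next }
    /^  name: /                             { if (name == "") name = $2; next }
    /^  ports:/                             { inports = 1; next }
    /^  [a-zA-Z]/                           { inports = 0 }
    /^[a-zA-Z]/                             { inports = 0 }
    inports && name == want && /^  - port: / { print $3 }
  ' "$1"
}

# check_exposed_ports MANIFEST SERVICE_NAME ALLOWED_PORT...
# Return 0 if every port of the Service is in the allow-list, 1 otherwise,
# naming each unexpected port on stderr.
check_exposed_ports() {
  manifest=$1
  svc=$2
  shift 2
  allowed=" $* "
  rc=0
  for p in $(service_ports "$manifest" "$svc"); do
    case "$allowed" in
      *" $p "*) ;;
      *) echo "unexpected exposed port $p on Service $svc" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Usage: sh check_ports.sh [rendered-manifest.yaml]
# With no argument the constructed sample is audited (it fails: 15011 and 8060 are exposed).
if [ $# -ge 1 ]; then
  target=$1
else
  target=$(mktemp)
  printf '%s\n' "$SAMPLE_MANIFEST" > "$target"
fi
if check_exposed_ports "$target" istio-ingressgateway 80 443; then
  echo "ok: only allowed ports exposed on istio-ingressgateway"
else
  echo "FAIL: istio-ingressgateway exposes ports outside the allow-list"
fi
```

Run it against the output of the helm template command above, `sh check_ports.sh $HOME/istio.yaml`, and gate the `kubectl apply` on its exit status. Only the istio-ingressgateway Service is audited because that is the one of type LoadBalancer; the egressgateway Service is ClusterIP and not reachable from the Internet.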