Istio Ingress Control

Istio implements the Kubernetes ingress resource to expose a service and make it accessible from outside the cluster.

Note

The general recommendation is to use Istio gateway, and virtual service resources to allow a more complete control over the traffic. That content is covered in the traffic management section.

Ingress

The Kubernetes ingress resource has a set of rules to match the incoming HTTP traffic to route the request to a back-end service. Each rule matches a DNS name and a set of paths to forward the traffic to a back-end service.

The ingress resource has the following fields on the YAML manifest.

rules

List of rules to match against incoming HTTP traffic.

host

List of host names to match the HTTP traffic. The host can be set to a specific DNS name, wildcards such as *.example.com are supported, and it can be defined as '*' to match all hostnames.

paths

List of URL paths that are matched against HTTP requests.

pathType
  • The value Exact matches the provided path as is.

  • The value Prefix matches the provided path if it begins with the specified prefix.

backend

Specifies the service that receives the traffic.

The following code listing is an example of an ingress resource manifest.

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: istio  # (1)
spec:
  rules:  # (2)
  - host: dashboard.192.168.59.20.nip.io  # (3)
    http:
      paths:  # (4)
      - path: /
        pathType: Prefix  # (5)
        backend:  # (6)
          service:
            name: kubernetes-dashboard
            port:
              number: 80
  1. Specifies that Istio handles this ingress resource.

  2. Set of rules to be applied against incoming HTTP traffic.

  3. DNS host name where the ingress serves traffic.

  4. List of paths to match HTTP traffic.

  5. Type of match that should be applied to the path.

  6. Back-end service name and port number.

Ingress Class

The annotation is required to tell the Istio gateway controller that it should handle this ingress resource, otherwise is ignored.

metadata:
  annotations:
    kubernetes.io/ingress.class: istio

Note

The kubernetes.io/ingress.class annotation was deprecated in Kubernetes 1.22+. However, Istio does not support the ingressClassName field unless you also modify the Istio ingress class.

---
apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
spec:
  ingressClassName: istio
  ...output omitted...

​​​​

Andrés Hernández
Curriculum Developer
Curriculum Developer of the GLS DevOps practice at Red Hat