ServiceEntry vs Service and Endpoints

Question

What are the key benefits of using ServiceEntry when I can simply create Service(and if this service is a set of external IPs then define Endpoints instead of selector). In which cases I can't rely on Service?

whaaaaaat? `ServicEntry` = `Service` + `Endpoints`? That just makes absolutely no sense. — suren, May 17 '20 at 15:46
@suren, my question is about reasons why ServiceEntry != Service + Endpoints, because this is what I can't understand — Belenot, May 17 '20 at 16:07
because these are two completely different objects. You use `ServiceEntry` to specify with which external endpoints you can talk to from the mesh, while a `Service` are iptable rules for internal traffic flow. Incomparable. — suren, May 17 '20 at 16:10
@suren, but with Service+Endpoints I can specify external endpoints too... And there is no problem to talk with such Service from mesh — Belenot, May 17 '20 at 16:17
yes, but `ServiceEntry` is about permissions. If you have strict outbound policy (REGISTRY_ONLY), you need to have `ServiceEntry` to reach the endpoint. It's more like a permission. — suren, May 17 '20 at 18:06
@suren, are you checked this? Because I have an `Service` without selector with name **httpbin**. and manually created `Endpoints` with ips that belong to *httpbin.org*. When I curl such service from istio-proxied app container I getting response 200 and success logs in istio-proxy. Also outbound policy is `REGISTR_ONLY`. — Belenot, May 18 '20 at 04:16
httpbin is an internal service. `ServiceEntry` is for external endpoints. Try creating any container (say debian), and do `apt-get update`. It will fail unless you create a `ServiceEntry` and open `*.debian.org`. — suren, May 18 '20 at 10:41

score 4 · Answer 1 · answered May 18 '20 at 09:55

I would say key benefits are mentioned in the documentation, you can configure the traffic route, define retry, timeouts, fault injection etc.

A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (e.g., web APIs) or mesh-internal services that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes).

You use a service entry to add an entry to the service registry that Istio maintains internally. After you add the service entry, the Envoy proxies can send traffic to the service as if it was a service in your mesh. Configuring service entries allows you to manage traffic for services running outside of the mesh, including the following tasks:

Redirect and forward traffic for external destinations, such as APIs consumed from the web, or traffic to services in legacy infrastructure.
Define retry, timeout, and fault injection policies for external destinations.
Run a mesh service in a Virtual Machine (VM) by adding VMs to your mesh.
Logically add services from a different cluster to the mesh to configure a multicluster Istio mesh on Kubernetes.

You don’t need to add a service entry for every external service that you want your mesh services to use. By default, Istio configures the Envoy proxies to passthrough requests to unknown services. However, you can’t use Istio features to control the traffic to destinations that aren’t registered in the mesh.

The following example mesh-external service entry adds the ext-svc.example.com external dependency to Istio’s service registry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
spec:
  hosts:
  - ext-svc.example.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS

You specify the external resource using the hosts field. You can qualify it fully or use a wildcard prefixed domain name.

You can configure virtual services and destination rules to control traffic to a service entry in a more granular way, in the same way you configure traffic for any other service in the mesh. For example, the following destination rule configures the traffic route to use mutual TLS to secure the connection to the ext-svc.example.com external service that we configured using the service entry:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
spec:
  host: ext-svc.example.com
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

See the Service Entry reference for more possible configuration options.

score 0 · Answer 2 · answered Jan 28 '21 at 04:37

0

As long, as I worked with Istio, I realized that the most benefit of ServiceEntry from Service+Endpoints is that I can specify labels on endpoints in ServceEntry and build subsets upon it.

answered Jan 28 '21 at 04:37

Belenot

248
1
3
10

Alexz · Answer 3 · 2021-06-06T18:45:23.017

ServiceEntry is the API object used to define services in Istio with a set of endpoints. ServiceEntry can describe a service deployed across several clusters, services outside of the service mesh(e.g., 3rd party web APIs) or mesh-internal services that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes).

ServiceEntry endpoints can be IP addresses or DNS names. Each endpoint can be individually labeled and tagged with a network, locality, and weight and allows ServiceEntrys to describe various network topologies.

In comparison with K8s Services, in particular, Service type ExternalName you won't have Istio features(retry, timeout, fault injection policies, traffic control/load balancing with egress gateway, etc) to properly control the traffic to destinations that aren’t registered in the mesh.

Istio integration with Kubernetes uses the K8s SDK to watch the API server for service creation and service endpoint update events. By using this data, Istio creates a ServiceEntry object(Kubernetes CRDs), and this ServiceEntry is used to update Istio internal model and generate updated configuration for the data plane(Envoy), specifically, ServiceEntrys create Envoy clusters and populate their endpoints.

Relevant excerpts from the official Istio docs:

To populate its own service registry, Istio connects to a service discovery system. For example, if you’ve installed Istio on a Kubernetes cluster, then Istio automatically detects the services and endpoints in that cluster. Istio maintains an internal service registry containing the set of services, and their corresponding service endpoints, running in a service mesh. Istio uses the service registry to generate Envoy configuration.

Istio does not provide service discovery, although most services are automatically added to the registry by Pilot adapters that reflect the discovered services of the underlying platform (Kubernetes, Consul, plain DNS). Additional services can also be registered manually using a ServiceEntry configuration.

ServiceEntry vs Service and Endpoints

3 Answers3