
I have 4 microservices.

Only service-1 has two deployments behind it, so there are two pods behind service-1. You can call it a blue-green deployment.

The other three services each have one deployment and one pod.

If I want to send external traffic to server-1/pod-v2, then I can control it via a subset in the destination rules. Service-2's pod can call service-1's pods via the service name.

How can I configure Istio so that service-2's pod can only call service-1/pod-v2 via the service name, and the other services will only call service-1/pod-v1 via the service name?

Service Architecture

Anton Menshov
Yeahia Md Abid
  • Which version of Kubernetes and Istio did you use and how did you set up the cluster? Did you use a bare metal installation or some cloud provider? It is important to reproduce your problem. What exactly did you try? – Mikołaj Głodziak Dec 01 '21 at 12:44
  • I am using EKS with Kubernetes version 1.18 and Istio version 1.8.1. I want to test whether, if there are two pods with different versions under service-1, other pods (from other services) can call server-1's pods individually. For example, if server-1 has pod-v1 and pod-v2, then service-2's pod will only send requests to server-1/pod-v2 via http://service-1.prod.svc.cluster.local – Yeahia Md Abid Dec 01 '21 at 15:17
  • You are using deprecated versions of Kubernetes and Istio. Is it possible to update both of them? – Mikołaj Głodziak Dec 03 '21 at 13:31
  • It is possible for Istio, maybe not for Kubernetes. Can you tell me whether updating those will solve the problem? – Yeahia Md Abid Dec 04 '21 at 17:40
  • No, but then I will be able to reproduce the situation if your problem persists on the supported versions of istio / kubernetes. So please update your versions and let me know. – Mikołaj Głodziak Dec 06 '21 at 14:28
  • I have solved the problem in another way. I can't control a specific pod's outbound traffic, but I can control a pod's inbound traffic. I am searching for a better solution for it. – Yeahia Md Abid Dec 06 '21 at 21:10
  • Please, post your current solution as an answer. – Mikołaj Głodziak Dec 06 '21 at 21:48

1 Answer


This is not the way that I want to solve this problem. Basically I controlled the incoming traffic of a pod, but I want to control the outbound traffic of a pod. However, I am posting my hacky solution here.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: handle-internal-traffic
  namespace: demo
spec:
  hosts:
    - "service-1"
  gateways:
    - mesh
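  http:
    # Requests to "/" from mesh workloads labelled version: v1 go to subset v1.
    - match:
        - sourceLabels:
            version: v1
          uri:
            exact: /
      route:
        - destination:
            host: service-1
            subset: v1
    # Requests to "/api" from any source are rewritten to "/" and go to subset v2.
    - match:
        - uri:
            exact: /api
      rewrite:
        uri: "/"
      route:
        - destination:
            host: service-1
            subset: v2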
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: service-1
  namespace: demo
spec:
  host: service-1.demo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

Just filter on the labels when a request comes from other pods over the mesh network.

Yeahia Md Abid
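A variant of the answer's VirtualService that picks the subset from the caller's label alone, without the URI rewrite; this is an added example, not part of the original answer. It assumes service-2's pods carry the label app: service-2, that the answer's DestinationRule (subsets v1 and v2) is applied, and that this resource replaces the answer's VirtualService for the same host; the resource name is hypothetical.

```yaml
# Added example, not the answerer's configuration.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-1-by-caller      # hypothetical name
  namespace: demo
spec:
  hosts:
    - service-1
  gateways:
    - mesh                       # sourceLabels only applies to sidecar (mesh) traffic
  http:
    # Rule 1: callers whose pod is labelled app: service-2 are sent to subset v2.
    - match:
        - sourceLabels:
            app: service-2       # assumed label on service-2's pods
      route:
        - destination:
            host: service-1
            subset: v2
    # Rule 2: no match block, so every other mesh caller falls through to subset v1.
    - route:
        - destination:
            host: service-1
            subset: v1
```

The sourceLabels match is evaluated by the calling pod's sidecar, so this steers traffic from injected workloads but does not by itself stop a caller without a sidecar from reaching either version.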