How to make istio-ingress work with metallb on a bare metal k8s cluster

Hey everyone,

I deployed a production-ready k8s cluster on 3 virtual machines (1 master and 2 workers) using kubespray.
I followed the steps on the site on how to install istio using the following cmd lines:

curl -L https://istio.io/downloadIstio | sh -
cd istio-1.*
export PATH=$PWD/bin:$PATH
istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled

Then, I followed the metallb site steps on how to install and configure metallb. Steps:

  1. kubectl get configmap kube-proxy -n kube-system -o yaml |
    sed -e "s/strictARP: false/strictARP: true/" |
    kubectl apply -f - -n kube-system
  2. kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml
kubectl apply -f - <<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  - x.x.x.x-x.x.x.x
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example
  namespace: metallb-system
spec:
  ipAddressPools:
  - first-pool
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF

Now I got an external IP address for istio but I am not able to access it. It gives me:

This site can’t be reached
192.168.8.25 refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

This looks like a networking issue to me, before you try to check this with Istio. I would recommend exposing the httpbin service directly via metallb and seeing if you can reach it. At least that will keep the troubleshooting scope limited.
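
The check suggested in the reply, as an added example that is not part of the original thread: expose httpbin on its own LoadBalancer Service and probe it, then probe the Istio gateway address the same way. It assumes the httpbin Deployment is named `httpbin` in the `default` namespace with its container listening on port 80; `httpbin-direct` and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: isolate MetalLB from Istio by giving httpbin its own
# LoadBalancer Service. Assumptions (not from the original post): Deployment
# "httpbin" in namespace "default", container port 80; the Service name
# "httpbin-direct" is hypothetical.

# Create a LoadBalancer Service that bypasses the Istio ingress gateway.
expose_httpbin_direct() {
  kubectl -n default expose deployment httpbin --name httpbin-direct \
    --type LoadBalancer --port 80 --target-port 80
}

# Print the address MetalLB assigned to Service $2 in namespace $1
# (prints nothing while EXTERNAL-IP is still <pending>).
lb_ip() {
  kubectl -n "$1" get svc "$2" \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# Map a curl exit status to a coarse result.
classify_curl_exit() {
  case "$1" in
    0)  echo "reachable" ;;       # HTTP exchange completed
    7)  echo "connect-failed" ;;  # TCP connect refused or host unreachable
    28) echo "timeout" ;;         # no reply at all within the time limit
    *)  echo "other" ;;
  esac
}

# Probe http://<ip>/headers and print the classification.
probe() {
  local ip=$1 rc=0
  [ -n "$ip" ] || { echo "no-ip-assigned"; return 0; }
  curl -s -o /dev/null --connect-timeout 5 "http://$ip/headers" || rc=$?
  classify_curl_exit "$rc"
}

# Usage, from a machine on the same L2 segment as the address pool:
#   expose_httpbin_direct
#   probe "$(lb_ip default httpbin-direct)"              # MetalLB only
#   probe "$(lb_ip istio-system istio-ingressgateway)"   # MetalLB + Istio
#   kubectl -n default delete svc httpbin-direct         # clean up afterwards
```

If the direct Service is reachable but the gateway address is not, the problem is on the Istio side; if both fail the same way, look at MetalLB and the network first.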