I’m trying to understand how Istio handles incoming traffic.
So, we have an Istio IngressGateway:
$ kk -n istio-system get svc istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 172.20.71.13 af0***572.eu-west-2.elb.amazonaws.com 15021:32005/TCP,80:32180/TCP,443:30582/TCP,31400:30061/TCP,15443:31357/TCP 4d5h
It has a Listener on port 80, which sends traffic to port 32180 on a WorkerNode.
On the WorkerNode, a packet is sent from port 32180 via IPTABLES chains to 10.22.49.183:8080, which is a Docker container with Envoy, which is the istio-ingressgateway-7cbb78c4bc-dggwc pod.
Finally, it has a Route created via a VirtualService:
$ istioctl -n istio-system proxy-config route istio-ingressgateway-7cbb78c4bc-dggwc
NOTE: This output only contains routes loaded via RDS.
NAME DOMAINS MATCH VIRTUAL SERVICE
http.80 * /test-uri* test-virtualservice.test-namespace
But if I check the /etc/istio/proxy/envoy-rev0.json file in the container, there is nothing about the /test-uri URI or port 80.
So, where is this configured inside the Envoy container / the istio-ingressgateway Pod?
How is the traffic routed to a Kubernetes Service test-virtualservice.test-namespace?
There are no iptables rules in the container’s namespace.
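
Added example, not part of the original post: the istioctl output above notes that its routes were loaded via RDS, and routes delivered that way appear in Envoy's running configuration (the admin `/config_dump` output) under `dynamic_route_configs`. The sketch below rebuilds the same table from such a dump; the embedded sample is constructed, and the cluster name `test-service` is a hypothetical stand-in for the real backend.

```python
import json

# Constructed sample shaped like Envoy's admin /config_dump output. Values
# mirror the post; the cluster (service) name is hypothetical.
SAMPLE_CONFIG_DUMP = json.loads("""
{"configs": [
 {"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump",
  "bootstrap": {"node": {"id": "constructed-node-id"}}},
 {"@type": "type.googleapis.com/envoy.admin.v3.RoutesConfigDump",
  "dynamic_route_configs": [{"route_config": {
    "name": "http.80",
    "virtual_hosts": [{"name": "*:80", "domains": ["*"], "routes": [{
      "match": {"prefix": "/test-uri"},
      "route": {"cluster": "outbound|80||test-service.test-namespace.svc.cluster.local"},
      "metadata": {"filter_metadata": {"istio": {"config":
        "/apis/networking.istio.io/v1alpha3/namespaces/test-namespace/virtual-service/test-virtualservice"}}}
    }]}]}}]}
]}
""")


def format_match(match):
    """Render a route match the way the istioctl table does (prefix gets '*')."""
    if "prefix" in match:
        return match["prefix"] + "*"
    if "path" in match:
        return match["path"]
    if "safe_regex" in match:
        return "regex " + match["safe_regex"].get("regex", "")
    return "?"


def rds_routes(config_dump):
    """List routes that arrived dynamically (RDS), one dict per route."""
    rows = []
    for section in config_dump.get("configs", []):
        if not section.get("@type", "").endswith("RoutesConfigDump"):
            continue  # bootstrap, listeners, clusters etc. are other sections
        for dyn in section.get("dynamic_route_configs", []):
            rc = dyn.get("route_config", {})
            for vhost in rc.get("virtual_hosts", []):
                for route in vhost.get("routes", []):
                    meta = route.get("metadata", {}).get("filter_metadata", {})
                    parts = meta.get("istio", {}).get("config", "").split("/")
                    # .../namespaces/<ns>/virtual-service/<name> -> <name>.<ns>
                    vs = f"{parts[-1]}.{parts[-3]}" if len(parts) >= 3 else ""
                    rows.append({"name": rc.get("name", ""), "domains": vhost.get("domains", []),
                                 "match": format_match(route.get("match", {})), "virtual_service": vs,
                                 "cluster": route.get("route", {}).get("cluster", "")})
    return rows
```
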