I’m trying to understand how Istio handles incoming traffic.
So, we have an Istio IngressGateway:
$ kk -n istio-system get svc istio-ingressgateway NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 172.20.71.13 af0***572.eu-west-2.elb.amazonaws.com 15021:32005/TCP,80:32180/TCP,443:30582/TCP,31400:30061/TCP,15443:31357/TCP 4d5h
It has a Listener on port 80 which sends traffic to a WorkerNode port 32180.
On the WorkerNode from the 32180 port via IPTABLES chains, a packet is sent to the 10.22.49.183:8080, which is a Docker container with Envoy which is an
Finally, it has a Route created via a VirtualService:
$ istioctl -n istio-system proxy-config route istio-ingressgateway-7cbb78c4bc-dggwc NOTE: This output only contains routes loaded via RDS. NAME DOMAINS MATCH VIRTUAL SERVICE http.80 * /test-uri* test-virtualservice.test-namespace
But if I’m checking its
/etc/istio/proxy/envoy-rev0.json file in the container - there is nothing about the
/test-uri URI or port 80.
So - where is this configured inside of the Envoy’s container/istio-ingressgateway’s Pod?
How the traffic is routed to a Kubernetes Service
There are no iptables rules in the container’s namespace.