Limiting exposed ports of an ingressgateway load balancer

I am installing Istio with the default configuration in an AWS EKS cluster. The corresponding load balancer created for ingressgateway has multiple ports exposed by default, like 15443, 15031, etc. How do I limit the exposed ports to just 80 and 443?

Hello,

If you’re using istioctl and the default profile, you could:

  1. Generate the IstioOperator corresponding to the profile

    istioctl profile dump default > istio-generate-default.yaml
    
  2. Update the section spec.values.gateways.istio-egressgateway.ports in the YAML file to reduce the number of ports exposed.

  3. Re-apply the YAML

    istioctl manifest apply -f istio-generate-default.yaml
    

Regards,
Hugo


Thanks for the solution. Are there no flags that we can pass to istioctl or helm to do so? I am trying to automate installing Istio in my cluster and editing a file would be difficult.

Hello,

You can automate it by applying the yaml file.

Regards,
Hugo

This might be a late response, but I’ll share my findings anyway.

For Istio v1.4, you cannot use the --set commands (see the example below) to limit exposed ports.

    istioctl manifest apply \
      --set gateways.istio-ingressgateway.ports[0].port=80 \
      --set gateways.istio-ingressgateway.ports[0].name=http2 \
      --set gateways.istio-ingressgateway.ports[0].targetPort=80

These ports are auto-exposed by an Istio profile (e.g. default, demo) that enables the ‘gateway’ component.

The only way that worked for me is to use the IstioControlPlane API to override the Istio profile’s settings.
Source: https://istio.io/v1.4/docs/setup/install/istioctl/#customize-istio-settings-using-the-helm-api

Here is a config that uses IstioControlPlane to limit the exposed ports of istio-ingressgateway to ports 80 and 443, as well as to disable Prometheus.

    apiVersion: install.istio.io/v1alpha2
    kind: IstioControlPlane
    spec:
      values:
        gateways:
          istio-ingressgateway:
            ports:
              - name: http2
                port: 80
                targetPort: 80
              - name: https
                port: 443
        prometheus:
          enabled: false

  1. Save the above manifest to a YAML file (e.g. istio-config.yaml)
  2. Deploy changes: istioctl manifest apply -f istio-config.yaml
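
One way to confirm the result after the manifest is applied, as an added example that is not part of the original thread: a small audit that compares the ports on the ingress gateway Service against the 80/443 allowlist and exits non-zero on drift, so it can gate an automated install. The Service name `istio-ingressgateway`, the namespace `istio-system`, the file name `audit_ports.py` and the embedded sample object are assumptions; the sample is constructed, not captured from a cluster.

```python
import json
import sys

ALLOWED_PORTS = {80, 443}  # the two ports the thread wants exposed

# Constructed sample, shaped like `kubectl get svc -o json` output
# for a gateway Service before the port list is trimmed.
SAMPLE_BEFORE = {
    "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "http2", "port": 80, "targetPort": 80, "protocol": "TCP"},
            {"name": "https", "port": 443, "protocol": "TCP"},
            {"name": "port-15443", "port": 15443, "protocol": "TCP"},
            {"name": "port-15031", "port": 15031, "protocol": "TCP"},
        ],
    },
}


def audit_service(svc, allowed=ALLOWED_PORTS):
    """Return (unexpected, missing): Service ports outside the allowlist,
    and allowlisted ports the Service does not expose."""
    if svc.get("kind") != "Service":
        raise ValueError("expected a Service object, got %r" % svc.get("kind"))
    ports = svc.get("spec", {}).get("ports") or []
    exposed = {int(p["port"]) for p in ports}
    unexpected = sorted(exposed - set(allowed))
    missing = sorted(set(allowed) - exposed)
    return unexpected, missing


def main():
    # Reads the live Service from stdin when piped, else uses the sample.
    svc = SAMPLE_BEFORE if sys.stdin.isatty() else json.load(sys.stdin)
    unexpected, missing = audit_service(svc)
    for port in unexpected:
        print("UNEXPECTED port exposed on load balancer: %d" % port)
    for port in missing:
        print("MISSING expected port: %d" % port)
    return 1 if unexpected or missing else 0


if __name__ == "__main__":
    sys.exit(main())
```

Against a cluster, pipe the live object in: `kubectl -n istio-system get svc istio-ingressgateway -o json | python3 audit_ports.py`.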