Greetings all,
We’re currently running Istio version 1.7.6 and I’m trying to figure out the correct way to make the istio-gateway service listen only on the https port (=443), or at least not listen on port 80. I’ve tried adding

```yaml
components:
  ingressGateways:
  - name: istio-ingressgateway
    enabled: true
    k8s:
      service:
        type: LoadBalancer
        ports:
        - name: https
          port: 443
          targetPort: 8443
```

to the IstioOperator setup but that causes the error

```
warn ads ADS:LDS: ACK ERROR router~10.244.5.10~istio-ingressgateway-65ffd7bdcf-h4bbq.istio-system~istio-system.svc.cluster.local-1883 Internal:Error adding/updating listener(s) 0.0.0.0_80: cannot bind '0.0.0.0:80': Permission denied
warning envoy config gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_80: cannot bind '0.0.0.0:80': Permission denied
```

which, presumably, is because the gateway is now running as non-root. I think this is because setting ports in the istio operator file also affects the istio-ingressgateway deployment, not just the public service. So I’m taking this to mean that I’m not really on the right track by manipulating the ports directly in this way. Is there some other, better, way to make the public service only listen on the https port?

/rycee