Hi all!
I’m studying how to integrate a VM inside my istio mesh. I don’t understand if it will install an envoy proxy on the vm and how it protects the communication between pods and vm.
If I have a service inside the vm on the port 8080 I need to protect the VM with a firewall rule also? Are the pods only able to communicate with the service?
If I call the service from another VM I’m able to make requests against it?
@mcastro Istio currently supports VM security by installing an Envoy proxy and Istio agent on VM, and configuring that all traffic is intercepted by the Envoy proxy. Both VM-to-VM traffic and pod-to-VM traffic are supported. And you can apply any Istio policies on VMs, just as how it works for k8s pods.
@liminwang is there any documentation for configuring Istio policies on VMs? So far, I have not been able to find documentation on this other than Istio documentation for adding a vm to your service mesh. Thank you
There is no separate documentation for Istio policies for VMs. WorkloadEntry/WorkloadGroup is the equivalent to pod/deployment. All the existing policies work the same way for VMs as for k8s pods. For example, you can use label selector to select a group of VMs (WorkloadEntry) and apply policies to them.
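The label-selector approach described in the reply above, as an added illustration (not configuration from this thread or from the Istio project). The namespace `vm-apps`, the label `app: billing`, the service account names and the client namespace `shop` are assumptions; the VM workload is taken to listen on port 8080 as in the original question.

```yaml
# WorkloadGroup: the VM-side equivalent of a Deployment. Every VM that
# registers through this group gets the labels below on its WorkloadEntry,
# so policies can select VMs exactly like they select pods.
apiVersion: networking.istio.io/v1beta1
kind: WorkloadGroup
metadata:
  name: billing-vm            # assumed name
  namespace: vm-apps          # assumed namespace
spec:
  metadata:
    labels:
      app: billing            # assumed label used by the policies below
  template:
    serviceAccount: billing-vm   # assumed SA; becomes the VM's SPIFFE identity
    network: vm-network          # assumed network name
    ports:
      http: 8080
---
# PeerAuthentication selected by the same label: the Envoy on the VM
# accepts inbound connections only over Istio mTLS, so plaintext from
# hosts outside the mesh is rejected at the proxy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: billing-vm-strict
  namespace: vm-apps
spec:
  selector:
    matchLabels:
      app: billing
  mtls:
    mode: STRICT
---
# AuthorizationPolicy selected by the same label: only the assumed
# "frontend" service account in namespace "shop" may reach port 8080;
# any other mesh identity (pod or VM) is denied by default.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: billing-vm-allow-frontend
  namespace: vm-apps
spec:
  selector:
    matchLabels:
      app: billing
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]   # assumed caller
    to:
    - operation:
        ports: ["8080"]
```

Because the selector matches the WorkloadGroup labels rather than pod labels, the same two policies would apply unchanged to a Kubernetes Deployment carrying `app: billing`.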
It seems to me most of the VM support is geared towards running workloads on the VM and then accessing it from the k8s/istio.
Is there a way to do the reverse: proxy incoming traffic from the VM into istio?
I could set up nginx and reverse proxy requests to services on the cluster, but there’s a matter of TLS termination, I will have to control it on VM or deal with passthrough. What I want to do is use my Gateways, VirtualServices, etc., except receive traffic not from the main istio-ingressgateway, but from VM. I.e. outside → VM → cluster.