Securing Virtual Machine with Istio

Hi all!
I’m studying how to integrate a VM inside my Istio mesh. I don’t understand whether it will install an Envoy proxy on the VM and how it protects the communication between pods and the VM.

If I have a service inside the VM on port 8080, do I need to protect the VM with a firewall rule as well? Are the pods only able to communicate with the service?
If I call the service from another VM, am I able to make requests against it?

@mcastro, I would like to chat to understand more.

@mcastro Istio currently supports VM security by installing an Envoy proxy and the Istio agent on the VM, and configuring it so that all traffic is intercepted by the Envoy proxy. Both VM-to-VM traffic and pod-to-VM traffic are supported, and you can apply any Istio policies to VMs, just as they work for k8s pods.

@liminwang, is there any documentation for configuring Istio policies on VMs? So far, I have not been able to find documentation on this other than the Istio documentation for adding a VM to your service mesh. Thank you.

There is no separate documentation for Istio policies on VMs. WorkloadEntry/WorkloadGroup is the equivalent of pod/deployment. All the existing policies work the same way for VMs as for k8s pods. For example, you can use a label selector to select a group of VMs (WorkloadEntries) and apply policies to them.
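To make the two replies above concrete (the Envoy-plus-agent interception model, and "WorkloadEntry/WorkloadGroup is the equivalent of pod/deployment, select them with labels"), here is an added example that is not part of any post in this thread or of the Istio docs. It registers a VM running a service on port 8080, gives it a Service hostname so pods can call it, and then applies the same two policy kinds you would use for a pod: a PeerAuthentication that forces mTLS, and an AuthorizationPolicy that restricts who may reach port 8080. The namespace `vm-apps`, the labels `app: orders` / `tier: vm`, the address `10.0.1.20`, the network name `vm-network`, and the service accounts `orders-vm` and `cluster.local/ns/shop/sa/checkout` are all hypothetical values chosen for the example.

```yaml
# Added example: Istio resources for a VM workload, selected by label.
# All names, labels, IPs and service accounts below are hypothetical.

# 1. WorkloadGroup: the "Deployment" of the VM world. The labels in
#    spec.metadata are stamped onto every WorkloadEntry that joins
#    this group, which is what the policies further down select on.
apiVersion: networking.istio.io/v1beta1
kind: WorkloadGroup
metadata:
  name: orders-vm
  namespace: vm-apps
spec:
  metadata:
    labels:
      app: orders
      tier: vm
  template:
    serviceAccount: orders-vm
    network: vm-network
---
# 2. WorkloadEntry: the "Pod" of the VM world. With auto-registration
#    enabled the Istio agent on the VM creates this for you; it is shown
#    here explicitly so the labels and identity are visible.
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: orders-vm-1
  namespace: vm-apps
  labels:
    app: orders
    tier: vm
spec:
  address: 10.0.1.20          # hypothetical VM address
  labels:
    app: orders
    tier: vm
  serviceAccount: orders-vm   # becomes spiffe://.../ns/vm-apps/sa/orders-vm
  network: vm-network
---
# 3. A plain Kubernetes Service whose selector matches the WorkloadEntry
#    labels, so pods reach the VM as orders.vm-apps.svc.cluster.local:8080.
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: vm-apps
spec:
  selector:
    app: orders
  ports:
  - name: http
    port: 8080
    targetPort: 8080
---
# 4. PeerAuthentication: STRICT mTLS for every workload labelled tier=vm.
#    The Envoy on the VM rejects plaintext connections to 8080, which is
#    the "firewall" question from the first post: mesh-internal callers
#    must present a mesh certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: vm-strict-mtls
  namespace: vm-apps
spec:
  selector:
    matchLabels:
      tier: vm
  mtls:
    mode: STRICT
---
# 5. AuthorizationPolicy: only the hypothetical checkout service account
#    (whether it runs in a pod or on another VM) may call port 8080.
#    Everything not matched by an ALLOW rule is denied once a policy
#    with a selector exists for the workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-vm-allow-checkout
  namespace: vm-apps
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        ports: ["8080"]
        methods: ["GET", "POST"]
```

Two practitioner notes. First, these policies are enforced by the Envoy on the VM, and Envoy only sees traffic that the agent's iptables rules redirect to it; a host firewall on the VM remains useful defence in depth against anything that reaches the box outside that redirection path. Second, `principals` in the AuthorizationPolicy are mesh identities, not IPs, so a caller on another VM is authorized exactly the same way as a pod: it must be enrolled with a WorkloadEntry whose `serviceAccount` maps to an allowed principal.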

Check whether the solo.io video https://www.youtube.com/watch?v=W32duZtHh2w&ab_channel=solo.io helps you.

It seems to me that most of the VM support is geared towards running workloads on the VM and then accessing them from k8s/Istio.

Is there a way to do the reverse: proxy incoming traffic from the VM into Istio?

I could set up nginx and reverse-proxy requests to services on the cluster, but there’s the matter of TLS termination: I would have to control it on the VM or deal with passthrough. What I want to do is use my Gateways, VirtualServices, etc., except receive traffic not from the main istio-ingressgateway but from the VM, i.e. outside → VM → cluster.

@rauan were you able to implement the above architecture?