2
votes

I was looking at my ELB created by Istio, and I see all these open ports:

  • 80 (TCP) forwarding to 31380 (TCP)
  • 443 (TCP) forwarding to 31390 (TCP)
  • 853 (TCP) forwarding to 31107 (TCP)
  • 8060 (TCP) forwarding to 32130 (TCP)
  • 15011 (TCP) forwarding to 31942 (TCP)
  • 15030 (TCP) forwarding to 31438 (TCP)
  • 15031 (TCP) forwarding to 30695 (TCP)
  • 31400 (TCP) forwarding to 31400 (TCP)

All these ports are exposed to the Internet. Besides the first two, what is the purpose of all the other exposed ports? Is there any way (via Istio configuration) to control what is exposed?


2 Answers

6
votes

You can see the ports spec here: https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values-istio-gateways.yaml#L65

ports:
  ## You can add custom gateway ports
  - port: 80
    targetPort: 80
    name: http2
    # nodePort: 31380
  - port: 443
    name: https
    # nodePort: 31390
  - port: 31400
    name: tcp
    # nodePort: 31400
  # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
  # to pilot/citadel if global.meshExpansion settings are enabled.
  - port: 15011
    targetPort: 15011
    name: tcp-pilot-grpc-tls
  - port: 8060
    targetPort: 8060
    name: tcp-citadel-grpc-tls
  # Addon ports for kiali are enabled in gateway - but will only redirect if
  # the gateway configuration for the various components are enabled.
  - port: 15029
    targetPort: 15029
  # Telemetry-related ports are enabled in gateway - but will only redirect if
  # the gateway configuration for the various components are enabled.
  - port: 15030
    targetPort: 15030
    name: http2-prometheus
  - port: 15031
    targetPort: 15031
    name: http2-grafana
  - port: 15032
    targetPort: 15032
    name: http2-tracing

These ports expose various components of Istio outside the cluster, for example for connecting VMs or other clusters with Istio, or for exposing Istio dashboard outside the cluster.

You can control this exposure through the Helm installation options at https://preliminary.istio.io/docs/reference/config/installation-options/#gateways-options; see all the options named gateways.istio-ingressgateway.ports.

For example, to limit the exposed ports to 80 and 443 only, run:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
  -x charts/gateways/templates/service.yaml \
  --set gateways.istio-ingressgateway.ports[0].port=80 \
  --set gateways.istio-ingressgateway.ports[0].name=http2 \
  --set gateways.istio-ingressgateway.ports[0].targetPort=80 \
  --set gateways.istio-ingressgateway.ports[1].port=443 \
  --set gateways.istio-ingressgateway.ports[1].name=https \
  > $HOME/istio.yaml

Inspect the generated $HOME/istio.yaml and verify that only the ports 80 and 443 are exposed for istio-ingressgateway service.
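Beyond reading the rendered manifest by eye, the same check can be run against the live Service. The script below is an added example, not code from the answer or from Istio: it parses `kubectl -n istio-system get svc istio-ingressgateway -o json` (or a `kubectl get svc -o json` list) and reports every port of a LoadBalancer/NodePort Service that is not on the 80/443 allowlist. The embedded JSON is a constructed sample built from a subset of the question's port list.

```python
import json

# Constructed sample (not captured from a real cluster): a trimmed
# `kubectl -n istio-system get svc istio-ingressgateway -o json`, with the
# port/nodePort pairs taken from the question's ELB listener list.
SAMPLE_SERVICE_JSON = """{
  "kind": "Service",
  "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
  "spec": {
    "type": "LoadBalancer",
    "ports": [
      {"name": "http2", "port": 80, "targetPort": 80, "nodePort": 31380, "protocol": "TCP"},
      {"name": "https", "port": 443, "targetPort": 443, "nodePort": 31390, "protocol": "TCP"},
      {"name": "tcp-citadel-grpc-tls", "port": 8060, "targetPort": 8060, "nodePort": 32130, "protocol": "TCP"},
      {"name": "tcp-pilot-grpc-tls", "port": 15011, "targetPort": 15011, "nodePort": 31942, "protocol": "TCP"},
      {"name": "http2-prometheus", "port": 15030, "targetPort": 15030, "nodePort": 31438, "protocol": "TCP"},
      {"name": "http2-grafana", "port": 15031, "targetPort": 15031, "nodePort": 30695, "protocol": "TCP"},
      {"name": "tcp", "port": 31400, "targetPort": 31400, "nodePort": 31400, "protocol": "TCP"}
    ]
  }
}"""

ALLOWED_PORTS = {80, 443}  # what the ingress gateway should expose to the Internet


def services(doc):
    """Yield Service objects from either a single object or a `kind: List`."""
    if doc.get("kind") == "List":
        for item in doc.get("items", []):
            yield from services(item)
    elif doc.get("kind") == "Service":
        yield doc


def unexpected_ports(doc, allowed=ALLOWED_PORTS):
    """Return (service, port, name, nodePort) for every externally reachable
    port (LoadBalancer or NodePort Service) that is not in the allowlist."""
    findings = []
    for svc in services(doc):
        spec = svc.get("spec", {})
        if spec.get("type") not in ("LoadBalancer", "NodePort"):
            continue  # ClusterIP services are not reachable from outside the cluster
        for p in spec.get("ports", []):
            if p.get("port") not in allowed:
                findings.append((svc["metadata"]["name"], p.get("port"), p.get("name"), p.get("nodePort")))
    return sorted(findings, key=lambda f: f[1])


def audit(json_text, allowed=ALLOWED_PORTS):
    """Parse kubectl JSON output and return the non-allowlisted exposed ports."""
    return unexpected_ports(json.loads(json_text), allowed)


if __name__ == "__main__":
    for svc, port, name, node_port in audit(SAMPLE_SERVICE_JSON):
        print(f"{svc}: port {port} ({name}) -> nodePort {node_port} is exposed but not allowlisted")
```

Pipe real cluster output in with `kubectl -n istio-system get svc -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`; an empty result means only 80 and 443 face the load balancer.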

0
votes

This might be a late response, but I’ll share my findings anyway.

For Istio v1.4, you cannot use --set options (see the example below) to limit the exposed ports.

istioctl manifest apply \
--set gateways.istio-ingressgateway.ports[0].port=80 \
--set gateways.istio-ingressgateway.ports[0].name=http2 \
--set gateways.istio-ingressgateway.ports[0].targetPort=80

These ports are automatically exposed by an Istio profile (e.g. default, demo) that enables the gateway component.

The only way that worked for me is to use the IstioControlPlane API to override the Istio profile's settings. Source: https://istio.io/v1.4/docs/setup/install/istioctl/#customize-istio-settings-using-the-helm-api

Here is a config that uses IstioControlPlane to limit the exposed ports of istio-ingressgateway to 80 and 443, and also disables Prometheus.

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    gateways:
      istio-ingressgateway:
        ports:
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
    prometheus:
      enabled: false

1. Save the above manifest to a yaml file (e.g. istio-config.yaml)
2. Deploy the changes: istioctl manifest apply -f istio-config.yaml