I've created a private GKE cluster with Istio through the Cloud Console UI. The cluster is set up with VPC Peering to be able to reach another private GKE cluster in another Google Cloud Project.
I've created a Deployment (called website) with a Service in Kubernetes in the staging namespace. My goal is to expose this service to the outside world with Istio, using the Envoy proxy. I've created the necessary VirtualService and Gateway to do so, following this guide.
When running "kubectl exec ..." to access a pod in the private cluster, I can successfully connect to the internal IP address of the website service, and see the output of that service with "curl".
I have set up a NAT Gateway so pods in the private cluster can connect to the Internet. I confirmed this by curl-ing various non-Google web pages from within the website pod.
However, I can't connect to the website service from the outside, using the External IP of the istio-ingressgateway service, as the guide above mentions. Instead, curl-ing that External IP leads to a timeout.
I've put the full YAML config for all related resources in a private Gist, here: https://gist.github.com/marceldegraaf/0f36ca817a8dba45ac97bf6b310ca282
I'm wondering if I'm missing something in my config here, or if my use case is actually impossible?
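As an added example (not code from the question or its gist), a Python check over the Gateway and VirtualService pair the question describes, flagging the mismatches that leave the ingress gateway with nothing to serve on port 80. The manifests are constructed dicts standing in for the gist's YAML; the names website-gateway and website, the staging namespace, and the istio: ingressgateway selector that the default ingress gateway pods carry are assumptions.

```python
# Constructed manifests mirroring the question's layout (not the gist's YAML).
GATEWAY = {"kind": "Gateway",
           "metadata": {"name": "website-gateway", "namespace": "staging"},
           "spec": {"selector": {"istio": "ingressgateway"},
                    "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                                 "hosts": ["*"]}]}}
VIRTUAL_SERVICE = {"kind": "VirtualService",
                   "metadata": {"name": "website", "namespace": "staging"},
                   "spec": {"hosts": ["*"], "gateways": ["website-gateway"],
                            "http": [{"route": [{"destination": {"host": "website"}}]}]}}
INGRESS_LABEL = {"istio": "ingressgateway"}  # assumed default label on istio-ingressgateway pods


def host_covered(pattern, host):
    """Istio host matching: '*' matches anything, '*.x' matches that suffix."""
    pattern = pattern.split("/", 1)[-1]  # drop an optional "namespace/" prefix
    if pattern == "*" or host == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def lint(gateway, vs):
    """Return findings for a Gateway/VirtualService pair; [] means consistent."""
    findings = []
    gw_ref = f"{gateway['metadata'].get('namespace', 'default')}/{gateway['metadata']['name']}"
    vs_ns = vs["metadata"].get("namespace", "default")
    servers = gateway["spec"].get("servers", [])
    # 1. Unless the selector matches the ingress gateway pods, Envoy never loads this Gateway.
    sel = gateway["spec"].get("selector", {})
    if any(sel.get(k) != v for k, v in INGRESS_LABEL.items()):
        findings.append(f"{gw_ref}: selector {sel} does not match {INGRESS_LABEL}")
    # 2. The external curl and the TCP:80 firewall rule both target an HTTP listener on :80.
    if not any(s["port"]["number"] == 80 and s["port"]["protocol"].upper() == "HTTP"
               for s in servers):
        findings.append(f"{gw_ref}: no HTTP server on port 80")
    # 3. A bare gateway name is resolved in the VirtualService's own namespace;
    #    a Gateway elsewhere needs the "namespace/name" form, or nothing is exposed.
    bound = {g if "/" in g else f"{vs_ns}/{g}" for g in vs["spec"].get("gateways", [])}
    if gw_ref not in bound:
        findings.append(f"VirtualService binds {sorted(bound) or 'mesh only'}, not {gw_ref}")
    # 4. Each VirtualService host must fall under some host the Gateway serves.
    gw_hosts = [h for s in servers for h in s.get("hosts", [])]
    for h in vs["spec"].get("hosts", []):
        if not any(host_covered(p, h) for p in gw_hosts):
            findings.append(f"host {h!r} is served by no Gateway host in {gw_hosts}")
    return findings
```

Run lint(GATEWAY, VIRTUAL_SERVICE) against your own manifests loaded into the same dict shape; an empty list means the timeout is not explained by the Gateway/VirtualService binding and the search moves to the load balancer and firewall path.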
External IP of the istio-ingressgateway is bound to a forwarding rule in Cloud Load Balancer, with the GKE nodes as the Target Pool. I've added a Firewall Rule to explicitly allow all incoming traffic on TCP:80 for the entire network, but even then my curl to the External IP results in a timeout. Any idea what I'm missing? – Marcel de Graaf
istio-ingressgateway I see no requests coming in when trying to access the External IP from outside. I do see requests in the logs of istio-ingressgateway when I try to curl it from inside the cluster. – Marcel de Graaf