This topic shows you how to resolve the issue where the pods of a Kubernetes cluster on the data plane cannot access the IP address of the Server Load Balancer (SLB) instance that is configured in an ingress gateway.

Problem description

A Kubernetes cluster is added to your Alibaba Cloud Service Mesh (ASM) instance. An SLB instance whose externalTrafficPolicy parameter is set to Local is configured in an ingress gateway for the ASM instance. When the pods of the Kubernetes cluster access the IP address of the SLB instance that is configured in the ingress gateway, the following issue occurs:
  • Pods on specific nodes of the Kubernetes cluster cannot access the IP address of the SLB instance.

Causes

If an SLB instance whose externalTrafficPolicy parameter is set to Local is specified for the ingress gateway service of the Kubernetes cluster, only pods on the nodes where backend pods of the service are deployed can access the IP address of the SLB instance. This is because kube-proxy regards the IP address of the SLB instance as an external IP address of the service, which is intended for access to the ingress gateway from outside the Kubernetes cluster. Requests that nodes and pods inside the Kubernetes cluster send to the IP address of the SLB instance are not routed to the SLB instance. Instead, kube-proxy in iptables or IP Virtual Server (IPVS) mode intercepts them on the local node and forwards them to backend pods of the service.

If no backend pods of the service are deployed on the node where the requesting pod resides, the IP address of the SLB instance cannot be accessed from that pod. If backend pods of the service are deployed on that node, the IP address of the SLB instance can be accessed. For more information, see Why kube-proxy add external-lb's address to node local iptables rule?.
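The following Python script is an added illustration and is not part of the original topic or of ASM. It models the kube-proxy rule described above: it reads the shape of `kubectl get svc -o json` and `kubectl get endpointslices -o json` output (both samples are constructed here, with placeholder IP addresses and node names) and predicts, for every node in the cluster, whether a pod on that node can reach the IP address of the SLB instance. It also models the effect of switching externalTrafficPolicy to Cluster and returns the in-cluster addresses that work regardless of policy.

```python
import copy
import json

# Constructed sample, not real cluster output: the fields a practitioner
# would read from `kubectl get svc -n istio-system istio-ingressgateway -o json`.
# IP addresses are placeholder/documentation values.
SERVICE_JSON = """
{
  "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
  "spec": {
    "type": "LoadBalancer",
    "clusterIP": "172.16.0.10",
    "externalTrafficPolicy": "Local"
  },
  "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}
}
"""

# Constructed sample of `kubectl get endpointslices -n istio-system \
#   -l kubernetes.io/service-name=istio-ingressgateway -o json`:
# gateway pods are ready on node-a and node-b; the pod on node-c is not ready.
ENDPOINTSLICES_JSON = """
{
  "items": [
    {
      "metadata": {"name": "istio-ingressgateway-abc12"},
      "endpoints": [
        {"addresses": ["10.0.1.5"], "nodeName": "node-a", "conditions": {"ready": true}},
        {"addresses": ["10.0.2.7"], "nodeName": "node-b", "conditions": {"ready": true}},
        {"addresses": ["10.0.3.9"], "nodeName": "node-c", "conditions": {"ready": false}}
      ]
    }
  ]
}
"""

# Constructed list of all nodes in the data-plane cluster.
CLUSTER_NODES = ["node-a", "node-b", "node-c", "node-d"]


def load_samples():
    """Parse the constructed samples into the dicts the functions below expect."""
    return json.loads(SERVICE_JSON), json.loads(ENDPOINTSLICES_JSON)


def ready_endpoint_nodes(endpointslices):
    """Nodes that host at least one ready endpoint of the service."""
    nodes = set()
    for es in endpointslices.get("items", []):
        for ep in es.get("endpoints", []):
            if ep.get("conditions", {}).get("ready", True) and ep.get("nodeName"):
                nodes.add(ep["nodeName"])
    return nodes


def slb_ip_reachable_from(service, endpointslices, source_node):
    """Can a pod on source_node reach the SLB IP, given kube-proxy's handling
    of the external IP? Cluster policy forwards to any endpoint; Local policy
    only forwards to endpoints on the same node and drops otherwise."""
    policy = service["spec"].get("externalTrafficPolicy", "Cluster")
    local_nodes = ready_endpoint_nodes(endpointslices)
    if not local_nodes:
        return False  # no ready endpoints anywhere: nothing can answer
    if policy == "Cluster":
        return True  # any node can forward to a remote endpoint
    return source_node in local_nodes  # Local: needs an endpoint on this node


def diagnose(service, endpointslices, nodes):
    """Map every node to whether its pods can reach the SLB IP."""
    return {n: slb_ip_reachable_from(service, endpointslices, n) for n in nodes}


def with_external_traffic_policy(service, policy):
    """Copy of the service with the policy changed (models the Cluster fix)."""
    patched = copy.deepcopy(service)
    patched["spec"]["externalTrafficPolicy"] = policy
    return patched


def in_cluster_addresses(service):
    """Addresses that work from every node regardless of policy:
    the cluster IP and the <name>.<namespace> service name."""
    meta = service["metadata"]
    return service["spec"]["clusterIP"], f'{meta["name"]}.{meta["namespace"]}'


if __name__ == "__main__":
    svc, eps = load_samples()
    slb_ip = svc["status"]["loadBalancer"]["ingress"][0]["ip"]
    for node, ok in diagnose(svc, eps, CLUSTER_NODES).items():
        print(f"{node}: pods can{'' if ok else 'not'} reach SLB IP {slb_ip}")
    print("reachable from every node:", in_cluster_addresses(svc))
```

With the constructed samples, only node-a and node-b can reach the SLB IP under the Local policy; node-c (endpoint not ready) and node-d (no endpoint) cannot. Against a real cluster you would replace the two constants with the output of the kubectl commands named in the comments.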

Solutions

  • You can use the cluster IP address or the name of the ingress gateway service to reach the ingress gateway from within the Kubernetes cluster instead of the IP address of the SLB instance. The name of the ingress gateway service is istio-ingressgateway.istio-system.
    Note We recommend that you use this solution.
  • If you do not need to preserve client source IP addresses, you can use the following solution:
    Change the value of the externalTrafficPolicy parameter of the ingress gateway to Cluster. In this case, the source IP addresses of clients are not preserved when the IP address of the SLB instance is accessed. For more information, see Modify an ingress gateway service.
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: ingressgateway
      namespace: istio-system
      ....
    spec:
      externalTrafficPolicy: Cluster
    ....
  • If your cluster uses Terway in elastic network interface (ENI) mode or inclusive ENI mode, you can use the following solution, which allows pods to access the IP address of the SLB instance within the Kubernetes cluster without losing source IP addresses:
    Change the value of the externalTrafficPolicy parameter of the ingress gateway to Cluster and add the annotation service.beta.kubernetes.io/backend-type: "eni" under serviceAnnotations so that the SLB instance connects directly to the ENIs of the pods. For more information, see Modify an ingress gateway service.
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: ingressgateway
      namespace: istio-system
      ....
    spec:
      externalTrafficPolicy: Cluster
      maxReplicas: 5
      minReplicas: 2
      ports:
        - name: status-port
          port: 15020
          targetPort: 15020
        - name: http2
          port: 80
          targetPort: 80
        - name: https
          port: 443
          targetPort: 443
        - name: tls
          port: 15443
          targetPort: 15443
      replicaCount: 2
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      runAsRoot: false
      serviceAnnotations:
        service.beta.kubernetes.io/backend-type: eni
      serviceType: LoadBalancer