Ingress gateways of Alibaba Cloud Service Mesh (ASM) instances serve as the entry point for business traffic. To prevent business unavailability, ingress gateways must remain available. This topic describes how to improve the availability of the ingress gateway service of an ASM instance.

Prerequisites

Improve availability for the ingress gateway service deployed in an ACK cluster

You can use a YAML file to create and configure an ingress gateway for an ASM instance. When you create an ingress gateway and deploy it in an ACK cluster, you can configure a pod anti-affinity policy in the YAML file of the ingress gateway to assign the pods of the ingress gateway to different nodes or zones. This improves the availability of the ingress gateway.
  • Set the podAntiAffinity parameter to assign the pods of the ingress gateway to different nodes.
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:   
      name: ingressgateway-1
      namespace: istio-system
    spec:  
      clusterIds:
        - "c954ee9df88f64f229591f0ea4c61****"
      cpu: 
        targetAverageUtilization: 80
      externalTrafficPolicy: Local
      maxReplicas: 4
      minReplicas: 2  
      ports:  
      - name: status-port
        port: 15020    
        targetPort: 15020  
      - name: http2    
        port: 80    
        targetPort: 80  
      - name: https    
        port: 443    
        targetPort: 80
      - name: tls    
        port: 15443    
        targetPort: 15443  
      replicaCount: 1  
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      sds:
        enabled: true
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
      serviceType: LoadBalancer  
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - istio-ingressgateway-1
              topologyKey: kubernetes.io/hostname
            weight: 100
      rollingMaxSurge: "100%"
      rollingMaxUnavailable: "25%"
    • preferredDuringSchedulingIgnoredDuringExecution: enables soft pod anti-affinity. This specifies that pods can still be scheduled even if the specified requirements cannot be met.
    • matchExpressions: the policy used to assign pods. Set the key parameter to app, the operator parameter to In, and the values parameter to istio-ingressgateway-1. This specifies that the pods of the ingress gateway cannot be deployed on the same nodes where a pod labeled with app=istio-ingressgateway-1 is deployed. As a result, each node can contain only one pod labeled with app=istio-ingressgateway-1.
    • topologyKey: the dimension for which the pod anti-affinity policy takes effect.

      In this example, the value is set to kubernetes.io/hostname, which indicates that the pod anti-affinity policy takes effect on nodes.

  • Set the podAntiAffinity parameter to assign the pods of the ingress gateway to different zones.
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:   
      name: ingressgateway-1
      namespace: istio-system
    spec:  
      clusterIds:
        - "c954ee9df88f64f229591f0ea4c61****"
      cpu: 
        targetAverageUtilization: 80
      externalTrafficPolicy: Local
      maxReplicas: 4
      minReplicas: 2  
      ports:  
      - name: status-port
        port: 15020    
        targetPort: 15020  
      - name: http2    
        port: 80    
        targetPort: 80  
      - name: https    
        port: 443    
        targetPort: 80
      - name: tls    
        port: 15443    
        targetPort: 15443  
      replicaCount: 1  
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      sds:
        enabled: true
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
      serviceType: LoadBalancer  
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - istio-ingressgateway-1
              topologyKey: topology.kubernetes.io/zone
            weight: 100
      rollingMaxSurge: "100%"
      rollingMaxUnavailable: "25%"
    • preferredDuringSchedulingIgnoredDuringExecution: enables soft pod anti-affinity. This specifies that pods can still be scheduled even if the specified requirements cannot be met.
    • matchExpressions: the policy used to assign pods. Set the key parameter to app, the operator parameter to In, and the values parameter to istio-ingressgateway-1. This specifies that the pods of the ingress gateway cannot be deployed in the same zones where a pod labeled with app=istio-ingressgateway-1 is deployed. As a result, each zone can contain only one pod labeled with app=istio-ingressgateway-1.
    • topologyKey: the dimension for which the pod anti-affinity policy takes effect.

      In this example, this parameter is set to topology.kubernetes.io/zone, which indicates that the pod anti-affinity policy takes effect on zones.
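
Because preferredDuringSchedulingIgnoredDuringExecution is a soft rule, the scheduler can still place two gateway pods on one node or in one zone, so it is worth checking the actual placement after deployment. The following Python check is an added example, not part of the ASM documentation; it assumes input in the shape of `kubectl get pods -o json` and `kubectl get nodes -o json`, and the node, pod and zone names in the sample data are constructed.

```python
import json
from collections import Counter

ZONE_KEY = "topology.kubernetes.io/zone"

# Constructed sample data in the shape of `kubectl get nodes -o json` and
# `kubectl get pods -n istio-system -o json` (all names are made up).
NODES = {"items": [
    {"metadata": {"name": "node-a1", "labels": {ZONE_KEY: "zone-a"}}},
    {"metadata": {"name": "node-a2", "labels": {ZONE_KEY: "zone-a"}}},
    {"metadata": {"name": "node-b1", "labels": {ZONE_KEY: "zone-b"}}},
]}

def make_pod(name, app, node=None):
    """Build a minimal pod object; a pod without a node is still Pending."""
    spec = {"nodeName": node} if node else {}
    return {"metadata": {"name": name, "labels": {"app": app}}, "spec": spec}

PODS = {"items": [
    make_pod("gw-1", "istio-ingressgateway-1", "node-a1"),
    make_pod("gw-2", "istio-ingressgateway-1", "node-a1"),  # co-located despite the soft rule
    make_pod("gw-3", "istio-ingressgateway-1", "node-a2"),
    make_pod("gw-4", "istio-ingressgateway-1"),             # Pending: no node assigned yet
    make_pod("other", "some-other-app", "node-b1"),
]}

def placement_report(pods, nodes, app_label="istio-ingressgateway-1"):
    """Count scheduled gateway pods per node and per zone and flag weak spread."""
    zone_of = {n["metadata"]["name"]: n["metadata"].get("labels", {}).get(ZONE_KEY, "unknown")
               for n in nodes["items"]}
    per_node, per_zone = Counter(), Counter()
    for pod in pods["items"]:
        node = pod.get("spec", {}).get("nodeName")
        if pod["metadata"].get("labels", {}).get("app") != app_label or not node:
            continue  # skip other workloads and pods that are not scheduled yet
        per_node[node] += 1
        per_zone[zone_of.get(node, "unknown")] += 1
    return {
        "per_node": dict(per_node),
        "per_zone": dict(per_zone),
        "shared_nodes": sorted(n for n, c in per_node.items() if c > 1),
        "single_zone": len(per_zone) < 2,  # fewer than two zones carry gateway pods
    }

if __name__ == "__main__":
    print(json.dumps(placement_report(PODS, NODES), indent=2))
```

A non-empty shared_nodes list or single_zone set to true means the gateway does not currently have the node-level or zone-level spread that the anti-affinity policy asks for.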

Improve availability for the ingress gateway service deployed in a serverless Kubernetes cluster

Serverless Kubernetes clusters do not support the pod anti-affinity policy. To improve availability for the ingress gateway service deployed in a serverless Kubernetes cluster, you can create Elastic Container Instance (ECI) pods in the cluster and assign the pods to different zones.

  1. Configure multiple zones in your serverless Kubernetes cluster. For more information, see Create ECIs across zones.
  2. Set the podAnnotations parameter for an ingress gateway deployed in the serverless Kubernetes cluster to associate zones with this ingress gateway.
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:   
      name: ingressgateway
      namespace: istio-system
    spec:  
      clusterIds:
        - "c954ee9df88f64f229591f0ea4c61****"
      cpu: 
        targetAverageUtilization: 80
      externalTrafficPolicy: Local
      maxReplicas: 4
      minReplicas: 2  
      ports:  
      - name: status-port
        port: 15020    
        targetPort: 15020  
      - name: http2    
        port: 80    
        targetPort: 80  
      - name: https    
        port: 443    
        targetPort: 80
      - name: tls    
        port: 15443    
        targetPort: 15443  
      replicaCount: 1  
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      sds:
        enabled: true
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
      serviceType: LoadBalancer  
      podAnnotations:
        k8s.aliyun.com/eci-vswitch: "vsw-bp1b07j0miob3khtn****,vsw-bp12b85hh323se8ft****"
        k8s.aliyun.com/eci-schedule-strategy: "VSwitchRandom"
      rollingMaxSurge: "100%"
      rollingMaxUnavailable: "25%"
    • k8s.aliyun.com/eci-vswitch: the IDs of vSwitches that belong to the virtual private clouds (VPCs) of the zones to be associated.
    • k8s.aliyun.com/eci-schedule-strategy: the scheduling policy of the ECI pods. In this example, the value is set to VSwitchRandom, which indicates that ECI pods are assigned to zones in random mode.