Ingress gateways of Service Mesh (ASM) instances serve as the traffic entry points of your business. To prevent business unavailability, ingress gateways must be highly available. This topic describes how to improve the availability of the ingress gateway service of an ASM instance.
Prerequisites
An ASM instance is created. For more information, see Create an ASM instance.
A Container Service for Kubernetes (ACK) cluster or an ACK Serverless cluster is created. For more information, see Create an ACK managed cluster or Create an ACK Serverless cluster.
The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
Improve availability for the ingress gateway service deployed in an ACK cluster
You can use a YAML file to create and configure an ingress gateway for an ASM instance. When you create an ingress gateway and deploy it in an ACK cluster, you can configure a pod anti-affinity policy in the YAML file of the ingress gateway to assign the pods of the ingress gateway to different nodes or zones. This improves the availability of the ingress gateway.
Set the podAntiAffinity parameter to assign the pods of the ingress gateway to different nodes.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway-1
  namespace: istio-system
spec:
  clusterIds:
    - "c954ee9df88f64f229591f0ea4c61****"
  cpu:
    targetAverageUtilization: 80
  externalTrafficPolicy: Local
  maxReplicas: 4
  minReplicas: 2
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80
    - name: tls
      port: 15443
      targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: true
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
  serviceType: LoadBalancer
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - istio-ingressgateway-1
            topologyKey: kubernetes.io/hostname
          weight: 100
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
```
preferredDuringSchedulingIgnoredDuringExecution: enables soft pod anti-affinity. This specifies that pods can still be scheduled even if the specified requirements are not met.
matchExpressions: the policy used to assign pods. Set the key parameter to app, the operator parameter to In, and the values parameter to istio-ingressgateway-1. This specifies that the pods of the ingress gateway cannot be deployed on the same nodes where a pod labeled with app=istio-ingressgateway-1 is deployed. As a result, each node can contain only one pod labeled with app=istio-ingressgateway-1.
topologyKey: the dimension for which the pod anti-affinity policy takes effect. In this example, the value is set to kubernetes.io/hostname, which indicates that the pod anti-affinity policy takes effect on nodes.
Set the podAntiAffinity parameter to assign the pods of the ingress gateway to different zones.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway-1
  namespace: istio-system
spec:
  clusterIds:
    - "c954ee9df88f64f229591f0ea4c61****"
  cpu:
    targetAverageUtilization: 80
  externalTrafficPolicy: Local
  maxReplicas: 4
  minReplicas: 2
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80
    - name: tls
      port: 15443
      targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: true
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
  serviceType: LoadBalancer
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - istio-ingressgateway-1
            topologyKey: topology.kubernetes.io/zone
          weight: 100
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
```
preferredDuringSchedulingIgnoredDuringExecution: enables soft pod anti-affinity. This specifies that pods can still be scheduled even if the specified requirements are not met.
matchExpressions: the policy used to assign pods. Set the key parameter to app, the operator parameter to In, and the values parameter to istio-ingressgateway-1. This specifies that the pods of the ingress gateway cannot be deployed in the same zones where a pod labeled with app=istio-ingressgateway-1 is deployed. As a result, each zone can contain only one pod labeled with app=istio-ingressgateway-1.
topologyKey: the dimension for which the pod anti-affinity policy takes effect. In this example, this parameter is set to topology.kubernetes.io/zone, which indicates that the pod anti-affinity policy takes effect on zones.
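Because both anti-affinity configurations above use the soft (preferred) form, the scheduler may still place gateway pods together, so it is worth checking the actual placement after deployment. The following is an added example, not part of the original page or of ASM tooling: it groups the gateway's pods by node and by zone and reports co-location. The node, zone and pod names are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

def placement(pods, nodes, app, topology_key):
    """Group the gateway's pods by the topology domain of the node they run on."""
    domain_of = {n["metadata"]["name"]: n["metadata"].get("labels", {}).get(topology_key)
                 for n in nodes["items"]}
    groups = defaultdict(list)
    for pod in pods["items"]:
        meta = pod["metadata"]
        if meta.get("labels", {}).get("app") != app:
            continue  # pod belongs to another workload
        node = pod.get("spec", {}).get("nodeName")
        if node is None:
            groups["<unscheduled>"].append(meta["name"])  # Pending pod
        else:
            groups[domain_of.get(node) or "<unlabeled>"].append(meta["name"])
    return dict(groups)

def colocated(groups):
    """Domains holding more than one gateway pod, i.e. where the soft rule was not met."""
    return {d: sorted(p) for d, p in groups.items()
            if len(p) > 1 and not d.startswith("<")}

# --- Constructed sample data, shaped like `kubectl get nodes/pods -o json` ---
def _node(name, zone):
    return {"metadata": {"name": name, "labels": {
        "kubernetes.io/hostname": name, "topology.kubernetes.io/zone": zone}}}

def _pod(name, app, node=None):
    return {"metadata": {"name": name, "labels": {"app": app}},
            "spec": {"nodeName": node} if node else {}}

NODES = {"items": [_node("node-a", "zone-1"), _node("node-b", "zone-1"),
                   _node("node-c", "zone-2")]}
PODS = {"items": [_pod("gw-1", "istio-ingressgateway-1", "node-a"),
                  _pod("gw-2", "istio-ingressgateway-1", "node-b"),
                  _pod("gw-3", "istio-ingressgateway-1"),        # still Pending
                  _pod("web-1", "web", "node-a")]}

if __name__ == "__main__":
    for key in ("kubernetes.io/hostname", "topology.kubernetes.io/zone"):
        groups = placement(PODS, NODES, "istio-ingressgateway-1", key)
        print(key, "->", groups, "| co-located:", colocated(groups) or "none")
```

In the sample, the pods are spread across nodes but two of them share one zone, which is the case a node-level policy alone does not cover. Against a real cluster, load the output of `kubectl get pods -n istio-system -o json` and `kubectl get nodes -o json` in place of the sample dictionaries.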
Improve availability for the ingress gateway service deployed in an ACK Serverless cluster
Serverless Kubernetes clusters do not support the pod anti-affinity policy. To improve availability for the ingress gateway service deployed in an ACK Serverless cluster, you can create Elastic Container Instance (ECI) pods in the cluster and assign the pods to different zones.
Configure multiple zones in your ACK Serverless cluster. For more information, see Create ECIs across zones.
Set the podAnnotations parameter for an ingress gateway deployed in the ACK Serverless cluster to associate zones with this ingress gateway.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  clusterIds:
    - "c954ee9df88f64f229591f0ea4c61****"
  cpu:
    targetAverageUtilization: 80
  externalTrafficPolicy: Local
  maxReplicas: 4
  minReplicas: 2
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80
    - name: tls
      port: 15443
      targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: true
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
  serviceType: LoadBalancer
  podAnnotations:
    k8s.aliyun.com/eci-vswitch: "vsw-bp1b07j0miob3khtn****,vsw-bp12b85hh323se8ft****"
    k8s.aliyun.com/eci-schedule-strategy: "VSwitchRandom"
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
```
k8s.aliyun.com/eci-vswitch: the IDs of vSwitches that belong to the virtual private clouds (VPCs) of the zones to be associated.
k8s.aliyun.com/eci-schedule-strategy: the scheduling policy of the ECI pods. In this example, the value is set to VSwitchRandom, which indicates that ECI pods are assigned to zones in random mode.