Ingress gateways of Alibaba Cloud Service Mesh (ASM) instances are the entry points for business traffic. To prevent business unavailability, ingress gateways must be available. This topic describes how to improve availability for the ingress gateway service of an ASM instance.
Prerequisites
- An ASM instance is created. For more information, see Create an ASM instance.
- A Container Service for Kubernetes (ACK) cluster or a serverless Kubernetes cluster is created. For more information, see Create a managed Kubernetes cluster or Create an ASK cluster.
- The ACK cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
Improve availability for the ingress gateway service deployed in an ACK cluster
- Set the podAntiAffinity parameter to assign the pods of the ingress gateway to different nodes.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway-1
  namespace: istio-system
spec:
  clusterIds:
    - "c954ee9df88f64f229591f0ea4c61****"
  cpu:
    targetAverageUtilization: 80
  externalTrafficPolicy: Local
  maxReplicas: 4
  minReplicas: 2
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80
    - name: tls
      port: 15443
      targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: true
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
  serviceType: LoadBalancer
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - istio-ingressgateway-1
            topologyKey: kubernetes.io/hostname
          weight: 100
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
```
- preferredDuringSchedulingIgnoredDuringExecution: enables soft pod anti-affinity. Pods can still be scheduled even if the specified requirements cannot be met.
- matchExpressions: the policy used to assign pods. Set the key parameter to app, the operator parameter to In, and the values parameter to istio-ingressgateway-1. This specifies that the pods of the ingress gateway are not to be deployed on a node where a pod labeled with app=istio-ingressgateway-1 is already deployed. As a result, each node contains only one pod labeled with app=istio-ingressgateway-1 whenever the requirement can be met.
- topologyKey: the dimension for which the pod anti-affinity policy takes effect. In this example, the value is set to kubernetes.io/hostname, which indicates that the pod anti-affinity policy takes effect on nodes.
- Set the podAntiAffinity parameter to assign the pods of the ingress gateway to different zones.
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway-1
  namespace: istio-system
spec:
  clusterIds:
    - "c954ee9df88f64f229591f0ea4c61****"
  cpu:
    targetAverageUtilization: 80
  externalTrafficPolicy: Local
  maxReplicas: 4
  minReplicas: 2
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80
    - name: tls
      port: 15443
      targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: true
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
  serviceType: LoadBalancer
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - istio-ingressgateway-1
            topologyKey: topology.kubernetes.io/zone
          weight: 100
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
```
- preferredDuringSchedulingIgnoredDuringExecution: enables soft pod anti-affinity. Pods can still be scheduled even if the specified requirements cannot be met.
- matchExpressions: the policy used to assign pods. Set the key parameter to app, the operator parameter to In, and the values parameter to istio-ingressgateway-1. This specifies that the pods of the ingress gateway are not to be deployed in a zone where a pod labeled with app=istio-ingressgateway-1 is already deployed. As a result, each zone contains only one pod labeled with app=istio-ingressgateway-1 whenever the requirement can be met.
- topologyKey: the dimension for which the pod anti-affinity policy takes effect. In this example, this parameter is set to topology.kubernetes.io/zone, which indicates that the pod anti-affinity policy takes effect on zones.
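Because the anti-affinity rule in both configurations above is soft, the scheduler may still co-locate gateway pods, so it is worth checking the actual placement. The following is an added example, not part of the original documentation: it counts running gateway pods per node and per zone and reports how many replicas survive the loss of the most crowded domain. The pod names, node names and zone names are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample data, trimmed to the fields used below. In a real cluster:
#   kubectl get pods -n istio-system -l app=istio-ingressgateway-1 -o json
#   kubectl get nodes -o json
PODS = json.loads("""{"items": [
 {"metadata": {"name": "gw-1"}, "spec": {"nodeName": "node-1"}, "status": {"phase": "Running"}},
 {"metadata": {"name": "gw-2"}, "spec": {"nodeName": "node-2"}, "status": {"phase": "Running"}},
 {"metadata": {"name": "gw-3"}, "spec": {"nodeName": "node-3"}, "status": {"phase": "Running"}},
 {"metadata": {"name": "gw-4"}, "spec": {}, "status": {"phase": "Pending"}}
]}""")
NODES = json.loads("""{"items": [
 {"metadata": {"name": "node-1", "labels": {"kubernetes.io/hostname": "node-1", "topology.kubernetes.io/zone": "zone-a"}}},
 {"metadata": {"name": "node-2", "labels": {"kubernetes.io/hostname": "node-2", "topology.kubernetes.io/zone": "zone-a"}}},
 {"metadata": {"name": "node-3", "labels": {"kubernetes.io/hostname": "node-3", "topology.kubernetes.io/zone": "zone-b"}}}
]}""")

def spread(pods, nodes, topology_key):
    """Count Running gateway pods per topology domain (node or zone)."""
    labels = {n["metadata"]["name"]: n["metadata"]["labels"] for n in nodes["items"]}
    counts = Counter()
    for pod in pods["items"]:
        if pod["status"].get("phase") != "Running":
            continue  # Pending or failed pods carry no traffic
        node = pod["spec"].get("nodeName")
        counts[labels.get(node, {}).get(topology_key, "<unknown>")] += 1
    return counts

def audit(pods, nodes, topology_key):
    """Report co-located pods and the replicas left if the fullest domain fails."""
    counts = spread(pods, nodes, topology_key)
    worst = max(counts.values(), default=0)
    return {
        "domains": dict(counts),
        "colocated": {d: c for d, c in counts.items() if c > 1},
        "survivors_after_worst_failure": sum(counts.values()) - worst,
    }

if __name__ == "__main__":
    for key in ("kubernetes.io/hostname", "topology.kubernetes.io/zone"):
        print(key, audit(PODS, NODES, key))
```

In the sample data every pod runs on its own node, yet two of the three running pods share a zone, so a single zone outage leaves one replica.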
Improve availability for the ingress gateway service deployed in a serverless Kubernetes cluster
Serverless Kubernetes clusters do not support the pod anti-affinity policy. To improve availability for the ingress gateway service deployed in a serverless Kubernetes cluster, you can create Elastic Container Instance (ECI) pods in the cluster and assign the pods to different zones.