Exposing GKE services through Anthos Service Mesh with a managed HTTPS load balancer

Istio and GKE

Anthos Service Mesh (ASM)

Use case: Building an ASM on a single GKE cluster

  • every service must be able to have its separate mesh ingress configuration to allow for the most flexible setup
  • HTTPS load balancing must be used for SSL/TLS offloading using GCP managed certificates, global routing, health checking, …
  • TLS encryption must be guaranteed to each service backend
  • a GKE cluster (Kubernetes version 1.20 or 1.21 for this version of ASM). Check out the cluster requirements. Note: I will be using a private GKE cluster for increased security
  • e2-standard-4 GKE nodes or similar (at least 4 vCPUs)
  • one or more k8s services to expose through the mesh
  • Name the k8s services you want to expose according to this naming convention
  • knowledge of Kubernetes objects such as deployments, k8s services, ingress, configmaps and secrets, …
  • basic knowledge of Istio and its components such as pilot, ingress gateway, virtual services, …

ASM installation

Installation

./asmcli install --project_id <GCP-project> \
--cluster_name <GKE-cluster> \
--cluster_location <region> \
--output_dir <path_to_output_dir> \
--enable-all

Validation

./asmcli validate --project_id <GCP-project> \
--cluster_name <GKE-cluster> \
--cluster_location <region> \
--output_dir <path_to_output_dir>

Labels set on the cluster by the installation:
  • asmv: 1-11-2-asm-17 (version of ASM installed)
  • mesh_id: proj-xxxx

Istio configuration

$ ./istioctl version 
client version: 1.11.2-asm.17
control plane version: 1.11.2-asm.17
data plane version: none
$ ./istioctl analyze --all-namespaces
Warning [IST0103] (Pod PODNAME) The pod is missing the Istio proxy. This can often be resolved by restarting or redeploying the workload.
Info [IST0102] (Namespace NAMESPACE) The namespace is not enabled for Istio injection. Run 'kubectl label namespace NAMESPACE istio-injection=enabled' to enable it, or 'kubectl label namespace NAMESPACE istio-injection=disabled' to explicitly mark it as not needing injection.

Istio sidecar proxy injection

Enable revision-based injection on a namespace (the plain istio-injection label is removed and replaced by the revision label):

kubectl label namespace NAMESPACE istio-injection- istio.io/rev=REVISION --overwrite

For this installation REVISION is asm-1112-17, i.e. the label istio.io/rev=asm-1112-17, which matches control plane version 1.11.2-asm.17.

Existing pods only get the sidecar after they are recreated, so restart the workloads in the namespace:

kubectl rollout restart deployment -n NAMESPACE

To explicitly opt a namespace out of injection (this also silences the IST0102 info message from istioctl analyze):

kubectl label namespace NAMESPACE istio-injection=disabled

Finally, verify that every proxy is SYNCED with the control plane:

$ ./istioctl proxy-status

Exposing services

  • All public SSL/TLS certificates are GCP managed, which means no additional certificate tooling is needed
  • Each service has its own Istio ingress gateway, which gives the highest degree of flexibility we can achieve
  • Full observability with monitoring metrics coming from the GLB, the Anthos Service Mesh, the Istio building blocks, GKE and finally the workloads themselves.
  • Increased security with strict SSL/TLS profiles, Cloud Armor security policies, encryption guaranteed all the way down to the Kubernetes services

Ingress gateway

  • a deployment containing the istio-proxy
  • a service that exposes the gateway. In our setup, this will be where the GCP load balancer connects to
  • a ServiceAccount, Role and RoleBinding
  • an optional PodDisruptionBudget and a HorizontalPodAutoscaler
service.yaml

BackendConfig

NEG ingress

App Protocols
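The manifests themselves are not reproduced on this page, so the following is an added example (not the author's own service.yaml) showing how the gateway Service, the NEG annotation, the BackendConfig reference and the app-protocols annotation fit together, plus the BackendConfig it points at. The namespace myservice, the gateway name myservice-ingressgateway, the selector labels, the container port 8443 and the Cloud Armor policy name myservice-armor-policy are assumptions; the port numbers must match the gateway Deployment you actually run.

```yaml
# Added example, not from the original article. Namespace, names, labels and
# the 8443 target port are assumptions; adjust them to your gateway Deployment.
apiVersion: v1
kind: Service
metadata:
  name: myservice-ingressgateway
  namespace: myservice
  annotations:
    # Container-native load balancing: the GLB sends traffic straight to the
    # gateway pod IPs through a NEG instead of going through node ports.
    cloud.google.com/neg: '{"ingress": true}'
    # Attach the BackendConfig below to the named "https" port.
    cloud.google.com/backend-config: '{"ports": {"https": "myservice-ingressgateway-backendconfig"}}'
    # Make the GLB speak HTTP/2 over TLS to the gateway, so the hop from the
    # load balancer into the mesh is encrypted as well.
    cloud.google.com/app-protocols: '{"https": "HTTP2"}'
spec:
  type: ClusterIP
  selector:
    app: myservice-ingressgateway
    istio: ingressgateway
  ports:
  - name: https
    port: 443
    targetPort: 8443
  - name: status-port
    port: 15021
    targetPort: 15021
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: myservice-ingressgateway-backendconfig
  namespace: myservice
spec:
  # The GLB health check must target the Istio proxy readiness endpoint on the
  # status port; probing the TLS port would fail because the LB probe speaks HTTP.
  healthCheck:
    type: HTTP
    port: 15021
    requestPath: /healthz/ready
  # Cloud Armor policy applied at the edge; it has to exist in the project first.
  securityPolicy:
    name: myservice-armor-policy
  timeoutSec: 60
  connectionDraining:
    drainingTimeoutSec: 60
  logging:
    enable: true
```

Because the health check and the application port are different ports, the status port has to be exposed on the Service even though no client traffic ever uses it; without it the NEG backend is reported unhealthy and the load balancer returns 502s.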

Istio components

Gateway configuration
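As an added example (not the author's configuration), here is the Istio side of the per-service ingress gateway: a Gateway that terminates the TLS connection coming from the GCP load balancer, a VirtualService that routes to the backend, and a PeerAuthentication that enforces mTLS for the last hop from the gateway to the service sidecar. The hostname myservice.example.com, the secret name myservice-ingressgateway-cert, the backend port 8080 and all resource names are assumptions.

```yaml
# Added example, not from the original article. Hostname, secret name, backend
# port and resource names are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myservice-gateway
  namespace: myservice
spec:
  # Must match the labels of the per-service gateway Deployment/Service.
  selector:
    app: myservice-ingressgateway
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # The GLB connects with TLS (app-protocols HTTP2); the gateway presents
      # the certificate stored in a kubernetes.io/tls secret of this name,
      # which must live in the same namespace as the gateway pods.
      mode: SIMPLE
      credentialName: myservice-ingressgateway-cert
      minProtocolVersion: TLSV1_2
    hosts:
    - "myservice.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myservice
  namespace: myservice
spec:
  hosts:
  - "myservice.example.com"
  gateways:
  - myservice-gateway
  http:
  - route:
    - destination:
        host: myservice.myservice.svc.cluster.local
        port:
          number: 8080
---
# Refuse plaintext from anything that is not a mesh peer: gateway -> service
# traffic is mTLS, so "encryption down to the Kubernetes service" is enforced,
# not just hoped for. Gateway listeners are defined by the Gateway above and
# are not affected by this policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: myservice
spec:
  mtls:
    mode: STRICT
```

The external HTTPS load balancer does not validate the certificate a backend presents, so the certificate in credentialName only has to be a valid TLS certificate for the hop to be encrypted; a self-signed one is sufficient. The VirtualService host has to match the public hostname because the load balancer forwards the original Host header unchanged.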

GCP HTTPS load balancer
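As an added example (not the author's manifests), this is the GKE Ingress side that creates the global HTTPS load balancer with a Google-managed certificate, a restricted SSL policy and an HTTP-to-HTTPS redirect, with the Istio gateway Service as its backend. The hostname myservice.example.com, the reserved global address name myservice-ip, the SSL policy name restricted-tls12 and the resource names are assumptions.

```yaml
# Added example, not from the original article. Hostname, static IP name,
# SSL policy name and resource names are assumptions.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: myservice-cert
  namespace: myservice
spec:
  domains:
  - myservice.example.com
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: myservice-frontendconfig
  namespace: myservice
spec:
  # Pre-created with gcloud compute ssl-policies create, e.g. profile
  # RESTRICTED with minimum TLS 1.2, so weak ciphers are rejected at the edge.
  sslPolicy: restricted-tls12
  # Serve only HTTPS: plain HTTP requests get a 301 to the HTTPS URL.
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myservice-ingress
  namespace: myservice
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Reserved global address; the DNS A record for the hostname must point
    # here before the ManagedCertificate can become Active.
    kubernetes.io/ingress.global-static-ip-name: "myservice-ip"
    networking.gke.io/managed-certificates: "myservice-cert"
    networking.gke.io/v1beta1.FrontendConfig: "myservice-frontendconfig"
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            # The Istio gateway Service: its "https" port carries the NEG,
            # BackendConfig and app-protocols annotations.
            name: myservice-ingressgateway
            port:
              number: 443
```

Provisioning the managed certificate takes a while and it only succeeds once DNS resolves to the reserved address; until then the load balancer serves a placeholder certificate, so check the ManagedCertificate status with kubectl describe before assuming the endpoint is broken. With the BackendConfig health check on port 15021 in place, the load balancer marks the gateway pods healthy through the NEG, and because every service gets its own gateway Service, each service can carry its own Ingress, certificate, SSL policy and Cloud Armor policy.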

Conclusion

Alex De Smet

Senior Cloud Devops Engineer @vbridgebv. Former college teacher.