Istio - What is the reason for all these ports being open on the LoadBalancer?

Problem description

I'm looking at my ELB created by Istio, and I see all these open ports:

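  • 80 (TCP) forwarding to 31380 (TCP)
  • 443 (TCP) forwarding to 31390 (TCP)
  • 853 (TCP) forwarding to 31107 (TCP)
  • 8060 (TCP) forwarding to 32130 (TCP)
  • 15011 (TCP) forwarding to 31942 (TCP)
  • 15030 (TCP) forwarding to 31438 (TCP)
  • 15031 (TCP) forwarding to 30695 (TCP)
  • 31400 (TCP) forwarding to 31400 (TCP)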

All these ports are exposed to the Internet. Besides the first two, what is the purpose of all the other exposed ports? Is there any way (via Istio configuration) to control what is exposed?

Recommended answer

You can see the ports spec here: https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/values-istio-gateways.yaml#L65

    ports:
      ## You can add custom gateway ports
    - port: 80
      targetPort: 80
      name: http2
      # nodePort: 31380
    - port: 443
      name: https
      # nodePort: 31390
    - port: 31400
      name: tcp
      # nodePort: 31400
    # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
    # to pilot/citadel if global.meshExpansion settings are enabled.
    - port: 15011
      targetPort: 15011
      name: tcp-pilot-grpc-tls
    - port: 8060
      targetPort: 8060
      name: tcp-citadel-grpc-tls
    # Addon ports for kiali are enabled in gateway - but will only redirect if
    # the gateway configuration for the various components are enabled.
    - port: 15029
      targetPort: 15029
    # Telemetry-related ports are enabled in gateway - but will only redirect if
    # the gateway configuration for the various components are enabled.
    - port: 15030
      targetPort: 15030
      name: http2-prometheus
    - port: 15031
      targetPort: 15031
      name: http2-grafana
    - port: 15032
      targetPort: 15032
      name: http2-tracing

These ports expose various components of Istio outside the cluster, for example for connecting VMs or other clusters with Istio, or for exposing Istio dashboard outside the cluster.

You can control this exposure via the helm installation options https://preliminary.istio.io/docs/reference/config/installation-options/#gateways-options: all the options named gateways.istio-ingressgateway.ports.

For example, to limit the exposed ports to 80 and 443 only, run:

    helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      -x charts/gateways/templates/service.yaml \
      --set 'gateways.istio-ingressgateway.ports[0].port=80' \
      --set 'gateways.istio-ingressgateway.ports[0].name=http2' \
      --set 'gateways.istio-ingressgateway.ports[0].targetPort=80' \
      --set 'gateways.istio-ingressgateway.ports[1].port=443' \
      --set 'gateways.istio-ingressgateway.ports[1].name=https' \
      > "$HOME/istio.yaml"

Inspect the generated $HOME/istio.yaml and verify that only the ports 80 and 443 are exposed for istio-ingressgateway service.
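
The inspection step above can be automated; the following is an added example, not part of the original answer. It reads a rendered manifest on stdin, extracts the port values of the istio-ingressgateway Service and reports any that fall outside an allowlist. The function names, the sample manifest and the allowlist are assumptions made for the illustration.

```shell
# Print the "port:" values of the Service named $1 from the multi-document
# YAML on stdin. Assumes block-style YAML as helm template emits it.
service_ports() {
  awk -v want="$1" '
    function flush() {
      if (kind == "Service" && name == want) printf "%s", ports
      kind = ""; name = ""; ports = ""; in_meta = 0
    }
    /^---/                 { flush(); next }
    /^kind:/               { kind = $2 }
    /^metadata:/           { in_meta = 1; next }
    /^[^ #]/               { in_meta = 0 }
    in_meta && /^  name:/  { name = $2 }
    /^ *-? *port: *[0-9]+/ { sub(/^ *-? *port: */, ""); n = $0 + 0; ports = ports n "\n" }
    END                    { flush() }
  '
}

# Print exposed ports that are not in the allowlist $2 (space-separated).
# Returns 0 if none, 1 if some, 2 if the Service is not in the input.
unexpected_ports() {
  found=$(service_ports "$1")
  [ -n "$found" ] || return 2
  extra=""
  for p in $found; do
    case " $2 " in
      *" $p "*) ;;
      *) extra="$extra $p" ;;
    esac
  done
  echo "${extra# }"
  [ -z "$extra" ]
}

# Constructed sample (abridged), not output from a real cluster or chart.
SAMPLE='kind: Service
metadata:
  name: istio-ingressgateway
spec:
  ports:
  - port: 80
    name: http2
  - port: 443
    name: https
  - port: 15011
    name: tcp-pilot-grpc-tls
  - port: 15031
    name: http2-grafana'
printf '%s\n' "$SAMPLE" | unexpected_ports istio-ingressgateway "80 443" ||
  echo "ports outside the allowlist are exposed" >&2
```

To run it against the generated file: `unexpected_ports istio-ingressgateway "80 443" < "$HOME/istio.yaml"`.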

09-02 22:40