Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 1. About gateways

Manage ingress and egress traffic at the mesh edge by using gateway injection or the Kubernetes Gateway API to deploy standalone Envoy proxies across sidecar and ambient architectures.

1.1. Understanding gateways
링크 복사

A gateway is a standalone Envoy proxy deployment and an associated Kubernetes service operating at the edge of a service mesh. You can configure a gateway to give fine-grained control over the traffic that enters or leaves the mesh.

In Red Hat OpenShift Service Mesh, you can install gateways by using gateway injection or by using the Gateway API. Red Hat OpenShift Service Mesh supports different gateway configurations based on the deployment mode. You can deploy gateways by using gateway injection and configure them with Istio Gateway and VirtualService resources in sidecar mode or with Kubernetes Gateway API resources in both sidecar and ambient modes.

1.2. About gateway injection
링크 복사

You can install a gateway by applying labels and annotations to Kubernetes Deployment and Service resources, triggering the Istio control plane to inject and configure the gateway proxy.

Gateway injection relies upon the same mechanism as sidecar injection to inject the Envoy proxy into gateway pods. To install a gateway by using gateway injection, you create a Kubernetes Deployment object and an associated Kubernetes Service object in a namespace that is visible to the Istio control plane. When creating the Deployment object, you apply labels and annotations so the Istio control plane injects and configures a proxy to act as a gateway. After installing the gateway, you configure it to control ingress and egress traffic by using the Istio Gateway and VirtualService resources.

1.2.1. Installing a gateway by using gateway injection
링크 복사

Install a gateway by using gateway injection to deploy and configure an Envoy proxy for managing traffic at the edge of the mesh.

Note

You can use this procedure to create ingress or egress gateways.

Prerequisites

  • You have installed the OpenShift Service Mesh Operator version 3.0 or later.
  • You have created an Istio control plane.
  • You have created an IstioCNI resource.

Procedure

  1. Create a namespace that you will use to install the gateway. 

    $ oc create namespace <gateway_namespace>
    Note

    Install the gateway and the Istio control plane in different namespaces.

    You can install the gateway in a dedicated gateway namespace. This approach allows many applications in different namespaces to share the same gateway. Or, you can install the gateway in an application namespace. In this approach, the gateway acts as a dedicated gateway for the application in that namespace.

  2. Create a YAML file named secret-reader.yml that defines the service account, role, and role binding for the gateway deployment, similar to the following example: 

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-reader
  namespace: <gateway_namespace>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: <gateway_namespace>
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name:  secret-reader
  namespace: <gateway_namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
  - kind: ServiceAccount
    name:  secret-reader

    These settings enable the gateway to read secrets so that it can obtain TLS credentials.

  3. Apply the YAML file by running the following command: 

    $ oc apply -f secret-reader.yml

  4. Create a YAML file named gateway-deployment.yml that defines the Kubernetes Deployment object for the gateway, similar to the following example: 

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: <gateway_name>
  namespace: <gateway_namespace>
spec:
  selector:
    matchLabels:
      istio: <gateway_name>
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway
      labels:
        istio: <gateway_name>
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: istio-proxy
          image: auto
          securityContext:
            capabilities:
              drop:
              - ALL
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          ports:
          - containerPort: 15090
            protocol: TCP
            name: http-envoy-prom
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
      securityContext:
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      serviceAccountName: secret-reader
    • spec.template.annotations.inject.istio.io/templates indicates that the Istio control plane uses the gateway injection template instead of the default sidecar template.
    • spec.template.labels.istio ensures that you set a unique label for the gateway deployment. Istio Gateway resources require a unique label to select gateway workloads.
    • spec.template.labels.sidecar.istio.io/inject enables gateway injection by setting this label to true. If the name of the Istio resource is not default you must use the istio.io/rev: <istio_revision> label instead, where the revision represents the active revision of the Istio resource.
    • spec.template.spec.containers.image sets the image field to auto so that the image automatically updates each time the pod starts.
    • spec.template.spec.serviceAccountName sets the serviceAccountName to the name of the ServiceAccount created previously.

  5. Apply the YAML file by running the following command: 

    $ oc apply -f gateway-deployment.yml

  6. Verify that the gateway Deployment rollout was successful by running the following command: 

    $ oc rollout status deployment/<gateway_name> -n <gateway_namespace>

    You should see output similar to the following example: 

    Waiting for deployment "<gateway_name>" rollout to finish: 0 of 1 updated replicas are available...
deployment "<gateway_name>" successfully rolled out

  7. Create a YAML file named gateway-service.yml that has the Kubernetes Service object for the gateway. 

    apiVersion: v1
kind: Service
metadata:
  name: <gateway_name>
  namespace: <gateway_namespace>
spec:
  type: ClusterIP
    1 
    
  selector:
    istio: <gateway_name>
    2 
    
  ports:
    - name: status-port
      port: 15021
      protocol: TCP
      targetPort: 15021
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    • spec.type sets the type of the gateway Service object. Setting spec.type to ClusterIP restricts gateway Service access to the internal cluster network. If the gateway has to handle ingress traffic from outside the cluster, set spec.type to LoadBalancer. Or, you can use OpenShift Routes.
    • spec.selector sets the selector to the unique label or set of labels specified in the pod template of the gateway deployment that you created previously.

  8. Apply the YAML file by running the following command: 

    $ oc apply -f gateway-service.yml

  9. Verify that the gateway service is targeting the endpoint of the gateway pods by running the following command: 

    $ oc get endpoints <gateway_name> -n <gateway_namespace>

    You should see output similar to the following example:

    Example output: 

    NAME              ENDPOINTS                             AGE
<gateway_name>    10.131.0.181:8080,10.131.0.181:8443   1m

  10. Optional: Create a YAML file named gateway-hpa.yml that defines a horizontal pod autoscaler for the gateway. The following example sets the minimum replicas to 2 and the maximum replicas to 5 and scales the replicas up when average CPU usage exceeds 80% of the CPU resource limit. The gateway deployment’s pod template specifies this limit. 

    apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: <gateway_name>
  namespace: <gateway_namespace>
spec:
  minReplicas: 2
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 80
        type: Utilization
    type: Resource
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: <gateway_name>
    • spec.scaleTargetRef.name specifies the name of the gateway deployment created previously.

  11. Optional: Apply the YAML file by running the following command: 

    $ oc apply -f gateway-hpa.yml

  12. Optional: Create a YAML file named gateway-pdb.yml that defines a pod disruption budget for the gateway. The following example allows gateway pods eviction only when at least 1 healthy gateway pod will remain on the cluster after the eviction: 

    apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: <gateway_name>
  namespace: <gateway_namespace>
spec:
  minAvailable: 1
  selector:
    matchLabels:
      istio: <gateway_name>
    • spec.selector.matchLabels specifies the unique label or set of labels specified in the pod template of the gateway deployment created previously.

  13. Optional: Apply the YAML file by running the following command: 

    $ oc apply -f gateway-pdb.yml
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

Legal Notice

Theme

© 2026 Red Hat맨 위로 이동