Overview

The ingress gateway centralizes handling of external traffic and TLS termination, and routes requests to different services by matching SNI and multiple hosts. Managing certificates and policy in one place improves both security and operability.

Key practices and parameters

- Gateway hosts and ports: declare each server per domain name and enable TLS on it
- Credential mounting: `credentialName` references the K8s Secret that holds the certificate
- Routing policy: dispatch by `hosts` and by `match` path rules
- Observability: collect access logs and metrics at the gateway

Example / Configuration / Implementation

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingress-gw
spec:
  selector:
    istio: ingressgateway      # binds to the default ingress gateway workload
  servers:
  - port: { number: 443, name: https, protocol: HTTPS }
    hosts: ["example.com", "api.example.com"]   # exact hosts, no wildcards
    tls:
      mode: SIMPLE             # gateway terminates TLS
      # The Secret must live in the namespace of the gateway workload
      # (istio-system for the default ingress gateway), not the app namespace.
      credentialName: ingress-cert
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-web
spec:
  hosts: ["example.com"]
  gateways: ["ingress-gw"]     # same namespace as the Gateway, or use <ns>/ingress-gw
  http:
  - match: [{ uri: { prefix: "/" } }]
    route:
    # destination host is a Service FQDN, i.e. <service>.<namespace>.svc.cluster.local
    - destination: { host: web.svc.cluster.local, port: { number: 80 } }
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-api
spec:
  hosts: ["api.example.com"]
  gateways: ["ingress-gw"]
  http:
  - match: [{ uri: { prefix: "/v1" } }]
    route:
    - destination: { host: api.svc.cluster.local, port: { number: 80 } }
```
Verification

- SNI and certificate: access the gateway by domain name; the presented certificate chain must validate and match the hostname
- Routing correctness: use `curl --resolve` to pin each domain to the gateway address and confirm the response comes from the corresponding service
- Observability data: inspect request counts and the status-code distribution at the gateway
- Policy changes: after modifying routes or certificates, confirm the observed behaviour matches expectations

Notes

- Rotate certificates regularly and restrict who can read or modify the certificate Secret
- Host lists must match exactly; avoid wildcards, which widen what the gateway accepts
- Coordinate with WAF and CDN policies so that headers and TLS settings stay consistent end to end
- Plan gateway replicas and resources according to traffic capacity
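The following is an added example (it is not from the original post and not Istio's own code) that reproduces the routing and verification logic above offline. The page's Gateway and two VirtualServices are constructed inline as Python dicts so no cluster or YAML library is needed; `lint` flags the configuration mistakes the Notes warn about (missing `credentialName`, wildcard hosts, a VirtualService host the gateway does not serve), and `route` simulates the `curl --resolve` check by mapping an SNI/Host plus path to the destination service. Wildcard matching and the finding messages are this example's own simplification of Istio's behaviour, not an Istio API.

```python
"""Offline lint and route simulation for the Istio Gateway/VirtualService manifests above.

Added example, not part of the original post. The manifests are constructed
inline as dicts mirroring the page's YAML so the script runs without a cluster.
"""

# Constructed input: the page's Gateway as a dict.
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "ingress-gw"},
    "spec": {
        "selector": {"istio": "ingressgateway"},
        "servers": [{
            "port": {"number": 443, "name": "https", "protocol": "HTTPS"},
            "hosts": ["example.com", "api.example.com"],
            "tls": {"mode": "SIMPLE", "credentialName": "ingress-cert"},
        }],
    },
}

# Constructed input: the page's two VirtualServices as dicts.
VIRTUAL_SERVICES = [
    {
        "kind": "VirtualService",
        "metadata": {"name": "vs-web"},
        "spec": {
            "hosts": ["example.com"],
            "gateways": ["ingress-gw"],
            "http": [{
                "match": [{"uri": {"prefix": "/"}}],
                "route": [{"destination": {"host": "web.svc.cluster.local", "port": {"number": 80}}}],
            }],
        },
    },
    {
        "kind": "VirtualService",
        "metadata": {"name": "vs-api"},
        "spec": {
            "hosts": ["api.example.com"],
            "gateways": ["ingress-gw"],
            "http": [{
                "match": [{"uri": {"prefix": "/v1"}}],
                "route": [{"destination": {"host": "api.svc.cluster.local", "port": {"number": 80}}}],
            }],
        },
    },
]


def host_matches(pattern: str, hostname: str) -> bool:
    """Simplified host matching: exact match, or a leading '*.' that matches
    any hostname ending in the suffix but never the bare apex domain."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return hostname != pattern[2:] and hostname.endswith(pattern[1:])
    return pattern == hostname


def lint(gateway: dict, vservices: list) -> list:
    """Return a list of findings for the configuration; an empty list means clean."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    gw_hosts = []
    for srv in gateway["spec"]["servers"]:
        tls = srv.get("tls", {})
        port = srv["port"]
        # Terminating TLS needs a certificate: a Secret reference or a file path.
        if port["protocol"] == "HTTPS" and tls.get("mode") in ("SIMPLE", "MUTUAL") \
                and not (tls.get("credentialName") or tls.get("serverCertificate")):
            findings.append(f"{gw_name}: HTTPS server on port {port['number']} has no credentialName")
        for h in srv["hosts"]:
            if "*" in h:
                findings.append(f"{gw_name}: wildcard host {h!r} widens what the gateway accepts")
            gw_hosts.append(h)
    for vs in vservices:
        vs_name = vs["metadata"]["name"]
        for g in vs["spec"].get("gateways", []):
            if g != gw_name:
                findings.append(f"{vs_name}: references unknown gateway {g!r}")
        for h in vs["spec"]["hosts"]:
            # A VirtualService host no server declares will never receive traffic.
            if not any(host_matches(p, h) for p in gw_hosts):
                findings.append(f"{vs_name}: host {h!r} is not served by gateway {gw_name}")
    return findings


def route(vservices: list, sni_host: str, path: str):
    """Simulate the gateway's choice for a request with SNI/Host `sni_host` and
    URI `path`: the destination host of the first matching rule, else None."""
    for vs in vservices:
        if not any(host_matches(h, sni_host) for h in vs["spec"]["hosts"]):
            continue
        for rule in vs["spec"].get("http", []):
            matchers = rule.get("match", [])
            # A rule without `match` applies to every request for the host.
            if not matchers or any(path.startswith(m.get("uri", {}).get("prefix", "")) for m in matchers):
                return rule["route"][0]["destination"]["host"]
    return None


if __name__ == "__main__":
    for finding in lint(GATEWAY, VIRTUAL_SERVICES) or ["no findings"]:
        print(finding)
    for host, path in [("example.com", "/"), ("api.example.com", "/v1/users"), ("api.example.com", "/v2")]:
        print(f"{host}{path} -> {route(VIRTUAL_SERVICES, host, path)}")
```

Running the script against the page's manifests yields no findings, and the three simulated requests land on the web service, the API service, and nowhere (no rule for `/v2` on `api.example.com`), which is exactly the set of outcomes the `curl --resolve` checks should confirm against the live gateway.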
