istio: TCP Gateway/Virtual Service Not Working

I have a test pod in the “coolio” namespace

The pod is loaded with a netshoot image, and runs bash

I manually enter the following iperf service command to open up a TCP listener on port 9999

I can run another pod in my cluster and connect to the iperf service

iperf-svc is a ClusterIP service

In order to allow an iperf client from outside the cluster to connect, I am using an istio virtual service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: iperf-svc
spec:
  hosts:
  - "*"
  gateways:
  - iperf-gateway
  tcp:
  - match:
    - port: 9999
    route:
    - destination:
        host: iperf-svc.coolio.svc.cluster.local
        port:
           number: 9999

and an istio gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: iperf-gateway
spec:
  selector:
    run: netshoot-s
  servers:
  - port:
      number: 9999
      name: iperf-svc
      protocol: TCP
    hosts:
    - "*"

However I can’t seem to connect to the service from outside the cluster

I think I have properly configured the virtualservice and the gateway.

Note I have used the selector run=netshoot-s

because this is alabel on the service pod

I may have something wrong in my virtual service or gateway, yet the configurations seem consistent with the istio documentation.

Please help

About this issue

Original URL
State: closed
Created 4 years ago
Comments: 19 (6 by maintainers)

Most upvoted comments

I solved this: modeled after tcp-echo, and dug till i figured out how to modify the istio operator’s ingress gateway controller to recognize the additional port.

[dsargrad@ghana netshoot]$ cat iperf-gw-vs-dr.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: netshoot-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
#      number: 31400
      number: 9999
      name: tcp
      protocol: TCP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: netshoot-destination
spec:
  host: netshoot
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: netshoot
spec:
  hosts:
  - "*"
  gateways:
  - netshoot-gateway
  tcp:
  - match:
#    - port: 31400
    - port: 9999
    route:
    - destination:
        host: netshoot
        port:
          number: 9000
        subset: v1

[dsargrad@ghana netshoot]$ cat iperf-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: netshoot
  labels:
    app: netshoot
spec:
  ports:
  - name: tcp
    port: 9000
  # Port 9002 is omitted intentionally for testing the pass through filter chain.
  selector:
    app: netshoot

[dsargrad@ghana netshoot]$ cat iperf-netshoot-dep.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
        name: netshoot
#        labels:
#           app: i-am-netshoot
#           app: tcp-echo
spec:
        replicas: 1
        selector:
           matchLabels:
#              app: i-am-netshoot
              app: netshoot
              version: v1
        template:
           metadata:
              labels:
                 app: netshoot
                 version: v1
           spec:
                containers:
                -       image: nicolaka/netshoot
                        name: netshoot
                        ports:
                        -       containerPort: 9000

In addition to this, I reinstalled the istio, with an updated profile, and integration controller

istioctl manifest apply --set installPackagePath=PWD/operator/charts --set profile=PWD/operator/profiles/netshoot.yaml

netshoot.yaml was seeded from demo.yaml, and the following was added:

Also the ingress chart was modified as follows:

davesargrad on Apr 28, 2020

😦 This is still not working; discouraging. I’m crawling through the istio documentation to see if there is any clue.

davesargrad on Apr 27, 2020