---
title: Istio Egress Gateway in Practice: Controlling Access to External Services with TLS Passthrough
keywords: Egress Gateway, ServiceEntry, VirtualService, PASSTHROUGH, TLS origination
description: Use an Istio Egress Gateway to govern access to external services; configure a ServiceEntry, a Gateway and a two-stage VirtualService pair to achieve TLS passthrough and controlled outbound traffic.
categories:
- Articles & News
- Technical Tutorials
---
ServiceEntry that registers the external host (this is the allow-list entry for the mesh):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
  - api.example.com
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
```
Egress Gateway definition (TLS is passed through unchanged, so the application's own TLS session terminates at the external host, not at the gateway):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: PASSTHROUGH
    hosts:
    - api.example.com
```
VirtualService (first stage: steer sidecar traffic for the host from the mesh to the Egress Gateway):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: to-egress-gw
spec:
  hosts:
  - api.example.com
  gateways:
  - mesh
  tls:
  - match:
    - sniHosts:
      - api.example.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
```
VirtualService (second stage: on the Egress Gateway, forward the matched SNI to the external host):

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: egress-gw-forward
  namespace: istio-system
spec:
  hosts:
  - api.example.com
  gateways:
  - istio-egressgateway
  tls:
  - match:
    - sniHosts:
      - api.example.com
      port: 443
    route:
    - destination:
        host: api.example.com
        port:
          number: 443
```
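The four manifests above only give controlled egress if they agree with each other: every SNI that the mesh-side VirtualService captures must be registered in the ServiceEntry, the Gateway must actually pass TLS through rather than terminate it, and the gateway-side VirtualService must forward only to registered hosts and ports. The following lint is an added example (not code from the original post or from Istio) that holds constructed copies of the post's manifests as Python dicts and checks those relationships; the `default` namespace for the ServiceEntry and the mesh-side VirtualService is an assumption, as is the simplification that the gateway-side VirtualService references the Gateway by bare name in the same namespace.

```python
"""Consistency lint for the Istio egress-gateway TLS passthrough chain.

Added example, not code from the original post. It mirrors the post's four
manifests as Python dicts and checks that they form one closed path:
mesh -> egress gateway -> external host.
"""

EGRESS_SVC = "istio-egressgateway.istio-system.svc.cluster.local"

# Constructed copies of the post's manifests; namespace "default" is assumed.
SERVICE_ENTRY = {
    "kind": "ServiceEntry",
    "metadata": {"name": "external-api", "namespace": "default"},
    "spec": {
        "hosts": ["api.example.com"],
        "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
        "resolution": "DNS",
        "location": "MESH_EXTERNAL",
    },
}
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "istio-egressgateway", "namespace": "istio-system"},
    "spec": {
        "selector": {"istio": "egressgateway"},
        "servers": [{
            "port": {"number": 443, "name": "tls", "protocol": "TLS"},
            "tls": {"mode": "PASSTHROUGH"},
            "hosts": ["api.example.com"],
        }],
    },
}
VS_MESH = {
    "kind": "VirtualService",
    "metadata": {"name": "to-egress-gw", "namespace": "default"},
    "spec": {
        "hosts": ["api.example.com"],
        "gateways": ["mesh"],
        "tls": [{
            "match": [{"sniHosts": ["api.example.com"]}],
            "route": [{"destination": {"host": EGRESS_SVC, "port": {"number": 443}}}],
        }],
    },
}
VS_GATEWAY = {
    "kind": "VirtualService",
    "metadata": {"name": "egress-gw-forward", "namespace": "istio-system"},
    "spec": {
        "hosts": ["api.example.com"],
        "gateways": ["istio-egressgateway"],
        "tls": [{
            "match": [{"sniHosts": ["api.example.com"], "port": 443}],
            "route": [{"destination": {"host": "api.example.com", "port": {"number": 443}}}],
        }],
    },
}


def lint(se, gw, vs_mesh, vs_gw, egress_svc=EGRESS_SVC):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    ext_hosts = set(se["spec"]["hosts"])
    ext_ports = {p["number"] for p in se["spec"]["ports"]}

    # 1. The ServiceEntry is the egress allow-list: it must be external and explicit.
    if se["spec"].get("location") != "MESH_EXTERNAL":
        findings.append("ServiceEntry: location should be MESH_EXTERNAL")
    for h in ext_hosts:
        if h.startswith("*"):
            findings.append(f"ServiceEntry: wildcard host {h} widens the allow-list")

    # 2. Gateway: TLS servers pass SNI through untouched and only for registered hosts.
    gw_name, gw_ns = gw["metadata"]["name"], gw["metadata"]["namespace"]
    gw_ports = set()
    for srv in gw["spec"]["servers"]:
        gw_ports.add(srv["port"]["number"])
        if srv["port"]["protocol"] == "TLS" and srv.get("tls", {}).get("mode") != "PASSTHROUGH":
            findings.append(f"Gateway {gw_name}: TLS server {srv['port']['number']} is not PASSTHROUGH")
        for h in set(srv["hosts"]) - ext_hosts:
            findings.append(f"Gateway {gw_name}: host {h} has no ServiceEntry")

    # 3. Mesh-side VirtualService: capture sidecar traffic and hand it to the gateway.
    if "mesh" not in vs_mesh["spec"]["gateways"]:
        findings.append("mesh VirtualService: must bind to gateway 'mesh'")
    for rule in vs_mesh["spec"]["tls"]:
        for m in rule["match"]:
            for h in set(m["sniHosts"]) - ext_hosts:
                findings.append(f"mesh VirtualService: SNI {h} has no ServiceEntry")
        for r in rule["route"]:
            dst = r["destination"]
            if dst["host"] != egress_svc:
                findings.append(f"mesh VirtualService: routes to {dst['host']}, not the egress gateway")
            if dst["port"]["number"] not in gw_ports:
                findings.append("mesh VirtualService: destination port is not a Gateway server port")

    # 4. Gateway-side VirtualService (assumed same namespace as the Gateway, bare-name
    #    gateway reference): forward only registered SNI to registered host:port pairs.
    if vs_gw["metadata"]["namespace"] != gw_ns or gw_name not in vs_gw["spec"]["gateways"]:
        findings.append("gateway VirtualService: must live in the Gateway's namespace and bind to it")
    for rule in vs_gw["spec"]["tls"]:
        for m in rule["match"]:
            for h in set(m["sniHosts"]) - ext_hosts:
                findings.append(f"gateway VirtualService: SNI {h} has no ServiceEntry")
            if "port" in m and m["port"] not in gw_ports:
                findings.append("gateway VirtualService: match port is not a Gateway server port")
        for r in rule["route"]:
            dst = r["destination"]
            if dst["host"] not in ext_hosts or dst["port"]["number"] not in ext_ports:
                findings.append(f"gateway VirtualService: destination {dst['host']} is not in the ServiceEntry")
    return findings


if __name__ == "__main__":
    for line in lint(SERVICE_ENTRY, GATEWAY, VS_MESH, VS_GATEWAY) or ["chain is consistent"]:
        print(line)
```

Running the lint on the post's manifests yields no findings; changing the Gateway's `tls.mode` to `SIMPLE` or widening the ServiceEntry to `*.example.com` produces one. Note that the chain only restricts traffic when sidecars cannot bypass it: with Istio's default `outboundTrafficPolicy.mode: ALLOW_ANY`, unregistered hosts are still reachable directly from the sidecar, so an allow-list built this way is normally paired with `REGISTRY_ONLY` in the mesh config.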