
Internal LoadBalancer installed by Cloud Service Mesh?

Hi.

I have a private autopilot cluster deployed in my fleet. I am trying to configure Knative serving but am really confused about deploying an internal load balancer.

All the traffic to my workloads will come from the same network so I want to keep everything in the GKE cluster private.

My cluster was born "in the fleet". So from https://cloud.google.com/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#com...

Components installed by Cloud Service Mesh running in the istio-system namespace

> Istio Ingress Gateway: Load balancer in the data plane that is responsible for receiving and handling incoming traffic from outside the cluster, including traffic from either external or internal networks.

I don't seem to have this gateway.

This page tells me I need to create a proxy-only subnet for an internal gateway.

The Set up Knative serving instructions for a private, internal network says to:

> Enable the internal load balancer feature in Cloud Service Mesh. The internal load balancer is an optional feature that you can configure during the installation of Cloud Service Mesh.

I don't know where that optional feature can be configured. I have installed Knative in the cluster.

A few pages lead to the anthos-service-mesh-packages GitHub project, which has a couple of internal LB implementations - this IstioOperator and a gateway sample.

There are also these instructions.

I'm at a loss - what do I deploy for internal load balancing of my fleet-enabled private autopilot cluster that is going to use Knative serving?

Fleet desc:


fleetDefaultMemberConfig:
  mesh:
    management: MANAGEMENT_AUTOMATIC
membershipSpecs:
  projects/<...>/locations/us-central1/memberships/my-knative-cluster:
    mesh:
      management: MANAGEMENT_AUTOMATIC
    origin:
      type: FLEET
membershipStates:
  projects/<...>/locations/us-central1/memberships/my-knative-cluster:
    servicemesh:
      conditions:
      - code: VPCSC_GA_SUPPORTED
        details: This control plane supports VPC-SC GA.
        documentationLink: http://cloud.google.com/service-mesh/docs/managed/vpc-sc
        severity: INFO
      controlPlaneManagement:
        details:
        - code: REVISION_READY
          details: 'Ready: asm-managed'
        implementation: ISTIOD
        state: ACTIVE
      dataPlaneManagement:
        details:
        - code: OK
          details: Service is running.
        state: ACTIVE
    state:
      code: OK
      description: |-
        Revision ready for use: asm-managed.
        All Canonical Services have been reconciled successfully.


Cluster desc (unrelated lines removed):


addonsConfig:
  dnsCacheConfig:
    enabled: true
  gcePersistentDiskCsiDriverConfig:
    enabled: true
  gcpFilestoreCsiDriverConfig:
    enabled: true
  gcsFuseCsiDriverConfig:
    enabled: true
  gkeBackupAgentConfig: {}
  horizontalPodAutoscaling: {}
  httpLoadBalancing: {}
  kubernetesDashboard:
    disabled: true
  networkPolicyConfig:
    disabled: true
  statefulHaConfig:
    enabled: true
autopilot:
  enabled: true
currentMasterVersion: 1.30.3-gke.1639000
currentNodeCount: 4
currentNodeVersion: 1.30.3-gke.1639000
databaseEncryption:
  currentState: CURRENT_STATE_ENCRYPTED
  keyName: projects/darren-dev-17e3/locations/us-central1/keyRings/gke-keyring/cryptoKeys/gke-key-my-knative-cluster
  state: ENCRYPTED
enterpriseConfig:
  clusterTier: ENTERPRISE
fleet:
  membership: //gkehub.googleapis.com/projects/darren-dev-17e3/locations/us-central1/memberships/my-knative-cluster
  project: darren-dev-17e3
initialClusterVersion: 1.30.3-gke.1639000
name: my-knative-cluster
network: safer-cluster-network
networkConfig:
  datapathProvider: ADVANCED_DATAPATH
  defaultSnatStatus:
    disabled: true
  dnsConfig:
    clusterDns: CLOUD_DNS
    clusterDnsDomain: cluster.local
    clusterDnsScope: CLUSTER_SCOPE
  enableIntraNodeVisibility: true
  gatewayApiConfig:
    channel: CHANNEL_STANDARD
  network: projects/darren-dev-17e3/global/networks/safer-cluster-network
  serviceExternalIpsConfig: {}
  subnetwork: projects/darren-dev-17e3/regions/us-central1/subnetworks/safer-cluster-subnet
...
privateClusterConfig:
  enablePrivateEndpoint: true
  enablePrivateNodes: true
  privateEndpoint: 10.10.10.3
releaseChannel:
  channel: REGULAR
securityPostureConfig:
  mode: DISABLED
  vulnerabilityMode: VULNERABILITY_ENTERPRISE
verticalPodAutoscaling:
  enabled: true
workloadIdentityConfig:
  workloadPool: darren-dev-17e3.svc.id.goog
zone: us-central1

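As an added example (not part of the original post, and not the Cloud Service Mesh project's own files): a minimal Istio ingress gateway for a managed Cloud Service Mesh cluster whose Service is exposed through an internal passthrough Network Load Balancer rather than an external one. It follows the shape of the istio-ingressgateway gateway sample in the anthos-service-mesh-packages repository that the post links to, but the namespace name `istio-ingress`, the service account name and the port numbers are assumptions; the revision label value `asm-managed` is taken from the `REVISION_READY` line in the fleet description above. The `networking.gke.io/load-balancer-type: "Internal"` annotation is what makes GKE provision an internal load balancer for a `type: LoadBalancer` Service. It creates a passthrough load balancer, so no proxy-only subnet is needed; proxy-only subnets are required by the regional internal Application Load Balancer used by the Gateway API / Ingress, which is a different data path from an Istio ingress gateway Service.

```yaml
# Added example: an internal-only Istio ingress gateway for managed Cloud
# Service Mesh. Assumed names: namespace "istio-ingress", service account
# "istio-ingressgateway", ports 80/443. The revision label "asm-managed"
# matches the control plane revision shown in the fleet status above.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-ingress
  labels:
    # Managed control-plane revision that will inject the gateway proxy.
    istio.io/rev: asm-managed
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
---
# Least privilege: the gateway only needs to read TLS secrets in its own
# namespace (for SDS-served certificates); no cluster-wide binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-ingress
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
  name: istio-ingressgateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingressgateway
      app: istio-ingressgateway
  template:
    metadata:
      annotations:
        # Ask the injector for the gateway template instead of a sidecar.
        inject.istio.io/templates: gateway
      labels:
        istio: ingressgateway
        app: istio-ingressgateway
    spec:
      serviceAccountName: istio-ingressgateway
      containers:
      - name: istio-proxy
        image: auto   # the injector replaces this with the proxy image
---
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
  annotations:
    # Internal passthrough Network Load Balancer: reachable only from the
    # VPC (and peered/VPN networks), no public IP, no proxy-only subnet.
    networking.gke.io/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
    app: istio-ingressgateway
  ports:
  - name: http2
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8443
```

After `kubectl apply -f` on the file, `kubectl get svc -n istio-ingress istio-ingressgateway` should show an EXTERNAL-IP from a private (RFC 1918) range in the cluster's VPC; a public address there means the annotation was not honoured and the gateway is exposed to the internet. One caveat, stated as an assumption based on upstream Knative net-istio rather than on the page: Knative Serving looks up its ingress gateway through the `config-istio` ConfigMap in the `knative-serving` namespace, whose default points at `istio-ingressgateway.istio-system.svc.cluster.local`, so a gateway deployed under a different namespace or name needs that ConfigMap updated to match; verify against the cluster's own ConfigMap before relying on it.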