CloudBox is a fully managed cloud service. It integrates the hardware and software of Alibaba Cloud, such as computing, storage, and network resources, into your on-premises data center to meet specific business requirements, including data security, on-premises data processing, and low latency. You can create a CloudBox node pool in an ACK cluster and schedule application pods to CloudBox nodes to use CloudBox resources. After adding the ACK cluster to ASM, ASM will manage both public cloud and CloudBox node pools, providing rich, unified routing, security, and observability capabilities for traffic between applications. This topic describes how to use ASM to manage an ACK cluster with a CloudBox node pool.
Prerequisites
An ACK cluster with a CloudBox node pool has been created. For more information, see Use CloudBox resources in an ACK cluster.
The ACK cluster has been created and added to the ASM instance. For more information, see Create an ASM instance and Add a cluster to an ASM instance.
Step 1: Deploy an ingress gateway
CloudBox node pools have special restrictions for services:
LoadBalancer-type Services in CloudBox can only attach CloudBox ECS instances as backends, and LoadBalancer-type Services in the public cloud can only attach public cloud ECS instances.
A CLB in CloudBox cannot be associated with an EIP, so a public-facing CLB cannot be created in CloudBox.
Therefore, when you deploy a LoadBalancer-type ASM ingress gateway, the gateway CLB and the gateway pods must both be in the public cloud zone or both be in the CloudBox zone.
An ASM gateway lets you set the CLB zone through the serviceAnnotations field and control gateway pod scheduling through the nodeSelector and affinity fields.
In this example, we create an ASM gateway in the CloudBox zone: the CLB zone is specified through serviceAnnotations, and the gateway pod zone is specified through nodeSelector. The YAML is as follows.
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: ingressgateway
  namespace: "istio-system"
spec:
  clusterIds:
    - ${ACK Cluster ID}
  externalTrafficPolicy: Local
  gatewayType: ingress
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
  replicaCount: 2
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  serviceType: LoadBalancer
  # CLB placement: intranet only (a CloudBox CLB cannot bind an EIP), on the CloudBox vSwitch and zone.
  serviceAnnotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id: ${CloudBox resource virtual switch ID}
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid: ${CloudBox resource zone ID}
  # Pod placement: the same CloudBox zone as the CLB, so the CLB can mount the gateway nodes.
  nodeSelector:
    topology.kubernetes.io/zone: ${CloudBox resource zone ID}
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
You can save the above YAML in a local file and use ASM's kubeconfig to create the gateway resource, or you can use the ASM console to create the ASM gateway through YAML. For more information, see Example 1: Use KubeAPI to manage an ingress gateway.
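Before applying the gateway, it is worth checking that the two placement rules above are actually satisfied by the spec. The following pre-flight check is an added example, not part of the ASM documentation or product: it takes the gateway spec as a dict (the constructed sample mirrors the YAML above with placeholder IDs) and a set of CloudBox zone IDs, which is an assumed input you take from your own CloudBox resources.

```python
# Added example (not from the ASM documentation): pre-flight check that an
# IstioGateway keeps the CLB and gateway pods in the same environment and
# that a CloudBox CLB stays intranet-only.
CLB_ZONE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid"
CLB_VSWITCH = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id"
CLB_ADDR_TYPE = "service.beta.kubernetes.io/alicloud-loadbalancer-address-type"
POD_ZONE = "topology.kubernetes.io/zone"


def check_gateway_placement(gateway: dict, cloudbox_zones: set) -> list:
    """Return a list of findings; an empty list means the placement is consistent.

    cloudbox_zones is an assumed input: the zone IDs of your CloudBox resources.
    """
    spec = gateway.get("spec", {})
    findings = []
    if spec.get("serviceType") != "LoadBalancer":
        return findings  # the co-location rule only applies to LoadBalancer Services
    ann = spec.get("serviceAnnotations") or {}
    clb_zone = ann.get(CLB_ZONE)
    pod_zone = (spec.get("nodeSelector") or {}).get(POD_ZONE)
    if clb_zone is None:
        findings.append("CLB zone is not pinned: set the master-zoneid annotation")
    if pod_zone is None:
        findings.append("gateway pods are not pinned: set nodeSelector " + POD_ZONE)
    if clb_zone is not None and pod_zone is not None:
        if (clb_zone in cloudbox_zones) != (pod_zone in cloudbox_zones):
            findings.append(f"CLB zone {clb_zone} and pod zone {pod_zone} are split "
                            "between CloudBox and the public cloud")
    if clb_zone in cloudbox_zones:
        if ann.get(CLB_ADDR_TYPE) != "intranet":
            findings.append("a CloudBox CLB cannot bind an EIP: address-type must be intranet")
        if not ann.get(CLB_VSWITCH):
            findings.append("a CloudBox CLB needs the CloudBox vSwitch ID annotation")
    return findings


# Constructed sample mirroring the YAML above; zone and vSwitch IDs are placeholders.
CLOUDBOX_ZONES = {"cloudbox-zone-placeholder"}
GATEWAY = {"spec": {
    "serviceType": "LoadBalancer",
    "serviceAnnotations": {
        CLB_ADDR_TYPE: "intranet",
        CLB_VSWITCH: "vsw-placeholder",
        CLB_ZONE: "cloudbox-zone-placeholder"},
    "nodeSelector": {POD_ZONE: "cloudbox-zone-placeholder"}}}

if __name__ == "__main__":
    print(check_gateway_placement(GATEWAY, CLOUDBOX_ZONES) or "placement OK")
```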
Step 2: Deploy applications and configure gateway rules
Because the gateway created in Step 1 is a private (intranet) gateway, it cannot be reached from the public network. Make sure the environment you run the test commands from can reach the VPC.
Follow the procedure below to deploy the httpbin application and the gateway rules in the ACK cluster on CloudBox nodes, and then verify the deployment.