Integrating VMs into Istio Service Mesh: WorkloadEntry, WorkloadGroup, and Smart DNS
This article explains how Istio versions 1.6‑1.8 enable virtual machine integration into a service mesh using WorkloadEntry and WorkloadGroup for automatic registration, and introduces the smart DNS sidecar proxy that allows seamless hostname‑based access to mesh services from VMs.
WorkloadEntry
WorkloadEntry describes non‑Pod endpoints, allowing VMs to join the mesh as first‑class citizens and enabling mutual TLS configuration.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
  name: vm1
  namespace: ns1
spec:
  address: 1.1.1.1
  labels:
    app: foo
    instance-id: vm-78ad2
    class: vm
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc1
  namespace: ns1
spec:
  hosts:
  - svc1.internal.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: STATIC
  workloadSelector:
    labels:
      app: foo

This creates a WorkloadEntry with labels and an address, and a ServiceEntry whose workloadSelector picks up endpoints carrying the matching label, so the VM is treated like a Pod.
VM Auto‑Registration
WorkloadGroup is used for automatic registration of WorkloadEntry resources, which is useful when VM services need to scale automatically.
Enable auto‑registration when installing istiod:
$ istioctl install --set values.pilot.env.PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION=true

Deploy an east-west gateway so that the VM sidecar can communicate with istiod.
Create a WorkloadGroup:
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: python-http
  namespace: vm
spec:
  metadata:
    annotations: {}
    labels:
      app: python-http
  template:
    ports: {}
    serviceAccount: my-vm

When each VM starts the python-http instance, a WorkloadEntry is automatically created with the VM's IP and metadata. A corresponding ServiceEntry can then select this WorkloadEntry, enabling other mesh services to reach the VM via the ServiceEntry hosts.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: vm-workload-svc
  namespace: vm
spec:
  hosts:
  - vmservice.example.com
  location: MESH_INTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 9090
  resolution: STATIC
  workloadSelector:
    labels:
      app: python-http

Smart DNS
Even with VM auto‑registration, hostname‑based access to mesh services is not possible without a DNS solution. Istio 1.8 introduces a DNS proxy sidecar that caches endpoints from the mesh and ServiceEntry resources. Iptables rules redirect DNS queries to the sidecar; if the name is cached, the sidecar returns the result, otherwise it forwards the request to the system DNS.
Smart DNS is disabled by default and can be enabled during Istio installation:
--set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_DNS_CAPTURE=true

Summary
When a VM connects to the Istio control plane through an east‑west gateway, Istio creates the appropriate WorkloadEntry resources, enabling the VM sidecar to resolve all mesh services via the smart DNS proxy. Consequently, services running on VMs can access Kubernetes services such as httpbin.default.svc.cluster.local using standard hostnames.
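The following is an added example, not Istio's own code, that models the flow described above end to end: a VM registers against the WorkloadGroup, a WorkloadEntry is materialised from the group's template, the ServiceEntry selects it by label and namespace, and the sidecar's DNS proxy answers for the ServiceEntry host from its cache while forwarding unknown names to the system resolver. The manifests are embedded as constructed Python dicts taken from the YAML above; the generated WorkloadEntry name, the rule that the DNS proxy answers with the selected workload addresses, and the `upstream` callable standing in for the system resolver are simplifications assumed for the example.

```python
"""Added example (not Istio's code): a small model of VM auto-registration,
ServiceEntry label selection and the smart DNS lookup path."""

from typing import Callable, Dict, List, Optional

# Constructed from the article's WorkloadGroup manifest.
WORKLOAD_GROUP: dict = {
    "metadata": {"name": "python-http", "namespace": "vm"},
    "spec": {
        "metadata": {"annotations": {}, "labels": {"app": "python-http"}},
        "template": {"ports": {}, "serviceAccount": "my-vm"},
    },
}

# Constructed from the article's ServiceEntry manifest.
SERVICE_ENTRY: dict = {
    "metadata": {"name": "vm-workload-svc", "namespace": "vm"},
    "spec": {
        "hosts": ["vmservice.example.com"],
        "location": "MESH_INTERNAL",
        "ports": [{"number": 80, "name": "http", "protocol": "HTTP", "targetPort": 9090}],
        "resolution": "STATIC",
        "workloadSelector": {"labels": {"app": "python-http"}},
    },
}


def auto_register(group: dict, vm_ip: str, instance_id: str) -> dict:
    """Produce the WorkloadEntry that auto-registration creates when a VM
    sidecar bound to `group` connects through the east-west gateway. The entry
    copies the group's labels and serviceAccount and records the VM's IP.
    The entry name is an assumed simplification, not istiod's exact scheme."""
    meta, spec = group["metadata"], group["spec"]
    return {
        "metadata": {"name": f"{meta['name']}-{instance_id}", "namespace": meta["namespace"]},
        "spec": {
            "address": vm_ip,
            "labels": dict(spec.get("metadata", {}).get("labels", {})),
            "serviceAccount": spec.get("template", {}).get("serviceAccount"),
        },
    }


def selects(service_entry: dict, workload_entry: dict) -> bool:
    """Label selection as in Kubernetes: every selector label must be present on
    the workload with the same value, and both resources must share a namespace
    (a workloadSelector never reaches across namespaces)."""
    if service_entry["metadata"]["namespace"] != workload_entry["metadata"]["namespace"]:
        return False
    wanted = service_entry["spec"].get("workloadSelector", {}).get("labels", {})
    have = workload_entry["spec"].get("labels", {})
    return all(have.get(key) == value for key, value in wanted.items())


def build_mesh_view(service_entries: List[dict], workload_entries: List[dict]) -> Dict[str, dict]:
    """host -> {"addresses": [...], "endpoints": ["ip:targetPort", ...]} for
    STATIC ServiceEntries. `addresses` is what the DNS proxy answers with (an
    assumption of this model); `endpoints` is what the sidecar's cluster for the
    host is programmed with, after service port 80 maps to targetPort 9090."""
    view: Dict[str, dict] = {}
    for se in service_entries:
        if se["spec"].get("resolution") != "STATIC":
            continue  # other resolution modes are handled differently; out of scope here
        selected = [we for we in workload_entries if selects(se, we)]
        addresses = [we["spec"]["address"] for we in selected]
        endpoints = [
            f"{we['spec']['address']}:{port.get('targetPort', port['number'])}"
            for we in selected
            for port in se["spec"]["ports"]
        ]
        for host in se["spec"]["hosts"]:
            view[host] = {"addresses": addresses, "endpoints": endpoints}
    return view


def resolve(host: str, view: Dict[str, dict],
            upstream: Callable[[str], Optional[List[str]]]) -> Optional[List[str]]:
    """The smart DNS decision: answer from the mesh cache when the name is known
    and has at least one address, otherwise forward to the system resolver
    (`upstream` stands in for it so the example runs offline)."""
    cached = view.get(host)
    if cached and cached["addresses"]:
        return list(cached["addresses"])
    return upstream(host)


if __name__ == "__main__":
    entry = auto_register(WORKLOAD_GROUP, "10.0.0.5", "vm-78ad2")  # constructed VM IP
    mesh = build_mesh_view([SERVICE_ENTRY], [entry])
    print(mesh)
    print(resolve("vmservice.example.com", mesh, lambda name: None))
```

A label mismatch between the ServiceEntry's workloadSelector and the WorkloadEntry (or the two resources living in different namespaces) makes `selects` return False, the host then has no addresses in the mesh view, and `resolve` falls through to the system resolver, which is the usual symptom seen on a VM when a selector is misconfigured.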
MaGe Linux Operations