Adding Egress Network Policy broke connectivity

Hi Team,

I have Istio deployed on Azure AKS using Azure CNI with Calico. I have configured Istio ingress and egress gateways with mTLS in the service mesh.

When I add www.google.com to the egress config my pod and istio-proxy sidecar are able to connect to google. But when I introduce a very basic network policy both containers in the pod (app, istio-proxy) lose connectivity to www.google.com.

# my-namespace       Active   99d   istio-injection=enabled
# istio-system        Active   99d   istio-injection=disabled,istio-operator-managed=Reconcile,operator.istio.io/component=Base,operator.istio.io/managed=Reconcile,operator.istio.io/version=1.5.7
# kube-system         Active   99d   addonmanager.kubernetes.io/mode=Reconcile,control-plane=true,kubernetes.io/cluster-service=true

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-istio-system-and-kube-dns
  namespace: my-namespace
spec:
  egress:
  - ports:
    - port: 53
      protocol: UDP
    to:
    - namespaceSelector:
        matchLabels:
          control-plane: "true"
  - to:
    - namespaceSelector:
        matchLabels:
          operator.istio.io/component: "Base"
  podSelector: {}
  policyTypes:
  - Egress

Logs of istio-proxy below:

[2020-12-03T00:30:25.027Z] "HEAD / HTTP/1.1" 503 UF "-" "-" 0 0 1000 - "-" "curl/7.64.0" "dfac6559-416c-44c9-a4ce-ae8c84351ade" "www.google.com" "172.217.25.132:80" PassthroughCluster - 172.217.25.132:80 10.30.0.146:38154 - allow_any
[2020-12-03T00:30:31.957Z] "HEAD / HTTP/1.1" 503 UF "-" "-" 0 0 999 - "-" "curl/7.64.0" "e4b21fbb-5e9f-41be-9baa-4260e2fe0351" "www.google.com" "172.217.25.132:80" PassthroughCluster - 172.217.25.132:80 10.30.0.146:38208 - allow_any
[2020-12-03T00:31:53.756Z] "HEAD / HTTP/1.1" 503 UF "-" "-" 0 0 999 - "-" "curl/7.64.0" "ce1dc3ed-bbaa-44ba-affc-82c99e5bb284" "www.google.com" "216.58.199.68:80" PassthroughCluster - 216.58.199.68:80 10.30.0.146:35470 - allow_any

It’s not because of calico policy, the issue is because of wrongly configured egress virtual service.
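To see exactly which flows the NetworkPolicy in the post admits, here is an added example (not code from the post or from Istio/Calico) that evaluates the policy's egress rules against the namespace labels shown in the post's namespace listing. The policy and labels are embedded as Python dicts so it runs without PyYAML or a cluster; it shows that UDP/53 to kube-system and any port to istio-system are allowed, while a connection straight to an external address such as the 172.217.25.132:80 that PassthroughCluster dials in the log matches no rule and is denied.

```python
# Added example: evaluate the post's egress NetworkPolicy offline.
POLICY = {  # spec of allow-egress-to-istio-system-and-kube-dns, from the post
    "podSelector": {},
    "policyTypes": ["Egress"],
    "egress": [
        {"ports": [{"port": 53, "protocol": "UDP"}],
         "to": [{"namespaceSelector": {"matchLabels": {"control-plane": "true"}}}]},
        {"to": [{"namespaceSelector": {"matchLabels": {"operator.istio.io/component": "Base"}}}]},
    ],
}

# Namespace labels taken from the post's namespace listing (subset relevant to the policy).
NAMESPACE_LABELS = {
    "istio-system": {"operator.istio.io/component": "Base", "istio-injection": "disabled"},
    "kube-system": {"control-plane": "true", "kubernetes.io/cluster-service": "true"},
    "my-namespace": {"istio-injection": "enabled"},
}


def _peer_matches(peer, dst_ns):
    """A namespaceSelector peer matches only in-cluster destinations whose namespace has every label."""
    if dst_ns is None:  # external IP: no namespace, so a namespaceSelector can never match it
        return False
    sel = peer.get("namespaceSelector")
    if sel is None:  # ipBlock/podSelector-only peers are not used by this policy
        return False
    labels = NAMESPACE_LABELS.get(dst_ns, {})
    return all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())


def _port_matches(rule, port, proto):
    ports = rule.get("ports")
    if not ports:  # rule without 'ports' admits any port and protocol
        return True
    return any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)


def egress_allowed(policy, dst_ns, port, proto="TCP"):
    """True if some egress rule admits a flow to dst_ns (None = outside the cluster) on port/proto."""
    if "Egress" not in policy["policyTypes"]:
        return True  # policy does not restrict egress at all
    for rule in policy.get("egress", []):
        if not _port_matches(rule, port, proto):
            continue
        if not rule.get("to"):  # rule without 'to' admits any destination
            return True
        if any(_peer_matches(p, dst_ns) for p in rule["to"]):
            return True
    return False  # no rule matched: Calico drops the flow


if __name__ == "__main__":
    print("DNS to kube-system:", egress_allowed(POLICY, "kube-system", 53, "UDP"))
    print("any port to istio-system:", egress_allowed(POLICY, "istio-system", 15443))
    print("direct to 172.217.25.132:80:", egress_allowed(POLICY, None, 80))
```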