By default, all external access is allowed, but it shouldn't


#1

Hi,

As per the documentation here:

https://istio.io/docs/tasks/traffic-management/egress/

By default, Istio-enabled services are unable to access URLs outside of the cluster because the pod uses iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.

However, this is not the case with a clean installation using 1.1.0-rc0. Is this a regression or a new feature that allows all external traffic by default?

Clearly my Pods’ sidecars don’t provide a value for the -i flag:

Init Containers:
  istio-init:
    Container ID:  docker://2f31939cd6a436b46e02c75c4c9a481f7c64a45383e2322ecedcf18dff370beb
    Image:         docker.io/istio/proxy_init:1.1.0-rc.0
    Image ID:      docker-pullable://istio/proxy_init@sha256:67f698c143b05464b66fdfcbf07f8d9485e13bdf246137a175d23cee5e0d9965
    Port:          <none>
    Host Port:     <none>
    Args:
      -p
      15001
      -u
      1337
      -m
      REDIRECT
      -i

      -x

      -b

      -d
      15020

#2

This is an expected change in 1.1. You can switch back to the old behavior though. See this documentation: https://preliminary.istio.io/docs/tasks/traffic-management/egress/#envoy-passthrough-to-external-services and this PR: https://github.com/istio/istio/issues/11739
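The switch referred to above is the `outboundTrafficPolicy` mode in the `mesh` section of the `istio` ConfigMap in `istio-system`; the 1.1 docs restore the old behaviour by rewriting `ALLOW_ANY` to `REGISTRY_ONLY` there. The script below is an added example, not code from this thread or from the Istio project: it reports which mode a ConfigMap currently carries and produces the corrected YAML. The ConfigMap text is constructed so the script runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Istio). Audits the outbound
# traffic policy in an Istio 1.1 mesh ConfigMap and rewrites it to
# REGISTRY_ONLY. The ConfigMap below is a constructed sample.

SAMPLE_CONFIGMAP='apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    disablePolicyChecks: true
'

# Reads ConfigMap YAML on stdin and prints the value of
# outboundTrafficPolicy.mode, or "UNSET" when the key is absent
# (Istio 1.1 then falls back to its default, ALLOW_ANY).
outbound_mode() {
  awk '
    /outboundTrafficPolicy:/ { in_policy = 1; next }
    in_policy && /^[[:space:]]*mode:/ {
      sub(/^[[:space:]]*mode:[[:space:]]*/, "")
      print
      found = 1
      exit
    }
    in_policy && !/^[[:space:]]/ { in_policy = 0 }
    END { if (!found) print "UNSET" }
  '
}

# Exit status 0 only when the mesh already restricts egress to known
# service-registry hosts (REGISTRY_ONLY); stdin is the ConfigMap YAML.
egress_is_restricted() {
  [ "$(outbound_mode)" = "REGISTRY_ONLY" ]
}

# Rewrites the permissive mode to REGISTRY_ONLY, leaving everything else
# untouched, so the output can be fed straight back to kubectl replace.
restrict_egress() {
  sed 's/\(mode:[[:space:]]*\)ALLOW_ANY/\1REGISTRY_ONLY/'
}

# Stand-alone demo on the constructed sample. Against a live cluster the
# same functions sit in the documented pipeline:
#   kubectl get configmap istio -n istio-system -o yaml \
#     | restrict_egress | kubectl replace -n istio-system -f -
printf 'current outbound mode: %s\n' \
  "$(printf '%s' "$SAMPLE_CONFIGMAP" | outbound_mode)"
printf '%s' "$SAMPLE_CONFIGMAP" | restrict_egress
```

Once the mode is `REGISTRY_ONLY`, the sidecar only routes to hosts in the service registry, so any external host a workload legitimately needs must be declared with a `ServiceEntry`, otherwise its calls fail in the same way the 1.0 documentation describes.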


#3

Thanks so much for the pointer.

Let me validate this with my use case.