By default, all external access is allowed, but it shouldn't

emedina · March 13, 2019, 5:36pm

Hi,

As per the documentation here:

https://istio.io/docs/tasks/traffic-management/egress/

By default, Istio-enabled services are unable to access URLs outside of the cluster because the pod uses iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.

However, this is not the case with a clean installation using 1.1.0-rc0. Is this a regression or a new feature that allows all external traffic by default?

Clearly my Pods’ sidecars don’t provide value for the -i flag:

Init Containers:
  istio-init:
    Container ID:  docker://2f31939cd6a436b46e02c75c4c9a481f7c64a45383e2322ecedcf18dff370beb
    Image:         docker.io/istio/proxy_init:1.1.0-rc.0
    Image ID:      docker-pullable://istio/proxy_init@sha256:67f698c143b05464b66fdfcbf07f8d9485e13bdf246137a175d23cee5e0d9965
    Port:          <none>
    Host Port:     <none>
    Args:
      -p
      15001
      -u
      1337
      -m
      REDIRECT
      -i

      -x

      -b

      -d
      15020

dwradcliffe · March 13, 2019, 5:59pm

This is an expected change in 1.1. You can switch back to the old behavior though. See this documentation: https://preliminary.istio.io/docs/tasks/traffic-management/egress/#envoy-passthrough-to-external-services and this PR: https://github.com/istio/istio/issues/11739

emedina · March 13, 2019, 6:15pm

Thanks so much for the pointer.

Let me validate this with my use case.

Topic		Replies	Views
Outbound traffic to exernal service (SOLVED) Networking	11	2234	April 19, 2019
Can't hit anything external in 1.1.1	1	1125	March 30, 2019
External access https not passing through istio-proxy Networking	0	478	March 13, 2020
[GKE] Easiest way to allow external services Networking	3	5722	April 18, 2019
Configuring the sidecar: outgoing traffic and virtual services Networking	0	674	January 15, 2019

By default, all external access is allowed, but it shouldn't

Related Topics