Bypassing envoy when calling localhost inside a pod

Jacinto_Barbeira · September 16, 2019, 1:48pm

Hi

I’m trying to deploy a rather non container friendly application server (AS). One of the steps into getting it running is using a CLI to configure the AS that tries to connect to it on TCP localhost:1202 using SSL (it’s java based and is using a predefined set of keystores - .jks - for credentials).

Now, if I run the deployment without istio injection, it works like a charm. When I add the istio proxy sidecar to the pod, it starts giving me a connectivity error.

I’m looking at the logs from istio-proxy, and I see it is capturing the traffic on localhost and connecting back to it self via the pod IP.

Is there a way to avoid traffic aimed at “localhost” to be captured by the envoy proxy?

Has anyone come across this type of scenario?

Thanks.

ed.snible · September 17, 2019, 2:06pm

You can exclude port 1202 from being captured by the Envoy Proxy. In your Deployment add

    metadata:
      annotations:
        traffic.sidecar.istio.io/excludeInboundPorts: 1202

See https://istio.io/docs/reference/config/annotations/ for a list of annotations supported by Envoy.

Topic		Replies	Views
Istio (Envoy-proxy sidecar) is blocking http traffic on port 8088 Networking	20	10213	June 4, 2020
Istio enabled pods and egress connections Networking	4	818	July 1, 2019
How to use sidecar proxies for routing inbound traffic to multiple containers in a pod Config	0	996	January 20, 2023
Does kubectl port-forward svc bypass Istio's proxy? Networking	1	988	November 14, 2022
Stil looking for a way to avoid Envoy capturing requests when using direct IP	3	556	June 17, 2020

Bypassing envoy when calling localhost inside a pod

Related Topics