Can't hit anything external in 1.1.1

I’m testing out 1.1.1 and I’m stuck at something that should be very basic. I can’t hit anything external. From any pod inside the mesh I can’t apt-get update because deb.debian.org returns a 404. So does www.google.com. However from a pod that does not have an Envoy proxy I am able to apt-get update and curl www.google.com with a 200 response.

I have not changed the default value of:

outboundTrafficPolicy:
    mode: ALLOW_ALL

So I should be able to hit anything right? How do I debug this? I don’t know where to begin looking. The ALLOW_ALL setting is already there. Where else is this behavior configurable?


Istio 1.1.1
Kubernetes 1.10-gke

See the warning here: https://istio.io/docs/tasks/traffic-management/egress/#envoy-passthrough-to-external-services

"For example, if you don’t register an HTTP service or define a service entry for port 8000 within the mesh, the sidecar proxy will forward requests to any external service on that port. However, if you later create an HTTP service inside the mesh on port 8000 or define a service entry for any host on port 8000, Istio will block all external access to port 8000; Istio will fall back to a blocking-by-default behavior for that port.

Some ports, for example port 80, have HTTP services inside Istio by default. Because of this caveat, you cannot use this approach for services using those ports.
"

This is something that we are actively working on fixing and hopefully can have supported in the near future (1.1.x).

1 Like