Hi,
I’ve applied Istio 1.1.7 with MeshPolicy in PERMISSIVE mode.
I’m trying to configure a DestinationRule for serviceA in namespaceA to only applied on clients on namespaceA.
I have another client on namespaceB that connects to serviceA, I’ve expected that this traffic will be clear, but unfortunately it’s encrypted.
Am I doing something wrong? Is it by design?
apiVersion: “networking.istio.io/v1alpha3 ”
BTW - When applied the same rule on namespaceB, ONLY traffic from clientB to serviceA was encrypted.
A DestinationRule is exported to all namespaces unless you set the exportTo field to .
Thanks @frankbu for your answer, it worked.
@idan_frimark separate from exportTo, the destination rule lookup path is basically:
client namespace
service namespace
istio-system
Hmm, I guess this isn’t documented anywhere except in the code:
// if no private/public rule matched in the calling proxy's namespace,
// check the target service's namespace for public rules
if service.Attributes.Namespace != "" && ps.namespaceExportedDestRules[service.Attributes.Namespace] != nil {
if host, ok := MostSpecificHostMatch(service.Hostname,
ps.namespaceExportedDestRules[service.Attributes.Namespace].hosts); ok {
return ps.namespaceExportedDestRules[service.Attributes.Namespace].destRule[host].config
}
}
// if no public/private rule in calling proxy's namespace matched, and no public rule in the
// target service's namespace matched, search for any public destination rule in the config root namespace
// NOTE: This does mean that we are effectively ignoring private dest rules in the config root namespace
if ps.namespaceExportedDestRules[ps.Env.Mesh.RootNamespace] != nil {
if host, ok := MostSpecificHostMatch(service.Hostname,
ps.namespaceExportedDestRules[ps.Env.Mesh.RootNamespace].hosts); ok {
return ps.namespaceExportedDestRules[ps.Env.Mesh.RootNamespace].destRule[host].config
}
}
return nil
OK, now I understand. Thank you!