Egress filtering tcp destinations by hostname


Hello.
I’m running Istio 1.0.5 and Kubernetes 1.11. If anyone knows of any related changes in Istio 1.1, please let me know.

I have a situation where I want to explicitly block all traffic and then whitelist destinations per pod. For HTTP/HTTPS services this seems fine, and I can build ServiceEntries that use DNS names for the destinations.

But for TCP-based services you cannot use hostnames. This is a bit of a problem in AWS, as the IPs associated with an RDS endpoint like mysql-instance1.123456789012.us-east-1.rds.amazonaws.com change over time. I’m curious if anyone knows of any tools that could be used in conjunction with Istio that would allow us to whitelist RDS destinations by hostname in a ServiceEntry. Looking at using Kubernetes network policies, the same problem exists because the network policies only operate on IP addresses.

Any alternate approaches/tools/thoughts welcome.
Thanks. G.
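One workaround for the problem described in the post, added here as an example and not code from the post or from the Istio project: resolve the RDS hostname out of band and generate a STATIC, IP-based TCP ServiceEntry from the current A records, then re-run it on a schedule (e.g. a CronJob that pipes the output to `kubectl apply`) so the allowlist tracks the rotating addresses. The `build_service_entry` and `resolve_a_records` names, the `rds-mysql` entry name and the constructed resolver answers are assumptions for the example; the resource fields are standard `networking.istio.io/v1alpha3` ServiceEntry fields.

```python
"""Generate a STATIC Istio ServiceEntry for a TCP destination from its DNS answers."""
import ipaddress
import socket
from typing import Callable, Iterable, List

Resolver = Callable[[str], Iterable[str]]


def resolve_a_records(hostname: str) -> List[str]:
    """Look up the IPv4 addresses of hostname via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def build_service_entry(name: str, hostname: str, port: int,
                        resolver: Resolver = resolve_a_records) -> str:
    """Return ServiceEntry YAML pinning hostname:port to its current A records.

    Each address is listed both under spec.addresses (so the sidecar can tell
    this TCP destination apart from other traffic on the same port) and under
    spec.endpoints (where Envoy actually sends it). Invalid or empty answers
    raise instead of silently producing an entry that matches nothing.
    """
    ips = [str(a) for a in sorted({ipaddress.IPv4Address(ip) for ip in resolver(hostname)})]
    if not ips:
        raise ValueError(f"no A records for {hostname}")
    lines = [
        "apiVersion: networking.istio.io/v1alpha3",
        "kind: ServiceEntry",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  hosts:",
        f"  - {hostname}",
        "  addresses:",
        *[f"  - {ip}/32" for ip in ips],
        "  ports:",
        f"  - number: {port}",
        "    name: tcp-mysql",   # Istio port names carry the protocol prefix
        "    protocol: TCP",
        "  location: MESH_EXTERNAL",
        "  resolution: STATIC",
        "  endpoints:",
        *[f"  - address: {ip}" for ip in ips],
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed answers standing in for a live RDS lookup (assumption, not real data).
    constructed = lambda _host: ["10.0.1.20", "10.0.0.5", "10.0.1.20"]
    print(build_service_entry("rds-mysql", "mysql-instance1.example.invalid", 3306, constructed))
```

Because the entry is STATIC, the refresh interval has to be shorter than the RDS DNS TTL, otherwise connections to a newly rotated address are blocked until the next run.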