Hi,
is it somehow possible to create service entries pointing to IP addresses reachable over the host network only? Or to create an egress gateway for such destinations?
I didn’t find any description for this in the documentation and a naive attempt like this seems to not work at all. No access to the host network.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  namespace: istio-system
  name: svc1
spec:
  hosts:
  - svc1.wherever.intra # Is this used at all? I could write mickey-mouse here, no difference?
  addresses:
  - 10.1.0.40/32
  - 10.1.0.41/32
  - 10.1.0.42/32
  ports:
  - number: 1234
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: 10.1.0.40
  - address: 10.1.0.41
  - address: 10.1.0.42
```
I want to prevent ordinary pods from using the host network directly. Instead, there should be a few defined services for accessing the network resources outside of Kubernetes.
For example:
```yaml
apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
  ...
```
Such a pod has access to the local network and can consume services from the LAN.
But I would prefer communication through istio-sidecar and egress or service entry.
(Using Istio: 1.10.2)
Any help would be appreciated,
Michael
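For reference, the standard Istio shape for forcing TCP traffic to a ServiceEntry through the egress gateway, adapted to the ServiceEntry from the post above. This is an added example, not configuration from the original post or from the Istio project. It assumes (none of this is stated in the post) that the `istio-egressgateway` deployment exists in `istio-system`, that its Service exposes port 1234, and that the gateway pods can actually reach 10.1.0.40-42; Istio configuration by itself does not make addresses that are reachable only from the host network reachable from the pod network, so that routing has to be solved at the cluster network level. The resource names `svc1-egress` and `svc1-via-egress` are arbitrary.

```yaml
# Added example (not from the original post or the Istio project).
# Assumed: istio-egressgateway runs in istio-system, its Service exposes
# port 1234, and its pods can reach 10.1.0.40-42 on the LAN.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc1
  namespace: istio-system
spec:
  hosts:
  - svc1.wherever.intra   # host name the VirtualService below matches on
  addresses:
  - 10.1.0.40/32
  - 10.1.0.41/32
  - 10.1.0.42/32
  ports:
  - number: 1234
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: 10.1.0.40
  - address: 10.1.0.41
  - address: 10.1.0.42
---
# Egress gateway listener for this TCP service.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: svc1-egress
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 1234
      name: tcp
      protocol: TCP
    hosts:
    - svc1.wherever.intra
---
# Sidecars ("mesh") send traffic for the ServiceEntry VIPs to the egress
# gateway; the gateway forwards it to the ServiceEntry endpoints.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: svc1-via-egress
  namespace: istio-system
spec:
  hosts:
  - svc1.wherever.intra
  gateways:
  - mesh
  - svc1-egress
  tcp:
  - match:
    - gateways:
      - mesh
      destinationSubnets:
      - 10.1.0.40/32
      - 10.1.0.41/32
      - 10.1.0.42/32
      port: 1234
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 1234
  - match:
    - gateways:
      - svc1-egress
      port: 1234
    route:
    - destination:
        host: svc1.wherever.intra
        port:
          number: 1234
---
# Mesh-wide: sidecars may only send traffic to destinations known to the
# registry (Services and ServiceEntries), so pods with a sidecar cannot
# reach arbitrary LAN addresses. This does not constrain pods that bypass
# the sidecar (for example hostNetwork pods), which need a Kubernetes
# admission policy instead.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
```

The `destinationSubnets` match is what ties the plain-TCP traffic (no host header to inspect) to the ServiceEntry `addresses`, which is why those VIPs matter even though the `hosts` entry looks unused from the client's point of view; the egress-gateway hop is what gives a single, auditable exit point whose pods are the only ones that need LAN reachability.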