Howdy! I’m new to Istio, yet I’m tasked to evaluate Istio for possible adoption for my organization (a little scared but also excited :-).
So I’m trying to understand how Envoy hijacks the traffic to perform service routing. I understand the init container “istio-init” uses istio-iptables.sh to accomplish this by using the iptables tool to add a netfilter rule for port forwarding (aka traffic hijacking to the Envoy sidecar).
My question is: what is the scope of this netfilter rule for a particular pod? Is it just at the pod level, or is it at the host/node level? In other words, does the rule reside only in the pod, or in the host?
Because it only affects the traffic for the particular pod, it makes sense for it to be contained inside the pod; yet my knowledge of Docker containers (the container our Kube cluster is using) is that any stuff in the Linux kernel is shared by all containers on the host. And netfilter is in the kernel.
Kube’s ClusterIP service is also implemented in a similar way, but definitely at the host level by kube-proxy. I believe the reason there that a process in the kube-proxy container can affect host netfilter is that kube-proxy is running in privileged mode (securityContext:privileged set to true) and with the HostNetwork property set, whereas the Envoy container doesn’t have the privilege setting.
If the Envoy port forward rule is indeed at the host level, then the netfilter rule has to be qualified by the POD IP, right?