GCP Stackdriver & outboundTrafficPolicy

igoooor · July 3, 2019, 2:31pm

Hi everyone,

I have a k8s cluster 1.12 deployed on GCP, with istio 1.2.2 installed.
I have a PHP application deployed, working fine, and I added the integration of Stackdriver, using the php logging client.
It works fine when global.outboundTrafficPolicy.mode is set to ALLOW_ANY so I manage to send correctly my logs to Stackdriver.
But if I switch global.outboundTrafficPolicy.mode to REGISTRY_ONLY, then it does not work anymore.
I added the following ServiceEntry, but even with that, it still doesn’t work.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: googleapis
spec:
  hosts:
    - "googleapis. com"
    - "*.googleapis. com"
    - "google. com"
    - "*.google. com"
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS

Anyone knows how to fix this?
I have tested with a different service, a simple one where I just do a curl on it, and it works as expected.
So I can imagine that GCP Stackdriver has something under the hood which is a calling a domain which I’m not able to figure out or something like that…
Note: I had to spaces in the hosts since I’m not allowed to add more than 2 links…

meganokeefe · July 3, 2019, 3:45pm

Hi, are you using this Stackdriver client? https://github.com/googleapis/google-cloud-php-logging

Your hunch sounds right, that the client is calling a domain or IP not listed there. Looking at the logging client’s source code, I see external calls to *.googleapis.com and *.google.com only, so I see your issue.

I don’t see this anywhere in the PHP client, but you might need to add the Google Metadata Server IP to your ServiceEntry, like this https://github.com/GoogleCloudPlatform/microservices-demo/blob/f575b76f33b550b9f0f402ee814d5e17d385f210/release/istio-manifests.yaml#L80

And also add *.google.internal ?

Also, is the sidecar proxy logging any errors / reporting which domains it’s accessing? Thanks!

igoooor · July 5, 2019, 11:13am

Thank you very much meganokeefe!
Adding the GCE metadata server IP and *.google.internal fixed it!

Topic		Replies	Views
Istio outbound https traffic troubleshooting Networking	2	340	July 18, 2022
Google Global Load Balancer with open source Istio on GKE Networking	4	3127	June 8, 2021
Istio outboundTrafficPolicy REGISTRY_ONLY not working	0	769	September 11, 2020
[GKE] Easiest way to allow external services Networking	3	5703	April 18, 2019
Can't hit anything external in 1.1.1	1	1108	March 30, 2019

GCP Stackdriver & outboundTrafficPolicy

Related Topics