GCP Stackdriver & outboundTrafficPolicy

Hi everyone,

I have a k8s cluster 1.12 deployed on GCP, with istio 1.2.2 installed.
I have a PHP application deployed, working fine, and I added the integration of Stackdriver, using the php logging client.
It works fine when global.outboundTrafficPolicy.mode is set to ALLOW_ANY, so I manage to send my logs to Stackdriver correctly.
But if I switch global.outboundTrafficPolicy.mode to REGISTRY_ONLY, then it does not work anymore.
I added the following ServiceEntry, but even with that, it still doesn’t work.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: googleapis
spec:
  # External hosts the sidecar may reach once outboundTrafficPolicy is REGISTRY_ONLY.
  hosts:
    - "googleapis.com"
    - "*.googleapis.com"
    - "google.com"
    - "*.google.com"
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS

Anyone knows how to fix this?
I have tested with a different service, a simple one where I just do a curl on it, and it works as expected.
So I can imagine that GCP Stackdriver has something under the hood which is calling a domain which I'm not able to figure out, or something like that…
Note: I had to add spaces in the hosts since I'm not allowed to add more than 2 links…

Hi, are you using this Stackdriver client? https://github.com/googleapis/google-cloud-php-logging

Your hunch sounds right, that the client is calling a domain or IP not listed there. Looking at the logging client’s source code, I see external calls to *.googleapis.com and *.google.com only, so I see your issue.

I don’t see this anywhere in the PHP client, but you might need to add the Google Metadata Server IP to your ServiceEntry, like this https://github.com/GoogleCloudPlatform/microservices-demo/blob/f575b76f33b550b9f0f402ee814d5e17d385f210/release/istio-manifests.yaml#L80

And also add *.google.internal ?

Also, is the sidecar proxy logging any errors / reporting which domains it’s accessing? Thanks!

Thank you very much meganokeefe!
Adding the GCE metadata server IP and *.google.internal fixed it!

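For reference, here is the complete set of ServiceEntry resources the fix above amounts to, written out as an added example rather than copied from either post or from the linked microservices-demo manifest. With outboundTrafficPolicy.mode set to REGISTRY_ONLY the sidecar only forwards traffic to destinations it knows about, so every host the logging client touches has to be registered, including the one the client itself never mentions: on GKE, Application Default Credentials obtain the OAuth access token for the Stackdriver API from the GCE metadata server at 169.254.169.254 (metadata.google.internal), over plain HTTP on port 80. The resource names (googleapis, gce-metadata) are assumptions; the metadata server address and hostname are the documented GCE values.

```yaml
# Added example: allowlist for a GKE workload that writes to Stackdriver
# while global.outboundTrafficPolicy.mode is REGISTRY_ONLY.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: googleapis          # assumed name
spec:
  # Stackdriver / Google API endpoints contacted by the PHP logging client.
  hosts:
    - "googleapis.com"
    - "*.googleapis.com"
    - "google.com"
    - "*.google.com"
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  # Wildcard hosts cannot be resolved up front, so the sidecar passes the
  # connection through to the address the application dialled.
  resolution: NONE
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: gce-metadata        # assumed name
spec:
  # The metadata server hands out the service-account access token that the
  # client presents to the logging API. It is reached by IP, so the CIDR in
  # `addresses` is what lets the sidecar match the outbound connection.
  hosts:
    - "metadata.google.internal"
    - "*.google.internal"
  addresses:
    - 169.254.169.254/32
  ports:
    - number: 80
      name: http
      protocol: HTTP
  resolution: NONE
  location: MESH_EXTERNAL
```

Apply with `kubectl apply -f` in any namespace; a ServiceEntry without `exportTo` is visible mesh-wide. If something is still being dropped, the quickest check is the sidecar's access log (`kubectl logs <pod> -c istio-proxy`): requests that REGISTRY_ONLY refuses are sent to the `BlackHoleCluster` upstream, and the logged host or destination IP tells you which entry is missing. Since these entries are the egress allowlist, keep them as narrow as the client actually needs rather than broadening the wildcards further.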