[GKE] Easiest way to allow external services

Hello, I would appreciate your help with allowing external services on the managed Istio (v1.0) on Google Kubernetes Engine. The problem is that it's not possible to do this by reconfiguring the global.proxy.includeIPRanges parameter in the sidecar ConfigMap, because it's overwritten on the managed Istio.

The reason I need this is that my application accesses a great number of external services, which is not possible to configure by creating ServiceEntries.

Do you have any ideas?

A workaround I did in my lab environment was to create a ServiceEntry / DestinationRule to enable access to a Squid proxy. It requires using an explicit proxy configuration, but it does give you a bypass of any HTTP/HTTPS policies.

curl -x http://[squid proxy]:3128 https://api.example.com/v1/hello_world

I have not tried with Istio 1.0, but in theory it should work.

We've set up a proxy as a temporary workaround. However, this won't work as a long-term solution because of the large amount of transferred data. The proxy is now the bottleneck of the system.

After playing around, I've found this solution working. I created a ServiceEntry (shown below) with no resolution and all public IP ranges. Does anyone know if this is a good idea? Couldn't this solution impact the performance?

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: all-traffic
  labels:
    app: all-traffic
    group: istio
    networking: istio
spec:
  hosts:
  - example.com # this is ignored according to docs
  addresses:
  - 1.0.0.0/8
  - 2.0.0.0/7
  - 4.0.0.0/6
  - 8.0.0.0/7
  - 11.0.0.0/8
  - 12.0.0.0/6
  - 16.0.0.0/4
  - 32.0.0.0/3
  - 64.0.0.0/3
  - 96.0.0.0/4
  - 112.0.0.0/5
  - 120.0.0.0/6
  - 124.0.0.0/7
  - 126.0.0.0/8
  - 128.0.0.0/3
  - 160.0.0.0/5
  - 168.0.0.0/8
  - 169.0.0.0/9
  - 169.128.0.0/10
  - 169.192.0.0/11
  - 169.224.0.0/12
  - 169.240.0.0/13
  - 169.248.0.0/14
  - 169.252.0.0/15
  - 169.255.0.0/16
  - 170.0.0.0/7
  - 172.0.0.0/12 # public 172.x blocks outside the private 172.16.0.0/12; absent from the original list
  - 172.32.0.0/11
  - 172.64.0.0/10
  - 172.128.0.0/9
  - 173.0.0.0/8
  - 174.0.0.0/7
  - 176.0.0.0/6
  - 180.0.0.0/5
  - 188.0.0.0/6
  - 192.0.1.0/24 # public block between the reserved 192.0.0.0/24 and 192.0.2.0/24; absent from the original list
  - 192.0.3.0/24
  - 192.0.4.0/22
  - 192.0.8.0/21
  - 192.0.16.0/20
  - 192.0.32.0/19
  - 192.0.64.0/18
  - 192.0.128.0/17
  - 192.1.0.0/16
  - 192.2.0.0/15
  - 192.4.0.0/14
  - 192.8.0.0/13
  - 192.16.0.0/12
  - 192.32.0.0/11
  - 192.64.0.0/12
  - 192.80.0.0/13
  - 192.88.0.0/18
  - 192.88.64.0/19
  - 192.88.96.0/23
  - 192.88.98.0/24
  - 192.88.100.0/22
  - 192.88.104.0/21
  - 192.88.112.0/20
  - 192.88.128.0/17
  - 192.89.0.0/16
  - 192.90.0.0/15
  - 192.92.0.0/14
  - 192.96.0.0/11
  - 192.128.0.0/11
  - 192.160.0.0/13 # was 192.168.0.0/12, which has host bits set and parses as 192.160.0.0/12, covering the private 192.168.0.0/16
  - 192.169.0.0/16
  - 192.170.0.0/15
  - 192.172.0.0/14
  - 192.176.0.0/12 # replaces 192.176.0.0/14 and 192.180.0.0/12; the latter had host bits set and already parsed as 192.176.0.0/12
  - 192.192.0.0/13 # was 192.196.0.0/13, which has host bits set and parses as 192.192.0.0/13
  - 192.200.0.0/13
  - 192.208.0.0/12
  - 192.224.0.0/11
  - 193.0.0.0/8
  - 194.0.0.0/7
  - 196.0.0.0/7
  - 198.0.0.0/12
  - 198.16.0.0/15
  - 198.20.0.0/14
  - 198.24.0.0/13
  - 198.32.0.0/12
  - 198.48.0.0/15
  - 198.50.0.0/16
  - 198.51.0.0/18
  - 198.51.64.0/19
  - 198.51.96.0/22
  - 198.51.101.0/24
  - 198.51.102.0/23
  - 198.51.104.0/21
  - 198.51.112.0/20
  - 198.51.128.0/17
  - 198.52.0.0/14
  - 198.56.0.0/13
  - 198.64.0.0/10
  - 198.128.0.0/9
  - 199.0.0.0/8
  - 200.0.0.0/7
  - 202.0.0.0/8
  - 203.0.0.0/18
  - 203.0.64.0/19
  - 203.0.96.0/20
  - 203.0.112.0/24
  - 203.0.114.0/23
  - 203.0.116.0/22
  - 203.0.120.0/21
  - 203.0.128.0/17
  - 203.1.0.0/16
  - 203.2.0.0/15
  - 203.4.0.0/14
  - 203.8.0.0/13
  - 203.16.0.0/12
  - 203.32.0.0/11
  - 203.64.0.0/10
  - 203.128.0.0/9
  - 204.0.0.0/6
  - 208.0.0.0/4
  ports:
  - name: http
    number: 80
    protocol: TCP
  - name: https
    number: 443
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
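A hand-maintained list like the one above is easy to get subtly wrong: an entry whose host bits are not zero (192.168.0.0/12, for instance) is accepted by CIDR parsers such as Go's net.ParseCIDR but is widened to its aligned network, so a "public only" ServiceEntry can end up classifying a private block as MESH_EXTERNAL. The script below is an added example, not code from this thread or from the Istio project. It generates the public IPv4 list by subtracting a reserved set from 0.0.0.0/0, renders it as the addresses: block, and audits an existing list for misaligned or reserved-overlapping entries. The RESERVED set is an assumption (roughly the IANA special-purpose registry plus multicast and class E) and differs from the poster's choices, for example by excluding 100.64.0.0/10; adjust it to the environment.

```python
"""Build and audit the `addresses` list of an Istio ServiceEntry.

Added example (not from the thread or the Istio project). Assumptions:
- RESERVED approximates the IANA special-purpose IPv4 registry plus
  multicast and class E; adjust it to your environment.
- Python 3.7+ (uses IPv4Network.subnet_of).
"""
import ipaddress

# Constructed assumption: blocks that must never be treated as MESH_EXTERNAL.
RESERVED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]


def public_ranges(reserved=RESERVED):
    """Return the minimal sorted list of CIDRs covering 0.0.0.0/0 minus `reserved`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for r in (ipaddress.ip_network(x) for x in reserved):
        nxt = []
        for net in remaining:
            if r.subnet_of(net):
                nxt.extend(net.address_exclude(r))  # yields nothing if r == net
            elif net.subnet_of(r):
                continue  # net lies entirely inside a reserved block: drop it
            else:
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def audit_addresses(addresses, reserved=RESERVED):
    """Flag entries that do not mean what they say.

    A prefix with host bits set (e.g. 192.168.0.0/12) is widened by lenient
    parsers to its aligned network (192.160.0.0/12) and so silently covers
    192.168.0.0/16. Returns (entry, problem, detail) tuples; [] means clean.
    """
    findings = []
    reserved_nets = [ipaddress.ip_network(x) for x in reserved]
    for entry in addresses:
        try:
            effective = ipaddress.ip_network(entry)  # strict: host bits must be zero
        except ValueError:
            try:
                effective = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "invalid", "not a CIDR"))
                continue
            findings.append((entry, "misaligned", f"parsed as {effective}"))
        for r in reserved_nets:
            if effective.overlaps(r):
                findings.append((entry, "overlaps_reserved", str(r)))
    return findings


def address_count(cidrs):
    """Total number of IPv4 addresses covered by a list of aligned CIDRs."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def yaml_addresses(cidrs, indent="  "):
    """Render the list as the `addresses:` block of a ServiceEntry spec."""
    return "\n".join([f"{indent}addresses:"] + [f"{indent}- {c}" for c in cidrs])


if __name__ == "__main__":
    ranges = public_ranges()
    print(yaml_addresses(ranges))
    print(f"# {len(ranges)} ranges, {address_count(ranges)} addresses")
    # Constructed sample containing a misaligned entry of the kind found in hand-made lists:
    for finding in audit_addresses(["192.168.0.0/12", "193.0.0.0/8"]):
        print("#", *finding)
```

Running the script prints a ready-to-paste addresses: block and a coverage summary; running audit_addresses over an existing ServiceEntry list before applying it catches both widened prefixes and accidental overlap with private or link-local space, which is the check worth adding to a CI step that lints mesh configuration.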