Our calls to external services are getting blocked, but I don’t know what host or port they are calling.
Is there any log that says what calls were blocked on what host and port?
Have you tried using the logs adapter to collect all outgoing requests from the pod:
You can add a match condition using source labels, for example, to select the outgoing requests from the pod. Blocking means missing routing information, in this case I believe, so you can also use 404 to find these routes.
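As an added example (not part of the original reply and not the Istio project's own configuration), this is one way to write the Mixer logs-adapter setup described above: a `logentry` instance that records destination host and port, a `stdio` handler, and a `rule` whose match selects outbound requests from one workload that returned 404. The resource names, the `istio-system` namespace and the `app: datashare-api` label are assumptions; adjust them to your mesh.

```yaml
# Added example: log outbound requests from one workload that got a 404.
# Names, namespace and the app label are assumptions, not from the thread.
apiVersion: config.istio.io/v1alpha2
kind: logentry
metadata:
  name: outboundlog
  namespace: istio-system
spec:
  severity: '"info"'
  timestamp: request.time
  variables:
    sourceWorkload: source.workload.name | "unknown"
    destinationHost: destination.service.host | request.host | "unknown"
    destinationPort: destination.port | 0
    responseCode: response.code | 0
  monitored_resource_type: '"global"'
---
apiVersion: config.istio.io/v1alpha2
kind: stdio
metadata:
  name: outboundhandler
  namespace: istio-system
spec:
  outputAsJson: true
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: outboundlogrule
  namespace: istio-system
spec:
  # Match condition on source labels, restricted to client-side reports
  # and to the 404 responses suggested in the reply.
  match: >-
    context.reporter.kind == "outbound" &&
    source.labels["app"] == "datashare-api" &&
    response.code == 404
  actions:
  - handler: outboundhandler.stdio
    instances:
    - outboundlog.logentry
```

With the `stdio` handler the entries are written to the Mixer telemetry pod's standard output, so that pod's logs are the place to read them.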
This is how I do it.
I first exec into the istio-proxy in a pod that I want. Then I run the curl to set the istio-proxy logging to trace, which is very verbose. Then exit the pod and grep the logs for default_words; this will show you info about what's getting out and what's getting blocked.
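# open a shell in the istio-proxy container of the pod
kubectl exec -it -c istio-proxy datashare-api-ff9395b1-7fdcdfcbbf-rv46w -- sh
# inside the container: set the proxy log level to trace, then exit
curl -XPOST 'http://localhost:15000/logging?level=trace'
# back outside the pod: filter the proxy logs
kubectl logs -c istio-proxy datashare-api-ff9395b1-7fdcdfcbbf-rv46w | grep default_words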
default_words is probably coming from Mixer’s API: https://github.com/istio/api/blob/6b8d1849e7f44ef523b4442af69b57ddc960d38b/mixer/v1/mixer.proto#L256
Using trace-level information from the proxy allows you to peek into the communication from the proxy to Mixer, which has all the necessary information, although in an encoded form.