How to see which calls to external hosts were blocked?

#1

Hi,
our calls to external services are getting blocked, but I don’t know what host or port they are calling.
Is there any log that says what calls were blocked on what host and port?

0 Likes

#2

Hi,

Have you tried using the logs adapter to collect all outgoing requests from the pod:

You can add a match condition using source labels, for example, to select the outgoing requests from the pod. Blocking means missing routing information, in this case I believe, so you can also use 404 to find these routes.

–kuat

0 Likes

#3

This is how I do it.

I first exec into the istio-proxy in a pod that I want. Then I run the curl to set the istio-proxy logging to trace, which is very verbose. Then exit the pod and grep the logs for default_words; this will show you info about what's getting out and what's getting blocked.

kubectl exec -it -c istio-proxy datashare-api-ff9395b1-7fdcdfcbbf-rv46w -- sh

curl -XPOST "http://localhost:15000/logging?level=trace"

kubectl logs -c istio-proxy datashare-api-ff9395b1-7fdcdfcbbf-rv46w | grep default_words

0 Likes
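The steps from post #3 as one non-interactive script that also lowers the log level again afterwards, since trace output is very verbose. This is an added example, not code posted in the thread; the function names, the `NAMESPACE` and `RESTORE_LEVEL` variables, and `warning` as the level to restore are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive version of the steps in post #3.
# Assumptions (not from the thread): the helper names, the NAMESPACE and
# RESTORE_LEVEL variables, and "warning" as the level to restore.

NAMESPACE="${NAMESPACE:-default}"
RESTORE_LEVEL="${RESTORE_LEVEL:-warning}"
ADMIN_URL="http://localhost:15000/logging"   # admin endpoint used in post #3

# Set the sidecar's log level through its local admin endpoint.
set_proxy_level() {   # usage: set_proxy_level POD LEVEL
    kubectl exec -n "$NAMESPACE" -c istio-proxy "$1" -- \
        curl -s -XPOST "${ADMIN_URL}?level=$2" >/dev/null
}

# Raise the level to trace, wait while the failing call is reproduced,
# print the matching sidecar log lines, then always lower the level again.
trace_outbound() {    # usage: trace_outbound POD [SECONDS] [PATTERN]
    pod="$1"; window="${2:-30}"; pattern="${3:-default_words}"
    set_proxy_level "$pod" trace || return 1
    sleep "$window"
    kubectl logs -n "$NAMESPACE" -c istio-proxy "$pod" \
        --since="$((window + 5))s" | grep -- "$pattern"
    found=$?          # grep's status: 0 if any line matched
    set_proxy_level "$pod" "$RESTORE_LEVEL"
    return "$found"
}

# Run only when a pod name is given on the command line.
if [ "$#" -ge 1 ]; then
    trace_outbound "$@"
fi
```

Run it with the pod name as the first argument and trigger the blocked call from the application during the wait window.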

#4

default_words is probably coming from mixer’s API https://github.com/istio/api/blob/6b8d1849e7f44ef523b4442af69b57ddc960d38b/mixer/v1/mixer.proto#L256

Using trace-level information from proxy allows you to peek into communication from proxy to mixer, which has all the necessary information, although in an encoded form.

0 Likes