Istio 1.5: Outbound traffic sent to Inbound listener

I have a setup which worked in 1.4 but stopped working after upgrading to 1.5.

The setup involves a container in a pod with Istio injection enabled. This container is running a DinD image (docker in docker), in which I can run docker builds or spin up docker containers. For the sake of explanation, lets call this container inside of a container the “nested” container.

In 1.4, I saw no issues with any HTTP requests coming from the “nested” container, and was able to hit services outside of the mesh, say, google.com

In 1.5, however, the traffic hangs and times out. A log entry in the envoy sidecar shows “inboundPassthroughClusterIpv4”, which implies to me that the traffic is getting sent to the inbound listener rather than the outbound listener. I have noticed that this issue occurs when I use the default bridge network for the nested container - If I was to use the host network, HTTP requests work as expected.

Obviously having these nested virtual networks can be rather dangerous, so i’m happy to use the docker host network as my solution, but this has left me intrigued as to what is causing this behaviour on a lower level. Could anyone help me understand what’s going on here? Thanks!

EDIT:
Some logs may be useful, here’s an envoy access log when using the host network:
[2020-07-27T17:45:07.538Z] "- - -" 0 - "-" 552 4377 12 - "-" "-" "-" "-" "66.102.1.113:443" PassthroughCluster 10.36.70.86:59528 66.102.1.113:443 10.36.70.86:59526 google.com "-"

And this is from making the same request when using the bridge network, which times out:
[2020-07-27T17:44:52.875Z] "- - -" 0 UF,URX "-" 0 0 9999 - "-" "-" "-" "-" "64.233.166.138:443" InboundPassthroughClusterIpv4 - 64.233.166.138:443 172.17.0.2:56488 - "-"

2 Likes