Hi,
ISTIO-CNI updates the IPTABLES (to route all outbound traffic through istio-proxy port 15001) along with pod network setup. We have initcontainers that make outbound calls, So initContainers outbound traffic are routed to port 15001 and get dropped.
If the outbound traffic is destined to particular set of CIDRs, we can workaround by excluding through annotation "traffic.sidecar.istio.io/excludeOutboundIPRanges: ". else initcontainer fails and blocking the pod to be up.
@tiswanso is this a known issue? Any workarounds/fixes planned?
I am not clear on the request. Is the request to have traffic for the init container to not be redirected until the app pod is up? If so there is a issue open already tracking that request. It would be considered a new feature.
If the problem is that the traffic is still blocked to even after adding the include or exclude annotations then that would be an issue we need to understand better. There is a PR in flight 14171 trying to fix an issue when the CIDRs are set via Helm values
Yes, this is essentially by design. The excludeOutboundIPRanges is a work-around; NOTE: in CNI we need to implement the excludeOutboundPorts annotation support that was just added.
The work-in-progress to address this is having envoy started by the CNI so that by the time any initContainers are started by k8s, the proxy is setup and ready. See https://github.com/istio/cni/pull/102
BTW the CNI issue that was raised is: https://github.com/istio/cni/issues/77 but I just closed it and it should be reopened on the Istio repo if there is still a strong need.
Thanks a lot @tiswanso @john-a-joyce for your response…
We are fine with using the annotation workaround as long it is recommended and the only option.
https://github.com/istio/cni/pull/102 has been closed as some different approach is being used. Can any one let us know the different approach that has been tried for this issue?
Has there been any update to this issue? I’ve just raised another one on Github in relation to Istio dropping traffic from initContainers when using the CNI plugin - here.
Given how common initContainers are, I’m surprised there isn’t more discussion of this, if it is true that Istio breaks network connectivity for them.