Istio enabled pods and egress connections

We are using Istio 1.2.0 and K8s 1.14. We have deployed a small utility, WillItConnect, that checks for egress connectivity from a pod to outside services. When the Will-It-Connect pod is enabled with the Istio sidecar, any connectivity check to any outside host/port always comes back true, meaning it reports being able to connect, even if we give a bogus port. For example: if we put google.com and port 8777, the tool would say that you would be able to connect to that host and port, even though that is not true. Once we remove the Istio sidecar, the tool returns the correct result. I checked the tool source code and all it is doing is trying to make a socket connection on the given host/port:

import java.io.IOException;
import java.net.Inet4Address;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;

// Returns true as soon as the TCP handshake to host:port completes;
// no application data is ever sent or received on the socket.
public static boolean checkConnection(String host, int port) {
    logHost(host, port); // the tool's own logging helper
    Socket socket = new Socket();
    try {
        SocketAddress addr = new InetSocketAddress(
                Inet4Address.getByName(host), port);
        socket.connect(addr, 3000); // 3 second connect timeout
        boolean connected = socket.isConnected(); // always true after a successful connect()
        socket.close();
        if (connected) {
            return true;
        }
    } catch (IOException e) {
        // DNS failure, refused connection or timeout all land here
    }
    return false;
}

So, does the Envoy proxy capture the request and return a false status back to the application, or what else could be going on? Any insight into this would be really helpful.

In the default install of Istio, we use iptables to redirect TCP connections to the local Istio Proxy (Envoy). So, your tool will get a positive result because it successfully connects to the local proxy. However, connecting to the local proxy is not an indication that there is a successful connection on the upstream side. If your tool tried to send or receive data over the connection to a bogus host/port it would presumably fail.
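Added illustration of the behaviour described in the answer above (not code from the thread or from WillItConnect): a connect-only check against a stand-in that, like the sidecar's iptables redirect, always completes the TCP handshake locally, beside a check that also requires application data to flow. The mock listener, its port and the probe bytes are constructed for the example.

```python
import socket
import threading


def connect_only(host: str, port: int, timeout: float = 3.0) -> bool:
    """Mirror of the tool's check: success means the TCP handshake completed.
    With the sidecar injected that handshake is answered by the local Envoy,
    so this is true regardless of whether the real destination exists."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_and_exchange(host: str, port: int, probe: bytes, timeout: float = 3.0) -> bool:
    """Stronger check: the destination only counts as reachable if the peer
    returns data after we send a probe. A proxy whose upstream dial failed
    closes or resets the connection instead, so this returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            return len(s.recv(1)) > 0
    except OSError:
        return False


def start_mock_listener(answer: bool) -> int:
    """Constructed stand-in for the sidecar: accepts every TCP connection on a
    loopback port, then either replies (upstream reachable) or closes without
    replying (upstream unreachable). Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.settimeout(3)
                    conn.recv(64)  # consume the probe, if any
                    if answer:
                        conn.sendall(b"ok")
                except OSError:
                    pass  # client went away; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```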

Thanks a lot @spikecurtis, that explains it!!!

@spikecurtis Is there a way we can get more fine-grained control, wherein we get to say what gets forwarded to the local proxy and what does not get forwarded?

The istio-init container is responsible for setting up this forwarding, and it can be configured with a couple of command-line flags, including -o, which takes a list of ports not to forward to the proxy.

You'll have to modify the istio-sidecar-injector ConfigMap to customize the command-line flags passed to the istio-init container.