Istio enabled pods and egress connections

asadique · June 28, 2019, 11:43pm

We are using Istio 1.2.0 and K8s 1.14 . We have deployed a small utility that checks for egress connectivity from a pod to outside services. WillItConnect. When the Will-It-Connect pod is enabled with Istio side car, any connectivity check to any outside host/port always comes back true, means being able to connect, even if we give a bogus port. For eg: if we put google.com and port 8777 the tool would say that you would be able to connect to that host and port, even though that is not true. Once we remove the Istio side car, then the tool returns the correct result. I checked the tool source code and all it is doing is trying to make a socket connection on the given host/port :

public static boolean checkConnection(String host, int port) {
    logHost(host, port);
    Socket socket = new Socket();
    try {
        SocketAddress addr = new InetSocketAddress(
                Inet4Address.getByName(host), port);
        socket.connect(addr, 3000);
        boolean connected = socket.isConnected();
        socket.close();
        if (connected) {
            return true;
        }
    } catch (IOException e) { }
    return false;
}

So, does the Envoy proxy captures the request and returns a false status back to the application or what else could be going on ? Any insight into this would be really helpful.

spikecurtis · July 1, 2019, 3:58pm

In the default install of Istio, we use iptables to redirect TCP connections to the local Istio Proxy (Envoy). So, your tool will get a positive result because it successfully connects to the local proxy. However, connecting to the local proxy is not an indication that there is a successful connection on the upstream side. If your tool tried to send or receive data over the connection to a bogus host/port it would presumably fail.

asadique · July 1, 2019, 4:05pm

Thanks a lot @spikecurtis, that explains it !!!

asadique · July 1, 2019, 4:10pm

@spikecurtis Is there a way we can get more fine grained control where in we get to stay what gets forwarded to the local proxy and what not gets forwarded.

spikecurtis · July 1, 2019, 5:45pm

The istio-init container is responsible for setting up this forwarding, and it can be configured with a couple command line flags, including -o which takes a list of ports not to forward to the proxy.

github.com

istio/istio/blob/fca218e2ed13963835ad35c0869cdad56bba36c7/tools/packaging/common/istio-iptables.sh

#!/bin/bash
#
# Copyright 2017, 2018 Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
#
# Initialization script responsible for setting up port forwarding for Istio sidecar.

This file has been truncated. show original

You’ll have to modify the istio-sidecar-injector ConfigMap to customize the command line flags passed to the istio-init container.

Topic		Replies	Views
Bypassing envoy when calling localhost inside a pod Networking	1	2332	September 17, 2019
Istio (Envoy-proxy sidecar) is blocking http traffic on port 8088 Networking	20	9515	June 4, 2020
Getting false tcp connection from withing container Networking	6	2217	July 20, 2022
Proxy ingress traffic to a specific pod Networking	0	1211	April 21, 2022
Egress TCP traffic not working on new install Networking	1	619	July 30, 2020

Istio enabled pods and egress connections

Related Topics