I am new to Istio and I was trying to configure the cluster so that all outbound external requests are blocked. To do that, I added the configuration below to the Istio Operator:
```yaml
meshConfig:
  accessLogFile: /dev/stdout
  defaultConfig:
    proxyMetadata: {}
  enablePrometheusMerge: true
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
```
and restarted the pods. However, the application pods are still able to make calls external to the cluster.
This is what the listeners look like. I did not find BlackholeCluster here. May I request some help in debugging and fixing this issue?
```
ADDRESS        PORT  MATCH                                      DESTINATION
10.100.0.10    53    ALL                                        Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local
0.0.0.0        80    App: HTTP                                  Route: 80
0.0.0.0        80    ALL                                        PassthroughCluster
10.100.0.1     443   ALL                                        Cluster: outbound|443||kubernetes.default.svc.cluster.local
10.100.151.0   443   ALL                                        Cluster: outbound|443||istio-egressgateway.istio-system.svc.cluster.local
10.100.221.124 443   ALL                                        Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
10.100.38.175  443   ALL                                        Cluster: outbound|443||istiod.istio-system.svc.cluster.local
10.100.38.175  853   App: HTTP                                  Route: istiod.istio-system.svc.cluster.local:853
10.100.38.175  853   ALL                                        Cluster: outbound|853||istiod.istio-system.svc.cluster.local
0.0.0.0        3000  App: HTTP                                  Route: 3000
0.0.0.0        3000  ALL                                        PassthroughCluster
0.0.0.0        5984  App: HTTP                                  Route: 5984
0.0.0.0        5984  ALL                                        Cluster: outbound|5984||temp-storage-couchdb.sbn-temp-storage.svc.cluster.local
10.100.11.103  5984  App: HTTP                                  Route: temp-storage-svc-couchdb.sbn-temp-storage.svc.cluster.local:5984
10.100.11.103  5984  ALL                                        Cluster: outbound|5984||temp-storage-svc-couchdb.sbn-temp-storage.svc.cluster.local
0.0.0.0        8080  App: HTTP                                  Route: 8080
0.0.0.0        8080  ALL                                        PassthroughCluster
0.0.0.0        9090  App: HTTP                                  Route: 9090
0.0.0.0        9090  ALL                                        PassthroughCluster
0.0.0.0        9411  App: HTTP                                  Route: 9411
0.0.0.0        9411  ALL                                        PassthroughCluster
0.0.0.0        14250 App: HTTP                                  Route: 14250
0.0.0.0        14250 ALL                                        Cluster: outbound|14250||jaeger-collector-headless.istio-system.svc.cluster.local
10.100.246.206 14250 App: HTTP                                  Route: jaeger-collector.istio-system.svc.cluster.local:14250
10.100.246.206 14250 ALL                                        Cluster: outbound|14250||jaeger-collector.istio-system.svc.cluster.local
10.100.246.206 14267 App: HTTP                                  Route: jaeger-collector.istio-system.svc.cluster.local:14267
10.100.246.206 14267 ALL                                        Cluster: outbound|14267||jaeger-collector.istio-system.svc.cluster.local
10.100.246.206 14268 App: HTTP                                  Route: jaeger-collector.istio-system.svc.cluster.local:14268
10.100.246.206 14268 ALL                                        Cluster: outbound|14268||jaeger-collector.istio-system.svc.cluster.local
0.0.0.0        15001 ALL                                        PassthroughCluster
0.0.0.0        15006 Trans: tls; App: HTTP TLS; Addr: 0.0.0.0/0 Inline Route: /*
0.0.0.0        15006 App: HTTP; Addr: 0.0.0.0/0                 Inline Route: /*
0.0.0.0        15006 App: Istio HTTP Plain                      Inline Route: /*
0.0.0.0        15006 ALL                                        Inline Route: /*
0.0.0.0        15006 Trans: tls; App: TCP TLS; Addr: 0.0.0.0/0  InboundPassthroughClusterIpv4
0.0.0.0        15006 Addr: 0.0.0.0/0                            InboundPassthroughClusterIpv4
0.0.0.0        15010 App: HTTP                                  Route: 15010
0.0.0.0        15010 ALL                                        PassthroughCluster
10.100.38.175  15012 ALL                                        Cluster: outbound|15012||istiod.istio-system.svc.cluster.local
0.0.0.0        15014 App: HTTP                                  Route: 15014
0.0.0.0        15014 ALL                                        PassthroughCluster
0.0.0.0        15021 ALL                                        Inline Route: /healthz/ready*
10.100.221.124 15021 App: HTTP                                  Route: istio-ingressgateway.istio-system.svc.cluster.local:15021
10.100.221.124 15021 ALL                                        Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local
0.0.0.0        15090 ALL                                        Inline Route: /stats/prometheus*
10.100.151.0   15443 ALL                                        Cluster: outbound|15443||istio-egressgateway.istio-system.svc.cluster.local
10.100.221.124 15443 ALL                                        Cluster: outbound|15443||istio-ingressgateway.istio-system.svc.cluster.local
10.100.71.202  16686 App: HTTP                                  Route: jaeger-query.istio-system.svc.cluster.local:16686
10.100.71.202  16686 ALL                                        Cluster: outbound|16686||jaeger-query.istio-system.svc.cluster.local
0.0.0.0        20001 App: HTTP                                  Route: 20001
0.0.0.0        20001 ALL                                        PassthroughCluster
10.100.221.124 31400 ALL                                        Cluster: outbound|31400||istio-ingressgateway.istio-system.svc.cluster.local
```
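
A check for the listener output above, added here as an example and not part of the original post: it reads `istioctl proxy-config listeners` text on stdin and reports which fallback cluster the port 15001 catch-all listener uses, which is what the sidecar actually enforces regardless of what the operator spec says. The function names and both sample inputs are constructed for illustration; the `BlackHoleCluster` row is an assumed rendering of a sidecar that did pick up `REGISTRY_ONLY`.

```shell
#!/bin/sh
# Added example (not from the original post): classify a sidecar's effective
# outbound policy from `istioctl proxy-config listeners <pod>` text on stdin.

# Prints ALLOW_ANY, REGISTRY_ONLY or UNKNOWN, based on where the catch-all
# outbound listener (port 15001) sends traffic that matches no known service.
effective_outbound_policy() {
  awk '
    $2 == "15001" && tolower($NF) == "passthroughcluster" { policy = "ALLOW_ANY" }
    $2 == "15001" && tolower($NF) == "blackholecluster"   { policy = "REGISTRY_ONLY" }
    END { print (policy == "" ? "UNKNOWN" : policy) }
  '
}

# Prints, space separated and sorted, every port whose fallthrough match still
# forwards unknown destinations (PassthroughCluster). Empty when none do.
passthrough_ports() {
  awk 'tolower($NF) == "passthroughcluster" { print $2 }' | sort -n -u | paste -sd' ' -
}

# Constructed sample: a few rows in the same shape as the listing in the post.
SAMPLE_ALLOW_ANY='ADDRESS PORT MATCH DESTINATION
0.0.0.0 80 App: HTTP Route: 80
0.0.0.0 80 ALL PassthroughCluster
10.100.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
0.0.0.0 15001 ALL PassthroughCluster
0.0.0.0 15006 Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4'

# Constructed sample (assumption): the same sidecar once REGISTRY_ONLY applies.
SAMPLE_REGISTRY_ONLY='ADDRESS PORT MATCH DESTINATION
0.0.0.0 80 App: HTTP Route: 80
0.0.0.0 80 ALL BlackHoleCluster
10.100.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
0.0.0.0 15001 ALL BlackHoleCluster
0.0.0.0 15006 Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4'

for name in SAMPLE_ALLOW_ANY SAMPLE_REGISTRY_ONLY; do
  eval "data=\$$name"
  printf '%s: policy=%s passthrough_ports=[%s]\n' "$name" \
    "$(printf '%s\n' "$data" | effective_outbound_policy)" \
    "$(printf '%s\n' "$data" | passthrough_ports)"
done
```

An `ALLOW_ANY` result after the operator change means the running mesh configuration or the sidecar never received the new `outboundTrafficPolicy`, so the next place to look is the mesh configuration istiod is actually serving rather than the listener list.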