I am trying to understand how the sidecar traffic interception model works with istio-init creating a bunch of iptables rules.
- Istio 1.9.2 on AWS EKS installed using istioctl install --verify
- I am SSH’ed directly on a worker node as root, and running iptables commands in the namespace of specific containers.
- My default namespace is labeled istio-injection=enabled
What I understand: When listing the iptables rules applied to my container, I correctly see the iptables rules:
$ docker ps | grep my-test-pod ... $ docker top 69da64cc59cf UID PID PPID C STIME TTY TIME CMD root 15107 15077 0 16:37 pts/0 00:00:00 /bin/sh $ sudo nsenter -n --target 15107 iptables -t nat -S -P PREROUTING ACCEPT -P INPUT ACCEPT ... -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
Which specifically shows that all the outgoing container traffic is routed to the Envoy proxy running in istio-proxy sidecar and listening on port 15001.
Question: The two containers (my-test-container and istio-proxy) share the same network namespace. Consequently, the istio-proxy container also has an iptables rule redirecting all outbound traffic… to itself on port 15001. Then, how come traffic ever manages to go out? Is there some kind of iptables magic happening that I am missing?