In my Istio installation, the outboundTrafficPolicy is set to ALLOW_ANY at mesh level. My goal is to control egress traffic only for specific namespaces without using egress gateways. So setting the Sidecar CRD in a few namespaces with outboundTrafficPolicy set to REGISTRY_ONLY blocks all external calls. Now when I add a ServiceEntry, for example to access google.com, the Sidecar still won't permit the external call.
Am I missing something?
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: testegress
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "test1/*"
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
spec:
  hosts:
  - google.com
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
```
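An added example, not part of the original post: Sidecar `egress.hosts` entries are written as `namespace/dnsName`, and a ServiceEntry is only imported into the sidecar's registry when its own namespace matches one of them. Assuming the ServiceEntry is created in `testegress` (the post gives no namespace for it), adding `./*` makes it visible while REGISTRY_ONLY keeps blocking every other external host.

```yaml
# Sidecar for the restricted namespace: unchanged except for the extra
# "./*" entry, which imports services and ServiceEntries defined in the
# Sidecar's own namespace (testegress).
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: testegress
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY        # anything not in the registry is still blocked
  egress:
  - hosts:
    - "./*"                    # same namespace as this Sidecar
    - "test1/*"                # entry from the original post, kept as-is
---
# ServiceEntry from the post, with an explicit namespace (assumption) so it
# falls under the "./*" import above instead of whichever namespace the
# apply command happened to default to.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: testegress        # assumption: not stated in the post
spec:
  hosts:
  - google.com
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
```

Running `istioctl proxy-config cluster <pod> -n testegress` against a workload in the namespace shows whether the `google.com` cluster on port 443 was actually imported.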