In my Istio installation, the outboundTrafficPolicy is set to ALLOW_ANY at mesh level. My goal is to control egress traffic only for specific namespaces without using egress gateways. So setting the Sidecar CRD in a few namespaces with outboundTrafficPolicy set to REGISTRY_ONLY blocks all external calls. Now when I add a ServiceEntry, for example to access google.com, the Sidecar still won't permit the external call.
Am I missing something?
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: testegress
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "test1/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
spec:
  hosts:
  - google.com
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
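An added configuration example, not part of the question above, illustrating how a Sidecar's egress.hosts list scopes what the proxy is allowed to see. In Istio the list entries have the form namespace/host: a Sidecar whose only entry is "test1/*" imports services and ServiceEntries from namespace test1 alone, so a ServiceEntry created in any other namespace is not visible to that proxy, regardless of REGISTRY_ONLY. The pair below assumes the ServiceEntry is placed in the testegress namespace (the question's ServiceEntry has no namespace field, so this is an assumption), keeps the egress list as tight as possible by adding "./*" (the Sidecar's own namespace) alongside "test1/*", and uses exportTo: ["."] so the external host is not exported to the rest of the mesh.

```yaml
# Added example (not the original poster's manifests).
# Sidecar: REGISTRY_ONLY, importing only the local namespace and test1.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: testegress
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "./*"       # import hosts defined in this namespace (incl. the ServiceEntry below)
    - "test1/*"   # keep the existing import of namespace test1
---
# ServiceEntry in the same namespace as the Sidecar (assumed: testegress),
# exported only to its own namespace so other workloads do not inherit it.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: testegress
spec:
  hosts:
  - google.com
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
  exportTo:
  - "."
```

With this layout every other namespace still inherits the mesh-wide ALLOW_ANY policy, while workloads in testegress can reach only in-mesh services from test1 and their own namespace plus the explicitly declared external host on port 443.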