I want to see how an Istio sidecar may restrict a pod's connections (I am learning Istio through its references), so I am working with the bookinfo example. After installing the example (having Docker Desktop), I wrote a simple Sidecar resource that restricts the connections of the details services as follows:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: bookinfo-ratings-sidecar
spec:
  workloadSelector:
    labels:
      app: ratings
  egress:
  - hosts:
    - "./details.default.svc.cluster.local"
    - "./reviews.default.svc.cluster.local"
```

When I run the following command

```
istioctl proxy-config clusters ratings-v1-5f9699cfdf-hb2gd
```

I really see that it includes only details.default.svc.cluster.local and reviews.default.svc.cluster.local (from the bookinfo services), but if I run

```
kubectl exec ratings-v1-5f9699cfdf-hb2gd -- curl -sS productpage:9080
```

I get an HTML result, i.e. it doesn't refuse the connection with productpage, as if the sidecar doesn't exist. What am I missing? (P.S. this thread, "The result of sidecar injection was not what I expected", didn't help.)
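
An added example, not part of the original post: the same Sidecar with `outboundTrafficPolicy` set to `REGISTRY_ONLY`, so the ratings proxy stops forwarding traffic to hosts outside its egress list. It assumes the mesh is running with the default `ALLOW_ANY` outbound policy, under which the proxy passes requests for unlisted destinations such as productpage straight through even though they are absent from `istioctl proxy-config clusters`.

```yaml
# Added example: the Sidecar from the post plus an explicit outbound policy.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: bookinfo-ratings-sidecar
spec:
  workloadSelector:
    labels:
      app: ratings
  # Assumption: the mesh-wide default is ALLOW_ANY. With that default the
  # egress list only trims the configuration pushed to this proxy; traffic
  # to any other host is still passed through.
  # REGISTRY_ONLY makes the proxy reject outbound traffic to hosts that are
  # not in the list below.
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "./details.default.svc.cluster.local"
    - "./reviews.default.svc.cluster.local"
```

This restriction is applied by the ratings pod's own proxy, so it only holds while the pod's traffic goes through that proxy. Where productpage must refuse ratings regardless of the client side, an `AuthorizationPolicy` on the productpage workload is the server-side control.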