I have Istio 1.1.3 with mTLS and service-registry on a kubespray k8s cluster. I want to secure all outgoing traffic, hence I create service entries for each external service that my services want to talk to.
I would like to use the istio-proxy logs to see the blocked communication attempts for all sorts of traffic.
If I curl from within the container to a (blocked) http://google.com, I see 404 NR in the istio-proxy logs. curl also receives a 404, as expected.
If I change the call to use HTTPS and curl (still blocked) https://google.com, I see the following curl error: (35) Unknown SSL protocol error in connection to google.com:443, and nothing shows up in the istio-proxy logs (why nothing?).
How can I see all connection attempts in istio-proxy? I have a pretty convoluted bunch of services that make covert-ops outgoing calls, and I need to figure out what hostnames/IPs/ports they are trying to hit.
Mixer logs only show me the communication to the defined service entries. How do I see the ones that Istio is denying?
Based on your problem statement, have you considered using an egress gateway instead of multiple service entries? I think that approach might be better for what you describe.
To learn more, you can take a look at the blog post from @vadimeisenbergibm on secure control of egress traffic: https://preliminary.istio.io/blog/2019/egress-traffic-control-in-istio-part-1/
Part 2 is still WIP, but it includes links to the related tasks you need to complete. You can take a look either at PR 4232 or the rendered content. @mstrz I hope you find the information useful.
Thank you @rcaballeromx! I have looked at the egress already; I was going to do a 1-2-3 (increasing complexity) approach via:
1. Just get service entries to work. (Works, but I don't see blocked non-HTTP requests, which is painful.)
2. Allow my Java apps to use configured keystores/truststores to make connections, and let Istio treat them as TLS passthrough on the way out through the egress (will I see the blocked TLS calls then?).
3. Purge all keystores from the Java apps and apply mTLS on the egress via TLS origination.
I would be happy, for the time being, with “1” (if it provided logging, but it doesn't).
Will “2” or “3” get me the blocked TLS calls logged?
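The practical question running through this thread (the first post, and points 1 and 2 of the follow-up) is how to get hostnames/IPs/ports out of whatever the sidecar does log. The script below is an added example for this thread, not code from the thread or from Istio. It assumes the sidecar writes Istio's default text access-log format (the 19-field layout ending in %REQUESTED_SERVER_NAME% shown in the Istio 1.1 access-log docs); if the mesh sets a custom accessLogFormat, the field order changes and the FIELDS list must be edited to match. The lines in SAMPLE_LOG, the IPs, hostnames, request IDs and the file name outbound_summary.py are all constructed for the demo. The sample includes a BlackHoleCluster line only to show the shape a logged blocked TCP connection would take; as the original poster observed, their 1.1.3 proxy wrote nothing for the blocked HTTPS case, and no parser can recover an attempt the proxy never logged. What the script does give you is a per-destination summary of every attempt that does appear, with the blocked ones (404 NR, BlackHoleCluster) separated from the ones a ServiceEntry matched, and PassthroughCluster entries called out separately for meshes running with ALLOW_ANY.

```python
"""Summarise outbound connection attempts seen by an istio-proxy sidecar.

Added example for this thread; not Istio's own code. Assumes the sidecar
emits Istio's default text access-log format (19 space-separated fields,
ending with %REQUESTED_SERVER_NAME%). Adjust FIELDS for a custom
accessLogFormat. All sample data below is constructed.
"""
import re
import sys
from collections import Counter

# Field order of Istio's default text access-log format (assumption: the
# mesh has not overridden accessLogFormat).
FIELDS = [
    "start_time", "request", "response_code", "response_flags", "mixer_status",
    "bytes_received", "bytes_sent", "duration", "upstream_service_time",
    "x_forwarded_for", "user_agent", "request_id", "authority",
    "upstream_host", "upstream_cluster", "upstream_local_address",
    "downstream_local_address", "downstream_remote_address",
    "requested_server_name",
]

# A token is a "quoted string" (may contain spaces), a [bracketed timestamp],
# or a bare word.
_TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')


def _unwrap(tok):
    """Strip the surrounding quotes or brackets from a token."""
    return tok[1:-1] if tok[:1] in '"[' else tok


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that are
    not access-log entries (Envoy's own [info]/[warning] messages tokenize to a
    different field count)."""
    tokens = [_unwrap(t) for t in _TOKEN.findall(line)]
    if len(tokens) != len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))


def classify(entry):
    """Verdict for an entry: 'blocked' (no route, or sent to BlackHoleCluster),
    'passthrough' (ALLOW_ANY let it out with no ServiceEntry), 'allowed'
    (routed to a registered outbound cluster), or None for inbound/other."""
    cluster = entry["upstream_cluster"]
    flags = entry["response_flags"].split(",")  # Envoy flags are comma-separated, e.g. UF,URX
    if cluster == "BlackHoleCluster" or "NR" in flags:
        return "blocked"
    if cluster == "PassthroughCluster":
        return "passthrough"
    if cluster.startswith("outbound|"):
        return "allowed"
    return None


def destination(entry):
    """Best available (host, port): the HTTP :authority, else the TLS SNI, else
    the original destination IP that iptables redirected into the sidecar.
    IPv4 addresses are assumed."""
    ip, _, port = entry["downstream_local_address"].rpartition(":")
    if entry["authority"] != "-":
        host = entry["authority"].rsplit(":", 1)[0]
    elif entry["requested_server_name"] != "-":
        host = entry["requested_server_name"]
    else:
        host = ip
    return host, port


def summarize(lines):
    """Count attempts per (host, port, verdict) over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry) if entry else None
        if verdict is None:
            continue
        counts[destination(entry) + (verdict,)] += 1
    return counts


# Constructed sample (not real captures): the 404 NR from the first post, a
# blocked TLS connection as it would look if the proxy logged the
# BlackHoleCluster hit, two calls matched by ServiceEntries, an inbound
# probe, and an Envoy runtime message that must be skipped.
SAMPLE_LOG = """\
[2019-05-10T12:00:01.000Z] "GET / HTTP/1.1" 404 NR "-" 0 0 0 - "-" "curl/7.58.0" "a1b2c3d4-0000-4000-8000-000000000001" "google.com" "-" - - 172.217.16.14:80 10.233.64.12:41234 -
[2019-05-10T12:00:02.000Z] "- - -" 0 UF "-" 0 0 2 - "-" "-" "-" "-" "-" BlackHoleCluster - 172.217.16.14:443 10.233.64.12:51002 google.com
[2019-05-10T12:00:03.000Z] "- - -" 0 - "-" 517 3421 120 - "-" "-" "-" "-" "93.184.216.34:443" outbound|443||api.example.com 10.233.64.12:52310 93.184.216.34:443 10.233.64.12:52308 api.example.com
[2019-05-10T12:00:04.000Z] "POST /v1/push HTTP/1.1" 200 - "-" 812 55 34 33 "-" "Java/1.8.0_202" "b2c3d4e5-0000-4000-8000-000000000002" "metrics.example.net:8080" "198.51.100.7:8080" outbound|8080||metrics.example.net 10.233.64.12:40010 198.51.100.7:8080 10.233.64.12:40008 -
[2019-05-10T12:00:05.000Z] "GET /healthz HTTP/1.1" 200 - "-" 0 2 1 0 "-" "kube-probe/1.14" "-" "10.233.64.12:8080" "127.0.0.1:8080" inbound|8080|http|myapp.default.svc.cluster.local - 10.233.64.12:8080 10.233.64.1:33004 -
[2019-05-10 12:00:06.000][22][info][main] [external/envoy/source/server/server.cc:474] starting main dispatch loop
"""


def main():
    """Read log lines from stdin when piped (e.g. from kubectl logs); with no
    piped input, run over the constructed sample. Blocked destinations first."""
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    counts = summarize(lines)
    for (host, port, verdict), n in sorted(
        counts.items(), key=lambda kv: (kv[0][2] != "blocked", kv[0])
    ):
        print(f"{verdict:12} {host}:{port}  ({n} attempt{'s' if n > 1 else ''})")


if __name__ == "__main__":
    main()
```

Against a live pod it is meant to be used as `kubectl logs <pod> -c istio-proxy | python3 outbound_summary.py` (file name hypothetical). Two caveats a practitioner should keep in mind: the `downstream_local_address` field is the only place the original destination IP survives once the app has connected by IP, so keep it in any custom format you define; and an HTTP 404 with flag NR can also mean a plain in-mesh routing miss, so confirm against the service registry before treating every NR as an egress block.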