I was under the impression that outbound requests from a workload would be captured by the sidecar proxy by default, even if the outbound traffic policy is ALLOW_ANY, and that those requests would be visible in telemetry gathered from the proxy, e.g. istio_requests_total. That doesn’t seem to be the case though, and from further digging around in the docs, it seems I may need a custom Sidecar resource to apply a non-default configuration for those workloads.
For context, I do have ServiceEntry resources defined for all of the external services the workload in question consumes, I just don’t have the global outbound traffic policy set to REGISTRY_ONLY. I was hoping I could still observe metrics without needing to change that policy, but if that’s not supported, it’s not a huge deal, I’m just hoping to get a summary of the minimim viable configuration needed to accomplish my aim here.
So my assumption is that I need to create a Sidecar resource in the workload’s namespace, and in there define the egress on port 443 for the HTTPS hosts that are requested from the workload, something like this:
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: test
spec:
workloadSelector:
labels:
app: myapp
egress:
- port:
number: 443
protocol: HTTP
name: http
hosts:
- "./api.example.com"
- "./api.someservice.com"
The assumption here is that I have ServiceEntry's defined for the two hosts there. Is that correct? Do I even need to define anything but hosts for the egreess? I’m also assuming this configuration only overrides things that are explicitly defined, but otherwise uses the global sidecar config.
Hope someone can point me in the right direction, thanks!