I was under the impression that outbound requests from a workload would be captured by the sidecar proxy by default, even if the outbound traffic policy is ALLOW_ANY, and that those requests would be visible in telemetry gathered from the proxy, e.g. istio_requests_total. That doesn’t seem to be the case though, and from further digging around in the docs, it seems I may need a custom Sidecar resource to apply a non-default configuration for those workloads.
For context, I do have ServiceEntry resources defined for all of the external services the workload in question consumes; I just don’t have the global outbound traffic policy set to REGISTRY_ONLY. I was hoping I could still observe metrics without needing to change that policy, but if that’s not supported, it’s not a huge deal. I’m just hoping to get a summary of the minimum viable configuration needed to accomplish my aim here.
So my assumption is that I need to create a Sidecar resource in the workload’s namespace, and in there define the egress on port 443 for the HTTPS hosts that are requested from the workload, something like this:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: test
spec:
  workloadSelector:
    labels:
      app: myapp
  egress:
  - port:
      number: 443
      protocol: HTTP
      name: http
    hosts:
    - "./api.example.com"
    - "./api.someservice.com"
```
The assumption here is that I have ServiceEntries defined for the two hosts there. Is that correct? Do I even need to define anything but hosts for the egress? I’m also assuming this configuration only overrides things that are explicitly defined, but otherwise uses the global sidecar config.
Hope someone can point me in the right direction, thanks!