OpenShift Istio ServiceEntry

Hello,

My context config is:

  • OpenShift 3.11.88
  • Istio 1.1.15 (istio.io)
  • global.outboundTrafficPolicy.mode=ALLOW_ANY

I am trying to create and test a ServiceEntry. I used the example on istio.io:

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
EOF

When I try the curl command from a sleep pod in the same namespace (Istio-injected) as the ServiceEntry:

kubectl exec -it $SOURCE_POD -c sleep -- curl http://httpbin.org/headers

I get no response; it seems that the ServiceEntry is not reachable.

When I try the same config on Kubernetes (not OpenShift), everything works like a charm.

Thinking about the OpenShift routes/router, is there any requirement to make this external call work?

Do you have any ideas, please?

Thank you in advance.
Cheers.

So, I just tried on OpenShift 4.2 and Istio 1.4 beta1 and it works out of the box. The ServiceEntry is not even necessary because the global policy is set to ALLOW_ANY.

Make sure there’s no NetworkPolicy blocking your external calls.

That said, I’d recommend using Maistra on OpenShift. It is an Istio distribution that works out of the box on OpenShift: https://maistra.io.

I found that the NetworkPolicy is what is blocking access to the external service.

Thank you very much.

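To check for the NetworkPolicy cause this thread ends on, the sketch below evaluates Kubernetes NetworkPolicy egress rules for one pod and one external destination; it is an added example, not code from the original posts. The policy names, the `app: sleep` label and the sample objects are constructed, only `matchLabels` selectors and numeric ports are evaluated, and all policies are assumed to come from the pod's own namespace.

```python
import ipaddress

def selects(selector, labels):
    # Only matchLabels is evaluated here; an empty selector selects every pod.
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def policy_types(spec):
    # Kubernetes default: Ingress always, Egress only when an egress section exists.
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def rule_allows(rule, ip, port, proto):
    ports = rule.get("ports") or []          # empty list means every port
    if ports and not any(p.get("port") in (None, port) and
                         p.get("protocol", "TCP") == proto for p in ports):
        return False
    peers = rule.get("to") or []             # empty list means every destination
    for block in (peer.get("ipBlock") for peer in peers):
        # Pod and namespace selectors never match an address outside the cluster.
        if block and ip in ipaddress.ip_network(block["cidr"]) and not any(
                ip in ipaddress.ip_network(e) for e in block.get("except", [])):
            return True
    return not peers

def egress_verdict(policies, pod_labels, dest_ip, port, proto="TCP"):
    """Return (allowed, names of policies that isolate the pod for egress)."""
    ip = ipaddress.ip_address(dest_ip)
    isolating = [p for p in policies
                 if "Egress" in policy_types(p["spec"])
                 and selects(p["spec"].get("podSelector"), pod_labels)]
    names = [p["metadata"]["name"] for p in isolating]
    # A pod that no policy isolates for egress may send anywhere.
    allowed = not isolating or any(rule_allows(r, ip, port, proto)
                                   for p in isolating for r in p["spec"].get("egress") or [])
    return allowed, names

# Constructed sample: the "items" of `kubectl get networkpolicy -o json` in one namespace.
BLOCKING = [
    {"metadata": {"name": "default-deny-egress"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "allow-dns"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]}},
]
FIXED = BLOCKING + [
    {"metadata": {"name": "allow-http-out"},
     "spec": {"podSelector": {"matchLabels": {"app": "sleep"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]}},
]
```

For example, `egress_verdict(BLOCKING, {"app": "sleep"}, "203.0.113.10", 80)` (a documentation-range address standing in for the external host) reports the pod as blocked, while the same call with `FIXED` reports it as allowed.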