[Question] Istio requirements - pod must belong to at least one service



I have a question about Istio requirements:

A pod must belong to at least one Kubernetes service even if the pod does NOT expose any port.

Why is this a requirement?
What if I have a workload that consumes events from a queue and makes requests to a service in the mesh? My workload wouldn’t expose any containerPorts, but I want it to be part of the mesh in order to benefit from traffic routing and monitoring for the outbound traffic.



I have tested this use-case and I found that the requirement is not really enforced. From what I could tell, in this situation the proxy container does not set up any inbound listener but sets up the outbound listeners just fine. (This is on Istio 1.1.0)



@gotwarlost Thank you for your answer. I did it too and it worked. I was more interested in the reasoning behind this requirement - if this could lead to future issues.



There are a few features that currently require Services. The ones I know of are Sidecar and EnvoyFilter workloadSelector, and Locality LB. For the first two, we have a change out to remove that requirement, so that will no longer be the case soon.

There may be other features that depend on it that I am not aware of, though.

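To find which workloads the Service requirement discussed in this thread applies to, the following added example (not part of the original thread and not Istio's own code) lists pods that no Kubernetes Service selects. The sample pods and services are constructed, and all names in them are hypothetical.

```python
"""Added example: list pods that no Kubernetes Service selects."""

# Constructed sample objects, trimmed to the fields the check needs
# (same shape as the items from `kubectl get pods,svc -A -o json`).
PODS = [
    {"metadata": {"name": "api-7d9f", "namespace": "shop",
                  "labels": {"app": "api", "version": "v1"}}},
    {"metadata": {"name": "queue-consumer-5c2b", "namespace": "shop",
                  "labels": {"app": "queue-consumer"}}},
    {"metadata": {"name": "api-1a2b", "namespace": "batch",
                  "labels": {"app": "api"}}},
]
SERVICES = [
    {"metadata": {"name": "api", "namespace": "shop"},
     "spec": {"selector": {"app": "api"}}},
    # Service without a selector: endpoints are managed by hand, selects no pod.
    {"metadata": {"name": "external-db", "namespace": "shop"}, "spec": {}},
]


def selects(service, pod):
    """True if the Service's equality-based selector matches the pod."""
    if service["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        return False  # Services only select pods in their own namespace
    selector = service.get("spec", {}).get("selector") or {}
    if not selector:
        return False  # empty or missing selector matches no pod
    labels = pod["metadata"].get("labels") or {}
    return all(labels.get(k) == v for k, v in selector.items())


def pods_without_service(pods, services):
    """Return (namespace, name) of every pod that no Service selects."""
    return [(p["metadata"]["namespace"], p["metadata"]["name"])
            for p in pods
            if not any(selects(s, p) for s in services)]


if __name__ == "__main__":
    for ns, name in pods_without_service(PODS, SERVICES):
        print(f"{ns}/{name}: not selected by any Service")
```

The `batch/api-1a2b` pod is reported even though its labels match the `api` Service, because that Service lives in a different namespace.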