We are using Istio inside a KOPS cluster running in AWS. Our k8s services would like to talk to AWS services. The Istio (v1.2.2) install is using
`--set global.outboundTrafficPolicy.mode=REGISTRY_ONLY` since that seems like the most secure option. Below I have crafted some ServiceEntries and it would be helpful to get some feedback on the configuration.
First up is the metadata server. The service is accessed via IP address (so no host name) and it’s on port 80. This is what I have that seems to work:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: metadata
spec:
  hosts:
  - "metadata.amazon.internal"   # placeholder name; Istio validation requires at least one host
  addresses:
  - 169.254.169.254              # the destination IP the sidecar actually matches on
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: STATIC             # STATIC: use the endpoints listed below, no DNS lookup
  location: MESH_EXTERNAL
  endpoints:
  - address: 169.254.169.254
```
A few points on the above:
- `resolution: STATIC` is used due to the hardcoded IP address.
- `"metadata.amazon.internal"` is 100% fake and hopefully doesn’t matter. Required though due to Istio validation.
- `endpoints:` is used due to `STATIC` resolution, I think?
OK, next up, wildcard for AWS services:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: amazonaws
spec:
  hosts:
  - '*.amazonaws.com'
  ports:
  - number: 443
    name: https
    protocol: TLS                # TLS: sidecar matches on SNI, does not terminate
  location: MESH_EXTERNAL
  # resolution is omitted here; the field defaults to NONE (passthrough to the
  # original destination IP)
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: amazonaws
spec:
  hosts:
  - '*.amazonaws.com'
  tls:
  - match:
    - port: 443
      sniHosts:                  # documented camelCase form; sni_hosts is also accepted
      - '*.amazonaws.com'
    route:
    - destination:
        host: '*.amazonaws.com'
        port:
          number: 443
```
For the above, I pretty much followed this. Open questions I have on this:
- A lot of `ServiceEntry` examples are missing `resolution` even though it’s documented as required. What is used when it isn’t specified?
- Why does the `ServiceEntry` appear to work even after deleting the
Lastly, not entirely sure if my team wants to allow wildcard to all AWS services. If we don’t do wildcard, my assumption is that this is all I need for each service (no
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: dynamodb
spec:
  hosts:
  - dynamodb.us-east-1.amazonaws.com
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS                # DNS: sidecar resolves the host name itself
  location: MESH_EXTERNAL
```
Sorry for the wall of text, my biggest concern is just to get some feedback on this configuration and make sure I’m heading down the right path. Cheers and thanks!
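The following is an added example, not code from the original post or from the Istio project. It encodes the `ServiceEntry` semantics the post's questions turn on (an omitted `resolution` is the proto3 zero value `NONE`, `STATIC` requires `endpoints`, `NONE` rejects them, `DNS` rejects wildcard hosts when no endpoints are given, and an omitted `location` is `MESH_EXTERNAL`) as an offline lint, and runs it over the three entries from the post transcribed into Python dicts. The check codes, the `lint_service_entry`/`lint_all` function names and the two deliberately broken entries at the end are this example's own constructions.

```python
"""Offline sanity checks for Istio ServiceEntry specs used under
global.outboundTrafficPolicy.mode=REGISTRY_ONLY (added example, not Istio code).
Entries are plain dict transcriptions of the v1alpha3 YAML."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (check code, human-readable message); codes are this example's own

# proto3 enums: an omitted field takes the first (zero) enum member.
DEFAULT_RESOLUTION = "NONE"         # NONE -> passthrough to the original destination IP
DEFAULT_LOCATION = "MESH_EXTERNAL"  # MESH_EXTERNAL -> destination is outside the mesh, no mTLS


def effective_resolution(spec: Dict) -> str:
    return spec.get("resolution", DEFAULT_RESOLUTION)


def effective_location(spec: Dict) -> str:
    return spec.get("location", DEFAULT_LOCATION)


def lint_service_entry(se: Dict) -> List[Finding]:
    name = se.get("metadata", {}).get("name", "<unnamed>")
    spec = se.get("spec", {})
    hosts = spec.get("hosts", [])
    endpoints = spec.get("endpoints", [])
    res = effective_resolution(spec)
    out: List[Finding] = []

    if "resolution" not in spec:
        out.append(("RESOLUTION_DEFAULTS_TO_NONE",
                    f"{name}: resolution omitted, so it is NONE (passthrough to original dst IP)"))
    if res == "STATIC" and not endpoints:
        out.append(("STATIC_WITHOUT_ENDPOINTS",
                    f"{name}: STATIC resolution requires endpoints; Istio validation rejects this"))
    if res == "NONE" and endpoints:
        out.append(("ENDPOINTS_WITH_NONE",
                    f"{name}: endpoints must not be given with NONE resolution"))
    for h in hosts:
        if h.startswith("*"):
            if res == "DNS" and not endpoints:
                out.append(("WILDCARD_WITH_DNS",
                            f"{name}: wildcard host {h} is not allowed with DNS resolution"))
            out.append(("WILDCARD_HOST",
                        f"{name}: {h} admits every matching SNI; prefer one entry per service"))
    for p in spec.get("ports", []):
        if str(p.get("protocol", "")).upper() == "HTTP":
            out.append(("PLAINTEXT_PORT",
                        f"{name}: port {p.get('number')} is plaintext HTTP egress; confirm intended"))
    return out


def finding_codes(findings: List[Finding]) -> List[str]:
    return [code for code, _ in findings]


def lint_all(entries: List[Dict]) -> Dict[str, List[str]]:
    return {e["metadata"]["name"]: finding_codes(lint_service_entry(e)) for e in entries}


# The three ServiceEntries from the post, transcribed from YAML to dicts.
METADATA_SE = {"metadata": {"name": "metadata"}, "spec": {
    "hosts": ["metadata.amazon.internal"], "addresses": ["169.254.169.254"],
    "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}],
    "resolution": "STATIC", "location": "MESH_EXTERNAL",
    "endpoints": [{"address": "169.254.169.254"}]}}
AMAZONAWS_SE = {"metadata": {"name": "amazonaws"}, "spec": {
    "hosts": ["*.amazonaws.com"],
    "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
    "location": "MESH_EXTERNAL"}}
DYNAMODB_SE = {"metadata": {"name": "dynamodb"}, "spec": {
    "hosts": ["dynamodb.us-east-1.amazonaws.com"],
    "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
    "resolution": "DNS", "location": "MESH_EXTERNAL"}}
POST_ENTRIES = [METADATA_SE, AMAZONAWS_SE, DYNAMODB_SE]

# Two constructed, deliberately invalid entries to show the validation-level checks.
BAD_STATIC_SE = {"metadata": {"name": "bad-static"}, "spec": {
    "hosts": ["static.example.invalid"], "addresses": ["10.0.0.9"],
    "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}], "resolution": "STATIC"}}
BAD_DNS_WILDCARD_SE = {"metadata": {"name": "bad-dns-wildcard"}, "spec": {
    "hosts": ["*.example.invalid"],
    "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}], "resolution": "DNS"}}

if __name__ == "__main__":
    for entry in POST_ENTRIES + [BAD_STATIC_SE, BAD_DNS_WILDCARD_SE]:
        for code, msg in lint_service_entry(entry):
            print(f"[{code}] {msg}")
```

Running it prints one line per finding: the metadata entry only gets the plaintext-HTTP note, the wildcard entry gets the omitted-resolution and wildcard notes, the per-service DynamoDB entry gets nothing, and the two constructed entries show the conditions Istio's validation itself would reject.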