What should be the correct behaviour of the Sidecar CRD when we have both egress configurations and outboundTrafficPolicy set to ALLOW_ANY? What I’ve noticed is that the moment you set outboundTrafficPolicy to ALLOW_ANY, the egress restrictions have no effect. All cluster-internal services and any external service get allowed regardless of what hosts you configure in the egress configuration.
Take the example below. If we comment out the outboundTrafficPolicy, the config works as expected. It allows access to the configured cluster services (service1 and service2 in the default namespace), as well as the external service for which we already have a ServiceEntry created. After applying the policy, the sidecar doesn’t allow any other cluster-internal or external host/service to be connected, which is the expected behaviour.
However, if I delete my ServiceEntry and set the outboundTrafficPolicy to ALLOW_ANY, it should then also allow only the hosts configured in the egress config, but it allows access to all cluster services as well as any external service.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: emp-wrkload-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: emp
  ingress:
  - port:
      number: 8080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:8080
  egress:
  - port:
      number: 8080
      protocol: HTTP
      name: http
    hosts:
    - default/service1.default.svc.cluster.local
    - default/service2.default.svc.cluster.local
    - "*/some-external-service.com"   # quoted: an unquoted leading * is a YAML alias and fails to parse
  #outboundTrafficPolicy:
  #  mode: ALLOW_ANY
Are you saying enabling ALLOW_ANY and setting egress config should limit where applications can call? ALLOW_ANY overrides all other outbound policies. I don't understand how else it should work?
Yes, you are right. I misunderstood the outboundTrafficPolicy and istio registry. This is the expected behaviour.
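As an added example that is not part of this thread: the same Sidecar with the policy switched to REGISTRY_ONLY, next to the ServiceEntry the external host then needs. Hostnames, the app label and the 8080 ingress come from the thread; the ServiceEntry name and its port/protocol are assumptions. With REGISTRY_ONLY the proxy blackholes any destination that is not in its registry scope instead of passing it through, so the egress allow-list is actually enforced.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: emp-wrkload-sidecar
  namespace: default
spec:
  workloadSelector:
    labels:
      app: emp
  ingress:
  - port:
      number: 8080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:8080
  egress:
  # No port here, so the allow-list applies to every outbound port
  # (the thread scoped it to 8080/HTTP; narrow it again if that is what you need).
  - hosts:
    - default/service1.default.svc.cluster.local
    - default/service2.default.svc.cluster.local
    - "*/some-external-service.com"   # only in the registry because of the ServiceEntry below
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY   # unknown destinations are blackholed, not passed through
---
# Without this entry the external host is not in the registry and REGISTRY_ONLY blocks it.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: some-external-service   # assumed name
  namespace: default
spec:
  hosts:
  - some-external-service.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80        # assumed port/protocol; set to what the real service listens on
    name: http
    protocol: HTTP
```

Checking with `istioctl proxy-config cluster <emp-pod>` afterwards should show BlackHoleCluster and outbound clusters only for the allow-listed hosts; a request to any other cluster service or external host is then rejected by the proxy rather than reaching its destination.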