Hi,
I am trying to understand the exportTo feature of VirtualService (DestinationRule, and ServiceEntry) in relation to Sidecar egress traffic filtering.
Scenario:
- namespace1 has sleep1 and httpbin1 services and respective VirtualService sleep1-vs and httpbin1-vs
- namespace2 has sleep2 and httpbin2 services.
- default namespace has sleepd and httpbind services.
My questions are:
- What really happens when I create a Sidecar resource for namespace2 with egress hosts as:

    egress:
    - hosts:
      - ./*
      - namespace1/httpbin1.namespace1.svc.cluster.local
      - default/httpbind.default.svc.cluster.local

Based on the docs, I understand that the proxy-config adds outbound traffic, so when I do:

    istioctl proxy-config clusters sleep-749ddf8bc5-5s749 -n namespace2

I can see those entries added as EDS entries to the Envoy proxy.
Also, I was able to curl from namespace2 for namespace1:httpbin service successfully.

    curl httpbin.namespace1.svc.cluster.local:8000/headers -i

- And now, when I remove namespace1/httpbin1.namespace1.svc.cluster.local from the Sidecar's egress entry

    egress:
    - hosts:
      - ./*
      ## removed namespace1/httpbin1.namespace1.svc.cluster.local
      - default/httpbind.default.svc.cluster.local

and updated the VirtualService sleep1-vs with the exportTo option to indicate all namespaces with "*"

    spec:
      exportTo:
      - '*'
      gateways:
      - httpbin-gateway

I was expecting to be able to curl from namespace2 for namespace1:httpbin service, but was not successful.
Any thoughts?
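
Added example (not part of the original post, and not Istio's own code): a simplified Python model of how Sidecar `egress.hosts` entries in `namespace/dnsName` form select services for a proxy in namespace2, run against the two host lists from the post. The `Service` tuple, the function names, the service FQDNs and the default service-level `exportTo` of `*` are assumptions for illustration; the model covers Service selection only and takes no VirtualService input.

```python
from typing import NamedTuple

class Service(NamedTuple):
    namespace: str
    host: str                    # service FQDN
    exported_to: tuple = ("*",)  # service-level exportTo; "*" means every namespace

def ns_matches(pattern, svc_ns, sidecar_ns):
    # "*" = any namespace, "." = the Sidecar's own namespace, "~" = none
    if pattern == "*":
        return True
    if pattern == ".":
        return svc_ns == sidecar_ns
    return pattern != "~" and pattern == svc_ns

def dns_matches(pattern, host):
    # "*" = every service; "*.suffix" = wildcard in the left-most label
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def exported(svc, sidecar_ns):
    # A service must be exported to the Sidecar's namespace before it can be selected
    return any(t == "*" or t == sidecar_ns or (t == "." and svc.namespace == sidecar_ns)
               for t in svc.exported_to)

def imported_hosts(egress_hosts, services, sidecar_ns):
    """Hosts a proxy in sidecar_ns would receive outbound config for."""
    selected = set()
    for svc in services:
        if not exported(svc, sidecar_ns):
            continue
        for entry in egress_hosts:
            ns, _, dns = entry.partition("/")
            if ns_matches(ns, svc.namespace, sidecar_ns) and dns_matches(dns, svc.host):
                selected.add(svc.host)
    return sorted(selected)

# Constructed inventory built from the scenario's service names (assumed FQDNs)
SERVICES = [Service(ns, f"{name}.{ns}.svc.cluster.local")
            for ns, name in [("namespace1", "sleep1"), ("namespace1", "httpbin1"),
                             ("namespace2", "sleep2"), ("namespace2", "httpbin2"),
                             ("default", "sleepd"), ("default", "httpbind")]]
FIRST = ["./*", "namespace1/httpbin1.namespace1.svc.cluster.local",
         "default/httpbind.default.svc.cluster.local"]
SECOND = ["./*", "default/httpbind.default.svc.cluster.local"]

if __name__ == "__main__":
    print(imported_hosts(FIRST, SERVICES, "namespace2"))
    print(imported_hosts(SECOND, SERVICES, "namespace2"))
```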