Hi everyone
I am trying to understand how ISTIO_OUTPUT works, but I found it very complicated.
See the rules:
rule1 → rule9, evaluated from top to bottom.
See the processes:

```
ps -eo pid,uid,gid,comm
PID UID GID COMMAND
1 1337 1337 pilot-agent
21 1337 1337 envoy
44 1337 1337 bash
54 1337 1337 ps
```
First, rule 5 and rule 6 are useless.

rule5:

```
rule2: ISTIO_IN_REDIRECT all – * lo 0.0.0.0/0 !127.0.0.1 owner UID match 1337
rule3: RETURN all – * lo 0.0.0.0/0 0.0.0.0/0 ! owner UID match 1337
rule5: ISTIO_IN_REDIRECT all – * lo 0.0.0.0/0 !127.0.0.1 owner GID match 1337
```

Because of rule 3, pilot-agent returns,
so this rule matches only envoy → podIP, which equals rule 2.

rule6:

```
rule3: RETURN all – * lo 0.0.0.0/0 0.0.0.0/0 ! owner UID match 1337
rule6: RETURN all – * lo 0.0.0.0/0 0.0.0.0/0 ! owner GID match 1337
```

Because of rule 3, app -> local already returns,
so this rule cannot match anything.
Second, why so many rules?
In summary, we see:

```
envoy:
0. as 127.0.0.6 -> return
1. podIP -> inbound
2. 127.0.0.1 -> return
3. outside -> return
processes in the envoy group other than envoy, i.e. pilot-agent:
1. podIP -> return
2. 127.0.0.1 -> return
3. outside -> return
app process:
1. podIP -> return
2. 127.0.0.1 -> return
3. outside -> outbound
```
In summary:
1. app -> outside, go outbound
2. envoy (not as 127.0.0.6) -> podIP, go inbound
3. others -> return
so can it be simpler?
or is there something I am missing?
thanks, everyone
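To check the rule walk-through above without a live pod, here is a small model of the ISTIO_OUTPUT chain as an added example; it is not code from the post or from Istio. Only rules 2, 3, 5 and 6 are quoted in the post, so rules 1, 4, 7, 8 and 9 are assumed from Istio's standard sidecar rule set (127.0.0.6 RETURN, UID/GID RETURN, 127.0.0.1 RETURN, final ISTIO_REDIRECT); the pod IP, the app UID/GID and the outside address are constructed placeholders. `evaluate()` walks the chain top to bottom for one packet and reports which rule fired, and `unreachable_rules()` enumerates the process/destination combinations from the post (plus a process with UID != 1337 but GID 1337, which goes beyond the post's `ps` listing) to show which rules never fire.

```python
"""Model of the ISTIO_OUTPUT iptables chain, evaluated top to bottom for one packet.

Rules 2, 3, 5 and 6 are taken from the post; rules 1, 4, 7, 8 and 9 are assumed
from Istio's usual sidecar rule set. Addresses and the app UID/GID are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

ISTIO_UID = 1337          # owner UID of envoy / pilot-agent (from the post's ps output)
ISTIO_GID = 1337          # owner GID of envoy / pilot-agent (from the post's ps output)
APP_UID, APP_GID = 1000, 1000   # constructed: a non-sidecar application process
POD_IP = "10.244.0.7"            # constructed pod IP
OUTSIDE_IP = "10.96.0.10"        # constructed off-pod destination (e.g. a ClusterIP)


@dataclass(frozen=True)
class Packet:
    uid: int          # owner UID of the sending process (-m owner --uid-owner)
    gid: int          # owner GID of the sending process (-m owner --gid-owner)
    src: str          # source address (-s)
    dst: str          # destination address (-d)
    out_iface: str    # outgoing interface (-o): "lo" for pod-local traffic


# (rule number, match predicate, target). Order matters: first match wins.
RULES: List[Tuple[int, Callable[[Packet], bool], str]] = [
    # 1: -o lo -s 127.0.0.6/32 -j RETURN        (assumed; envoy sending as 127.0.0.6)
    (1, lambda p: p.out_iface == "lo" and p.src == "127.0.0.6", "RETURN"),
    # 2: -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
    (2, lambda p: p.out_iface == "lo" and p.dst != "127.0.0.1" and p.uid == ISTIO_UID,
     "ISTIO_IN_REDIRECT"),
    # 3: -o lo -m owner ! --uid-owner 1337 -j RETURN
    (3, lambda p: p.out_iface == "lo" and p.uid != ISTIO_UID, "RETURN"),
    # 4: -m owner --uid-owner 1337 -j RETURN     (assumed)
    (4, lambda p: p.uid == ISTIO_UID, "RETURN"),
    # 5: -o lo ! -d 127.0.0.1/32 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
    (5, lambda p: p.out_iface == "lo" and p.dst != "127.0.0.1" and p.gid == ISTIO_GID,
     "ISTIO_IN_REDIRECT"),
    # 6: -o lo -m owner ! --gid-owner 1337 -j RETURN
    (6, lambda p: p.out_iface == "lo" and p.gid != ISTIO_GID, "RETURN"),
    # 7: -m owner --gid-owner 1337 -j RETURN     (assumed)
    (7, lambda p: p.gid == ISTIO_GID, "RETURN"),
    # 8: -d 127.0.0.1/32 -j RETURN               (assumed)
    (8, lambda p: p.dst == "127.0.0.1", "RETURN"),
    # 9: -j ISTIO_REDIRECT                       (assumed; everything else goes outbound)
    (9, lambda p: True, "ISTIO_REDIRECT"),
]


def evaluate(pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, target) of the first rule that matches the packet."""
    for number, matches, target in RULES:
        if matches(pkt):
            return number, target
    raise AssertionError("rule 9 matches every packet; this is unreachable")


# Destination classes used in the post: as 127.0.0.6, podIP, 127.0.0.1, outside.
DESTINATIONS = [
    ("as 127.0.0.6", "127.0.0.6", POD_IP, "lo"),
    ("podIP", POD_IP, POD_IP, "lo"),
    ("127.0.0.1", POD_IP, "127.0.0.1", "lo"),
    ("outside", POD_IP, OUTSIDE_IP, "eth0"),
]


def unreachable_rules() -> Set[int]:
    """Rule numbers that never fire over all UID/GID and destination combinations."""
    hit: Set[int] = set()
    for uid in (ISTIO_UID, APP_UID):
        for gid in (ISTIO_GID, APP_GID):
            for _, src, dst, iface in DESTINATIONS:
                hit.add(evaluate(Packet(uid, gid, src, dst, iface))[0])
    return {number for number, _, _ in RULES} - hit


if __name__ == "__main__":
    # Reproduce the post's summary table for envoy/pilot-agent (1337/1337) and an app process.
    for name, uid, gid in (("envoy", ISTIO_UID, ISTIO_GID), ("app", APP_UID, APP_GID)):
        for label, src, dst, iface in DESTINATIONS:
            rule, target = evaluate(Packet(uid, gid, src, dst, iface))
            print(f"{name:>5} -> {label:<12} rule {rule}: {target}")
    print("rules that never fire:", sorted(unreachable_rules()))
```

Running the block prints one line per process/destination pair with the rule that decided it; `unreachable_rules()` is the quick way to see which rules are dead for a given UID/GID configuration before changing them on a real pod.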