TigerBear

Reputation: 2834

How does port-forward avoid mTLS?

I have Istio set up with mTLS globally enabled. I have verified it by bashing into a pod without an Envoy sidecar and running a curl command over HTTP, which failed. Then I ran a curl over HTTPS using the Istio certs, which worked.

When I port-forward to a service, e.g. kubectl port-forward svc/my-svc 8080:80, I am able to access my app by going to http://localhost:8080. I would expect that this wouldn't work, since mTLS is being enforced. How does this port-forward with Kubernetes work? Does it go directly to the node, thereby bypassing the sidecar?

Upvotes: 1

Views: 506

Answers (1)

Akar

Reputation: 584

I found out that Istio works in parallel with standard Kubernetes network services and does not affect traffic in the case of port-forwarding.

The Istio network service will create an iptables rule exactly the same as kubectl port-forward or any other standard command does.

Unfortunately, I did not find any official documentation with an explanation of how it works.

Upvotes: 2
