CODEWITHSUNDEEP
kubernetesistioenvoyproxy
Qasim Sarfraz
Qasim Sarfraz

Reputation: 6462

Do I need a istio sidecar proxy at client end for routing rules to be applied?

I have couple of services named svc A and svc B with request flow as follows:

svc A --> svc B

I have injected sidecar with svc B and then added the routing rules via VirtualServices object as: 

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: b
  namespace: default
spec:
  hosts:
  - b.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: b.default.svc.cluster.local
    fault:
      abort:
        percentage:
          value: 100
        httpStatus: 403

These rules are only applied when svc A has a sidecar istio proxy. Which makes me think if we need to have istio proxy on the client side as well? I was expecting that the service for which I added rules should only have the sidecar. I can't think of any technical requirement to have it along side svc B.

Upvotes: 0

Views: 991

Answers (3)

DUDANF
DUDANF

Reputation: 3000

First go ahead and run:

gcloud container clusters describe [Your-Pod-Name] | grep -e clusterIpv4Cidr -e servicesIpv4Cidr

This will give you two IP addresses. Add these into your deployment yaml like shown below (REPLACING THE IP ADDRESSES WITH YOURS) 

apiVersion: v1
kind: Pod
metadata:
  name: [Your-Pod-Name]
  annotations:
    sidecar.istio.io/inject: "true"
    traffic.sidecar.istio.io/includeOutboundIPRanges: 10.32.0.0/14,10.35.240.0/20

This allows internet connection to your services.

Upvotes: 0

mt165
mt165

Reputation: 268

Yes, Service A needs a sidecar. It's confusing I admit, but the way to think of the VirtualService resource is "where do I find the backends I want to talk to and what service should they appear to provide me?" A's sidecar is its helper which does things on its behalf like load-balancing, and in your case fault injection (Service B is reliable; it's Service A that wants it to seem unreliable).

The comments that A and B both need sidecars in order to communicate at all aren't correct (unless you want mTLS), but if you want the mesh to provide additional services to A, then A needs a sidecar.

Upvotes: 2

P Ekambaram
P Ekambaram

Reputation: 17689

yes, you should inject sidecar proxy in service A as well. then only the two services can communicate with each other through proxies

Upvotes: 1

Related Questions