CODEWITHSUNDEEP
kubernetesistiokubernetes-podenvoyproxysidecar
Linda
Linda

Reputation: 88

Istio (Envoy-proxy sidecar) is blocking http traffic on port 8088

My application(App2 Namespace=yarn): has the following ports open:8088:31097/TCP,19888:32150/TCP,8042:32604/TCP Without Istio being installed all the pods in my Kubernetes cluster in (Namespace =yarn) are able to connect to this service on port curl http://App2.Yarn.svc.cluster.local:8088/ succeeds with a webpage.

After I enable istio-injection and redeploy my application. Sidecar is added and now all my other pods in the cluster in same namespace=yarn (istio-injected) are unable to make the curl command at port 8088. No other change was done other than adding istio. Here is the sidecar config from Kubernetes Dashboard. Can you please help me find out what is happening?

proxy
sidecar
--domain
$(POD_NAMESPACE).svc.cluster.local
--configPath
/etc/istio/proxy
--binaryPath
/usr/local/bin/envoy
--serviceCluster
hadoop.$(POD_NAMESPACE)
--drainDuration
45s
--parentShutdownDuration
1m0s
--discoveryAddress
istio-pilot.istio-system:15010
--zipkinAddress
zipkin.istio-system:9411
--proxyLogLevel=warning
--proxyComponentLogLevel=misc:error
--connectTimeout
10s
--proxyAdminPort
15000
--concurrency
2
--controlPlaneAuthPolicy
NONE
--dnsRefreshRate
300s
--statusPort
15020
--applicationPorts
8088,7077,6066,8080
--trust-domain=cluster.local

(Both the services (App1 and App2) are deployed in the same namespace with Istio-Injection Enabled. If I login to the pod (App2-0) which is supposed to host this service on 8088, even there I am unable to make the curl call successfully which is totally bizzare to me.)

Upvotes: 0

Views: 1057

Answers (1)

Piotr Malec
Piotr Malec

Reputation: 3647

This is happening because this is how istio service mesh works. Each service that is injected with envoy proxy is added to service mesh registry. Deploying applications in istio injected namespace will benefit from automatic service discovery.

For a connectivity between a istio injected service and a service that is not injected We can use ServiceEntry object to tell istio that we want to connect to that service. This will add that service to istio service mesh registry. However services added with ServiceEntry will not be able to use certain envoy features.

More information can be found on istio documentation about ServiceEntry.

Hope it helps.

Upvotes: 0

Related Questions