Reputation: 1873
Why iptables rule setup in initContainer `istio-init` works in application container?
I am reading the doc of istio. It says:
istio-init This init container is used to setup the iptables rules so that inbound/outbound traffic will go through the sidecar proxy.
In my understanding, initContainer and application container are separated except that they share same network namespace. So why would iptables setup in initContainer still persist in application container?
Upvotes: 3
Views: 1921
Answers (2)
Reputation: 8830
As I mentioned in the comments, Iptables rules are briefly described here.
There is also a Iptables Schematic:
Upvotes: 2
Reputation: 17771
A single network namespace shares a (virtual) network adapter between all the process namespaces (which means the other containers the pod will start). This is where changes are persisted.
Iptables configures rules that are set in a network namespace configure that shared adapter, so changes to networking in an init container persist when the application containers and sidecars start later in the same network namespace, and use the same adapter.
Upvotes: 1
Related Questions
- Cannot allow external traffic through ISTIO
- expose Istio-gateway on port 80
- iptables in kuberntes init container does't work
- Kubernetes + Istio Ingress Gateway port
- why does istio gives ISTIO-403 forbidden error
- Why my environment is not suitable for istio ingress agteway?
- Why is my ISTIO policy configuration not applied?
- Istio to allow all egress traffic
- Istio allowing all outbound traffic
- Egress Istio rule won't work