Reputation: 115
Configure Istio Sidecar to allow trafic to external hosts
I have a sidecar that only allows egress traffic on the namespace it is being deployed. This limits also external calls. Is there a way to add an external host to the sidecar, something like:
apiVersion: "networking.istio.io/v1beta1",
kind: "Sidecar",
metadata:{
name: "egress-sidecar",
namespace: "namespace",
},
spec:{
workloadSelector:{
labels:{
app: 'target_app'
}
},
egress:[
{
hosts:[
"namespace/*",
"google.com/*" # <--- something like this, this does not work
]
}
],
outboundTrafficPolicy:{
mode: "REGISTRY_ONLY"
}
}
Upvotes: 0
Views: 323
Answers (1)
Reputation: 335
Ik think you'll need at least a ServiceEntry (https://istio.io/latest/docs/reference/config/networking/service-entry/) for the external service (e.g. www.google.com) and then you can refer to it in the egress section of your Sidecar definition. Depending in which namespace you register the mentioned ServicEntry you can define the following in the hosts section under the egress section of your Sidecar definition :
*/www.google.com (ServiceEntry anywhere in the Service Mesh)
./www.google.com (ServiceEntry in the same namespace as your Sidecar definition)
(https://istio.io/latest/docs/reference/config/networking/sidecar/#IstioEgressListener)
Upvotes: 4
Related Questions
- Cannot allow external traffic through ISTIO
- "connection refused" error in main application until istio-sidecar starts
- istio: route traffic between sidecar-enabled pods and non-sidecar-enabled pods
- How to restrict pod egress traffic only to external
- ISTIO Egress gateway Flow
- Istio - Connect to an external ip
- How to expose redis to outside with istio sidecar?
- How do I create an internal gateway using Istio?
- Injecting Istio sidecar concurrently with the pod
- Application container unable to access network before sidecar ready