C0ol_Cod3r

Reputation: 949

AWS EKS cluster with Istio sidecar auto inject problem and pod ext. db connection issue

I built a new cluster with Terraform for AWS EKS, single node group with a single node.

This cluster is using 1.22 and I can't seem to get anything to work correctly.

So Istio will install fine; I have installed versions 1.12.1, 1.13.2, 1.13.3 & 1.13.4 and all seem to have the same issue with auto-injecting the sidecar.

Error creating: Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": failed to call webhook: Post "https://istiod.istio-system.svc:443/inject?timeout=10s": context deadline exceeded

But there are also other issues with the cluster, even without using Istio. My application is pulled and the pod will build fine but cannot connect to the database. This is an external DB to the cluster; no other builds (running on Azure) have any issues connecting to the DB.

I am not sure if this is the issue with the application not connecting to the ext. DB but the sidecar issue could have something to do with BoundServiceAccountTokenVolume?

There is a warning about it being enabled on all clusters from 1.21, which is a little odd as I have another application with Istio running on another cluster with 1.21 on AWS EKS!

I also have this application running with Istio without any issues in Azure on 1.22.

Upvotes: 1

Views: 1275

Answers (1)

C0ol_Cod3r

Reputation: 949

I seem to have fixed it :)

It seems to be a port issue with the security groups. I was letting terraform build its own group.

When I opened all the ports up in the 'inbound' section it seemed to work.

I then closed them all again and only opened 80 and 443, which again stopped Istio from auto-injecting its sidecar.

My app was requesting to talk to Istio on port 15017, so I opened just that port, alongside ports 80 and 443.

Once that port was opened, my app started to work and got the sidecar from Istio without any issue.

So it seems like the security group stops pod-to-pod communication... unless I have completely messed up my Terraform build in some way.

Upvotes: 1
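The fix above opens port 15017 by hand. The following is an added Terraform example, not code from the question or the answer, showing how to express the same fix as least-privilege security group rules instead of opening every inbound port. It assumes an EKS cluster resource named `aws_eks_cluster.this`, a node security group named `aws_security_group.nodes`, and variables `var.db_cidr` and `var.db_port` for the external database; none of these names appear in the original post. The webhook call in the error message comes from the managed EKS control plane (the API server), not from another pod, so the source of the 15017 rule is the cluster security group that EKS attaches to its control-plane ENIs. The istiod Service listens on 443 but targets container port 15017 on the istiod pod, and with the AWS VPC CNI the pod IP sits behind the node's security group, which is why 443 alone was not enough.

```hcl
# Added example (not from the original post). Assumed names: aws_eks_cluster.this,
# aws_security_group.nodes, var.db_cidr, var.db_port.

locals {
  # Security group EKS creates for the control-plane ENIs. Webhook calls from the
  # API server reach pods with this group as their source.
  cluster_sg_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
}

# API server -> istiod sidecar-injector webhook. The istiod Service maps 443 to
# container port 15017, so 15017 must be reachable on the node SG. Only this
# port is opened from the control plane, not "all inbound".
resource "aws_security_group_rule" "control_plane_to_istiod_webhook" {
  type                     = "ingress"
  security_group_id        = aws_security_group.nodes.id
  source_security_group_id = local.cluster_sg_id
  protocol                 = "tcp"
  from_port                = 15017
  to_port                  = 15017
  description              = "EKS control plane to istiod sidecar injector"
}

# API server -> kubelet (exec, logs, metrics). Standard EKS node requirement.
resource "aws_security_group_rule" "control_plane_to_kubelet" {
  type                     = "ingress"
  security_group_id        = aws_security_group.nodes.id
  source_security_group_id = local.cluster_sg_id
  protocol                 = "tcp"
  from_port                = 10250
  to_port                  = 10250
  description              = "EKS control plane to kubelet"
}

# Node <-> node, covering pod-to-pod traffic across nodes and the sidecar's
# xDS connection to istiod. Scoped to the group itself, not 0.0.0.0/0.
resource "aws_security_group_rule" "nodes_self" {
  type              = "ingress"
  security_group_id = aws_security_group.nodes.id
  self              = true
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  description       = "Node to node"
}

# Terraform removes AWS's default allow-all egress rule on a security group it
# manages, so outbound access has to be declared. A missing egress rule is one
# reason a pod can start but never reach an external database.
resource "aws_security_group_rule" "nodes_to_external_db" {
  type              = "egress"
  security_group_id = aws_security_group.nodes.id
  protocol          = "tcp"
  from_port         = var.db_port
  to_port           = var.db_port
  cidr_blocks       = [var.db_cidr] # assumed: the external DB's address range
  description       = "Nodes to external database"
}

# Nodes -> API server and registries over HTTPS (kubelet registration, image pulls).
resource "aws_security_group_rule" "nodes_https_egress" {
  type              = "egress"
  security_group_id = aws_security_group.nodes.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Nodes to API server, ECR and other HTTPS endpoints"
}
```

To confirm the port mapping before changing a rule, `kubectl -n istio-system get svc istiod -o wide` shows 443 targeting 15017 on the istiod pod. If the mutating webhook still times out after applying the rules, check that the node security group in the managed node group's launch template is the one these rules are attached to; a security group Terraform created but never associated with the nodes has no effect.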
