Reputation: 89
I have 2 AKS clusters, Cluster 1 and Cluster 2 both running Istio 1.14 minimal out-of-the-box (default configs).
Everything on Cluster 1 works as expected (after deploying Istio).
On Cluster 2, all HTTPS outbound connections initiated from my services (injected with istio-proxy) fail.
curl http://www.google.com #works
curl https://www.google.com #fails
If I create a service entry for google, then the https curl works:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
Both Istio installations are out-of-the-box so meshConfig.outboundTrafficPolicy.mode is set to ALLOW_ANY (double-checked).
I read online that there were some Istio bugs that would cause this behavior, but I don't think it's the case here. I also compared the Istio configs between the 2 clusters and they really seem to be the same.
I'm starting to think the problem may lie in some cluster configs because I know there are some differences between the 2 clusters here.
How would you go about troubleshooting this? Do you think the issue is related to Istio or Cluster services/configs? What should I look into first?
Upvotes: 0
Views: 992
Reputation: 1221
You are correct. By default, ALLOW_ANY is the value set for meshConfig.outboundTrafficPolicy.mode. This can be verified in the cluster by running the command below.
kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: ALLOW_ANY"
Please also refer to the Istio documentation for the options available for accessing external services.
Upvotes: 1
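The grep in the answer above prints nothing both when the mode is unset (Istio then defaults to ALLOW_ANY) and when it is REGISTRY_ONLY. The following is an added example, not part of the original answer: a shell function that reads the ConfigMap YAML and reports the mode and whether it was set explicitly. The context names in the usage comment and the sample YAML are constructed assumptions.

```shell
#!/bin/sh
# Added example: report the mesh-wide outbound policy from the `istio` ConfigMap.

# Reads ConfigMap YAML on stdin. Prints "<mode> explicit" when
# outboundTrafficPolicy.mode is present, or "ALLOW_ANY default" when the key
# is absent (an unset mode means ALLOW_ANY). Only the block form
# "outboundTrafficPolicy:" followed by an indented "mode:" line is handled.
outbound_mode() {
  awk '
    # Start of the outboundTrafficPolicy block: remember its indentation.
    $1 == "outboundTrafficPolicy:" && NF == 1 {
      depth = match($0, /[^ ]/); inside = 1; next
    }
    inside {
      # A line indented no deeper than the key ends the block.
      if (match($0, /[^ ]/) <= depth) { inside = 0; next }
      if ($1 == "mode:") { print $2, "explicit"; found = 1; exit }
    }
    END { if (!found) print "ALLOW_ANY default" }
  '
}

# Prints the setting for each kubectl context given as an argument.
# Usage (context names are assumptions): compare_contexts cluster-1 cluster-2
compare_contexts() {
  for ctx in "$@"; do
    printf '%s: ' "$ctx"
    kubectl --context "$ctx" get configmap istio -n istio-system -o yaml | outbound_mode
  done
}

# Constructed sample inputs (not taken from either cluster in the question).
sample_default() {
  printf '%s\n' 'data:' '  mesh: |-' '    defaultConfig:' \
    '      discoveryAddress: istiod.istio-system.svc:15012' \
    '    rootNamespace: istio-system'
}
sample_registry_only() {
  printf '%s\n' 'data:' '  mesh: |-' '    outboundTrafficPolicy:' \
    '      mode: REGISTRY_ONLY' '    rootNamespace: istio-system'
}
```

This covers only the mesh-wide setting in the `istio` ConfigMap; an Istio Sidecar resource can set its own outboundTrafficPolicy for a namespace or workload and is not inspected here.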