Accessing Istio enabled K8S pod from a service outside of the mesh

9/21/2017

Let's say an Istio-enabled Service A exposes port 8080, which is named http, and as such Istio performs L7 load balancing when it is accessed from inside the mesh.

I'd like to know if there is a way to access this port 8080 from a pod/service B that doesn't have the Istio sidecar. In such a case the traffic would be:

B -> A Envoy -> A

or

B -> A

This way, I'm able to access a port of A that is not named http (i.e., only L4 load balancing is in place).

My particular use case is that I have Prometheus (not running in the mesh) with Prometheus Operator scraping the services running in the mesh directly (Istio Mixer is not involved; the services expose their own business logic metrics). It works for me if and only if a given service doesn't name its port http.

-- Stepan Vavra
istio
kubernetes
prometheus
prometheus-operator

1 Answer

9/23/2017

If you have auth (mTLS) enabled, it doesn't work, by design, as in that case Istio tries to protect all service-to-service communication.

You can turn auth off, and if that doesn't help, also try with the Istio 0.2.4 release candidate (or whichever is the latest at the time you read this, see https://github.com/istio/istio/releases) and see if the problem persists. If it does, please file an issue at https://github.com/istio/issues/issues/new

In 0.3 (and possibly earlier) we'll let you have fine-grained control over mTLS.

-- Laurent Demailly
Source: StackOverflow