Egress Istio rule won't work

11/10/2017

I have a deployment that Istio is injected into, with access to the Google Maps Distance Matrix API. If I run istioctl kube-inject with --includeIPRanges 10.0.0.0/8, it seems to work. If I remove this flag and instead apply an egress rule, it won't work:

    apiVersion: config.istio.io/v1alpha2
    kind: EgressRule
    metadata:
      name: google-egress-rule
      namespace: microservices
    spec:
      destination:
        service: "maps.googleapis.com"
      ports:
        - port: 443
          protocol: https
        - port: 80
          protocol: http

Both the deployment and the egress rule are in the same namespace (microservices).

Any idea where my fault is?

-- user3232739
istio
kubernetes

1 Answer

11/11/2017

From what I see by running curl maps.googleapis.com, it redirects to https://developers.google.com/maps/.

Two issues here:

  1. You have to specify an additional EgressRule for developers.google.com
  2. Currently you have to access https external sites by issuing http requests to port 443, like curl http://developers.google.com:443/maps. Istio proxy will open an https connection to developers.google.com for you. Unfortunately, currently there is no other way to do it, except for using --includeIPRanges.
-- Vadim Eisenberg
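
The additional rule the answer calls for, written out as an added example (not part of the original answer). The rule name is hypothetical; the apiVersion, namespace and field layout are copied from the rule in the question, and only port 443 is listed because the redirect target is an https URL:

```yaml
# Added example: second EgressRule for the redirect target.
# "google-developers-egress-rule" is a hypothetical name chosen for illustration.
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: google-developers-egress-rule
  namespace: microservices        # same namespace as the deployment and the first rule
spec:
  destination:
    service: "developers.google.com"
  ports:
    - port: 443
      protocol: https             # the sidecar originates TLS to the external host
```

With both rules in place, the application still sends plain HTTP to port 443 as the answer describes, and the sidecar opens the https connection. Compared with --includeIPRanges, which lets all traffic outside the listed ranges leave the pod without passing through the proxy, the rules keep egress limited to the named hosts.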
Source: StackOverflow