I run istio on Kubernetes. I want to know how the envoy sidecar works. For example, after sidecar is injected into the pod, the original container cannot access the outer network without EgressRule. How does it work?
All the traffic inside the pod is captured by iptables commands and directed to the sidecar proxy. Then the sidecar proxy performs routing, according to routing tables it receives from Istio Pilot (a part of the Istio Control Plane). The routing tables are based on the Kubernetes services and on the Istio RouteRules. Since Istio cannot know anything about the external services, it cannot route the traffic to the external services without an EgressRule defined. EgressRules define the routing tables for the external services.