Istio 0.8.0 Service Entry does not work with istio-auth

7/25/2018

I have a cluster on Google Kubernetes Engine with Istio 0.8.0, using the istio-auth.yaml.

I followed this tutorial exactly: https://istio.io/docs/tasks/traffic-management/egress/.

Ingress works, I have https working to all of my routes and pods, but my containers cannot communicate to the external world.

If I deploy the sleep app (the one used in the tutorial) in a namespace that does NOT have the sidecar injection enabled, curl-ing out works just fine. To any route.

I have tried adding resolution:DNS, resolution:NONE, location: MESH_EXTERNAL. I have tried adding a destination rule to disable TLS on the egress gateway as shown in this issue: https://github.com/istio/istio/issues/7140

Here is the service entry as shown in their documentation.

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: google-ext
    spec:
      hosts:
      - www.google.com
      ports:
      - number: 443
        name: https
        protocol: HTTPS

Here is the command I run to exec into the sleep container, run curl, and the result:

    $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) && kubectl exec -it $SOURCE_POD -c sleep -- curl https://www.google.com
    curl: (35) Unknown SSL protocol error in connection to google.com:443
    command terminated with exit code 35

If anyone has any suggestions or ideas, I am more than willing to try any of em.

Also, if you need more information, I am happy to provide it.

    $ istioctl version
    Version: 0.8.0
    GitRevision: 6f9f420f0c7119ff4fa6a1966a6f6d89b1b4db84
    User: root@48d5ddfd72da
    Hub: docker.io/istio
    GolangVersion: go1.10.1
    BuildStatus: Clean

    $ kubectl version
    Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T10:09:24Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"windows/amd64"}
    Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.4-gke.2", GitCommit:"eb2e43842aaa21d6f0bb65d6adf5a84bbdc62eaf", GitTreeState:"clean", BuildDate:"2018-06-15T21:48:39Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

-- Murray Gudesblat
google-kubernetes-engine
istio

1 Answer

8/1/2018

I have just checked the ServiceEntry you wrote with Istio 0.8.0, with auth, and it works for me. Note that it may take several seconds for the service entry definition to propagate, so I would wait for 30 seconds and try again.

-- Jason
Source: StackOverflow