I have Istio set up with mTLS globally enabled. I have verified it by bashing into a pod without an Envoy sidecar and running a curl command on HTTP, which failed. Then I ran a curl on HTTPS using the Istio certs, which worked.
When I port-forward to a service, e.g. kubectl port-forward svc/my-svc 8080:80,
I am able to access my app by going to http://localhost:8080.
I would expect that this wouldn't work, since mTLS is being enforced. How does this port-forward with Kubernetes work? Does it go directly to the node, thereby bypassing the sidecar?
I found out that Istio is working in parallel with standard Kubernetes network services and does not affect traffic in the case of port-forwarding.
The Istio network service will create iptables rules exactly the same as kubectl port-forward or any other standard command does.
Unfortunately, I did not find any official documentation with an explanation of how it works.