K
Q

How does port-forward avoid mtls

9/12/2018

I have istio set up with mtls globally enabled. I have verifed it by bashing into a pot without an envoy sidecar, and running a curl command on http, which failed. Then run a curl on HTTPS using the Istio certs, which worked.

When I port-forward to a service, eq kubectl port-forward svc/my-svc 8080:80 I am able to access my app by going to http://localhost:8080 I would expect that this wouldn't work, since mtls is being enforced. How does this port-forward with kubernetes work? Does it go directly to the node, thereby by-passing the sidecar?

-- TigerBear
istio
kubernetes
portforwarding

Similar Questions

Running Stateful Sets on Non Preemptible nodes?
Running StorageOS on Kubernetes
Deploying a mobile app backend with kubernetes
How to remove image from kubernetes(GKE) - Container image "<name/name>:latest" already present on machine
Can&#39;t read configMap with name: [XXXX] in namespace:[default]. Ignoring
GO get K8S api server health status
Not able to run kubectl cp command in Argo workflow
How to push events from Kafka via WebSockets in a Kubernetes cluster
get a template resource - full yaml script code of helm (K8S)

1 Answer

9/13/2018

I found out that Istio is working in parallel with standard Kubernetes network services and does not affect traffic in case of port-forwarding.

Istio network service will create iptables rule exactly the same as kubectl port-forward or any other standard command do.

Unfortunately, I did not find any official documentation with an explanation of how it works.

-- Akar
Source: StackOverflow