How does port-forward avoid mtls

9/12/2018

I have Istio set up with mTLS globally enabled. I have verified it by bashing into a pod without an Envoy sidecar and running a curl command over HTTP, which failed. Then I ran a curl over HTTPS using the Istio certs, which worked.

When I port-forward to a service, e.g. `kubectl port-forward svc/my-svc 8080:80`, I am able to access my app by going to http://localhost:8080. I would expect that this wouldn't work, since mTLS is being enforced. How does this port-forward with Kubernetes work? Does it go directly to the node, thereby bypassing the sidecar?

-- TigerBear
istio
kubernetes
portforwarding

1 Answer

9/13/2018

I found out that Istio works in parallel with the standard Kubernetes network services and does not affect traffic in the case of port-forwarding.

The Istio network service creates iptables rules in exactly the same way as `kubectl port-forward` or any other standard command does.

Unfortunately, I did not find any official documentation with an explanation of how it works.

-- Akar
Source: StackOverflow