Istio-proxy does not intercept outgoing traffic with global.proxy.includeIPRanges config

9/19/2018

Having AWS EKS cluster in VPC with CIDR 172.20.0.0/16 and installed istio 1.0.2 with helm:

helm upgrade -i istio install/kubernetes/helm/istio \
--namespace istio-system \
--set tracing.enabled=true \
--set grafana.enabled=true \
--set telemetry-gateway.grafanaEnabled=true \
--set telemetry-gateway.prometheusEnabled=true \
--set global.proxy.includeIPRanges="172.20.0.0/16" \
--set servicegraph.enabled=true \
--set galley.enabled=false

Then deploy some pods for testing:

apiVersion: v1
kind: Service
metadata:
  name: service-one
  labels:
    app: service-one
spec:
  ports:
  - port: 80
    targetPort: 8080
    name: http
  selector:
    app: service-one
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: service-one
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: service-one
    spec:
      containers:
      - name: app
        image: gcr.io/google_containers/echoserver:1.4
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: service-two
  labels:
    app: service-two
spec:
  ports:
  - port: 80
    targetPort: 8080
    name: http-status
  selector:
    app: service-two
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: service-two
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: service-two
    spec:
      containers:
      - name: app
        image: gcr.io/google_containers/echoserver:1.4
        ports:
        - containerPort: 8080

and deploy it with:

kubectl apply -f <(istioctl kube-inject -f app.yaml)

Then inside the service-one pod, I'm requesting service-two and there are no logs about outgoing requests inside service-one's istio-proxy container, but if I reconfigure istio without setting global.proxy.includeIPRanges it works as expected (but I need this config to allow multiple external connections). How can I debug what is going on?

-- andfadeev
amazon-eks
istio
kubernetes

1 Answer

9/20/2018

Setting global.proxy.includeIPRanges is deprecated and should not work. There was a discussion on Git about this. The new closest thing is includeOutboundIpRanges in the pod's sidecar-injector ConfigMap or the traffic.sidecar.istio.io/includeOutboundIPRanges pod annotation. The annotation looks easier. For now, it is not clear in the official documentation.

You could add the annotation to your deployment:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: service-one
spec:
  replicas: 1
  template:
    metadata:
      # The sidecar injector reads this from the pod template, not from the
      # Deployment's own metadata, so it has to live here to reach the pods.
      annotations:
        traffic.sidecar.istio.io/includeOutboundIPRanges: "172.20.0.0/16"
      labels:
        app: service-one
    spec:
      containers:
      - name: app
        image: gcr.io/google_containers/echoserver:1.4
        ports:
        - containerPort: 8080

And the same for the second deployment.

-- Nick Rak
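One way to answer the "how can I debug" part, as an added example that belongs to neither post: read the istio-init container's args from an injected pod and test whether the address the app actually dials (for a Kubernetes Service, its ClusterIP, which need not lie inside the VPC CIDR) falls in the `-i` include ranges. The args list below is constructed to follow the Istio 1.0 istio-init flag layout (`-i` include CIDRs, `-x` exclude CIDRs, `-p` redirect port), which is an assumption about that version; the pod name and IPs are placeholders.

```python
import ipaddress

# Constructed sample of istio-init args, shaped like an Istio 1.0 injection
# with includeOutboundIPRanges set to the VPC CIDR. Read the real ones with:
#   kubectl get pod <pod-name> \
#     -o jsonpath='{.spec.initContainers[?(@.name=="istio-init")].args}'
VPC_ONLY_ARGS = ["-p", "15001", "-u", "1337", "-m", "REDIRECT",
                 "-i", "172.20.0.0/16", "-x", "", "-b", "8080", "-d", ""]


def parse_istio_init_args(args):
    """Pair istio-init flags with their values; every flag in the 1.0
    layout takes exactly one value, so args come in (flag, value) pairs."""
    return {args[i]: args[i + 1] for i in range(0, len(args) - 1, 2)}


def _networks(csv):
    """Turn a comma-separated CIDR list (possibly empty) into networks."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in csv.split(",") if c.strip()]


def is_intercepted(dest_ip, args):
    """True if the sidecar's iptables REDIRECT would capture traffic to
    dest_ip: excluded ranges win, then "*" means everything, otherwise the
    address must sit inside one of the included CIDRs."""
    flags = parse_istio_init_args(args)
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in _networks(flags.get("-x", ""))):
        return False
    include = flags.get("-i", "*").strip()
    if include == "*":
        return True
    return any(ip in net for net in _networks(include))


def explain(dest_ip, args):
    """Human-readable verdict for one destination, for use while debugging."""
    port = parse_istio_init_args(args).get("-p", "15001")
    if is_intercepted(dest_ip, args):
        return f"{dest_ip}: redirected to Envoy on :{port}, expect a proxy log line"
    return f"{dest_ip}: outside the include ranges, bypasses the sidecar entirely"


if __name__ == "__main__":
    # Placeholder ClusterIP outside the VPC CIDR versus a pod IP inside it.
    for ip in ("10.100.0.10", "172.20.45.7"):
        print(explain(ip, VPC_ONLY_ARGS))
```

If the ClusterIP of service-two comes back as bypassed, the fix is to include the cluster's Service CIDR in the annotation as well, not only the VPC range.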
Source: StackOverflow