What are the endpoints of Amazon S3?

10/24/2018

I've created an "Istio-enabled" Kubernetes cluster, and my containers, by default, "are unable to access URLs outside of the cluster" (Istio v1.0.2). This is fine and matches my security requirements:

By default, Istio-enabled services are unable to access URLs outside of the cluster because the pod uses iptables to transparently redirect all outbound traffic to the sidecar proxy...

Now I'm trying to create an Istio Service Entry to allow my containers to request my S3 buckets that are outside the Istio service mesh.

As far as I know, Amazon S3 does not have a specific "host" or a well-defined range of IP addresses. How can I do this? What protocol do I need to use?

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: enable-access-to-s3-buckets
spec:
  hosts:
  - ????????
  ports:
  - number: ???????
    name: ??????
    protocol: ??????
  resolution: ?????

Note: Istio v1.2 changed the default outbound traffic policy to ALLOW_ANY.

-- Eduardo Baitello
amazon-s3
istio
kubernetes

1 Answer

10/24/2018

Looking here you can get a list of the S3 endpoints that might help: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region

Another solution can be to create an S3 endpoint inside the same VPC as your K8S cluster and use that name to restrict the access with private IP rules. See https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html for detailed documentation on it.

-- webofmars
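As an added example (not from the question or answer above), this is how the regional S3 endpoint names from the AWS endpoints list can be turned into ServiceEntry resources that open egress only to S3, not to the whole internet; the region eu-west-1 is an assumption, substitute the region your buckets live in.

```yaml
# Path-style requests (https://s3.eu-west-1.amazonaws.com/<bucket>/...) target
# the regional endpoint by its own name, so DNS resolution can be used.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s3-regional-endpoint
spec:
  hosts:
  - s3.eu-west-1.amazonaws.com   # assumed region; use the region of your buckets
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
# Virtual-hosted-style requests (https://<bucket>.s3.eu-west-1.amazonaws.com/...),
# which the AWS SDKs use by default, carry the bucket subdomain in the TLS SNI,
# so a wildcard host is needed. Istio requires resolution NONE for wildcard
# hosts and matches the outbound connection on its SNI.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s3-bucket-subdomains
spec:
  hosts:
  - "*.s3.eu-west-1.amazonaws.com"   # assumed region
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: NONE
```

If you also add a VPC gateway endpoint for S3 as the answer suggests, the pods still connect to these same DNS names, so the ServiceEntry stays the same; the VPC endpoint only keeps the traffic on private routes and lets you restrict it further with an endpoint policy.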
Source: StackOverflow