I've created an "Istio-enabled" Kubernetes cluster, and my containers, by default, "are unable to access URLs outside of the cluster" (Istio v1.0.2). This is fine and matches my security requirements:
By default, Istio-enabled services are unable to access URLs outside of the cluster because the pod uses iptables to transparently redirect all outbound traffic to the sidecar proxy...
Now I'm trying to create an Istio ServiceEntry to allow my containers to request my S3 buckets that are outside the Istio service mesh.
As far as I know, Amazon S3 does not have a specific "host" or a well-defined range of IP addresses. How can I do this? What protocol do I need to use?
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: enable-access-to-s3-buckets
spec:
  hosts:
  - ????????
  ports:
  - number: ???????
    name: ??????
    protocol: ??????
  resolution: ?????
Note: Istio v1.2 changed the default outbound traffic policy to ALLOW_ANY.
Looking here you can get a list of the S3 endpoints that might help: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
Another solution can be to create an S3 endpoint inside the same VPC as your K8S cluster and use that name to restrict access with private-IP rules. See https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html for detailed documentation on it.
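As an added example (not from the question, the answer, or the Istio project), here is one way to fill in the placeholders using the regional endpoint names from the AWS list linked above; the region `us-east-1` and the bucket name `my-bucket` are assumed placeholders:

```yaml
# Added example, not part of the original post: a ServiceEntry that permits
# HTTPS egress only to the S3 endpoints of one region. The region
# (us-east-1) and the bucket name (my-bucket) are assumed placeholders.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: enable-access-to-s3-buckets
spec:
  hosts:
  # Regional endpoint used by path-style requests
  # (https://s3.us-east-1.amazonaws.com/my-bucket/key)
  - s3.us-east-1.amazonaws.com
  # Virtual-hosted-style endpoint for one specific bucket
  # (https://my-bucket.s3.us-east-1.amazonaws.com/key). Listing each bucket
  # the workload needs keeps the allowlist tight; a wildcard such as
  # "*.s3.us-east-1.amazonaws.com" would open egress to every bucket.
  - my-bucket.s3.us-east-1.amazonaws.com
  # The endpoints live outside the mesh
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  # DNS resolution: the sidecar resolves the host names and connects to
  # whatever addresses AWS returns, so no S3 IP ranges are hard-coded.
  resolution: DNS
```

With HTTPS the sidecar only sees the TLS SNI, so the allowlist is enforced on host names, not on buckets or object keys; with Istio 1.0's default REGISTRY_ONLY policy, any host not listed in a ServiceEntry stays blocked.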