How to allow non-HTTP out of an istio cluster/pod

1/9/2019

I've installed istio v1.0.5 in a k8s cluster (1 master, 2 worker nodes) and have deployed an application that requires HTTP from clients into a service and this service then needs to communicate out of the cluster. I did not use helm to install istio and the material I've read has a lot of helm examples to update the init container config to include the cluster IP cidr.

From my understanding, this is still an on-going discussion with the devs and the best way to solve this issue is to annotate the deployment with the following:

---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: home-devices-deployment
  namespace: home-devices-app
  labels:
    app: home-devices-app
  annotations:
     traffic.sidecar.istio.io/includeOutboundIPRanges: "10.244.0.0/16"

I put in my clusterIP CIDR but it still doesn't allow the container to connect to an external system via SSH/TCP 22.

ubuntu@k8s-master:~/applications$ kubectl cluster-info dump | grep -i cidr
                "podCIDR": "10.244.0.0/24",
                "podCIDR": "10.244.1.0/24"
                "podCIDR": "10.244.2.0/24"
                            "--allocate-node-cidrs=true",
                            "--cluster-cidr=10.244.0.0/16",
                            "--node-cidr-mask-size=24",

Any help is appreciated.

--update--

I tried ServiceEntry's but still am not successful. Please remember this is a container that is SSH'ing externally.

ubuntu@k8s-master:~/applications$ kubectl get serviceentry -n home-devices-app -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
  kind: ServiceEntry
  metadata:
    creationTimestamp: "2019-01-10T02:45:27Z"
    generation: 1
    name: ex-ssh-service-entry
    namespace: home-devices-app
    resourceVersion: "1432196"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-    app/serviceentries/ex-ssh-service-entry
    uid: c9b22284-1481-11e9-ad97-000c297d3726
  spec:
    addresses:
    - 10.10.10.5
    hosts:
    - '*.ca'
    location: MESH_EXTERNAL
    ports:
    - name: ssh
      number: 22
      protocol: TCP
    resolution: NONE
- apiVersion: networking.istio.io/v1alpha3
  kind: ServiceEntry
  metadata:
    creationTimestamp: "2019-01-10T02:45:27Z"
    generation: 1
    name: srx-ssh-service-entry
    namespace: home-devices-app
    resourceVersion: "1432197"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-    app/serviceentries/srx-ssh-service-entry
    uid: c9b3b586-1481-11e9-ad97-000c297d3726
  spec:
    addresses:
    - 10.10.10.6
    hosts:
    - '*.ca'
    location: MESH_EXTERNAL
    ports:
    - name: ssh
      number: 22
      protocol: TCP
    resolution: NONE
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
-- TheLemon
istio
kubernetes

1 Answer

1/9/2019

Try adding a service entry like below. It worked for me.

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: ext-svcentry
    spec:
      hosts:
      - "*.com"
     location: MESH_EXTERNAL
     addresses:
     - 11.22.33.44
     ports:
     - number: 8080
       name: http
       protocol: TCP
     resolution: NONE
-- mjkool
Source: StackOverflow