K
Q

How to allow non-HTTP out of an istio cluster/pod

1/9/2019

I've installed istio v1.0.5 in a k8s cluster (1 master, 2 worker nodes) and have deployed an application that requires HTTP from clients into a service and this service then needs to communicate out of the cluster. I did not use helm to install istio and the material I've read has a lot of helm examples to update the init container config to include the cluster IP cidr.

From my understanding, this is still an on-going discussion with the devs and the best way to solve this issue is to annotate the deployment with the following:

---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: home-devices-deployment
  namespace: home-devices-app
  labels:
    app: home-devices-app
  annotations:
     traffic.sidecar.istio.io/includeOutboundIPRanges: "10.244.0.0/16"

I put in my clusterIP CIDR but it still doesn't allow the container to connect to an external system via SSH/TCP 22.

ubuntu@k8s-master:~/applications$ kubectl cluster-info dump | grep -i cidr
                "podCIDR": "10.244.0.0/24",
                "podCIDR": "10.244.1.0/24"
                "podCIDR": "10.244.2.0/24"
                            "--allocate-node-cidrs=true",
                            "--cluster-cidr=10.244.0.0/16",
                            "--node-cidr-mask-size=24",

Any help is appreciated.

--update--

I tried ServiceEntry's but still am not successful. Please remember this is a container that is SSH'ing externally.

ubuntu@k8s-master:~/applications$ kubectl get serviceentry -n home-devices-app -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
  kind: ServiceEntry
  metadata:
    creationTimestamp: "2019-01-10T02:45:27Z"
    generation: 1
    name: ex-ssh-service-entry
    namespace: home-devices-app
    resourceVersion: "1432196"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-    app/serviceentries/ex-ssh-service-entry
    uid: c9b22284-1481-11e9-ad97-000c297d3726
  spec:
    addresses:
    - 10.10.10.5
    hosts:
    - '*.ca'
    location: MESH_EXTERNAL
    ports:
    - name: ssh
      number: 22
      protocol: TCP
    resolution: NONE
- apiVersion: networking.istio.io/v1alpha3
  kind: ServiceEntry
  metadata:
    creationTimestamp: "2019-01-10T02:45:27Z"
    generation: 1
    name: srx-ssh-service-entry
    namespace: home-devices-app
    resourceVersion: "1432197"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-    app/serviceentries/srx-ssh-service-entry
    uid: c9b3b586-1481-11e9-ad97-000c297d3726
  spec:
    addresses:
    - 10.10.10.6
    hosts:
    - '*.ca'
    location: MESH_EXTERNAL
    ports:
    - name: ssh
      number: 22
      protocol: TCP
    resolution: NONE
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
-- TheLemon
istio
kubernetes

Similar Questions

Access Traefik UI from Kubernetes hosted in Azure
Keycloak invalid redirect URI when deployed on openshift with https
How to configure metricbeat helm chart to output to elasticsearch?
what role does network bridge `docker0` play in k8s with flannel
Spark property that kills the spark application after a certain number of failed executors
Kubernetes loadbalance between monolith and microservices
Code Changes for Implementing Kubernetes Probes
Call Azure function inside the Kubernetes cluster shows error?

1 Answer

1/9/2019

Try adding a service entry like below. It worked for me.

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: ext-svcentry
    spec:
      hosts:
      - "*.com"
     location: MESH_EXTERNAL
     addresses:
     - 11.22.33.44
     ports:
     - number: 8080
       name: http
       protocol: TCP
     resolution: NONE
-- mjkool
Source: StackOverflow