Istio Pilot is creating TCP Listeners that should be HTTP

2/5/2019

Setup is Kubernetes v1.13 & Istio 1.0.5

I'm running into an issue where the Istio service discovery is creating Envoy configurations that match TCP listeners instead of HTTP listeners.

The communication is working in the service mesh, but I need Envoy to serve as a Layer 7 proxy and not a Layer 4 pass through. I'm not getting the logs I need for the HTTP requests coming through Envoy.

Here is what I see in the sidecar istio-proxy log:

[2019-02-05T15:40:59.403Z] - 5739 7911 149929 "127.0.0.1:80" inbound|80||api-endpoint.default.svc.cluster.local 127.0.0.1:44560 10.244.3.100:80 10.244.3.105:35204

When I inspect the Envoy config in the sidecar, this is the corresponding config for that log message:

      "name": "envoy.tcp_proxy",
      "config": {
       "cluster": "inbound|80||api-endpoint.default.svc.cluster.local",
       "access_log": [
        {
         "name": "envoy.file_access_log",
         "config": {
          "path": "/dev/stdout",
          "format": "[%START_TIME%] %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS%\n"
         }
        }
       ],
       "stat_prefix": "inbound|80||api-endpoint.default.svc.cluster.local"
      }

So my question is: Why is Pilot providing Envoy with a TCP config for an HTTP service?

-- Jonathan H
istio
kubernetes

1 Answer

2/5/2019

I've come across this; in my case the port name for my service was not in the form http-xyz.

Istio/Envoy assumes that traffic is TCP, unless it gets a hint from the port name that it is some other protocol.

As per https://istio.io/help/faq/traffic-management/#naming-port-convention

Named ports: Service ports must be named.

The port names must be of the form protocol-suffix with http, http2, grpc, mongo, or redis as the protocol in order to take advantage of Istio’s routing features.

For example, name: http2-foo or name: http are valid port names, but name: http2foo is not. If the port name does not begin with a recognized prefix or if the port is unnamed, traffic on the port will be treated as plain TCP traffic (unless the port explicitly uses Protocol: UDP to signify a UDP port).

-- Paul Annetts
Source: StackOverflow
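
An added example (not from the original post or the Istio project): a Python check that applies the naming rule quoted in the answer to `kubectl get svc -o json` output and lists the ports that fall back to plain TCP, which is where the HTTP access logs go missing. The service data, including the port name `api`, is constructed; the prefix list is the one in the FAQ text quoted above.

```python
import json

# Prefixes named in the Istio FAQ text quoted in the answer (Istio 1.0.x).
RECOGNIZED = {"http", "http2", "grpc", "mongo", "redis"}

def classify_port(port):
    """Protocol inferred for one Service port entry under the naming rule."""
    if port.get("protocol", "TCP") == "UDP":
        return "udp"
    name = port.get("name") or ""
    prefix = name.split("-", 1)[0]  # "http2-foo" -> "http2"; "http2foo" stays whole
    return prefix if prefix in RECOGNIZED else "tcp"

def find_tcp_fallbacks(svc_list):
    """Return (namespace/service, port, name) for ports treated as plain TCP."""
    findings = []
    for svc in svc_list.get("items", []):
        meta = svc["metadata"]
        ident = f'{meta.get("namespace", "default")}/{meta["name"]}'
        for port in svc.get("spec", {}).get("ports", []):
            if classify_port(port) == "tcp":
                findings.append((ident, port["port"], port.get("name")))
    return findings

# Constructed sample in the shape of `kubectl get svc -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "api-endpoint", "namespace": "default"},
   "spec": {"ports": [{"name": "api", "port": 80, "protocol": "TCP"}]}},
  {"metadata": {"name": "web", "namespace": "default"},
   "spec": {"ports": [{"name": "http-web", "port": 8080, "protocol": "TCP"},
                      {"name": "http2foo", "port": 8443, "protocol": "TCP"},
                      {"name": "dns", "port": 53, "protocol": "UDP"}]}}
]}
""")

if __name__ == "__main__":
    for ident, port, name in find_tcp_fallbacks(SAMPLE):
        print(f"{ident} port {port} (name={name!r}): plain TCP, no HTTP listener")
```

To check a live cluster, replace `SAMPLE` with the parsed output of `kubectl get svc --all-namespaces -o json`.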