Cloud Run enabled clusters disable outbound network traffic from any pod by default
After creating a cluster with Cloud Run by following the documentation, one can check that all requests from inside a pod in the cluster, not only from Knative service pods but really from any pod, will return 404. It's not clear which configuration sets this, but it's clear that it happens when creating a cluster with Cloud Run enabled.
As a consequence, we're not able to, for instance, install Helm on this cluster. In fact, we can't install anything that will require an external request from a pod.
Steps to reproduce:
1 - Follow the official Cloud Run setup documentation
2 - Start a simple alpine pod in your cluster: kubectl run -it --rm --restart=Never alpine --image=alpine sh
3 - Make any external request, such as: wget www.google.com
Cloud Run also documents this behaviour and explains how to enable outbound traffic.
However, I followed these steps and still couldn't enable the traffic. Perhaps I'm doing something wrong or it's really not working as it should.
Update
As noted in https://stackoverflow.com/a/55861559/3165889, this happens with the current Istio version Cloud Run uses, but should change in the 1.1 release, where egress will be enabled for all outbound requests by default.
This is documented in the Cloud Run on GKE setup documentation: https://cloud.google.com/run/docs/gke/setup#enabling_outbound_network_access
This will not be necessary soon, as it will be enabled by default by moving to Istio 1.1, where the outbound traffic policy allows any egress traffic by default.
One possible solution is to disable the istio-sidecar on the default namespace: kubectl label namespace default istio-injection=disabled
More details: https://gitlab.com/groups/gitlab-org/-/epics/1202#note_164285838
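A triage helper for the situation in this thread, as an added example that is not part of the original posts: it combines the namespace's istio-injection label, whether the pod actually carries the istio-proxy sidecar, and the result of the wget test, because the label only affects pods created after it is set. The function names and verdict strings are made up for this example, and it assumes the pod image provides wget, as alpine does.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts). Namespace and pod names are
# caller-supplied; "istio-proxy" is the container name Istio's injector uses.

# True if the space-separated container list includes the Istio sidecar.
has_sidecar() {
  case " $1 " in
    *" istio-proxy "*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify <istio-injection label value> <container names> <egress exit code>
# Prints one verdict word; pure function, so it can be checked without a cluster.
classify() {
  local label="$1" containers="$2" egress_rc="$3"
  if has_sidecar "$containers"; then
    if [ "$label" = "disabled" ]; then
      echo "stale-sidecar"        # pod predates the label change; recreate it
    elif [ "$egress_rc" -ne 0 ]; then
      echo "blocked-by-sidecar"   # matches the behaviour reported in the question
    else
      echo "egress-allowed"       # sidecar present and outbound traffic passes
    fi
  elif [ "$egress_rc" -ne 0 ]; then
    echo "not-istio"              # no sidecar: check DNS, NetworkPolicy, firewall
  else
    echo "ok-no-sidecar"          # egress works, but the pod is outside the mesh
  fi
}

# diagnose <namespace> <pod> [url]: gathers the three inputs with kubectl.
diagnose() {
  local ns="$1" pod="$2" url="${3:-http://www.google.com}" label containers rc=0
  label=$(kubectl get namespace "$ns" \
            -o jsonpath='{.metadata.labels.istio-injection}')
  containers=$(kubectl get pod "$pod" -n "$ns" \
            -o jsonpath='{.spec.containers[*].name}')
  # Same wget test as step 3 of the question, run inside the existing pod.
  kubectl exec "$pod" -n "$ns" -- wget -q -T 5 -O /dev/null "$url" || rc=$?
  classify "$label" "$containers" "$rc"
}

# Example call against the pod from step 2: diagnose default alpine
```

A verdict of ok-no-sidecar means the pod's traffic no longer passes through the Istio proxy at all, so any mesh-level egress control or telemetry does not apply to it.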