What URLs does the GKE extensible service proxy need to access

5/27/2019

I'm running Istio in Google Kubernetes Engine. My application uses gRPC and has an Extensible Service Proxy container to link to the Google Endpoints Service.

Istio on GKE by default blocks all egress requests, but that breaks the ESP container since it needs to request some data from outside the Istio mesh.

The logs from the ESP informed me it was trying to access IP 169.254.169.254 to get some metadata, so I opened up an egress channel from Istio to let that happen, and that's fine.

But the next thing the ESP attempts is to "fetch the service config ID from the rollouts service". Again this is blocked, but this time the log error doesn't tell me the URL that it's trying to access, only the path. So I don't know what URL to open up for egress.

This is the log entry:

WARNING:Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /v1/services/rev79.endpoints.rev79-232812.cloud.goog/rollouts?filter=status=SUCCESS

So can anyone tell me what URLs the ESP needs to access to be able to work?

-- Toby 1 Kenobi
Tags: google-kubernetes-engine, grpc, istio, url

2 Answers

5/27/2019

I eventually stumbled across what I was looking for by googling parts of the path with some key words. This looks like what the ESP is trying to access: https://servicemanagement.googleapis.com/v1/services/{serviceName}/rollouts/{rolloutId}

Indeed opening up a route to that host gets the ESP up and running.

-- Toby 1 Kenobi
Source: StackOverflow

6/6/2019

For anyone else stuck with this problem.

The ESP needs access to two separate endpoints in order to run without crashing. They are

  • servicemanagement.googleapis.com (HTTPS)
  • 169.254.169.254 (HTTP)

To function correctly, it also needs

  • servicecontrol.googleapis.com (HTTPS)

If you have strict egress filtering in your Istio mesh, you will need two ServiceEntry resources to make this happen.

# ServiceEntry 1: the GCE metadata server (169.254.169.254) over plain HTTP.
# It is an IP literal, so traffic is matched on `addresses` and `resolution: NONE`.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: endpoints-cert
spec:
  hosts:
  - metadata.google # this field does not matter; the address below is what is matched
  addresses:
  - 169.254.169.254/32
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: NONE
  location: MESH_EXTERNAL

---

# ServiceEntry 2: the Service Management and Service Control APIs over HTTPS.
# These are DNS names, so the sidecar resolves them (`resolution: DNS`).
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: endpoints-metadata
spec:
  hosts:
  - "servicemanagement.googleapis.com"
  - "servicecontrol.googleapis.com"
  ports:
  - number: 80 # may not be necessary; drop it if ESP works with 443 only
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

If you are using an egress gateway, you will need additional configuration for both of these endpoints.

-- user2620367
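The answer above hand-writes two ServiceEntry manifests. The following is an added example (not from either answer or from Istio/ESP) that generates the same allowlist programmatically and, before anything is applied, checks that exactly the destinations seen in the ESP logs are permitted and nothing broader is. It keeps the googleapis.com entries to port 443 only, since nothing in the thread shows ESP needing cleartext to those hosts; the `.internal` placeholder hostname for the IP entry, the function names and the `esp-*` resource names are this example's own choices. It emits a `v1/List` as JSON, which `kubectl apply -f` accepts as a manifest.

```python
"""Generate least-privilege Istio ServiceEntry manifests for ESP egress and
verify what they allow. Added example; not part of the StackOverflow answers."""
import ipaddress
import json

API_VERSION = "networking.istio.io/v1alpha3"  # version used in the answer above


def classify_host(host):
    """Return 'ip' for a valid IPv4 literal, 'dns' for a hostname.

    A malformed dotted quad (an octet above 255, say) raises ValueError instead
    of silently becoming a DNS name that the sidecar will never resolve."""
    if host.replace(".", "").isdigit():
        ipaddress.IPv4Address(host)  # raises ValueError on an invalid address
        return "ip"
    return "dns"


def service_entry(name, hosts, ports):
    """Build one ServiceEntry dict with the same shape as the YAML above.

    hosts: list of DNS names, or a single-element list holding an IPv4 literal.
    ports: list of (port_name, number, protocol) tuples.
    """
    kinds = {classify_host(h) for h in hosts}
    if len(kinds) != 1:
        raise ValueError("do not mix IP literals and DNS names in one ServiceEntry")
    spec = {
        "ports": [{"number": n, "name": pn, "protocol": proto} for pn, n, proto in ports],
        "location": "MESH_EXTERNAL",
    }
    if kinds == {"ip"}:
        # Istio requires `hosts` even for an IP destination; with resolution NONE
        # it is only a label (the answer notes the name does not matter).
        spec["hosts"] = [f"{name}.internal"]  # placeholder name, this example's choice
        spec["addresses"] = [f"{h}/32" for h in hosts]
        spec["resolution"] = "NONE"
    else:
        spec["hosts"] = list(hosts)
        spec["resolution"] = "DNS"
    return {"apiVersion": API_VERSION, "kind": "ServiceEntry",
            "metadata": {"name": name}, "spec": spec}


# The destinations named in the answer above. Port 80 to googleapis.com is
# deliberately left out: the answer marks it "may not be necessary".
ESP_EGRESS = [
    ("esp-metadata-server", ["169.254.169.254"], [("http", 80, "HTTP")]),
    ("esp-google-apis",
     ["servicemanagement.googleapis.com", "servicecontrol.googleapis.com"],
     [("https", 443, "HTTPS")]),
]


def esp_manifest_list():
    """All ServiceEntries wrapped in a v1 List; kubectl apply -f accepts this as JSON."""
    return {"apiVersion": "v1", "kind": "List",
            "items": [service_entry(*spec) for spec in ESP_EGRESS]}


def allows(entries, host, port):
    """Does at least one ServiceEntry permit host:port?

    Run this over the destinations seen in the ESP log (metadata server,
    rollouts on servicemanagement, servicecontrol) and over a few hosts that
    must stay blocked, so the allowlist is checked before it is applied."""
    for entry in entries:
        spec = entry["spec"]
        if port not in {p["number"] for p in spec["ports"]}:
            continue
        if spec["resolution"] == "NONE":
            if classify_host(host) == "ip" and any(
                ipaddress.IPv4Address(host) in ipaddress.IPv4Network(a)
                for a in spec["addresses"]
            ):
                return True
        elif host in spec["hosts"]:
            return True
    return False


if __name__ == "__main__":
    manifest = esp_manifest_list()
    for host, port in [("169.254.169.254", 80),
                       ("servicemanagement.googleapis.com", 443),
                       ("servicecontrol.googleapis.com", 443)]:
        assert allows(manifest["items"], host, port), f"{host}:{port} not covered"
    print(json.dumps(manifest, indent=2))  # pipe into: kubectl apply -f -
```

Because `classify_host` rejects an unparseable IPv4 literal, a mistyped metadata-server address fails at generation time rather than producing a ServiceEntry that never matches and leaves ESP still blocked.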