I'd like to use Istio to restrict egress out of my GKE Kubernetes cluster.
I'm attempting to change to the blocking-by-default policy by running the following command to change the global.outboundTrafficPolicy.mode option to REGISTRY_ONLY:
$ kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
That works temporarily, however because GKE has installed Istio as an add-on, the setting is quickly reconciled back to ALLOW_ANY.
Is there any other way to apply this setting to GKE's Istio or is there some other approach I can take to accomplish the same result?
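One alternative to editing the global istio configmap is to set the outbound policy per namespace with an Istio Sidecar resource, and then allowlist the specific external hosts that namespace is permitted to reach with ServiceEntry objects. The manifest below is an added example, not from the question or either answer: the namespace "payments" and the host "api.example.com" are placeholders, and it assumes (to be verified on your cluster) that the GKE add-on's reconciliation only restores the istio configmap and leaves user-created Sidecar and ServiceEntry resources alone.

```yaml
# Added example: namespace-scoped REGISTRY_ONLY egress policy.
# Assumptions: namespace "payments" and host "api.example.com" are
# placeholders; the Sidecar outboundTrafficPolicy field requires an
# Istio version that supports it (assumed here for the add-on build).
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  # A Sidecar with no workloadSelector applies to every pod in the namespace.
  name: default
  namespace: payments
spec:
  egress:
  - hosts:
    - "./*"              # services in this namespace
    - "istio-system/*"   # control plane and telemetry
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY  # anything not in the registry is rejected
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: api-example-com
  namespace: payments
spec:
  # Only this external host is added to the registry for the namespace.
  hosts:
  - api.example.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
```

Apply it with `kubectl apply -f` and then, from a pod in the namespace, check that a request to the allowlisted host succeeds while one to any other external host fails (the sidecar returns a connection refusal or HTTP 502 rather than passing it through). If the add-on does revert these objects too, that confirms you need the separately installed egress controller suggested in the answers.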
Specifically for the managed version of Istio on GKE, they recommend installing your own egress controller to avoid having your changes rolled back due to the reconciliation mode.
You may try to block by egress service. kubectl get svc -n istio-system | grep egress and edit it as per your requirement.