K
Q

Make Istio ignore connections between two containers in the same deployment

1/22/2020

I have an OpenShift deployment with two containers: main java app and a custom sidecar that does jmx monitoring of the main app. So when I don't inject Istio sidecar (with annotation sidecar.istio.io/inject: 'false') everything works as I expect and jmx sidecar can establish connection. But when I inject Istio sidecar I have connection problems.

There are annotations like:

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/includeInboundPorts

but they don't seem to work, at least in my case and I couldn't find much information about them.

Here is my deployment yaml with relevant information that works with 'false' and doesn't with 'true' Istio sidecar inject option

apiVersion: apps/v1beta1
kind: Deployment
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: 'true'
    spec:
      containers:
      - image: mainjavaappsource
        ports:
            - containerPort: 9090
      - image: jmxsidecarsource
      dnsPolicy: ClusterFirst

So the question is - how can I exclude connections between containers in the same deployment from being intercepted by Istio sidecar?

-- SniXosha
istio
kubernetes
openshift

Similar Questions

Replicaset-controller why need burstReplicas
Get authentication token from AWS EKS using the AWS Java SDK v2
Why can I pull images from a private repo but not create a kubernetes deployment with it?
Kubernetes duplicate pod kube-system/metrics-server received error
Change flink job pods names

1 Answer

1/22/2020

Prevent the proxy from intercepting the traffic, basically means to exclude that service from the mesh. Simply don't inject the sidecar (so, keep that service outside the mesh), and create a ServiceEntry.

-- suren
Source: StackOverflow