We have a cluster with Istio, but there is one condition I can't find how to fulfill.

We need one of the services to have certain restrictions within the mesh as well, and to talk to one external endpoint. Through a Sidecar object, I should be able to set the restrictions internally, but I don't know how to restrict it to one external endpoint. I can set the external endpoint in the Sidecar object as well, but I have to create a ServiceEntry anyway, in which case all the services can talk to that external endpoint.

It seems that what I need is to set a ServiceEntry for one specific service, but this is not possible. Is there any other way to achieve this?
I asked this question on GitHub to the Istio team, and the only way to achieve this is putting the service in a different namespace and making the ServiceEntry apply only to the workloads in that namespace through the exportTo parameter.

The ServiceEntry would look like this:
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: se-demo
spec:
  exportTo:
    - "."   # with ".", we are saying the ServiceEntry only applies to the workloads in the same namespace
  hosts:
    - www.google.com
  location: MESH_EXTERNAL
  ports:
    - name: https
      number: 443
      protocol: HTTPS
  resolution: DNS
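The answer above covers the visibility side: exportTo "." keeps the ServiceEntry out of every other namespace's proxy configuration. On its own that is not yet a restriction, because Istio's mesh-wide default outboundTrafficPolicy is ALLOW_ANY, under which a proxy simply passes traffic to hosts it does not know about. The manifests below are an added example (not part of the original answer) that combines the scoped ServiceEntry with a namespace-wide Sidecar set to REGISTRY_ONLY, so workloads in that namespace can reach www.google.com:443 and nothing else outside the mesh, while workloads elsewhere never learn about the host at all. The namespace name restricted-ns and the Sidecar name restricted-egress are assumptions chosen for the example.

```yaml
# Added example: a dedicated namespace for the restricted service.
# "restricted-ns" is an assumed name, not taken from the original answer.
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    istio-injection: enabled
---
# The ServiceEntry from the answer, placed in that namespace and scoped with
# exportTo: "." so only proxies in restricted-ns receive this host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: se-demo
  namespace: restricted-ns
spec:
  exportTo:
    - "."
  hosts:
    - www.google.com
  location: MESH_EXTERNAL
  ports:
    - name: https
      number: 443
      protocol: HTTPS
  resolution: DNS
---
# Namespace-wide Sidecar (no workloadSelector, so it applies to every pod in
# restricted-ns). REGISTRY_ONLY makes the proxy reject traffic to any host
# that is not in its registry, which turns the exportTo scoping above into an
# enforced restriction. The egress list limits the registry to services in
# this namespace (which includes the ServiceEntry host, because it is
# exported here) plus the control plane namespace.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: restricted-egress
  namespace: restricted-ns
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
        - "./*"
        - "istio-system/*"
```

Apply with kubectl apply -f, then compare the proxy configuration of a pod in restricted-ns with one in any other namespace using istioctl proxy-config cluster <pod>.<namespace>: the outbound cluster for www.google.com should appear only for the pod in restricted-ns. If the mesh as a whole already runs with outboundTrafficPolicy REGISTRY_ONLY, the Sidecar's mode setting is redundant but harmless; the egress host list is still what keeps the namespace's workloads from seeing ServiceEntries exported elsewhere.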