5

How do you allow all outbound traffic with Istio?

I tried the following:

  • Disable the egress gateway and bypass the sidecar with --set global.proxy.includeIPRanges="0.0.0.0/0\,0.0.0.0/0"

None of the options work, worth to mention I'm using kubernetes 1.11.2

Rico
  • 58,485
  • 12
  • 111
  • 141
user399256
  • 141
  • 2
  • 5

3 Answers3

2

I assume you followed this, that's pretty much the way to do it.

Make sure that you update the istio-sidecar-injector ConfigMap on your namespace and restart your pods.

Rico
  • 58,485
  • 12
  • 111
  • 141
  • 1
    Hi the documentation is correct, i noticed that when i define--set global.proxy.includeIPRanges="0.0.0.0/0\,0.0.0.0/0" it doesnt work i also tried --set global.proxy.includeIPRanges="0.0.0.0/0" which is not working either, so i finally tried --set global.proxy.includeIPRanges="0.0.0.0" excluding the netmask and it seemed to be working fine – user399256 Oct 08 '18 at 16:10
  • @user399256 can/how can I add `global.proxy.includeIPRanges="0.0.0.0" ` in configmaps file ? I tried using `kubectl -n istio-system edit ...` but not able to do so. – Ahsan Naseem Oct 19 '18 at 13:20
1

Doing **global.proxy.includeIPRanges: "0.0.0.0" ** won't work. Its probably by defualt 0.0.0.0. The global.proxy.includeIPRanges tells istio what IPs are included in the mesh and you want the opposite.

So if your k8s svc CIDR is 10.244.0.0/16 do global.proxy.includeIPRanges: "10.244.0.0/16" everything out of that range will bypass istio

Bobby Donchev
  • 335
  • 1
  • 5
-1

@user399256 if you are using helm charts you just edit that under values.yaml than you have to implement the change as explained in: this actually did anyone try to allow all traffic using global.proxy.includeIPRanges: "0.0.0.0" ? did it work? is there maybe more elegant way ?

Shahaf Benita
  • 11
  • 3