Error while getting config map appconfig Get "https://xxx.xx.x.x:443/api/v1/namespaces/app/configmaps/appconfig": dial tcp xxx.xx.x.x:443: connect: connection refused"
But when istio sidecar is not injected, there is no error
Asked
Active
Viewed 116 times
1 Answers
0
Try this:
oc patch deploy <deployment-name> -p '{"spec":{"template":{"metadata":{"annotations":{"traffic.sidecar.istio.io/excludeOutboundIPRanges": "'$(oc get svc kubernetes -n default -o jsonpath='{.spec.clusterIP}')/32'"}}}}}'
Not sure if it is a bug or not, but apparently istio sidecar proxy does not allow for application containers to communicate with kubernetes API server when data plane is in strict mtls mode.
The above patch introduces an IP range in which the kubernetes API server resides and allows connections to those addresses go outside the sidecar proxy, thus avoiding network rules it enforces.
Justin Case
- 211
- 1
- 4
- 11