
I want to see how an Istio sidecar may restrict a pod's connections (I am learning Istio through its references), so I am working with the bookinfo example. After installing the example (I have Docker Desktop), I wrote a simple Sidecar resource that restricts the connections of ratings to the reviews and details services, as follows:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: bookinfo-ratings-sidecar
spec:
  workloadSelector:
    labels:
      app: ratings
  egress:
    - hosts:
      - "./details.default.svc.cluster.local"
      - "./reviews.default.svc.cluster.local"
```

When I run `istioctl proxy-config clusters ratings-v1-5f9699cfdf-hb2gd`, I do see that it includes only details.default.svc.cluster.local and reviews.default.svc.cluster.local (from the bookinfo services), but if I run `kubectl exec ratings-v1-5f9699cfdf-hb2gd -- curl -sS productpage:9080` I get an HTML result, i.e. it doesn't refuse the connection with productpage, as if the sidecar doesn't exist. What am I missing? (P.S. this question, "The result of sidecar injection was not what I expected", didn't help.)

David Maze
Sh.F
  • Attaching a similar [issue](https://github.com/istio/istio/issues/31308); let me know if this resolves your issue. – Sai Chandra Gadde Jan 12 '23 at 15:57
  • The sidecar YAML provided in the question didn't have any values w.r.t. connections. You can use an Istio destination rule to control connections. Please refer to the Istio documentation: https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings Once the DR is applied, if you take the config dump you will see those settings for that service. – Nataraj Medayhal Jan 19 '23 at 05:49

0 Answers
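
Added example, not part of the original question or its comments: the Sidecar from the question with an explicit `outboundTrafficPolicy`. It assumes the mesh is running with the install-default outbound mode `ALLOW_ANY`, under which `egress.hosts` only limits the configuration pushed to the proxy and traffic to unlisted destinations is still passed through.

```yaml
# Added example: the question's Sidecar with an explicit outbound policy.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: bookinfo-ratings-sidecar
spec:
  workloadSelector:
    labels:
      app: ratings
  # Without this field the mesh-wide outboundTrafficPolicy applies.
  # Assumption: that mesh-wide value is ALLOW_ANY (the install default),
  # so a request to productpage:9080 matches no known host and is
  # forwarded via PassthroughCluster instead of being refused.
  # REGISTRY_ONLY makes the proxy reject destinations it has no
  # configuration for; for plain HTTP the curl in the question is then
  # expected to receive a 502 from the sidecar.
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
    - hosts:
      - "./details.default.svc.cluster.local"
      - "./reviews.default.svc.cluster.local"
```

Because this policy is enforced by the proxy inside the pod, a workload that bypasses its sidecar is not constrained by it; an AuthorizationPolicy on the destination workload or a Kubernetes NetworkPolicy enforces the restriction outside the client pod.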