
Not able to connect to another pod's IP from a pod when enabling REGISTRY_ONLY mode in the config of the Istio egress gateway

apiVersion: v1
data:
  mesh: |-
    accessLogEncoding: TEXT
    accessLogFile: /dev/stdout
    accessLogFormat: ""
    defaultConfig:
      concurrency: 2
      configPath: ./etc/istio/proxy
      connectTimeout: 10s
      controlPlaneAuthPolicy: NONE
      discoveryAddress: istiod.istio-system.svc:15012
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      proxyAdminPort: 15000
      proxyMetadata:
        DNS_AGENT: ""
      serviceCluster: istio-proxy
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    disableMixerHttpReports: true
    disablePolicyChecks: true
    enablePrometheusMerge: false
    ingressClass: istio
    ingressControllerMode: STRICT
    ingressService: istio-ingressgateway
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
    excludeIPRanges: ""
    protocolDetectionTimeout: 100ms
    reportBatchMaxEntries: 100
    reportBatchMaxTime: 1s
    sdsUdsPath: unix:/etc/istio/proxy/SDS
    trustDomain: cluster.local
    trustDomainAliases: null
  meshNetworks: 'networks: {}'
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"mesh":"accessLogEncoding: TEXT\naccessLogFile: /dev/stdout\naccessLogFormat: \"\"\ndefaultConfig:\n  concurrency: 2\n  configPath: ./etc/istio/proxy\n  connectTimeout: 10s\n  controlPlaneAuthPolicy: NONE\n  discoveryAddress: istiod.istio-system.svc:15012\n  drainDuration: 45s\n  parentShutdownDuration: 1m0s\n  proxyAdminPort: 15000\n  proxyMetadata:\n    DNS_AGENT: \"\"\n  serviceCluster: istio-proxy\n  tracing:\n    zipkin:\n      address: zipkin.istio-system:9411\ndisableMixerHttpReports: true\ndisablePolicyChecks: true\nenablePrometheusMerge: false\ningressClass: istio\ningressControllerMode: STRICT\ningressService: istio-ingressgateway\noutboundTrafficPolicy:\n  mode: REGISTRY_ONLY\nexcludeIPRanges: \"\"\nprotocolDetectionTimeout: 100ms\nreportBatchMaxEntries: 100\nreportBatchMaxTime: 1s\nsdsUdsPath: unix:/etc/istio/proxy/SDS\ntrustDomain: cluster.local\ntrustDomainAliases: null","meshNetworks":"networks: {}"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"istio.io/rev":"default","release":"istio"},"name":"istio","namespace":"istio-system"}}
  creationTimestamp: "2021-01-04T10:57:02Z"
  labels:
    istio.io/rev: default
    release: istio
  name: istio
  namespace: istio-system
  resourceVersion: "3289298"
  selfLink: /api/v1/namespaces/istio-system/configmaps/istio
  uid: a912bef1-4be2-4a48-a632-0495a79cc880

But when I set the mode to ALLOW_ANY, it is able to connect to the other pod using the pod IP. We want to block external calls from the cluster but want to allow pod-to-pod communication using the pod IP.

I tried to add excludeIPRange and includeIPRange, but it's still not able to make a pod-to-pod connection with the pod IP.

  • Are both of your pods within the mesh? Also, `excludeIPRange` and `includeIPRange` are not options in mesh config; they would be in the install config. You could add those annotations directly to the pod. `ALLOW_ANY` works because it isn't blocking what appears to be external traffic to the mesh. With `REGISTRY_ONLY` it restricts to the internal service registry. Is there a reason you're not using a service hostname to access the pod? – Thomas Stringer Feb 04 '23 at 15:45
  • Yes, both are in the same mesh. In our namespace there is one Solr which is basically getting the pod IP from ZooKeeper, and the application is using the pod IP to connect to Solr – Rahul Gogyani Feb 05 '23 at 07:10
  • I don't know enough about solr or zookeeper to comment specifically there, but Istio's configuration is primarily service-based, and wouldn't know about pod IP targets in the mesh. You can see that if you were to do a `istioctl proxy-config route -o json` dump you wouldn't find any pod IP addresses there. – Thomas Stringer Feb 05 '23 at 19:37
  • Perhaps [this Istio issue on a similar topic](https://github.com/istio/istio/issues/23494) could help? – Thomas Stringer Feb 05 '23 at 19:37
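The comments above explain the mechanism: under `REGISTRY_ONLY` the sidecar only forwards outbound traffic to destinations it can find in the service registry, and bare pod IPs are not there. The following is an added example, not part of the question or of any answer on this page and not Istio project code, showing the two usual ways of handling that, side by side, so the trade-off is visible. The pod CIDR `10.244.0.0/16`, the Solr port `8983`, the namespace `solr` and the names `pod-cidr` / `pod-cidr.internal` are assumptions for illustration; substitute the values from your own cluster (`kubectl cluster-info dump | grep -m1 cluster-cidr` is one way to find the pod CIDR on kubeadm clusters).

```yaml
# Option A (keeps the traffic inside the mesh, preferred):
# put the pod CIDR into the registry with a ServiceEntry, so REGISTRY_ONLY
# still blocks the internet but lets the sidecar route to raw pod IPs on the
# Solr port. With resolution NONE and a TCP port the sidecar matches on
# destination IP+port and passes the original destination through, so
# sidecar-to-sidecar mTLS, telemetry and AuthorizationPolicy still apply.
# "hosts" is mandatory but, for TCP, only a label; it is not resolved.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: pod-cidr                 # assumed name
  namespace: solr                # assumed namespace of the Solr clients
spec:
  hosts:
    - pod-cidr.internal          # assumed placeholder hostname
  addresses:
    - 10.244.0.0/16              # assumed pod CIDR of the cluster
  location: MESH_INTERNAL
  resolution: NONE
  ports:
    - number: 8983               # assumed Solr port
      name: tcp-solr
      protocol: TCP
---
# Option B (weaker: bypasses the sidecar entirely):
# tell the init container not to intercept outbound traffic to the pod CIDR.
# The connection then leaves the pod as plaintext and is invisible to Istio,
# so it gets no mTLS and no AuthorizationPolicy; if the Solr pod's sidecar is
# in PeerAuthentication STRICT mode the plaintext connection is rejected.
# Use this only when Option A is not possible. The same key exists at install
# time as values.global.proxy.excludeIPRanges, which is what the comment above
# refers to; it is not a field of the "mesh" ConfigMap, so the
# excludeIPRanges: "" line in the posted ConfigMap is ignored.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: solr-client              # assumed workload name
  namespace: solr
spec:
  selector:
    matchLabels:
      app: solr-client
  template:
    metadata:
      labels:
        app: solr-client
      annotations:
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "10.244.0.0/16"
    spec:
      containers:
        - name: app
          image: example.invalid/solr-client:latest   # assumed image
```

After applying Option A, `istioctl proxy-config cluster <client-pod>.solr` should list an outbound cluster for `pod-cidr.internal` on 8983, and `istioctl proxy-config listener <client-pod>.solr --port 8983` should show a listener bound to the CIDR rather than the `PassthroughCluster`/`BlackHoleCluster` pair that `REGISTRY_ONLY` installs for unknown destinations. Keep the ServiceEntry scoped to the ports you actually need; a CIDR entry for all ports reopens most of what `REGISTRY_ONLY` was meant to close.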

0 Answers