
Istio outboundTrafficPolicy for pods in and out of the service mesh


I'm trying to understand how the Istio Envoy proxy works when outboundTrafficPolicy mode is set to REGISTRY_ONLY. With the setup defined below I would expect the inside pod to be blocked from accessing the outside pod, since the sidecar.istio.io/inject label is set to "false" for the outside pod and "true" for the inside pod. However, when I exec into the inside pod and issue a curl command I get a success.

kubectl -n istio-test exec -it inside-85f794ff76-7x44s -c sleep -- curl  http://outside
<html><body><h1>It works!</h1></body></html>

Configuration Setup

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: outside
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: inside
  clusterIP: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: outside
  name: outside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: outside
  template:
    metadata:
      labels:
        app: outside
        version: v1
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - image: httpd
        name: httpd
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: inside
  name: inside
  namespace: istio-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inside
  template:
    metadata:
      labels:
        app: inside
        version: v1
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - image: curlimages/curl
        name: sleep
        command:
        - /bin/sleep
        - infinity
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-test
spec:
  workloadSelector:
    labels:
      app: inside
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

I was expecting to need a ServiceEntry to register the external pod. Why does this not appear to be the case?

How can I block traffic from the inside pod to the outside pod?


Solution

  • The Istio "REGISTRY_ONLY" option blocks the traffic when there is no HTTP service or service entry defined within the mesh. In the above case there is a service "outside" which is getting created. To understand the "REGISTRY_ONLY" option, the example explained in the Istio document can be evaluated.

    The option to block the traffic for the "outside" service application is to use an "Authorization Policy".

    Below is one sample to deny all traffic. More options on authorization policy are explained in the Istio document.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-nothing
      namespace: istio-test
    spec:
      selector:
        matchLabels:
          app: outside
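As an added example, not code from the question or the answer, here is a small Python model of the REGISTRY_ONLY decision for the manifests above: a destination is reachable only if it is in the mesh registry (here the two Kubernetes Services) and inside the Sidecar resource's egress scope, which defaults to */* when no egress section is given. The helper names, the narrowed egress list and the check that an AuthorizationPolicy only has an enforcement point where a sidecar proxy runs are my assumptions; the model deliberately ignores ServiceEntries, namespace-level injection labels and ambient mode.

```python
"""Simplified model of Istio's REGISTRY_ONLY outbound decision (assumption:
reachable = host in registry AND host inside the Sidecar egress scope;
anything else goes to the BlackHoleCluster)."""
from fnmatch import fnmatchcase

# Constructed from the question's manifests: the two Kubernetes Services
# are automatically part of the mesh registry, no ServiceEntry needed.
REGISTRY = {
    "outside.istio-test.svc.cluster.local",
    "inside.istio-test.svc.cluster.local",
}


def in_egress_scope(host, workload_ns, egress_hosts):
    """True if host matches one 'namespace/dnsName' entry of the egress list."""
    host_ns = host.split(".")[1]  # <name>.<namespace>.svc.cluster.local
    for entry in egress_hosts:
        ns, _, name = entry.partition("/")
        if ns == ".":  # "./" means the workload's own namespace
            ns = workload_ns
        if ns in ("*", host_ns) and fnmatchcase(host, name):
            return True
    return False


def registry_only_allows(host, workload_ns="istio-test",
                         egress_hosts=("*/*",), registry=REGISTRY):
    """Outbound decision under outboundTrafficPolicy.mode == REGISTRY_ONLY."""
    return host in registry and in_egress_scope(host, workload_ns, egress_hosts)


def authz_policy_enforced(pod_template_labels):
    """AuthorizationPolicy is enforced by the proxy; a pod template that sets
    sidecar.istio.io/inject: "false" has no proxy to enforce it (assumption:
    sidecar mode, no namespace-level injection, no waypoint)."""
    return pod_template_labels.get("sidecar.istio.io/inject") != "false"


def demo():
    outside = "outside.istio-test.svc.cluster.local"
    # Page's Sidecar has no egress section -> scope "*/*"; Service exists -> allowed.
    as_on_page = registry_only_allows(outside)
    # Constructed alternative: narrow the egress scope so "outside" is invisible.
    narrowed = registry_only_allows(
        outside, egress_hosts=("istio-system/*", "./inside.istio-test.svc.cluster.local"))
    # A host with neither a Service nor a ServiceEntry is blocked in both cases.
    unregistered = registry_only_allows("example.com")
    # The answer's policy selects app: outside, whose template disables injection.
    enforced = authz_policy_enforced({"app": "outside", "sidecar.istio.io/inject": "false"})
    return as_on_page, narrowed, unregistered, enforced
```

Running `demo()` returns (True, False, False, False): the page's setup allows the call, a narrowed egress scope blocks it, and the sample policy has no sidecar to enforce it.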