Will the traffic not intercepted by istio-proxy be logged in istio-proxy?


I have meshConfig.outboundTrafficPolicy.mode configured as ALLOW_ANY. I set up an nginx pod with istio-proxy configured as a sidecar.

I didn't set up any ServiceEntry, so Istio shouldn't be aware of google.com. The istio-proxy won't intercept the traffic from the nginx container to google.com. So, I sent a simple GET request to google.com inside the nginx container, but the access log in istio-proxy looks like below.

{"downstream_local_address":"142.250.76.142:80","upstream_local_address":"10.3.18.110:55996","protocol":"HTTP/1.1","upstream_host":"142.250.76.142:80","upstream_cluster":"PassthroughCluster","method":"GET","response_code":301,"x_forwarded_for":null,"start_time":"2024-04-13T16:04:32.965Z","bytes_sent":219,"path":"/","response_code_details":"via_upstream","upstream_transport_failure_reason":null,"duration":73,"response_flags":"-","connection_termination_details":null,"request_id":"a8bdc1ce-5bb9-4ca7-9861-059232af2fcf","authority":"google.com","downstream_remote_address":"10.3.18.110:43972","route_name":"allow_any","bytes_received":0,"upstream_service_time":"73","requested_server_name":null,"user_agent":"curl/7.74.0"}

Does istio-proxy even log the requests that are not intercepted? Please correct me if I am wrong in any way. Thank you.


Solution

  • Istio-proxy will configure iptables to intercept all the ingress and egress traffic coming to the pod by default. So even if you don't have an SE to resolve the host, Istio by default will know the google.com endpoint and will see the traffic. But this will go through the "passthrough" cluster, so you won't be able to make any decisions on that traffic.
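
Because passthrough traffic is still logged, the sidecar access log can be used to inventory egress to destinations the mesh has no ServiceEntry for. The following is an added example, not part of the original answer or of Istio's tooling: it assumes JSON access logs with the field names shown in the question, and the sample lines are constructed (the first mirrors the quoted entry, the last assumes a non-HTTP connection logged with a null authority).

```python
import json
from collections import Counter

# Constructed sample lines, trimmed to the fields used here.
SAMPLE_LOG = """\
{"upstream_cluster":"PassthroughCluster","route_name":"allow_any","authority":"google.com","upstream_host":"142.250.76.142:80","method":"GET","response_code":301,"bytes_sent":219}
{"upstream_cluster":"outbound|80||backend.default.svc.cluster.local","route_name":"default","authority":"backend","upstream_host":"10.3.18.20:80","method":"GET","response_code":200,"bytes_sent":512}
2024-04-13T16:04:33.000Z info constructed non-JSON proxy log line
{"upstream_cluster":"PassthroughCluster","route_name":null,"authority":null,"upstream_host":"203.0.113.7:443","method":null,"response_code":0,"bytes_sent":4096}
"""


def passthrough_entries(lines):
    """Yield parsed access-log records that were forwarded via PassthroughCluster."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # sidecar output can also contain non-JSON lines
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupted record
        if isinstance(rec, dict) and rec.get("upstream_cluster") == "PassthroughCluster":
            yield rec


def summarize(lines):
    """Count passthrough requests per destination.

    The destination label is the HTTP authority when the proxy logged one,
    otherwise the upstream IP:port the connection was forwarded to.
    """
    counts = Counter()
    for rec in passthrough_entries(lines):
        dest = rec.get("authority") or rec.get("upstream_host") or "unknown"
        counts[dest] += 1
    return counts


if __name__ == "__main__":
    for dest, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:5d}  {dest}")
```

Each destination reported here is one the mesh only forwards, so it is a candidate for an explicit ServiceEntry if policy should apply to it.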