Comments (7)
Hey. Take a look at
https://istio.io/docs/setup/kubernetes/helm-install/
The values for the fields come from the annotations block of the config-map itself. If you don't have an annotation there for excludeIP then we'll have to look elsewhere.
You can also see what the value is being expanded to by looking at the podspec of a pod that was mutated by the webhook
from old_issues_repo.
Hmm. It's possible someone has configured the IP whitelist for bypass
https://istio.io/docs/tasks/traffic-management/egress/
from old_issues_repo.
Thanks for the answer! This seems likely. However, I am a bit confused by the documentation. It explains how to set the value during the Istio installation but not how to read it out. I took a look (kubectl describe) at the ConfigMap of the istio-sidecar-injector but it only shows the template and not the actual values. Is there a simple way to read out global.proxy.includeIPRanges without the usage of helm (we didn't even use helm for the installation nor any specified cloud provider there)?
We use this istio-init image: gcr.io/istio-release/proxy_init:release-0.8-20180531-09-15.
Here is the output of the describe command:
➜ kubectl describe ConfigMap istio-sidecar-injector -n istio-system -R
Name:         istio-sidecar-injector
Namespace:    istio-system
Labels:       app=istio
              chart=istio-0.8.0
              heritage=Tiller
              istio=sidecar-injector
              release=RELEASE-NAME
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","data":{"config":"policy: enabled\ntemplate: |-\n initContainers:\n - name: istio-init\n image: gcr.io/istio-release/proxy_init...

Data
====
config:
----
policy: enabled
template: |-
  initContainers:
  - name: istio-init
    image: gcr.io/istio-release/proxy_init:release-0.8-20180531-09-15
    args:
    - "-p"
    - [[ .MeshConfig.ProxyListenPort ]]
    - "-u"
    - 1337
    - "-m"
    - [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
    - "-i"
    [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges") -]]
    - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" ]]"
    [[ else -]]
    - "*"
    [[ end -]]
    - "-x"
    [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges") -]]
    - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeOutboundIPRanges" ]]"
    [[ else -]]
    - ""
    [[ end -]]
    - "-b"
    [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts") -]]
    - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeInboundPorts" ]]"
    [[ else -]]
    - [[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]
    - "-d"
    [[ if (isset .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts") -]]
    - "[[ index .ObjectMeta.Annotations "traffic.sidecar.istio.io/excludeInboundPorts" ]]"
    [[ else -]]
    - ""
    [[ end -]]
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
      privileged: true
    restartPolicy: Always
  containers:
  - name: istio-proxy
    image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
    "[[ index .ObjectMeta.Annotations "sidecar.istio.io/proxyImage" ]]"
    [[ else -]]
    gcr.io/istio-release/proxyv2:release-0.8-20180531-09-15
    [[ end -]]
    args:
    - proxy
    - sidecar
    - --configPath
    - [[ .ProxyConfig.ConfigPath ]]
    - --binaryPath
    - [[ .ProxyConfig.BinaryPath ]]
    - --serviceCluster
    [[ if ne "" (index .ObjectMeta.Labels "app") -]]
    - [[ index .ObjectMeta.Labels "app" ]]
    [[ else -]]
    - "istio-proxy"
    [[ end -]]
    - --drainDuration
    - [[ formatDuration .ProxyConfig.DrainDuration ]]
    - --parentShutdownDuration
    - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]
    - --discoveryAddress
    - [[ .ProxyConfig.DiscoveryAddress ]]
    - --discoveryRefreshDelay
    - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]
    - --zipkinAddress
    - [[ .ProxyConfig.ZipkinAddress ]]
    - --connectTimeout
    - [[ formatDuration .ProxyConfig.ConnectTimeout ]]
    - --statsdUdpAddress
    - [[ .ProxyConfig.StatsdUdpAddress ]]
    - --proxyAdminPort
    - [[ .ProxyConfig.ProxyAdminPort ]]
    - --controlPlaneAuthPolicy
    - [[ .ProxyConfig.ControlPlaneAuthPolicy ]]
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: ISTIO_META_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: ISTIO_META_INTERCEPTION_MODE
      value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]]
    imagePullPolicy: IfNotPresent
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      [[ if eq (or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String) "TPROXY" -]]
      capabilities:
        add:
        - NET_ADMIN
      [[ else -]]
      runAsUser: 1337
      [[ end -]]
    restartPolicy: Always
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    volumeMounts:
    - mountPath: /etc/istio/proxy
      name: istio-envoy
    - mountPath: /etc/certs/
      name: istio-certs
      readOnly: true
  volumes:
  - emptyDir:
      medium: Memory
    name: istio-envoy
  - name: istio-certs
    secret:
      optional: true
      [[ if eq .Spec.ServiceAccountName "" -]]
      secretName: istio.default
      [[ else -]]
      secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]]
      [[ end -]]
Events:  <none>
Or do I have to inspect a different resource to find out whether someone could configure a bypass?
Greetings
René
from old_issues_repo.
Hi,
ok, I am starting to understand it. So for each pod there will be an istio-init and istio-proxy container which will be initialised by the template defined in this ConfigMap I pasted above. If you use helm and you set global.proxy.includeIPRanges, then it will set the .ObjectMeta.Annotations "traffic.sidecar.istio.io/includeOutboundIPRanges" annotation with the value you put into it. However, if you don't provide this annotation (or use helm), then Istio will use '*' which means, ALL outbound traffic is redirected to Envoy.
Here are the initContainer arguments of one of our services:
initContainers:
- args:
  - -p
  - "15001"
  - -u
  - "1337"
  - -m
  - REDIRECT
  - -i
  - '*'
  - -x
  - ""
  - -b
  - 3000,
  - -d
  - ""
  image: gcr.io/istio-release/proxy_init:release-0.8-20180531-09-15
  imagePullPolicy: IfNotPresent
  name: istio-init
  resources: {}
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
    privileged: true
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
However, that means that all outbound traffic (like you have when you do curl https://www.facebook.com/ inside that container) for this service should go to Envoy first. But, doing the curl command gives me the full HTML document of Facebook, even though we didn't whitelist it. Can you confirm that this is right what I wrote and that it is not bypassing the service?
Maybe reinstalling Istio on our cluster solves this problem. Though, it would be nice to identify the root cause.
from old_issues_repo.
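The maintainer's advice above was to read the effective values off a pod that the webhook mutated, and the previous comment worked out how the istio-init arguments are derived from the traffic.sidecar.istio.io annotations. The following script is an added example, not code from the thread or from the Istio project: it walks a kubectl PodList, pulls the -i/-x/-b/-d arguments of each istio-init container, and flags any pod whose outbound or inbound capture has been narrowed, either through the arguments or through a per-pod annotation override. The file names, the embedded SAMPLE_PODS and the 203.0.113.0/24 range are constructed for the example.

```python
"""Report the effective traffic-capture settings of every Istio-injected pod.

Usage:  kubectl get pods -A -o json > pods.json && python3 audit_sidecar_capture.py pods.json
Without an argument the script audits SAMPLE_PODS, a constructed pod list below.
"""
import json
import sys

INIT_CONTAINER = "istio-init"
ANNOTATION_PREFIX = "traffic.sidecar.istio.io/"
# proxy_init flags as used by the 0.8 sidecar-injector template on this page:
# -i/-x are the outbound IP ranges that are (not) redirected to Envoy,
# -b/-d are the inbound ports that are (not) redirected.
CAPTURE_FLAGS = ("-p", "-u", "-m", "-i", "-x", "-b", "-d")


def parse_init_args(args):
    """Turn ['-p', '15001', '-i', '*', '-x', '', ...] into a flag -> value dict."""
    parsed = {}
    tokens = iter(args)
    for token in tokens:
        if token in CAPTURE_FLAGS:
            parsed[token] = next(tokens, "")
    return parsed


def audit_pod(pod):
    """Return None for a pod without the sidecar, else its capture args and findings."""
    meta = pod.get("metadata", {})
    init = next((c for c in pod.get("spec", {}).get("initContainers", [])
                 if c.get("name") == INIT_CONTAINER), None)
    if init is None:
        return None
    args = parse_init_args(init.get("args", []))
    overrides = {k: v for k, v in meta.get("annotations", {}).items()
                 if k.startswith(ANNOTATION_PREFIX)}
    findings = []
    include = args.get("-i", "*")
    if include != "*":
        findings.append(f"outbound capture limited to {include}; other destinations bypass Envoy")
    if args.get("-x"):
        findings.append(f"outbound ranges excluded from capture: {args['-x']}")
    if args.get("-d"):
        findings.append(f"inbound ports excluded from capture: {args['-d']}")
    for key, value in sorted(overrides.items()):
        findings.append(f"pod annotation {key}={value} overrides the injector default")
    return {"pod": f"{meta.get('namespace', 'default')}/{meta.get('name')}",
            "args": args, "findings": findings}


def audit(pod_list):
    """Audit a kubectl PodList; pods without istio-init are skipped."""
    return [r for r in map(audit_pod, pod_list.get("items", [])) if r is not None]


# Constructed sample: the first pod carries the arguments shown in the thread
# (everything captured), the second opts a /24 out of capture via the annotation,
# the third has no sidecar at all.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "frontend-1", "annotations": {}},
     "spec": {"initContainers": [{"name": "istio-init", "args": [
         "-p", "15001", "-u", "1337", "-m", "REDIRECT", "-i", "*", "-x", "",
         "-b", "3000,", "-d", ""]}]}},
    {"metadata": {"namespace": "default", "name": "exporter-1", "annotations": {
         "traffic.sidecar.istio.io/excludeOutboundIPRanges": "203.0.113.0/24"}},
     "spec": {"initContainers": [{"name": "istio-init", "args": [
         "-p", "15001", "-u", "1337", "-m", "REDIRECT", "-i", "*",
         "-x", "203.0.113.0/24", "-b", "9100,", "-d", ""]}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-1"},
     "spec": {"containers": [{"name": "coredns"}]}},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pods = json.load(fh)
    else:
        pods = SAMPLE_PODS
    for result in audit(pods):
        status = "; ".join(result["findings"]) or "all outbound traffic and all listed ports captured"
        print(f"{result['pod']}: -i {result['args'].get('-i')!r} "
              f"-x {result['args'].get('-x')!r} -> {status}")
```

A pod reporting `-i '*'` and `-x ''` with no override annotation is captured exactly as the thread describes; anything else in the output is a place where traffic can leave the pod without passing Envoy, and the annotation line tells you it was set per pod rather than in the injector template.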
Hi,
By default Istio acts like a transparent TCP proxy, primarily because we don't want your apps to break when you install.
Are you sure about that? Because then I don't understand the documentation. If Istio acts like a transparent TCP proxy, why do you have to add this ServiceEntry to make https://www.google.com work?
cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-ext
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
EOF
In the documentation you do exactly the thing I do (notice that you use HTTPS as well):
$ curl https://www.google.com
Also, when I tested it on Minikube, https://www.google.com only worked after I added the ServiceEntry above. Once I removed it, it didn't work again (which I expected!).
Regarding our problem: We surely didn't whitelist www.facebook.com. It turned out that the curl requests only sometimes work (80% maybe?). This makes us believe that there might be some "zombie" process running or somehow two different versions of envoy or something like that. The best solution would be to reinstall Istio. Still, it would be nice if you could resolve my confusion regarding the "transparent TCP proxy" :)
from old_issues_repo.
ok. For anyone having the same issue: It turned out that the resolution field of the ServiceEntry was missing. If it is missing it defaults to NONE.
REQUIRED: Service discovery mode for the hosts. Care must be taken when setting the resolution mode to NONE for a TCP port without accompanying IP addresses. In such cases, traffic to any IP on said port will be allowed (i.e. 0.0.0.0:<port>).
https://istio.io/docs/reference/config/istio.networking.v1alpha3/
from old_issues_repo.
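The resolution pitfall in the closing comment is easy to re-introduce, since an omitted field silently means NONE. The script below is an added example, not code from the thread or from Istio: it lints ServiceEntry objects for ports that resolution NONE plus missing addresses leaves open to any IP, and produces a hardened copy with resolution DNS where the hosts allow it. Which protocols count as host-routed (HTTP, HTTP2, GRPC) and which are treated as opaque TCP is an assumption of the script; the thread's own HTTPS entry passed facebook traffic through, so HTTPS is on the TCP side. GOOGLE_EXT reproduces the entry posted above; the other two samples and the file names are constructed.

```python
"""Lint ServiceEntry objects for the resolution-NONE pitfall discussed in this thread.

Usage:  kubectl get serviceentries -A -o json > se.json && python3 lint_serviceentry.py se.json
Without an argument the script lints SAMPLE_ENTRIES, constructed below.
"""
import copy
import json
import sys

# Protocols Envoy routes by HTTP Host header: a request for an unlisted host
# gets no route. Every other protocol is treated here as opaque TCP, which
# is an assumption of this script rather than a table from the Istio docs.
HOST_ROUTED = {"HTTP", "HTTP2", "GRPC"}


def lint_service_entry(se):
    """Return one finding per TCP-type port that resolution NONE leaves open to any IP."""
    spec = se.get("spec", {})
    name = se.get("metadata", {}).get("name", "<unnamed>")
    resolution = spec.get("resolution", "NONE")  # a missing field means NONE
    if resolution != "NONE" or spec.get("addresses"):
        return []
    findings = []
    for port in spec.get("ports", []):
        proto = str(port.get("protocol", "TCP")).upper()  # missing protocol assumed TCP
        number = port.get("number")
        if proto not in HOST_ROUTED:
            findings.append(f"{name}: {proto} port {number} with resolution NONE and no "
                            f"addresses forwards to any IP on 0.0.0.0:{number}")
    return findings


def harden(se):
    """Copy of the entry with resolution DNS where the hosts allow it.

    DNS resolution needs concrete hostnames; an entry with a wildcard host keeps
    NONE, needs explicit addresses added by hand, and therefore stays flagged.
    """
    fixed = copy.deepcopy(se)
    spec = fixed.setdefault("spec", {})
    hosts = spec.get("hosts", [])
    if (spec.get("resolution", "NONE") == "NONE" and not spec.get("addresses")
            and hosts and not any(h.startswith("*") for h in hosts)):
        spec["resolution"] = "DNS"
    return fixed


def lint_all(entries):
    """Findings for a list of ServiceEntry objects (the `items` of a kubectl List)."""
    return [finding for se in entries for finding in lint_service_entry(se)]


# Constructed samples. GOOGLE_EXT is the entry from the thread with resolution left out.
GOOGLE_EXT = {"apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
              "metadata": {"name": "google-ext"},
              "spec": {"hosts": ["www.google.com"],
                       "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}]}}
HTTP_ONLY = {"kind": "ServiceEntry", "metadata": {"name": "httpbin-ext"},
             "spec": {"hosts": ["httpbin.org"], "resolution": "NONE",
                      "ports": [{"number": 80, "name": "http", "protocol": "HTTP"}]}}
WILDCARD_TCP = {"kind": "ServiceEntry", "metadata": {"name": "wildcard-db"},
                "spec": {"hosts": ["*.example.com"],
                         "ports": [{"number": 5432, "name": "tcp-db", "protocol": "TCP"}]}}
SAMPLE_ENTRIES = [GOOGLE_EXT, HTTP_ONLY, WILDCARD_TCP]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            entries = json.load(fh).get("items", [])
    else:
        entries = SAMPLE_ENTRIES
    for finding in lint_all(entries):
        print(finding)
    for se in entries:
        if lint_service_entry(se) and not lint_service_entry(harden(se)):
            print(f"{se['metadata']['name']}: fixed by setting resolution: DNS")
```

Run against the cluster, the first loop lists every entry whose port is effectively 0.0.0.0:port, and the second tells you which of them are cured by the one-line `resolution: DNS` fix that resolved the thread; wildcard entries remain listed because they need addresses chosen by the operator.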