MAISTRA-1629

Maistra doesn't respect "traffic.sidecar.istio.io/excludeOutboundPorts" pod annotation


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: maistra-1.1.8
    • Affects Version: maistra-1.1.2
    • Sprint: MAISTRA 1.1.8

My scenario:

I have an OCP 4.3 cluster with Maistra 1.1.2 installed and working as expected for other projects/namespaces (FWIW I'm a heavy user of vanilla K8s and vanilla Istio for ~2 years now).

In this same OCP cluster, I've created a deployment with a container that listens on multiple ports: a port for HTTP traffic, and a port for TCP traffic (AMQP). Ingress for the HTTP port is exposed externally via the usual OCP Route -> Istio Gateway -> service/pod, and this is working as expected. However, ingress for the TCP port is directly exposed via a service of type: LoadBalancer without any associated Route/Gateway resource, and this is not working.

In our vanilla k8s/istio clusters, we have the same deployment running with the pod annotation traffic.sidecar.istio.io/includeInboundPorts: "8080", which configures Istio to intercept the HTTP port 8080, but NOT the secondary TCP port. This enables us to expose the service as a LoadBalancer (as described above).

However, when using OCP 4.3 and Maistra 1.1.2, a deployment with the same configuration (including the pod annotation traffic.sidecar.istio.io/includeInboundPorts: "8080") is not working as expected; the istio-proxy sidecar is still intercepting inbound traffic to the TCP port, despite the includeInboundPorts annotation telling it to only intercept the HTTP port 8080.

My question:

Is it expected that Maistra respects the traffic.sidecar.istio.io/includeInboundPorts pod annotation? If not, how can I configure Maistra to intercept the HTTP port but exclude the TCP port, in a similar way to what Istio supports?

Additionally, is there any other standard vanilla Istio functionality that Maistra diverges from and doesn't support that isn't described on this page? My concern is that as we migrate more and more of our Istio-enabled applications from vanilla k8s/Istio to OCP/Maistra, we'll run into more issues like this one, and it'd be nice to know these limitations beforehand.

My theory:

I assume this has something to do with the fact that Maistra isn't using istio-init containers to rewrite iptables rules for port interception on OCP 4.x, but rather some other CNI magic.
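The following is an added example, not part of the issue and not code from the Maistra or Istio projects: a small offline checker that models upstream Istio's documented semantics for the traffic.sidecar.istio.io/includeInboundPorts and excludeInboundPorts pod annotations (simplified to the ports declared on the containers) and reports which declared container ports the sidecar would intercept, and whether a LoadBalancer Service's targetPort lands on one of them. The manifests are constructed for this example in parsed-YAML form; the resource names, image name and AMQP port 5672 are assumptions, not values from the issue, and the model describes upstream Istio, not the Maistra behaviour the issue reports.

```python
"""Offline check of which inbound container ports an Istio sidecar would
intercept, given the includeInboundPorts / excludeInboundPorts pod annotations.
Added example; models upstream Istio's documented annotation semantics."""

INCLUDE_ANN = "traffic.sidecar.istio.io/includeInboundPorts"
EXCLUDE_ANN = "traffic.sidecar.istio.io/excludeInboundPorts"


def _port_list(value):
    """Parse a comma-separated annotation value such as "8080,8443" into ints."""
    return {int(p) for p in value.split(",") if p.strip()}


def intercepted_inbound_ports(pod_template):
    """Return the set of declared containerPorts the sidecar would redirect.

    Model (assumption for this example, following upstream Istio docs):
    - includeInboundPorts defaults to "*", i.e. every declared container port;
    - an explicit includeInboundPorts list restricts interception to those ports;
    - excludeInboundPorts always removes ports from the intercepted set.
    """
    ann = pod_template.get("metadata", {}).get("annotations", {})
    declared = {
        p["containerPort"]
        for c in pod_template["spec"]["containers"]
        for p in c.get("ports", [])
    }
    include = ann.get(INCLUDE_ANN, "*").strip()
    wanted = declared if include == "*" else _port_list(include)
    return (wanted & declared) - _port_list(ann.get(EXCLUDE_ANN, ""))


def audit_service(service, pod_template):
    """Map each Service port name to its targetPort and whether the sidecar
    would sit in front of it (True means the LoadBalancer path is proxied)."""
    intercepted = intercepted_inbound_ports(pod_template)
    report = {}
    for sp in service["spec"]["ports"]:
        target = sp.get("targetPort", sp["port"])
        report[sp["name"]] = {"targetPort": target, "via_sidecar": target in intercepted}
    return report


# Constructed pod template mirroring the scenario: HTTP on 8080, AMQP on a
# second TCP port, and the annotation asking for 8080 only. Names are assumed.
DEPLOYMENT_POD_TEMPLATE = {
    "metadata": {
        "labels": {"app": "example-app"},
        "annotations": {INCLUDE_ANN: "8080"},
    },
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",  # assumed image name
                "ports": [
                    {"name": "http", "containerPort": 8080},
                    {"name": "amqp", "containerPort": 5672},  # assumed AMQP port
                ],
            }
        ]
    },
}

# Constructed LoadBalancer Service exposing only the TCP port, no Route/Gateway.
AMQP_LOADBALANCER = {
    "metadata": {"name": "example-amqp"},
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "example-app"},
        "ports": [{"name": "amqp", "port": 5672, "targetPort": 5672}],
    },
}


if __name__ == "__main__":
    print("intercepted:", sorted(intercepted_inbound_ports(DEPLOYMENT_POD_TEMPLATE)))
    for name, info in audit_service(AMQP_LOADBALANCER, DEPLOYMENT_POD_TEMPLATE).items():
        print(f"service port {name} -> targetPort {info['targetPort']}, "
              f"via sidecar: {info['via_sidecar']}")
```

Run against a real manifest by loading it with a YAML parser and passing `spec.template` as the pod template; a port reported as not intercepted is the expected state for the direct LoadBalancer path, so a sidecar that still proxies it indicates the platform is not honouring the annotation.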

Attachments:
  1. app.yaml (4 kB)
  2. app-v2.yaml (4 kB)
  3. smcp.yaml (2 kB)

Assignee: Kevin Conner (Inactive)
Reporter: Chris O'Brien (Inactive)
Votes: 0
Watchers: 9
