Bug
Resolution: Obsolete
Major
None
maistra-2.1.0
None
False
False
User Experience
Bug Description
We use Maistra Service Mesh under OpenShift 4.7, and we saw a strange behavior.
If a deployment has the following annotations:
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: 'true'
        sidecar.istio.io/rewriteAppHTTPProbers: 'true'
        traffic.sidecar.istio.io/excludeOutboundIPRanges: 0.0.0.0/0
We need the traffic.sidecar.istio.io/excludeOutboundIPRanges: 0.0.0.0/0 annotation.
The namespace ServiceEntry rules will block the egress communications. But if a domain does not exist inside the ServiceEntry, it can pass through. So the ServiceEntry allow rule will be a domain blacklist.
We use the following ServiceMeshControlPlane:
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  proxy:
    networking:
      trafficControl:
        inbound: {}
        outbound:
          policy: REGISTRY_ONLY
  security:
    controlPlane:
      tls:
        minProtocolVersion: TLSV1_2
      mtls: true
    dataPlane:
      mtls: true
  version: v2.1
  gateways:
    enabled: true
    egress:
      enabled: true
    ingress:
      enabled: true
Is this a planned behavior?
Thank you!
Versions
Istio:
client version: 1.9.3
control plane version: OSSM_2.1.0-5.el8
data plane version: 1.9.8 (55 proxies)
Kubectl:
Client Version: v1.22.4
Server Version: v1.20.10+bbbc079
OC:
Client Version: 4.7.2
Server Version: 4.7.37
Kubernetes Version: v1.20.10+bbbc079
maistra:
maistra/v2
version: v2.1
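The report above combines a REGISTRY_ONLY outbound policy with an excludeOutboundIPRanges annotation of 0.0.0.0/0. Traffic to excluded ranges is not redirected through the sidecar, so the proxy never sees it and the outbound policy cannot apply to it. The following audit script, added here as an example and not part of the report or the Maistra project, scans Deployment manifests (constructed inline as Python dicts; the names are made up) and flags pods whose exclusions, once merged, cover all IPv4 destinations.

```python
import ipaddress

# Annotation keys exactly as they appear in the report above.
INJECT_ANNOTATION = "sidecar.istio.io/inject"
EXCLUDE_ANNOTATION = "traffic.sidecar.istio.io/excludeOutboundIPRanges"


def excluded_networks(annotations):
    """Parse the comma-separated CIDR list from the exclude annotation."""
    raw = annotations.get(EXCLUDE_ANNOTATION, "")
    return [ipaddress.ip_network(cidr.strip(), strict=False)
            for cidr in raw.split(",") if cidr.strip()]


def covers_all_ipv4(networks):
    """True when the excluded IPv4 ranges merge to 0.0.0.0/0, i.e. every
    outbound IPv4 connection skips the sidecar and its REGISTRY_ONLY policy."""
    v4 = [n for n in networks if n.version == 4]
    merged = list(ipaddress.collapse_addresses(v4))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


def audit_deployment(deployment):
    """Return (name, verdict, excluded CIDRs) for one Deployment manifest."""
    name = deployment["metadata"]["name"]
    ann = deployment["spec"]["template"]["metadata"].get("annotations", {})
    if str(ann.get(INJECT_ANNOTATION, "false")).lower() != "true":
        return (name, "no-sidecar", [])      # nothing to enforce with
    nets = excluded_networks(ann)
    if not nets:
        return (name, "ok", [])              # all egress goes via the proxy
    verdict = "egress-policy-bypassed" if covers_all_ipv4(nets) else "partial-bypass"
    return (name, verdict, [str(n) for n in nets])


def _deployment(name, annotations):
    """Minimal constructed Deployment dict (only the fields the audit reads)."""
    return {"metadata": {"name": name},
            "spec": {"template": {"metadata": {"annotations": annotations}}}}


# Constructed sample set: the report's annotation plus three variants.
SAMPLE_DEPLOYMENTS = [
    _deployment("app-all-excluded", {INJECT_ANNOTATION: "true", EXCLUDE_ANNOTATION: "0.0.0.0/0"}),
    _deployment("app-split-halves", {INJECT_ANNOTATION: "true", EXCLUDE_ANNOTATION: "0.0.0.0/1, 128.0.0.0/1"}),
    _deployment("app-private-only", {INJECT_ANNOTATION: "true", EXCLUDE_ANNOTATION: "10.0.0.0/8"}),
    _deployment("app-no-exclude", {INJECT_ANNOTATION: "true"}),
]

if __name__ == "__main__":
    for d in SAMPLE_DEPLOYMENTS:
        print(audit_deployment(d))
```

The split-halves case shows why the ranges are merged before comparison: two /1 networks bypass the proxy just as completely as a single 0.0.0.0/0.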