Overview
If you want to completely bypass Istio for a specific IP range, you can configure the Envoy sidecars to prevent them from intercepting external requests.For the default configuration of the Istio addon, you do this using the
global.proxy.includeIPRanges
or the global.proxy.excludeIPRanges
configuration options.However, these options do not work properly if you have also configured Istio with the Istio CNI plugin. This is due to a bug/missing feature in Istio versions < 1.9; basically, the proxy options are not being added to the Pod annotations, and the Istio CNI plugin only has access to pod annotations.
Solution
Until the underlying issue in the Istio addon is resolved and available in a shipping version of DKP, you can configure Istio to add the necessary annotations in your cluster.yaml file. For example:name: istio enabled: true values: | istioOperator: values: sidecarInjectorWebhook: injectedAnnotations: "traffic.sidecar.istio.io/includeOutboundIPRanges":"" "traffic.sidecar.istio.io/excludeOutboundIPRanges":""