Skip to main content

Configuring Istio external service access when using CNI

Craig Neth
  • Updated

Overview

If you want to completely bypass Istio for a specific IP range, you can configure the Envoy sidecars to prevent them from intercepting external requests. 

For the default configuration of the Istio addon, you do this using the global.proxy.includeIPRanges or the global.proxy.excludeIPRanges configuration options.

However, these options do not work properly if you have also configured Istio with the Istio CNI plugin.  This is due to a bug/missing feature in Istio versions < 1.9; basically, the proxy options are not being added to the Pod annotations, and the Istio CNI plugin only has access to pod annotations.   

Solution

Until the underlying issue in the Istio addon is resolved and available in a shipping version of DKP, you can configure Istio to add the necessary annotations in your cluster.yaml file.   For example:
  
name: istio 
enabled: true
values: |
  istioOperator:
    values:
      sidecarInjectorWebhook:
        injectedAnnotations:
          "traffic.sidecar.istio.io/includeOutboundIPRanges":""
          "traffic.sidecar.istio.io/excludeOutboundIPRanges":""