The docs here cover using the new default `global.outboundTrafficPolicy.mode=ALLOW_ANY` setting to allow all outbound traffic by default.
It also covers using `global.proxy.includeIPRanges` to restrict proxy interception to a known cluster CIDR.
There are two issues here:
- `ALLOW_ANY` is misleading. By default it doesn't actually allow traffic on port 80, for example -- it gets intercepted and returns a 404, which means systems like kube2iam won't work. There are workarounds with a `ServiceEntry` but the description makes it sound like those aren't needed... and they don't work at all for IP addresses (like 169.254.169.254).
- The interaction between these options is unclear. If `ALLOW_ANY` is set, does that take precedence over `includeIPRanges`? Do they somehow intersect? The Istio chart side of this should probably simplify the configuration here too so it's clear if only one is used at a time.
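For readers who want to see the two settings the issue contrasts, here is an added configuration example (not from the Istio docs page or the reporter). The first fragment is a Helm `values.yaml` overlay with both knobs set; the CIDR list is a constructed placeholder for a cluster's pod and service ranges. The second is a `ServiceEntry` of the kind the reporter mentions as a workaround for a named external host on port 80; `example.com` and the resource name are assumptions. It deliberately shows only the hostname case, since the reporter states the hostname-based workaround does not cover bare IP destinations such as 169.254.169.254.

```yaml
# Added example: Helm values overlay for the two settings discussed in the issue.
# - outboundTrafficPolicy.mode is enforced inside Envoy: with ALLOW_ANY, traffic
#   to unknown destinations is passed through instead of being blocked.
# - proxy.includeIPRanges is enforced by the init container's iptables rules:
#   only traffic to these destination CIDRs is redirected to the sidecar at all.
# The CIDRs below are constructed placeholders; substitute the cluster's real ranges.
global:
  outboundTrafficPolicy:
    mode: ALLOW_ANY
  proxy:
    includeIPRanges: "10.0.0.0/16,10.1.0.0/16"
---
# Added example: ServiceEntry workaround for an external HTTP host on port 80,
# so the sidecar has a route for it rather than returning 404.
# Host and resource name are assumptions for illustration.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-http-example
spec:
  hosts:
  - example.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
```

The two settings act at different layers, which is the part the docs leave implicit: `includeIPRanges` decides whether a packet reaches the sidecar at all (anything outside the listed CIDRs bypasses Envoy entirely, so no Istio policy, telemetry or mTLS applies to it), while `outboundTrafficPolicy` only decides what Envoy does with traffic it has already intercepted. From a defender's standpoint, narrowing `includeIPRanges` is the more consequential of the two, because traffic it excludes is invisible to the mesh.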