Sidecar
Sidecar
describes the configuration of the sidecar proxy that mediates
inbound and outbound communication to the workload instance it is attached to. By
default, Istio will program all sidecar proxies in the mesh with the
necessary configuration required to reach every workload instance in the mesh, as
well as accept traffic on all the ports associated with the
workload. The Sidecar
configuration provides a way to fine tune the set of
ports, protocols that the proxy will accept when forwarding traffic to
and from the workload. In addition, it is possible to restrict the set
of services that the proxy can reach when forwarding outbound traffic
from workload instances.
Services and configuration in a mesh are organized into one or more
namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
configuration in a namespace will apply to one or more workload instances in the same
namespace, selected using the workloadSelector
field. In the absence of a
workloadSelector
, it will apply to all workload instances in the same
namespace. When determining the Sidecar
configuration to be applied to a
workload instance, preference will be given to the resource with a
workloadSelector
that selects this workload instance, over a Sidecar
configuration
without any workloadSelector
.
NOTE 1: Each namespace can have only one Sidecar
configuration without any workloadSelector
that specifies the
default for all pods in that namespace. It is recommended to use
the name default
for the namespace-wide sidecar. The behavior of
the system is undefined if more than one selector-less Sidecar
configurations exist in a given namespace. The behavior of the
system is undefined if two or more Sidecar
configurations with a
workloadSelector
select the same workload instance.
NOTE 2: A Sidecar
configuration in the MeshConfig
root namespace
will be applied by default to all namespaces without a Sidecar
configuration. This global default Sidecar
configuration should not have
any workloadSelector
.
The example below declares a global default Sidecar
configuration
in the root namespace called istio-config
, that configures
sidecars in all namespaces to allow egress traffic only to other
workloads in the same namespace as well as to services in the
istio-system
namespace.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
The example below declares a Sidecar
configuration in the
prod-us1
namespace that overrides the global default defined
above, and configures the sidecars in the namespace to allow egress
traffic to public services in the prod-us1
, prod-apis
, and the
istio-system
namespaces.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
egress:
- hosts:
- "prod-us1/*"
- "prod-apis/*"
- "istio-system/*"
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
egress:
- hosts:
- "prod-us1/*"
- "prod-apis/*"
- "istio-system/*"
The following example declares a Sidecar
configuration in the
prod-us1
namespace for all pods with labels app: ratings
belonging to the ratings.prod-us1
service. The workload accepts
inbound HTTP traffic on port 9080 without any authentication, and
HTTPS traffic on port 9443 with one-way TLS termination using
custom certificates. To accomplish custom TLS termination on this
workload, the PeerAuthentication
security policy must be declared
to disable Istio mutual TLS on these two ports. Any other
auto-generated listener for this workload will still obey the
mutual TLS termination requirements set forth in the
PeerAuthentication policy. The traffic is then forwarded to the
attached workload instance listening on a Unix domain socket. In
the egress direction, in addition to the istio-system
namespace,
the sidecar proxies only HTTP traffic bound for port 9080 for
services in the prod-us1
namespace.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
- port:
number: 9443
protocol: HTTPS
name: httpsport
inboundTls:
mode: SIMPLE # overrides namespace default
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- "prod-us1/*"
- hosts:
- "istio-system/*"
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
- port:
number: 9443
protocol: HTTPS
name: httpsport
inboundTls:
mode: SIMPLE # overrides namespace default
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- "prod-us1/*"
- hosts:
- "istio-system/*"
and the associated PeerAuthentication security policy to ensure that mutual TLS based authentication is not configured for ports 9080 and 9443:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
selector:
matchLabels:
app: ratings
# other ports inherit the settings from namespace-wide policy.
portLevelMtls:
9080:
mode: DISABLE
9443:
mode: DISABLE
and the associated DestinationRule to ensure that the clients use the appropriate TLS settings:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
host: ratings.prod-us1.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 9080
tls:
mode: DISABLE
- port:
number: 9443
tls:
mode: SIMPLE
caCertificates: /etc/certs/ca-certs.pem
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
host: ratings.prod-us1.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 9080
tls:
mode: DISABLE
- port:
number: 9443
tls:
mode: SIMPLE
caCertificates: /etc/certs/ca-certs.pem
If the workload is deployed without IPTables-based traffic capture,
the Sidecar
configuration is the only way to configure the ports
on the proxy attached to the workload instance. The following
example declares a Sidecar
configuration in the prod-us1
namespace for all pods with labels app: productpage
belonging to
the productpage.prod-us1
service. Assuming that these pods are
deployed without IPtable rules (i.e. the istio-init
container)
and the proxy metadata ISTIO_META_INTERCEPTION_MODE
is set to
NONE
, the specification, below, allows such pods to receive HTTP
traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
it to the application listening on 127.0.0.1:8080
. It also allows
the application to communicate with a backing MySQL database on
127.0.0.1:3306
, that then gets proxied to the externally hosted
MySQL service at mysql.foo.com:3306
.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: no-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- port:
number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE # not needed if metadata is set for entire proxy
egress:
- port:
number: 3306
protocol: MYSQL
name: egressmysql
captureMode: NONE # not needed if metadata is set for entire proxy
bind: 127.0.0.1
hosts:
- "*/mysql.foo.com"
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: no-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- port:
number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE # not needed if metadata is set for entire proxy
egress:
- port:
number: 3306
protocol: MYSQL
name: egressmysql
captureMode: NONE # not needed if metadata is set for entire proxy
bind: 127.0.0.1
hosts:
- "*/mysql.foo.com"
And the associated service entry for routing to mysql.foo.com:3306
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-mysql
namespace: ns1
spec:
hosts:
- mysql.foo.com
ports:
- number: 3306
name: mysql
protocol: MYSQL
location: MESH_EXTERNAL
resolution: DNS
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-mysql
namespace: ns1
spec:
hosts:
- mysql.foo.com
ports:
- number: 3306
name: mysql
protocol: MYSQL
location: MESH_EXTERNAL
resolution: DNS
It is also possible to mix and match traffic capture modes in a single
proxy. For example, consider a setup where internal services are on the
192.168.0.0/16
subnet. So, IP tables are setup on the VM to capture all
outbound traffic on 192.168.0.0/16
subnet. Assume that the VM has an
additional network interface on 172.16.0.0/16
subnet for inbound
traffic. The following Sidecar
configuration allows the VM to expose a
listener on 172.16.1.32:80
(the VM’s IP) for traffic arriving from the
172.16.0.0/16
subnet.
NOTE: The ISTIO_META_INTERCEPTION_MODE
metadata on the
proxy in the VM should contain REDIRECT
or TPROXY
as its value,
implying that IP tables based traffic capture is active.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: partial-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- bind: 172.16.1.32
port:
number: 80 # binds to 172.16.1.32:80
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE
egress:
# use the system detected defaults
# sets up configuration to handle outbound traffic to services
# in 192.168.0.0/16 subnet, based on information provided by the
# service registry
- captureMode: IPTABLES
hosts:
- "*/*"
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: partial-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- bind: 172.16.1.32
port:
number: 80 # binds to 172.16.1.32:80
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE
egress:
# use the system detected defaults
# sets up configuration to handle outbound traffic to services
# in 192.168.0.0/16 subnet, based on information provided by the
# service registry
- captureMode: IPTABLES
hosts:
- "*/*"
CaptureMode
CaptureMode
describes how traffic to a listener is expected to be
captured. Applicable only when the listener is bound to an IP.
Name | Description |
---|---|
DEFAULT | The default capture mode defined by the environment. |
IPTABLES | Capture traffic using IPtables redirection. |
NONE | No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host. |
IstioEgressListener
IstioEgressListener
specifies the properties of an outbound traffic
listener on the sidecar proxy attached to a workload instance.
IstioIngressListener
IstioIngressListener
specifies the properties of an inbound
traffic listener on the sidecar proxy attached to a workload instance.
OutboundTrafficPolicy
OutboundTrafficPolicy
sets the default behavior of the sidecar for
handling outbound traffic from the application.
If your application uses one or more external
services that are not known apriori, setting the policy to ALLOW_ANY
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use ServiceEntry
configurations to explicitly declare any external
dependencies, instead of using ALLOW_ANY
, so that traffic to these
services can be monitored.
OutboundTrafficPolicy.Mode
Name | Description |
---|---|
REGISTRY_ONLY | Outbound traffic will be restricted to services defined in the
service registry as well as those defined through |
ALLOW_ANY | Outbound traffic to unknown destinations will be allowed, in case
there are no services or |
Sidecar
Sidecar
describes the configuration of the sidecar proxy that mediates
inbound and outbound communication of the workload instance to which it is
attached.
WorkloadSelector
WorkloadSelector
specifies the criteria used to determine if the Gateway
,
Sidecar
, or EnvoyFilter
configuration can be applied to a proxy. The matching criteria
includes the metadata associated with a proxy, workload instance info such as
labels attached to the pod/VM, or any other info that the proxy provides
to Istio during the initial handshake. If multiple conditions are
specified, all conditions need to match in order for the workload instance to be
selected. Currently, only label based selection mechanism is supported.