
I have Istio set up with mTLS globally enabled. I have verified it by bashing into a pod without an Envoy sidecar and running a curl command over HTTP, which failed. Then I ran a curl over HTTPS using the Istio certs, which worked.

When I port-forward to a service, e.g. `kubectl port-forward svc/my-svc 8080:80`, I am able to access my app by going to http://localhost:8080. I would expect that this wouldn't work, since mTLS is being enforced. How does this port-forward with Kubernetes work? Does it go directly to the node, thereby bypassing the sidecar?

TigerBear
  • Port forwarding goes to the process of the pause container using nsenter – Yonah Dissen Sep 13 '18 at 04:38
  • Possible duplicate of [How kubectl port-forward works?](https://stackoverflow.com/questions/51468491/how-kubectl-port-forward-works) – Akar Sep 13 '18 at 09:44
  • Hi @Akar, I read the answers there before asking, but it doesn't answer this case, i.e. forwarding to a pod isn't specific enough, since in the case of Istio it sits in the pod and should be intercepting all traffic. – TigerBear Sep 13 '18 at 09:51
  • Could you please share the configuration of pod deployment and my-svc service? – Akar Sep 13 '18 at 10:55

1 Answer


I found out that Istio works in parallel with the standard Kubernetes network services and does not affect traffic in the case of port-forwarding.

The Istio network service creates iptables rules in exactly the same way as `kubectl port-forward` or any other standard command does.

Unfortunately, I did not find any official documentation with an explanation of how it works.

Akar
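As an added illustration (not code from this thread, from Istio or from Kubernetes), the following traces a TCP connection through a constructed, cut-down model of the nat-table chains that istio-init installs in a sidecar-injected pod. A port-forward connection is dialled by the node-side helper from inside the pod's network namespace to localhost, so it traverses OUTPUT and is returned before any redirect, whereas a connection from another pod enters through PREROUTING and is redirected to Envoy's inbound listener, where mTLS is enforced. The UID 1337, the listener ports and the sample addresses are assumptions modelled on Istio's sidecar iptables, not values from the page.

```python
"""Trace a TCP connection through a constructed, cut-down model of the nat chains
istio-init installs in a sidecar-injected pod; first match wins, as in iptables.
Assumed (modelled on Istio, not from the thread): Envoy is UID 1337, inbound 15006, outbound 15001."""

PROXY_UID = 1337

RULES = [   # (chain, conditions, target); keys: dst, dst_not, out, uid, uid_not, dport_in
    # Packets entering the pod's network namespace from outside (eth0).
    ("PREROUTING",        {},                                  "ISTIO_INBOUND"),
    ("ISTIO_INBOUND",     {"dport_in": {15008, 15020, 15021, 15090}}, "RETURN"),  # sidecar's own ports
    ("ISTIO_INBOUND",     {},                                  "ISTIO_IN_REDIRECT"),
    ("ISTIO_IN_REDIRECT", {},                                  "REDIRECT:15006"),
    # Packets created inside the namespace: the app, Envoy, or the node's port-forward helper.
    ("OUTPUT",            {},                                  "ISTIO_OUTPUT"),
    ("ISTIO_OUTPUT", {"out": "lo", "dst_not": "127.0.0.1", "uid": PROXY_UID}, "ISTIO_IN_REDIRECT"),
    ("ISTIO_OUTPUT",      {"out": "lo", "uid_not": PROXY_UID}, "RETURN"),
    ("ISTIO_OUTPUT",      {"uid": PROXY_UID},                  "RETURN"),
    ("ISTIO_OUTPUT",      {"dst": "127.0.0.1"},                "RETURN"),
    ("ISTIO_OUTPUT",      {},                                  "REDIRECT:15001"),
]

def _matches(cond, pkt):
    """All conditions must hold; '*_not' keys negate, 'dport_in' tests set membership."""
    return all(
        pkt["dport"] in want if key == "dport_in"
        else pkt[key[:-4]] != want if key.endswith("_not")
        else pkt[key] == want
        for key, want in cond.items())

def trace(pkt, chain):
    """'REDIRECT:<port>' if Envoy receives the connection, 'DIRECT' if the app does."""
    for c, cond, target in RULES:
        if c != chain or not _matches(cond, pkt):
            continue
        if target == "RETURN":                 # leave this chain; the caller carries on
            return "DIRECT"
        if target.startswith("REDIRECT:"):
            return target
        sub = trace(pkt, target)               # jump into a user-defined chain
        if sub != "DIRECT":
            return sub
    return "DIRECT"                            # end of chain: built-in policy ACCEPT

def from_peer_pod(dport):
    """curl from another pod (e.g. one without a sidecar) to this pod's IP: PREROUTING path."""
    return trace({"dst": "10.244.1.5", "dport": dport, "out": "eth0", "uid": 0}, "PREROUTING")

def from_port_forward(dport):
    """kubectl port-forward: the node-side helper enters the pod's netns and dials localhost."""
    return trace({"dst": "127.0.0.1", "dport": dport, "out": "lo", "uid": 0}, "OUTPUT")
```

Because the port-forward path never reaches Envoy, a successful `curl http://localhost:8080` through a port-forward says nothing about whether peer-to-peer mTLS is enforced; a check from a sidecar-less pod against the pod IP, as the question did, is the meaningful test.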