Istio not logging blocked traffic #17759
The release notes for Istio 1.3 say, “Added telemetry reporting for traffic destined to the Passthrough and BlackHole clusters”. Unless I am misunderstanding the purpose of the BlackHole cluster, when we have an outboundTrafficPolicy of
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
Steps to reproduce the bug
Version (include the output of
How was Istio installed?
Environment where bug was observed (cloud vendor, OS, etc)
Yes, we only added telemetry support. Just for clarity, when you mean logging, are you talking about Envoy or Mixer? Mixer should be both access logging and generating metrics for BlackHole.
It's a reasonable feature request to support Envoy access logging in all cases, if that's what you want.
It sounds like I just misunderstood the release notes then.
Here's a hopefully more clear example of the behavior we're looking for. Let's say I have the following ServiceEntry.
Then we can run any pod in that namespace with curl on it.
From here if we run
@nrjpoddar We are running into a similar issue. The issue comes when you have a listener such as 0.0.0.0_443 with multiple filter chains with a filter chain match on server_names - https://gist.github.com/mdhume/bf262a5ec426d37e6aa94ddfeb328760 . If a request comes on a domain that is not in the filter chain match e.g.
…18620)
* Add fallthrough listener filter chain for BlackHoleCluster (#18541)
* Add fallthrough listener filter chain for BlackHoleCluster
* Fix telemetry reported
Fixes: #17271 #17759
* Tests for IsAllowAnyOutbound
* Use t.Run
* Added mixer plugin tests
* Added listener tests
* Fix unit tests
* Fix unit tests
* Fix lint
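
As an added example (not code from this issue or from Istio): a small audit over listener JSON in the shape of an Envoy config dump that flags listeners which match on server_names but have no catch-all filter chain, the gap the fallthrough chain for BlackHoleCluster closes. The sample listeners, hostnames and helper names are constructed assumptions, and a chain with an empty `filter_chain_match` is treated as the catch-all.

```python
import json

# Constructed sample in the shape of Envoy listeners from a sidecar config
# dump; listener contents and hostnames are made up for illustration.
SAMPLE_LISTENERS = json.loads("""
[
  {"name": "0.0.0.0_443",
   "filter_chains": [
     {"filter_chain_match": {"server_names": ["api.example.com"]},
      "filters": [{"name": "envoy.tcp_proxy",
                   "config": {"cluster": "outbound|443||api.example.com"}}]}
   ]},
  {"name": "0.0.0.0_8443",
   "filter_chains": [
     {"filter_chain_match": {"server_names": ["db.example.com"]},
      "filters": [{"name": "envoy.tcp_proxy",
                   "config": {"cluster": "outbound|8443||db.example.com"}}]},
     {"filters": [{"name": "envoy.tcp_proxy",
                   "config": {"cluster": "BlackHoleCluster"}}]}
   ]}
]
""")


def tcp_proxy_clusters(chain):
    """Clusters targeted by the tcp_proxy filters of one filter chain."""
    out = []
    for f in chain.get("filters", []):
        cfg = f.get("typed_config") or f.get("config") or {}
        if "tcp_proxy" in f.get("name", "") and "cluster" in cfg:
            out.append(cfg["cluster"])
    return out


def audit_listener(listener):
    """Return (has_sni_chains, fallthrough cluster or None if no catch-all)."""
    chains = listener.get("filter_chains", [])
    has_sni = any(c.get("filter_chain_match", {}).get("server_names") for c in chains)
    for c in chains:
        if not c.get("filter_chain_match"):  # empty match = catch-all chain
            clusters = tcp_proxy_clusters(c)
            return has_sni, (clusters[0] if clusters else "")
    return has_sni, None


def listeners_missing_fallthrough(listeners):
    """Names of SNI-matching listeners that have no catch-all chain at all."""
    return [lis["name"] for lis in listeners if audit_listener(lis) == (True, None)]
```
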