-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Outbound Traffic Policy: REGISTRY_ONLY , sidecar ALLOW_ANY works for various ports but fails for port 80 (http) #39794
Comments
A bit confused since you said there is no ServiceEntry but then you deleted the Service Entry? |
I deleted the sidecar crd:
|
I turned on the istio proxy debug logs and found this:
|
This seems specific to port 80 traffic (http). When I try other protocols they work as expected when the outbound traffic policy is set to registry_only but I have the sidecar resource set to override it for a specific microservice. it seems that for port 80 (http) traffic it is not getting routed to the PassthroughCluster works: curl https://www.google.com doesn't work: |
@robertpanzer Why would port 80 (http) traffic get routed differently from other traffic? |
Related to this request from 2019: #12873 |
* Check AllowAny mode in RDS cache key Fixes istio#39794 (comment) * Add note
* Check AllowAny mode in RDS cache key Fixes istio#39794 (comment) * Add note
* Check AllowAny mode in RDS cache key Fixes #39794 (comment) * Add note Co-authored-by: John Howard <howardjohn@google.com>
* Check AllowAny mode in RDS cache key Fixes #39794 (comment) * Add note Co-authored-by: John Howard <howardjohn@google.com>
Bug Description
I have the global mesh set to: Outbound Traffic Policy: REGISTRY_ONLY but I have a sidecar entry as follows:
No service entries specified in the apps namespace.
works as expected:
curl https://www.cnn.com
returns a 502 bad gateway:
curl http://www.cnn.com
when the sidecar entry is deleted
curl https://www.cnn.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.cnn.com:443
Version
Additional Information
No response
The text was updated successfully, but these errors were encountered: