Traffic redirect annotation#

This page describes how to configure a traffic redirect on an application with sidecars enabled.

Note

These instructions are only applicable for pods injected with the sidecar proxy.

Background#

A traffic redirect annotation alters how traffic to and from the sidecar in an application pod is handled. For example, you can configure a redirect that excludes an outbound port from being intercepted by the sidecar proxy.

These redirect parameters should be injected into the pod’s template annotation section.

Aspen Mesh supports the following traffic redirection parameters:

Annotation

Description

traffic.sidecar.istio.io/excludeOutboundPorts

A comma-separated list of outbound ports to be excluded from redirection to Envoy.

traffic.sidecar.istio.io/excludeOutboundIPRanges

A comma-separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.

traffic.sidecar.istio.io/includeOutboundIPRanges

A comma-separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list disables all outbound redirection.

traffic.sidecar.istio.io/excludeInboundPorts

A comma-separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.

traffic.sidecar.istio.io/includeInboundPorts

A comma-separated list of inbound ports whose traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list disables all inbound redirection.

Note

For the traffic.sidecar.istio.io/excludeInboundPorts annotation to take effect, traffic.sidecar.istio.io/includeInboundPorts must be set to “*”. Ports used by Aspen Mesh itself, such as port 15020, should also be excluded.

annotations:
  traffic.sidecar.istio.io/excludeInboundPorts: "15020,80"
  traffic.sidecar.istio.io/includeInboundPorts: "*"

Setup#

To configure a redirect, add the annotation(s) to the pod template. For example:

annotations:
  traffic.sidecar.istio.io/excludeOutboundIPRanges: "172.30.0.0/24"

This excludes any destination IP in the range 172.30.0.0/24 from redirection through the sidecar proxy. Traffic to those addresses leaves the pod directly without being intercepted by the sidecar proxy.
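An added example (not Aspen Mesh or Istio code) that applies the rules from the annotation table and the Setup example above to decide whether a given flow is redirected to Envoy, so that excluded ports and ranges can be audited before a pod is deployed. It assumes, as Istio does by default, that an absent includeOutboundIPRanges or includeInboundPorts annotation means "*"; the sample annotations are constructed from the page's own values.

```python
import ipaddress

PREFIX = "traffic.sidecar.istio.io/"

def _items(annotations, key):
    """Split a comma-separated annotation value into stripped, non-empty entries."""
    return [v.strip() for v in annotations.get(PREFIX + key, "").split(",") if v.strip()]

def _in_ranges(addr, cidrs):
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def outbound_redirected(annotations, dest_ip, dest_port):
    """True if a connection from the pod to dest_ip:dest_port is intercepted by the sidecar."""
    # Assumption: a missing include annotation behaves like "*" (Istio's default).
    include = annotations.get(PREFIX + "includeOutboundIPRanges", "*").strip()
    if include == "":                      # empty list disables all outbound redirection
        return False
    if str(dest_port) in _items(annotations, "excludeOutboundPorts"):
        return False                       # excluded outbound port leaves the pod directly
    addr = ipaddress.ip_address(dest_ip)
    if include == "*":
        # excludeOutboundIPRanges is only honoured when all outbound traffic is redirected
        return not _in_ranges(addr, _items(annotations, "excludeOutboundIPRanges"))
    return _in_ranges(addr, _items(annotations, "includeOutboundIPRanges"))

def inbound_redirected(annotations, port):
    """True if traffic arriving at the pod on port is intercepted by the sidecar."""
    include = annotations.get(PREFIX + "includeInboundPorts", "*").strip()
    if include == "":                      # empty list disables all inbound redirection
        return False
    if include == "*":
        # excludeInboundPorts is only honoured when includeInboundPorts is "*"
        return str(port) not in _items(annotations, "excludeInboundPorts")
    return str(port) in _items(annotations, "includeInboundPorts")

def bypassed_flows(annotations, outbound, inbound):
    """Audit helper: return the flows that skip the sidecar (and so its mTLS and policy)."""
    skipped = [("outbound", f"{ip}:{port}") for ip, port in outbound
               if not outbound_redirected(annotations, ip, port)]
    skipped += [("inbound", str(port)) for port in inbound
                if not inbound_redirected(annotations, port)]
    return skipped

if __name__ == "__main__":
    # Constructed sample: the page's outbound exclusion plus the inbound note's annotations
    sample = {PREFIX + "excludeOutboundIPRanges": "172.30.0.0/24",
              PREFIX + "includeInboundPorts": "*",
              PREFIX + "excludeInboundPorts": "15020,80"}
    print(bypassed_flows(sample, [("172.30.0.7", 8990), ("10.0.0.1", 8990)], [80, 8080]))
```

Any flow the audit reports as bypassed is not subject to the sidecar's mTLS, telemetry or policy enforcement, so each excluded range or port should be a deliberate choice.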

Annotations for outbound traffic are applied on the client side, as in the following example.

Example of the pod with annotation:#

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      annotations:
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "172.30.0.0/24"
      labels:
        app: sleep
    spec:
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: governmentpaas/curl-ssl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true

Test#

For testing, set up the server side using httpbin without sidecar injection:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin8990
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin8990
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8990
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin8990
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin8990
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin8990
spec:
  host: httpbin8990.cnf1-namespace.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

Without the traffic annotation, running curl http://httpbin8990.cnf1-namespace:8990/get?show_env=true returns:

{
  "args": {
    "show_env": "true"
  },
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin8990.cnf1-namespace:8990",
    "User-Agent": "curl/7.64.0",
    "X-B3-Sampled": "1",
    "X-B3-Spanid": "e25675728cf08ccf",
    "X-B3-Traceid": "d3ddd7b59e77d420e25675728cf08ccf",
    "X-Envoy-Decorator-Operation": "httpbin8990.cnf1-namespace.svc.cluster.local:8990/*",
    "X-Forwarded-Proto": "http",
    "X-Istio-Attributes": "CkoKGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIuEixodHRwYmluODk5MC5jbmYxLW5hbWVzcGFjZS5zdmMuY2x1c3Rlci5sb2NhbApIChdkZXN0aW5hdGlvbi5zZXJ2aWNlLnVpZBItEitpc3RpbzovL2NuZjEtbmFtZXNwYWNlL3NlcnZpY2VzL2h0dHBiaW44OTkwCikKGGRlc3RpbmF0aW9uLnNlcnZpY2UubmFtZRINEgtodHRwYmluODk5MAoxCh1kZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWVzcGFjZRIQEg5jbmYxLW5hbWVzcGFjZQpCCgpzb3VyY2UudWlkEjQSMmt1YmVybmV0ZXM6Ly9zbGVlcC03ODc0NWZkOThkLWxwZzRrLmNuZjItbmFtZXNwYWNl",
    "X-Request-Id": "df74980e-1885-9bd3-8149-f766de955ead"
  },
  "origin": "10.130.4.14",
  "url": "http://httpbin8990.cnf1-namespace:8990/get?show_env=true"
}

With the traffic annotation shown above excluding the outbound IP range, the same curl http://httpbin8990.cnf1-namespace:8990/get?show_env=true returns:

{
  "args": {
    "show_env": "true"
  },
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin8990.cnf1-namespace:8990",
    "User-Agent": "curl/7.64.0"
  },
  "origin": "10.129.2.21",
  "url": "http://httpbin8990.cnf1-namespace:8990/get?show_env=true"
}

The above demonstrates that without the traffic annotation the request passes through the sidecar (the X- headers are added by the sidecar proxy). With the traffic annotation excluding the outbound IP range, the request does not go through the sidecar.