Traffic redirect annotation#
This page describes how to configure a traffic redirect on an application with sidecars enabled.
Note
These instructions are only applicable for pods injected with the sidecar proxy.
Background#
A traffic redirect annotation alters how traffic to and from an application pod is intercepted by its sidecar. For example, you can exclude an outbound port so that connections on that port leave the pod directly instead of being redirected through the sidecar proxy.
These redirect parameters are set as annotations on the pod template (spec.template.metadata.annotations); the sidecar injector turns them into the iptables redirect rules for the pod.
Aspen Mesh supports the following traffic redirection parameters:
| Annotation | Description |
|---|---|
| traffic.sidecar.istio.io/excludeOutboundPorts | A comma separated list of outbound ports to be excluded from redirection to Envoy. |
| traffic.sidecar.istio.io/excludeOutboundIPRanges | A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. "*") is being redirected. |
| traffic.sidecar.istio.io/includeOutboundIPRanges | A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
| traffic.sidecar.istio.io/excludeInboundPorts | A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. "*") is being redirected. |
| traffic.sidecar.istio.io/includeInboundPorts | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character "*" can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
Note
The traffic.sidecar.istio.io/excludeInboundPorts annotation only takes effect when traffic.sidecar.istio.io/includeInboundPorts is set to "*". Ports used by Aspen Mesh itself, such as port 15020, must also be listed in the exclusion. Keep the list as short as possible: inbound traffic on an excluded port reaches the application without passing through the sidecar, so it is not protected by mesh mTLS or authorization policies.

```yaml
annotations:
  traffic.sidecar.istio.io/excludeInboundPorts: "15020,80"
  traffic.sidecar.istio.io/includeInboundPorts: "*"
```
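The rules in the table and the note above are easy to get subtly wrong (an exclusion that silently never applies, a mesh port left in the redirect set, a range that turns the proxy off for everything). The following Python is an added example, not code from the Aspen Mesh documentation or the Istio project: it checks a pod template's metadata.annotations against those rules. The function and constant names (validate_traffic_annotations, MESH_PORTS, PAGE_INBOUND, PAGE_OUTBOUND, BROKEN) are assumptions of this example, and the /0 check is this example's own addition to the page's rules.

```python
import ipaddress

PREFIX = "traffic.sidecar.istio.io/"
PORT_LISTS = ("excludeOutboundPorts", "excludeInboundPorts", "includeInboundPorts")
CIDR_LISTS = ("excludeOutboundIPRanges", "includeOutboundIPRanges")
# Mesh agent port that the note on this page says must stay excluded from
# inbound redirection whenever excludeInboundPorts is used.
MESH_PORTS = ("15020",)


def _items(value):
    """Split a comma separated annotation value, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]


def validate_traffic_annotations(annotations):
    """Return a list of problems found in a pod template's traffic annotations.

    `annotations` is the pod template's metadata.annotations mapping. An empty
    list means the redirect configuration is consistent with the rules above.
    """
    problems = []

    def get(name):
        return annotations.get(PREFIX + name)

    # Port lists: "*" is the wildcard, otherwise every entry must be a TCP port.
    for name in PORT_LISTS:
        value = get(name)
        if value in (None, "*"):
            continue
        for port in _items(value):
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"{name}: '{port}' is not a valid port")

    # CIDR lists: every entry must parse. A /0 exclusion sends every outbound
    # connection around the proxy, which is almost never what was intended.
    for name in CIDR_LISTS:
        value = get(name)
        if value in (None, "*"):
            continue
        for cidr in _items(value):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{name}: '{cidr}' is not a valid CIDR")
                continue
            if name == "excludeOutboundIPRanges" and net.prefixlen == 0:
                problems.append(f"{name}: {cidr} bypasses the sidecar for all outbound traffic")

    # excludeInboundPorts needs includeInboundPorts "*" and must keep the mesh
    # agent port out of redirection (the note on this page).
    exc_in = get("excludeInboundPorts")
    if exc_in is not None:
        if get("includeInboundPorts") != "*":
            problems.append("excludeInboundPorts only applies when includeInboundPorts is '*'")
        missing = [p for p in MESH_PORTS if p not in _items(exc_in)]
        if missing:
            problems.append("excludeInboundPorts must also list mesh port(s) " + ", ".join(missing))

    # excludeOutboundIPRanges only applies when all outbound traffic is redirected.
    inc_out = get("includeOutboundIPRanges")
    if get("excludeOutboundIPRanges") is not None and inc_out not in (None, "*"):
        problems.append("excludeOutboundIPRanges only applies when includeOutboundIPRanges is '*'")

    return problems


# Constructed inputs: the two annotation sets shown on this page, plus a
# deliberately broken one that trips four of the checks.
PAGE_INBOUND = {
    PREFIX + "excludeInboundPorts": "15020,80",
    PREFIX + "includeInboundPorts": "*",
}
PAGE_OUTBOUND = {PREFIX + "excludeOutboundIPRanges": "172.30.0.0/24"}
BROKEN = {
    PREFIX + "excludeInboundPorts": "80",
    PREFIX + "excludeOutboundIPRanges": "0.0.0.0/0,172.30.0/24",
}

if __name__ == "__main__":
    for label, ann in (("page inbound", PAGE_INBOUND), ("page outbound", PAGE_OUTBOUND), ("broken", BROKEN)):
        print(label, validate_traffic_annotations(ann) or "ok")
```

Run it against the annotations of every pod template before applying a manifest (for example from a CI step that loads the rendered YAML); an unset includeOutboundIPRanges is treated as inheriting the mesh default, so only an explicit non-wildcard value is flagged.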
Setup#
To configure, add the annotation(s) to the pod template. For example:

```yaml
annotations:
  traffic.sidecar.istio.io/excludeOutboundIPRanges: "172.30.0.0/24"
```

This excludes every destination IP in 172.30.0.0/24 from redirection: traffic to those addresses leaves the pod directly, without being intercepted by the sidecar proxy. The match is made on the destination IP of the connection, so for a Kubernetes service the range must contain the service's ClusterIP. Excluded traffic never passes through Envoy, so it receives no mTLS, authorization policy enforcement or telemetry from the mesh; keep the range as narrow as the use case allows. As noted in the table, this annotation only applies when all outbound traffic is being redirected (includeOutboundIPRanges is "*").
Outbound annotations are applied on the client side, as in the following example.
Example of the pod with annotation:#
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      annotations:
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "172.30.0.0/24"
      labels:
        app: sleep
    spec:
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: governmentpaas/curl-ssl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
```
Test#
For the test, deploy httpbin as the server with sidecar injection disabled. Because the server has no sidecar, the DestinationRule disables mTLS toward it, and any Envoy headers that appear in the request it echoes back can only have been added by the client's sidecar. The Deployment uses the httpbin8990 ServiceAccount created in the same manifest:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin8990
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin8990
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8990
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin8990
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin8990
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin8990
spec:
  host: httpbin8990.cnf1-namespace.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
```
Without the traffic annotation, running curl http://httpbin8990.cnf1-namespace:8990/get?show_env=true from the sleep pod returns:

```json
{
  "args": {
    "show_env": "true"
  },
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "httpbin8990.cnf1-namespace:8990",
    "User-Agent": "curl/7.64.0",
    "X-B3-Sampled": "1",
    "X-B3-Spanid": "e25675728cf08ccf",
    "X-B3-Traceid": "d3ddd7b59e77d420e25675728cf08ccf",
    "X-Envoy-Decorator-Operation": "httpbin8990.cnf1-namespace.svc.cluster.local:8990/*",
    "X-Forwarded-Proto": "http",
    "X-Istio-Attributes": "CkoKGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIuEixodHRwYmluODk5MC5jbmYxLW5hbWVzcGFjZS5zdmMuY2x1c3Rlci5sb2NhbApIChdkZXN0aW5hdGlvbi5zZXJ2aWNlLnVpZBItEitpc3RpbzovL2NuZjEtbmFtZXNwYWNlL3NlcnZpY2VzL2h0dHBiaW44OTkwCikKGGRlc3RpbmF0aW9uLnNlcnZpY2UubmFtZRINEgtodHRwYmluODk5MAoxCh1kZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWVzcGFjZRIQEg5jbmYxLW5hbWVzcGFjZQpCCgpzb3VyY2UudWlkEjQSMmt1YmVybmV0ZXM6Ly9zbGVlcC03ODc0NWZkOThkLWxwZzRrLmNuZjItbmFtZXNwYWNl",
    "X-Request-Id": "df74980e-1885-9bd3-8149-f766de955ead"
  },
  "origin": "10.130.4.14",
  "url": "http://httpbin8990.cnf1-namespace:8990/get?show_env=true"
}
```
With the excludeOutboundIPRanges annotation shown above applied to the sleep pod, the same curl http://httpbin8990.cnf1-namespace:8990/get?show_env=true returns:

```json
{
  "args": {
    "show_env": "true"
  },
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin8990.cnf1-namespace:8990",
    "User-Agent": "curl/7.64.0"
  },
  "origin": "10.129.2.21",
  "url": "http://httpbin8990.cnf1-namespace:8990/get?show_env=true"
}
```
Without the annotation, the echoed request carries X-B3-*, X-Envoy-* and X-Istio-* headers; httpbin itself has no sidecar, so only the client's sidecar could have added them, which shows the traffic went through the proxy. With the annotation excluding the outbound IP range, those headers are absent: the request left the pod directly and bypassed the sidecar. Bypassed traffic also bypasses mesh mTLS, authorization policy and tracing, so treat a successful bypass as something to scope down, not just a result to confirm.
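The check in this test can be automated, and the X-Istio-Attributes header is worth decoding as part of it: it is the base64-encoded istio.mixer.v1.Attributes message that the Mixer filter in the client's sidecar forwards, and because httpbin has no sidecar it lands on the application unconsumed, naming the calling pod and namespace. The Python below is an added example, not code from the Aspen Mesh documentation or the Istio project. It classifies an httpbin /get echo as proxied or direct by the Envoy-only header prefixes and decodes the attribute bag with a minimal protobuf wire-format reader (map entries in field 1, key in field 1, AttributeValue in field 2, string_value in field 2 of that). VIA_SIDECAR and DIRECT are constructed from the two responses on this page, with the page's own X-Istio-Attributes value; the function names are this example's.

```python
import base64

# Constructed samples: the header sets from the two httpbin responses reproduced
# on this page. The X-Istio-Attributes value is the page's own, copied verbatim.
VIA_SIDECAR = {
    "headers": {
        "Accept": "*/*",
        "Host": "httpbin8990.cnf1-namespace:8990",
        "User-Agent": "curl/7.64.0",
        "X-B3-Sampled": "1",
        "X-B3-Spanid": "e25675728cf08ccf",
        "X-B3-Traceid": "d3ddd7b59e77d420e25675728cf08ccf",
        "X-Envoy-Decorator-Operation": "httpbin8990.cnf1-namespace.svc.cluster.local:8990/*",
        "X-Forwarded-Proto": "http",
        "X-Istio-Attributes": "CkoKGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIuEixodHRwYmluODk5MC5jbmYxLW5hbWVzcGFjZS5zdmMuY2x1c3Rlci5sb2NhbApIChdkZXN0aW5hdGlvbi5zZXJ2aWNlLnVpZBItEitpc3RpbzovL2NuZjEtbmFtZXNwYWNlL3NlcnZpY2VzL2h0dHBiaW44OTkwCikKGGRlc3RpbmF0aW9uLnNlcnZpY2UubmFtZRINEgtodHRwYmluODk5MAoxCh1kZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWVzcGFjZRIQEg5jbmYxLW5hbWVzcGFjZQpCCgpzb3VyY2UudWlkEjQSMmt1YmVybmV0ZXM6Ly9zbGVlcC03ODc0NWZkOThkLWxwZzRrLmNuZjItbmFtZXNwYWNl",
        "X-Request-Id": "df74980e-1885-9bd3-8149-f766de955ead",
    },
    "origin": "10.130.4.14",
}
DIRECT = {
    "headers": {"Accept": "*/*", "Host": "httpbin8990.cnf1-namespace:8990", "User-Agent": "curl/7.64.0"},
    "origin": "10.129.2.21",
}

# Header prefixes that only Envoy inserts. The httpbin server in this test has no
# sidecar, so any of these in its echo must have come from the client pod's sidecar.
ENVOY_PREFIXES = ("x-b3-", "x-envoy-", "x-istio-")


def went_through_sidecar(response):
    """True when an httpbin /get echo carries Envoy-injected headers."""
    names = {name.lower() for name in response["headers"]}
    return any(name.startswith(p) for name in names for p in ENVOY_PREFIXES)


def _varint(buf, pos):
    """Read a protobuf base-128 varint; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _fields(buf):
    """Split a protobuf message into (field_number, wire_type, payload) tuples."""
    out, pos = [], 0
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:                      # varint
            payload, pos = _varint(buf, pos)
        elif wire == 2:                    # length-delimited: string, bytes, sub-message
            length, pos = _varint(buf, pos)
            payload, pos = buf[pos:pos + length], pos + length
        elif wire in (1, 5):               # fixed64 / fixed32
            size = 8 if wire == 1 else 4
            payload, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        out.append((field, wire, payload))
    return out


def decode_istio_attributes(header_value):
    """Decode an X-Istio-Attributes header (base64 istio.mixer.v1.Attributes).

    Attributes.attributes is field 1, a map<string, AttributeValue>; each map
    entry is a message with key = field 1 and value = field 2, and
    AttributeValue.string_value is field 2. Non-string values come back raw.
    """
    raw = base64.b64decode(header_value + "=" * (-len(header_value) % 4))
    attrs = {}
    for field, wire, entry in _fields(raw):
        if field != 1 or wire != 2:
            continue
        key, value = None, None
        for f, w, payload in _fields(entry):
            if f == 1 and w == 2:
                key = payload.decode("utf-8")
            elif f == 2 and w == 2:
                for vf, vw, vpayload in _fields(payload):
                    value = vpayload.decode("utf-8") if (vf, vw) == (2, 2) else vpayload
        if key is not None:
            attrs[key] = value
    return attrs


if __name__ == "__main__":
    for label, resp in (("without annotation", VIA_SIDECAR), ("with annotation", DIRECT)):
        print(f"{label}: via sidecar = {went_through_sidecar(resp)}")
    for key, val in decode_istio_attributes(VIA_SIDECAR["headers"]["X-Istio-Attributes"]).items():
        print(f"  {key} = {val}")
```

Decoding the page's header shows source.uid = kubernetes://sleep-78745fd98d-lpg4k.cnf2-namespace alongside the destination service attributes, which is exactly the caller context that a server reached through the bypass never receives. Feeding the JSON of a curl from the annotated pod into went_through_sidecar gives a scriptable pass/fail for the exclusion.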