我将 meshConfig.outboundTrafficPolicy.mode 配置为 ALLOW_ANY。我设置了一个 nginx pod,并将 istio-proxy 配置为 sidecar。
我没有设置任何 ServiceEntry,所以 istio 不应该知道 google.com。 istio-proxy 不会拦截从 nginx 容器到 google.com 的流量。因此,我在 nginx 容器内向 google.com 发送了一个简单的 GET 请求,但 istio-proxy 中的访问日志如下所示。
{“downstream_local_address”:“142.250.76.142:80”,“upstream_local_address”:“10.3.18.110:55996”,“协议”:“HTTP/1.1”,“upstream_host”:“142.250.76.142:80”,“upstream_cluster ":"PassthroughCluster","方法":"GET","response_code":301,"x_forwarded_for":null,"start_time":"2024-04-13T16:04:32.965Z","bytes_sent":219,"路径":"/","response_code_details":"via_upstream","upstream_transport_failure_reason":null,"duration":73,"response_flags":"-","connection_termination_details":null,"request_id":"a8bdc1ce-5bb9- 4ca7-9861-059232af2fcf","authority":"google.com","downstream_remote_address":"10.3.18.110:43972","route_name":"allow_any","bytes_received":0,"upstream_service_time":"73" ,"requested_server_name":null,"user_agent":"curl/7.74.0"}
istio-proxy 是否会记录未被拦截的请求?如果我有任何错误,请纠正我。谢谢你。
Istio-proxy 将配置 iptables 默认拦截所有传入 pod 的入口和出口流量。因此,即使您没有 SE 来解析主机,Istio 默认情况下也会知道 google.com 端点并查看流量。但这将通过“直通”集群,因此您将无法对该流量做出任何决定。