kubernetes - Istio-无法将outboundTrafficPolicy.mode设置为REGISTRY_ONLY的https上的外部IP

Question

我们正在使用Istio，并将outboundTrafficPolicy.mode设置为REGISTRY_ONLY。我们使用ServiceEntries和Sidecar配置将许多域列入白名单，这些都可以正常工作。
但是，尝试将IP地址列入白名单并使用HTTPS无效。这是我们正在使用的ServiceEntry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  labels:
    app: test
  name: test-external-deps
  namespace: realistic-doubles
spec:
  addresses:
    - 54.xx.xx.xx
  endpoints:
    - address: 54.xx.xx.xx
  exportTo:
    - .
  hosts:
    - fakehost3.internal
  location: MESH_EXTERNAL
  ports:
    - name: https
      number: 8443
      protocol: TLS
  resolution: STATIC

当我们在Istio之外 curl 此IP时，我们会得到很好的响应。但是在网格中，我们得到:

root@trading-api-99f85fdbc-vskdg:/app# curl -v -k https://54.xx.xx.xx:8443
* Expire in 0 ms for 6 (transfer 0x561ea5c1ff50)
*   Trying 54.xx.xx.xx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x561ea5c1ff50)
* Connected to 54.xx.xx.xx (54.xx.xx.xx) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 54.xx.xx.xx:8443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 54.xx.xx.xx:8443

特使访问日志显示了这一点，这似乎与其他被阻止的请求一致:

[2020-07-21T17:27:43.240Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 54.xx.xx.xx:8443 10.xx.xx.xx:48738 - -

我们如何将该外部IP列入白名单，以使其不会被Envoy阻止？

Answer 1

我发现了我所缺少的。仅仅添加一个ServiceEntry是不够的。我还需要更新Sidecar配置以列出伪造的主机名，如下所示:

apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: test
  namespace: realistic-doubles
  labels:
    app: test
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/name: test
  egress:
    - hosts:
        - "./fakehost3.internal"

添加完之后，我就可以从pod中解析静态IP了!