Updated on 2025-05-28 GMT+08:00

How Can I Block Access from Some IP Address Ranges or Ports for a Service Mesh?

Scenarios

In Istio, to implement transparent traffic management for a service mesh, sidecars are designed to intercept all incoming and outgoing traffic by default. This design is non-intrusive to services and ensures security and reliability. However, it may cause the following problems in actual scenarios:

  • When all traffic passes through a sidecar, the sidecar's memory and CPU usage is high. In severe cases, the service pod may be restarted, or a cascading service failure may even occur.
  • In some scenarios, services must access external systems (such as database connection pools) directly, which the default interception mechanism does not allow.

This section describes how to configure refined traffic interception rules to resolve these problems.

Workload Configuration for Blocking or Allowing Traffic from Some IP Address Ranges

Modify the deployment file to block the IP address ranges.

Run the kubectl edit deploy -n user_namespace user_deployment command.

1. In deployment.spec.template.metadata.annotations, use traffic.sidecar.istio.io/includeOutboundIPRanges to specify IP address ranges to be blocked.

2. In deployment.spec.template.metadata.annotations, use traffic.sidecar.istio.io/excludeOutboundIPRanges to specify IP address ranges that are allowed.

The preceding operations will result in rolling upgrades of service containers.

Workload Configuration for Blocking or Allowing Traffic over Some Ports

Modify the deployment file to block or allow ingress and egress traffic over some ports.

Run the kubectl edit deploy -n user_namespace user_deployment command.

1. In deployment.spec.template.metadata.annotations, use traffic.sidecar.istio.io/excludeInboundPorts to specify the ports on which ingress traffic is allowed.

2. In deployment.spec.template.metadata.annotations, use traffic.sidecar.istio.io/includeInboundPorts to specify the ports on which ingress traffic is blocked.

3. In deployment.spec.template.metadata.annotations, use traffic.sidecar.istio.io/excludeOutboundPorts to specify the ports on which egress traffic is allowed.

4. In deployment.spec.template.metadata.annotations, use traffic.sidecar.istio.io/includeOutboundPorts to specify the ports on which egress traffic is blocked.

The preceding operations will result in rolling upgrades of service containers.
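As an added example that is not part of the original page, the following Deployment places the IP-range and port annotations from the two sections above on the pod template (deployment.spec.template.metadata.annotations). The namespace, workload name, image, CIDR ranges and ports are assumed sample values:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user_deployment          # assumed sample name, as in the kubectl command above
  namespace: user_namespace      # assumed sample namespace
spec:
  replicas: 2
  selector:
    matchLabels:
      app: user-app
  template:
    metadata:
      labels:
        app: user-app
      annotations:
        # Outbound IP ranges that the sidecar intercepts (comma-separated CIDRs).
        # Only traffic to these ranges is redirected through the sidecar.
        traffic.sidecar.istio.io/includeOutboundIPRanges: "10.0.0.0/8,172.16.0.0/12"
        # Outbound IP ranges that are allowed to bypass the sidecar even though
        # they fall inside the included ranges (assumed database subnet).
        traffic.sidecar.istio.io/excludeOutboundIPRanges: "10.20.0.0/16"
        # Inbound ports that bypass the sidecar (assumed metrics port scraped directly).
        traffic.sidecar.istio.io/excludeInboundPorts: "9100"
        # Outbound ports that bypass the sidecar (assumed database connection pool).
        traffic.sidecar.istio.io/excludeOutboundPorts: "3306"
    spec:
      containers:
        - name: user-app
          image: user-app:1.0    # assumed sample image
          ports:
            - containerPort: 8080   # still intercepted by the sidecar
            - containerPort: 9100   # excluded from interception above
```

Applying this manifest changes the pod template and therefore triggers the rolling upgrade mentioned above. Traffic on the excluded ports and ranges is not seen by the sidecar, so mesh mTLS and authorization policies do not apply to it; keep the exclusions as narrow as the workload actually needs.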

Verification

The configurations take effect in the iptables rules of the containers. Run the following commands to check whether they have taken effect.

  1. Log in to the node where the workload is running and run the docker ps command to find the pause container and view its container ID.
  2. Run the docker inspect <CONTAINER_ID> | grep -i pid command to view the process ID.
  3. Run the nsenter -t <PID> -n bash command to enter the network namespace of the container.
  4. Run the iptables -t nat -L -n -v command to check whether the configurations take effect for the specified IP address ranges and ports.