istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/inbound-passthrough.yaml

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management
issue:
  - 29940
upgradeNotes:
  - title: Inbound Forwarding Configuration
    content: |
      The behavior of inbound forwarding will be modified in the near future. While this change is not enabled
      by default in Istio 1.10, it can be enabled today by configuring the `PILOT_ENABLE_INBOUND_PASSTHROUGH=true` environment
      variable in Istiod.

      Previously, requests would be forwarded to `localhost`. This leads to two important differences compared to running applications
      without Istio:

      * Applications that bind to `localhost` will be exposed to external pods.
      * Applications that bind to `<POD_IP>` will not be exposed to external pods.

      The latter is a common source of friction when adopting Istio, in particular with stateful services where this is common.

      The new behavior instead forwards the request as is. This matches the behavior a user would see without Istio installed.
      However, as a result, applications that have come to rely on `localhost` being exposed externally by Istio may stop working.

      The [check-binds.sh](https://gist.github.com/howardjohn/edcdbe5a85ae2e5ba7809739bd55c566) script can be used to detect what binds your applications are using.

      Regardless of Istio version, the behavior can be explicitly controlled by the `Sidecar`.
      For example, to configure the 9080 port to explicitly be sent to localhost:

      ```yaml
      apiVersion: networking.istio.io/v1beta1
      kind: Sidecar
      metadata:
        name: ratings
      spec:
        workloadSelector:
          labels:
            app: ratings
        ingress:
        - port:
            number: 9080
            protocol: HTTP
            name: http
          defaultEndpoint: 127.0.0.1:9080
      ```
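
The two forwarding modes described in the note can be checked against a pod's listening sockets. The following is an added example, not the `check-binds.sh` script and not Istio code: it classifies each listener in `ss -ltn` output by bind address and reports whether other pods can reach it under forwarding to `localhost` versus forwarding as is. The pod IP, the sample output and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltn` output from an application container.
POD_IP = "10.244.1.17"  # assumed pod IP for this sample
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    10.244.1.17:7000    0.0.0.0:*
LISTEN 0      128    0.0.0.0:9080        0.0.0.0:*
LISTEN 0      128    [::1]:9090          [::]:*
LISTEN 0      128    *:3000              *:*
"""

# bind kind -> (reachable when forwarded to localhost, reachable when forwarded as is)
REACHABLE = {
    "wildcard": (True, True),
    "localhost": (True, False),  # exposed to other pods only by the old behavior
    "pod_ip": (False, True),     # hidden from other pods by the old behavior
}

def classify_bind(addr, pod_ip):
    """Return 'wildcard', 'localhost', 'pod_ip' or 'other' for a bind address."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "localhost"
    return "pod_ip" if ip == ipaddress.ip_address(pod_ip) else "other"

def audit_listeners(ss_output, pod_ip):
    """List listeners with their reachability under both forwarding modes."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        kind = classify_bind(addr, pod_ip)
        if kind in REACHABLE:
            legacy, passthrough = REACHABLE[kind]
            findings.append({"port": int(port), "bind": kind, "legacy": legacy,
                             "passthrough": passthrough,
                             "changes": legacy != passthrough})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, POD_IP):
        print(f)
```

Listeners flagged with `changes` are the ones to review before enabling `PILOT_ENABLE_INBOUND_PASSTHROUGH=true`, or to pin with a `Sidecar` `defaultEndpoint` as shown in the note.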