istio.io/istio@v0.0.0-20240520182934-d79c90f27776/samples/external/README.md

# External Services

By default, Istio-enabled services are unable to access services and URLs outside the cluster. Pods use <i>iptables</i> to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.

See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for
information on configuring Istio to contact external services.

This directory contains samples showing how to enable pods to contact a few
well-known services.

If Istio is not configured to allow pods to contact external services, the pods will
see errors such as 404s, HTTPS connection problems, and TCP connection problems. If
ServiceEntries are misconfigured, pods may see problems with server names.

## Try it out

After an operator runs `kubectl create -f aptget.yaml`, pods will be able to
run `apt-get update` and `apt-get install` successfully.

After an operator runs `kubectl create -f github.yaml`, pods will be able to
run `git clone https://github.com/fortio/fortio.git` successfully.

Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`.

It is not a best practice to enable pods to update libraries dynamically.
We are providing these samples because they have proven to be helpful with
interactive troubleshooting. Security-minded clusters should only allow traffic
to service dependencies such as cloud services.

### Enable communication by default

[This note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique
discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will
allow external communication for ports 80 and 22.
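
To illustrate the ServiceEntry approach these samples rely on, here is an added example (not the contents of `github.yaml` or any other file in this directory) that lets a single namespace reach `github.com` on ports 443 and 22 only. The resource name and the `build` namespace are assumptions.

```yaml
# Added example, not a file from this samples directory.
# Assumptions: workloads that need GitHub run in a namespace named "build",
# and no other namespace should gain this egress path.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: github-egress          # hypothetical name
  namespace: build             # hypothetical namespace
spec:
  hosts:
  - github.com                 # one named dependency, no wildcard
  location: MESH_EXTERNAL      # destination lives outside the mesh
  resolution: DNS              # the sidecar resolves the host itself
  exportTo:
  - "."                        # visible only to sidecars in this namespace
  ports:
  - number: 443
    name: https
    protocol: TLS              # routed on SNI; TLS is passed through, not terminated
  - number: 22
    name: tcp-ssh
    protocol: TCP              # opaque TCP, for git over SSH
```

Listing one host, only the ports the workload uses, and a namespace-local `exportTo` keeps the egress allowlist limited to an actual service dependency.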