istio proxy iptables - how to view this configuration

The Istio init container runs and configures the iptables rules of our pod (not the node) for us. How can we see these iptables rules from inside our pod?

First we need to ensure that our deployment is:

1. Annotated with sidecar.istio.io/enableCoreDump = "true". For example:

   prometheus.io/scrape: "true"
   sidecar.istio.io/enableCoreDump: "true"
   sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert","istio-ca-crl"],"imagePullSecrets":null,"revision":"default"}'
   creationTimestamp: null

2. Configured with readOnlyRootFilesystem set to false:

   securityContext:
     allowPrivilegeEscalation: true
     capabilities:
       add:
       - NET_ADMIN
       - NET_RAW
       drop:
       - ALL
     privileged: true
     readOnlyRootFilesystem: false
     runAsGroup: 0
     runAsNonRoot: false
     runAsUser: 0

Otherwise you will run into "Iptables : can't open lock file /run/xtables.lock: Read-only file system".
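Checking those two settings by hand on every pod is error-prone, so here is a small script that does it from the pod's JSON. This is an added example, not code from the post or from Istio: it reads the output of `kubectl get pod <name> -o json` on stdin, looks up the annotation and the securityContext of the container we exec into (assumed to carry the default injected name istio-proxy), and reports anything that would stop iptables from listing the rules. The sample pod embedded in it is constructed to mirror the annotation and securityContext shown above; the image names in it are placeholders.

```python
"""Check a pod for the two settings the post requires before iptables rules can be
listed from inside the istio-proxy container (added example, not the post's code).
Feed it `kubectl get pod <name> -o json` on stdin, or run it as-is on the sample."""
from __future__ import annotations
import copy
import json
import sys

PROXY_CONTAINER = "istio-proxy"  # the container we exec into (assumption: default injected name)
CORE_DUMP_ANNOTATION = "sidecar.istio.io/enableCoreDump"


def check_proxy_preconditions(pod: dict) -> list[str]:
    """Return a list of problems; an empty list means both steps are satisfied."""
    problems: list[str] = []
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if annotations.get(CORE_DUMP_ANNOTATION) != "true":
        problems.append(f'annotation {CORE_DUMP_ANNOTATION} is not "true"')

    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    proxy = next((c for c in containers if c.get("name") == PROXY_CONTAINER), None)
    if proxy is None:
        problems.append(f"no container named {PROXY_CONTAINER}; is the sidecar injected?")
        return problems

    sc = proxy.get("securityContext") or {}
    # Unset means writable (Kubernetes default); only an explicit true blocks /run/xtables.lock.
    if sc.get("readOnlyRootFilesystem") is True:
        problems.append(f"{PROXY_CONTAINER} has readOnlyRootFilesystem: true")
    # Listing the NAT table needs CAP_NET_ADMIN; the post's context grants it via privileged + add.
    caps = (sc.get("capabilities") or {}).get("add") or []
    if not sc.get("privileged") and "NET_ADMIN" not in caps:
        problems.append(f"{PROXY_CONTAINER} has neither privileged: true nor NET_ADMIN")
    return problems


# Constructed sample pod mirroring the annotation and securityContext shown in the post.
SAMPLE_POD = {
    "metadata": {
        "name": "service-one-fc878cc5b-kdf82",
        "annotations": {"prometheus.io/scrape": "true", CORE_DUMP_ANNOTATION: "true"},
    },
    "spec": {"containers": [
        {"name": "service-one", "image": "example.invalid/service-one:placeholder"},
        {"name": PROXY_CONTAINER, "image": "example.invalid/proxyv2:placeholder",
         "securityContext": {
             "allowPrivilegeEscalation": True,
             "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]},
             "privileged": True, "readOnlyRootFilesystem": False,
             "runAsGroup": 0, "runAsNonRoot": False, "runAsUser": 0}},
    ]},
}


def locked_down_pod() -> dict:
    """A copy of the sample with the three settings flipped, to show what a failing pod reports."""
    pod = copy.deepcopy(SAMPLE_POD)
    del pod["metadata"]["annotations"][CORE_DUMP_ANNOTATION]
    sc = pod["spec"]["containers"][1]["securityContext"]
    sc.update({"privileged": False, "readOnlyRootFilesystem": True,
               "capabilities": {"drop": ["ALL"]}})
    return pod


if __name__ == "__main__":
    pod = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD
    issues = check_proxy_preconditions(pod)
    print("ok: iptables can be listed from istio-proxy" if not issues else "\n".join(issues))
```

Run it as `kubectl get pod service-one-fc878cc5b-kdf82 -o json | python3 check_proxy.py`; with nothing on stdin it audits the embedded sample, and `locked_down_pod()` shows the three messages you get from a pod that still has the hardened defaults.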

Then shell into the proxy container with the following command:

kubectl exec -it service-one-fc878cc5b-kdf82 -c istio-proxy -- /bin/sh

Istio has moved from legacy iptables to iptables-nft, so the rules can be listed with nft:

sudo nft list ruleset

The same NAT table in the familiar iptables layout, which is what the rest of this post walks through:

sudo iptables-nft -t nat -L -v --line-numbers

Interpreting the results from our output:


# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 59 packets, 3540 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       59  3540 ISTIO_INBOUND  tcp  --  any    any     anywhere             anywhere

Chain INPUT (policy ACCEPT 59 packets, 3540 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 23 packets, 1902 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       23  1902 ISTIO_OUTPUT  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain ISTIO_INBOUND (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15008
2        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15090
3       59  3540 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15021
4        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15020
5        0     0 ISTIO_IN_REDIRECT  tcp  --  any    any     anywhere             anywhere

Chain ISTIO_IN_REDIRECT (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15006

Chain ISTIO_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    lo      127.0.0.6            anywhere
2        0     0 ISTIO_IN_REDIRECT  tcp  --  any    lo      anywhere            !localhost            tcp dpt:!15008 owner UID match istio-proxy
3        0     0 RETURN     all  --  any    lo      anywhere             anywhere             ! owner UID match istio-proxy
4       22  1834 RETURN     all  --  any    any     anywhere             anywhere             owner UID match istio-proxy
5        0     0 ISTIO_IN_REDIRECT  tcp  --  any    lo      anywhere            !localhost            tcp dpt:!15008 owner GID match istio-proxy
6        0     0 RETURN     all  --  any    lo      anywhere             anywhere             ! owner GID match istio-proxy
7        0     0 RETURN     all  --  any    any     anywhere             anywhere             owner GID match istio-proxy
8        0     0 RETURN     all  --  any    any     anywhere             localhost
9        1    68 ISTIO_REDIRECT  all  --  any    any     anywhere             anywhere

Chain ISTIO_REDIRECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15001


PREROUTING Chain

Chain PREROUTING (policy ACCEPT 59 packets, 3540 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       59  3540 ISTIO_INBOUND  tcp  --  any    any     anywhere             anywhere

  • PREROUTING is part of the NAT table and applies to all inbound packets before routing.

  • Rule #1 sends all TCP traffic to the chain ISTIO_INBOUND.

  • Packet counts (59 packets, 3540 bytes) show how many packets matched this rule.

  Effect: Incoming traffic to the pod is evaluated by Istio's inbound rules.


INPUT Chain

Chain INPUT (policy ACCEPT 59 packets, 3540 bytes)
num   pkts bytes target     prot opt in     out     source               destination

  Default chain for traffic destined directly to the pod itself. There are no Istio rules here, because Istio only uses PREROUTING plus its custom chains for redirection.


OUTPUT Chain

Chain OUTPUT (policy ACCEPT 23 packets, 1902 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       23  1902 ISTIO_OUTPUT  all  --  any    any     anywhere             anywhere

  • OUTPUT handles packets generated by the pod (outbound traffic).

  • All outbound traffic is sent to the ISTIO_OUTPUT chain.

  Effect: All outgoing traffic goes through the Envoy sidecar.


ISTIO_INBOUND Chain

Chain ISTIO_INBOUND (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15008
2        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15090
3       59  3540 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15021
4        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15020
5        0     0 ISTIO_IN_REDIRECT  tcp  --  any    any     anywhere             anywhere

  • RETURN rules (#1-#4): Exclude Envoy health/metrics ports from redirection:

    • 15008 → Istio custom port

    • 15090 → Envoy metrics

    • 15021 → Envoy readiness probe

    • 15020 → Envoy stats

  • Rule #5: All other inbound traffic goes to ISTIO_IN_REDIRECT.


ISTIO_IN_REDIRECT Chain

Chain ISTIO_IN_REDIRECT (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15006

  • REDIRECT to 15006 → Envoy inbound listener port

  • Any inbound traffic not excluded is redirected here.

  Effect: The app never sees traffic directly; Envoy handles it first.


ISTIO_OUTPUT Chain

Chain ISTIO_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
...
9        1    68 ISTIO_REDIRECT  all  --  any    any     anywhere             anywhere

  Handles outbound traffic from the pod. Some rules exclude traffic generated by the Envoy UID/GID, loopback, or local traffic. Rule #9 sends the remaining traffic to ISTIO_REDIRECT.


ISTIO_REDIRECT Chain

Chain ISTIO_REDIRECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15001

  • REDIRECT to 15001 → Envoy outbound listener port

  • All pod-originated traffic that is not excluded hits Envoy first.

  Effect: Outbound traffic flows through Envoy for routing, telemetry, mTLS, etc.
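The walkthrough above is exactly the structure you want to verify when a pod behaves oddly: PREROUTING and OUTPUT must jump into the Istio chains, the two REDIRECT chains must point at Envoy's 15006 and 15001 listeners, and nothing else in the table should REDIRECT anywhere. Here is an added example that encodes that check; it is not code from the post or from Istio. It parses the `iptables-nft -t nat -L -v --line-numbers` listing piped in on stdin, summarises the redirect layout (including the ports ISTIO_INBOUND excludes) and reports any deviation. The embedded sample is the listing shown earlier, trimmed to the chains the audit reads; the 15006/15001 defaults are assumed unchanged.

```python
"""Parse `iptables-nft -t nat -L -v --line-numbers` output from a sidecar and check
that the Istio chains redirect where they should (added example, not the post's code).
Pipe the command output in on stdin, or run it as-is on the sample listing."""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# Envoy listener ports of a REDIRECT-mode sidecar (assumption: Istio defaults unchanged).
INBOUND_PORT, OUTBOUND_PORT = 15006, 15001


@dataclass
class Rule:
    num: int
    target: str
    proto: str
    out_if: str
    dst: str
    extra: str  # match text after the destination column: dpt:, owner, redir ports ...


def parse_nat_table(text: str) -> dict[str, list[Rule]]:
    """Map chain name -> rules from a `-L -v --line-numbers` listing."""
    chains: dict[str, list[Rule]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line[:1].isdigit():
            # columns: num pkts bytes target prot opt in out source destination [matches]
            f = line.split(None, 10)
            extra = f[10].strip() if len(f) > 10 else ""
            chains[current].append(Rule(int(f[0]), f[3], f[4], f[7], f[9], extra))
        # header rows, blank lines and the "# Warning:" line carry no rules
    return chains


def redirect_port(rules: list[Rule]) -> int | None:
    """Port of the first REDIRECT rule in a chain, or None if there is none."""
    for r in rules:
        m = re.search(r"redir ports (\d+)", r.extra) if r.target == "REDIRECT" else None
        if m:
            return int(m.group(1))
    return None


def audit_istio_nat(chains: dict[str, list[Rule]]) -> dict:
    """Summarise the redirect layout and list anything that deviates from it."""
    findings: list[str] = []
    for chain, target in (("PREROUTING", "ISTIO_INBOUND"), ("OUTPUT", "ISTIO_OUTPUT")):
        if not any(r.target == target for r in chains.get(chain, [])):
            findings.append(f"{chain} does not jump to {target}: that direction bypasses Envoy")
    ports = {}
    for chain, expected in (("ISTIO_IN_REDIRECT", INBOUND_PORT), ("ISTIO_REDIRECT", OUTBOUND_PORT)):
        ports[chain] = redirect_port(chains.get(chain, []))
        if ports[chain] != expected:
            findings.append(f"{chain} redirects to {ports[chain]}, expected {expected}")
    for chain, rules in chains.items():  # a REDIRECT anywhere else was not put there by istio-init
        if chain not in ("ISTIO_IN_REDIRECT", "ISTIO_REDIRECT"):
            findings += [f"{chain} rule {r.num}: REDIRECT outside the Istio chains"
                         for r in rules if r.target == "REDIRECT"]
    excluded = sorted(int(m.group(1)) for r in chains.get("ISTIO_INBOUND", [])
                      if r.target == "RETURN"
                      for m in [re.search(r"dpt:(\d+)", r.extra)] if m)
    return {"inbound_redirect": ports["ISTIO_IN_REDIRECT"],
            "outbound_redirect": ports["ISTIO_REDIRECT"],
            "inbound_excluded": excluded, "findings": findings}


# Sample listing copied from the post's output, trimmed to the chains the audit reads.
SAMPLE = """\
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 59 packets, 3540 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       59  3540 ISTIO_INBOUND  tcp  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 23 packets, 1902 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       23  1902 ISTIO_OUTPUT  all  --  any    any     anywhere             anywhere

Chain ISTIO_INBOUND (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15008
2        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15090
3       59  3540 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15021
4        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:15020
5        0     0 ISTIO_IN_REDIRECT  tcp  --  any    any     anywhere             anywhere

Chain ISTIO_IN_REDIRECT (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15006

Chain ISTIO_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
4       22  1834 RETURN     all  --  any    any     anywhere             anywhere             owner UID match istio-proxy
9        1    68 ISTIO_REDIRECT  all  --  any    any     anywhere             anywhere

Chain ISTIO_REDIRECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             redir ports 15001
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, value in audit_istio_nat(parse_nat_table(text)).items():
        print(f"{key}: {value}")
```

Use it as `kubectl exec service-one-fc878cc5b-kdf82 -c istio-proxy -- sudo iptables-nft -t nat -L -v --line-numbers | python3 audit_nat.py`. An empty findings list means the table matches the layout walked through above; a REDIRECT to a different port, or a missing jump from OUTPUT or PREROUTING, shows up as a one-line finding, which is the quickest way to tell "Envoy is not seeing this traffic" apart from an Envoy configuration problem.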
