Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Having port range or port wildcard in configurations and rules #23983

Open
tvdinh opened this issue May 20, 2020 · 11 comments
Open

Having port range or port wildcard in configurations and rules #23983

tvdinh opened this issue May 20, 2020 · 11 comments
Labels
area/networking kind/enhancement lifecycle/staleproof Indicates a PR or issue has been deemed to be immune from becoming stale and/or automatically closed
Milestone
Backlog

Comments

@tvdinh
Copy link

tvdinh commented May 20, 2020
edited by istio-policy-bot
Loading

Describe the feature request
Having port range or port wildcard in configurations and rules.

Context:

  1. Configure external service (Apache ActiceMQ server in particular) for Istio Service Mesh

  2. External services like Apache ActiceMQ, they have a few standards ports but then also use a random port to communicate with established clients (via JMS etc.). So to whitelist them, it would be useful that port range/wildcard can be defined like the below.

For example, defining a ServiceEntry

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: "activemq"
spec:
  hosts:
  - activemq.external
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - name: "all-ports-activemq"
    number: *
    protocol: TCP

Describe alternatives you've considered
No obvious alternatives. Please suggest if there is an alternative

Additional context
@istio-policy-bot istio-policy-bot added area/networking area/security feature/Multi-control-plane issues related with multi-control-plane support in a cluster kind/enhancement labels May 20, 2020
@howardjohn
Copy link
Member

I am not sure this is really possible in Envoy. I assume you do not want to whitelist literally all traffic, and instead just any IP addressed returned from DNS for activemq.external, on any port?

As far as I know Envoy cannot do this; its DNS resolution is only for load balancing

@howardjohn
Copy link
Member

And if you want to allow all traffic, you can use ALLOW_ANY

@howardjohn howardjohn removed area/security feature/Multi-control-plane issues related with multi-control-plane support in a cluster labels May 20, 2020
@tvdinh
Copy link
Author

tvdinh commented May 21, 2020

And if you want to allow all traffic, you can use ALLOW_ANY

ALLOW_ANY is not a preferable for my use case as mentioned in https://istio.io/docs/tasks/traffic-management/egress/egress-control/, we want any service internal/external to be registered (to be aware of)

I am not sure this is really possible in Envoy. I assume you do not want to whitelist literally all traffic, and instead just any IP addressed returned from DNS for activemq.external, on any port?

You are right, only for activemq.external host and any port.

I think the use case is quite straightforward, is there a way to achieve that ?

@howardjohn
Copy link
Member

TCP traffic doesn't have a host header so you cannot do traffic routing based on host for tcp traffic

@tvdinh
Copy link
Author

tvdinh commented May 22, 2020

TCP traffic doesn't have a host header so you cannot do traffic routing based on host for tcp traffic

Thanks for pointing that out, I've used IP range instead and it works for single port, but the enquiry on the port range is still valid:

This works:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: "activemq"
spec:
  hosts:
  - dummy.com
  location: MESH_EXTERNAL
  resolution: NONE
  addresses:
  - <IP address> 
  ports:
  - name: "broker-port"
    number: 61616
    protocol: TCP

This doesn't:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: "activemq"
spec:
  hosts:
  - dummy.com
  location: MESH_EXTERNAL
  resolution: NONE
  addresses:
  - <IP address> 
  ports:
  - name: "all-ports"
    number: *
    protocol: TCP

@howardjohn
Copy link
Member

Yeah that last one I think is feasible. Would need to double check with Envoy that we can listen in all ports but I think at least in the near future with some changes to the envoy config we are doing it should be find

@howardjohn howardjohn added this to the Backlog milestone Jul 28, 2020
@howardjohn
Copy link
Member

#10533 is blocking

@uvw uvw mentioned this issue Nov 19, 2020
Closed
@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Apr 26, 2021
@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label May 11, 2021
@johnma14 johnma14 reopened this Dec 8, 2021
@istio-policy-bot istio-policy-bot removed the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Dec 8, 2021
@ceastman-ibm
Copy link

@howardjohn You mentioned last year that it might be possible in the future, just checking on the status of having a wildcard or a range of ports for a single service entry.

@howardjohn howardjohn mentioned this issue Feb 4, 2022
Closed
@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jun 7, 2022
@devenderkamble
Copy link

devenderkamble commented Jul 28, 2022
edited
Loading

Is there a roadmap plan to implement this feature , wildcard or a range of ports for a single service entry.

@howardjohn
Copy link
Member

This depends on #10533 which is a long ways off. So nothing in the medium term

@howardjohn howardjohn reopened this Jul 28, 2022
@istio-policy-bot istio-policy-bot removed the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jul 28, 2022
@howardjohn howardjohn added the lifecycle/staleproof Indicates a PR or issue has been deemed to be immune from becoming stale and/or automatically closed label Jul 28, 2022
@alexander-rondon
Copy link

I came across another use case for this feature, when I was trying to create a Service Entry for an Azure database where you have to allow outbound communication from the pod hosting the SQL client, in the Istio Mesh, to an external host in the port range 1433 to 65535, as required in Use Redirect connection policy with private endpoints

Something like this below will be really helpful instead of opting for 'global.proxy.excludeIPRanges' to allow external traffic.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: azure-sql
spec:
  hosts:
    - "*.database.windows.net"
  ports:
    - name: https
      numbers: 1433 - 65535  # or just * 
      protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

@zirain zirain removed the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label Jun 15, 2024
@howardjohn howardjohn moved this to Done in Prioritization Jul 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/networking kind/enhancement lifecycle/staleproof Indicates a PR or issue has been deemed to be immune from becoming stale and/or automatically closed
Projects
Prioritization
Status: Done
Milestone
Backlog
Development

No branches or pull requests
8 participants
@howardjohn @zirain @tvdinh @johnma14 @ceastman-ibm @alexander-rondon @istio-policy-bot @devenderkamble