-
Bug
-
Resolution: Done
-
Normal
-
None
-
OSSM 2.5.1
-
None
When setting "sidecar.isito.io/interceptionMode: TPROXY" in a Deployment, the traffic never reaches the application container in the pod.
❯ oc get pods NAME READY STATUS RESTARTS AGE nginx-5c547849f7-h444z 2/2 Running 0 115s sleep-6849bb8544-6bw5p 2/2 Running 0 11m ❯ oc get -o yaml pod nginx-5c547849f7-h444z| grep TPROXY sidecar.istio.io/interceptionMode: TPROXY value: TPROXY
Trying to connect from the sleep pod never returns:
❯ oc exec -ti sleep-6849bb8544-6bw5p -- curl nginx:8080
... here it just waits forever
The logs in the istio-proxy container of the sleep pod show the connection as usual:
[2024-05-01T07:03:49.339Z] "- - -" 0 - - - "-" 74 248 15 - "-" "-" "-" "-" "10.129.2.20:8080" outbound|8080||nginx.mesh-tproxy.svc.cluster.local 10.129.2.22:56852 172.30.88.193:8080 10.129.2.22:51514 - -
And the logs in the istio-proxy container of the nginx pod fail to reach the application container:
[2024-05-01T07:13:18.813Z] "- - -" 0 UF,URX - - "-" 0 0 10005 - "-" "-" "-" "-" "10.128.2.15:8080" inbound|8080|| - 10.128.2.15:8080 10.129.2.22:36130 outbound_.8080_._.nginx.mesh-tproxy.svc.cluster.local -
When running the nginx pod in REDIRECT mode (the default), the connection works as expected, and the logs from the istio-proxy container show this:
[2024-05-01T07:17:35.728Z] "- - -" 0 - - - "-" 836 1024 13 - "-" "-" "-" "-" "10.128.2.18:8080" inbound|8080|| 127.0.0.6:59309 10.128.2.18:8080 10.129.2.22:51142 outbound_.8080_._.nginx.mesh-tproxy.svc.cluster.local -
Should "redirectMode: TPROXY" work out of the box? or is there any extra configuration needed?