You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is not a security vulnerability or a crashing bug
This is not a question about how to use Istio
Bug Description
I'm somewhat convinced at this point that the behavior is related to running istio on IPv6. I think the HTTPS endpoints I am reproducing the problem on all do not support IPv6, so istio is allocating an IPv6 address within the pod and then failing to proxy the traffic properly to the IPv4 endpoints.
Create a simple ServiceEntry to allow egress control / visibility of traffic from a pod:
app@myapp-mq-main-757dd77ddc-bdn7v:~$ true | openssl s_client -connect sts.us-east-2.amazonaws.com:443 -servername sts.us-east-2.amazonaws.com 2>/dev/null
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
istioctl proxy-config
Note the auto-allocated ip addresses used here via the ISTIO_META_DNS_AUTO_ALLOCATE setting.
❯ istioctl pc l myapp-mq-main-757dd77ddc-bdn7v | grep 443
2001:2::f0f0:6366 443 ALL Cluster: outbound|443||s3.us-east-2.amazonaws.com
2001:2::f0f0:a18 443 ALL Cluster: outbound|443||sts.us-east-2.amazonaws.com
2001:2::f0f0:e873 443 ALL Cluster: outbound|443||s3.dualstack.us-east-2.amazonaws.com
:: 443 Trans: raw_buffer; App: http/1.1,h2c Route: 443
:: 443 ALL PassthroughCluster
fdf5:2e6e:6925::1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local
fdf5:2e6e:6925::52e4 443 ALL Cluster: outbound|443||metrics-server.kube-system.svc.cluster.local
fdf5:2e6e:6925::6372 443 ALL Cluster: outbound|443||istiod.istio-system.svc.cluster.local
fdf5:2e6e:6925::88a5 443 ALL Cluster: outbound|443||cert-manager-webhook.cert-manager.svc.cluster.local
fdf5:2e6e:6925::a50b 443 ALL Cluster: outbound|443||istio-ingressgateway.istio-ingressgateway-private.svc.cluster.local
fdf5:2e6e:6925::eba5 443 Trans: raw_buffer; App: http/1.1,h2c Route: external-secrets-webhook.external-secrets.svc.cluster.local:443
fdf5:2e6e:6925::eba5 443 ALL Cluster: outbound|443||external-secrets-webhook.external-secrets.svc.cluster.local
fdf5:2e6e:6925::f50b 443 Trans: raw_buffer; App: http/1.1,h2c Route: aws-load-balancer-webhook-service.kube-system.svc.cluster.local:443
fdf5:2e6e:6925::f50b 443 ALL Cluster: outbound|443||aws-load-balancer-webhook-service.kube-system.svc.cluster.local
The text was updated successfully, but these errors were encountered:
mmerickel
changed the title
ServiceEntry is causing SSL validation errors when acting as a TLS passthrough to an external HTTPS service
ServiceEntry is causing SSL validation errors when acting as a TLS passthrough to an external IPv4 HTTPS service on an IPv6 cluster
May 2, 2024
This is in EKS in which there is a link local interface allowing only egress ipv4. Hence a special flag was added ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERS and it does not require enabling dual stack according to previous comments in other threads.
@hzxuzhonghu please see #46719 (comment) and the followup comment by @day0ops indicating dual stack mode shouldn't be required. If it is, I'd like to know because istio hasn't been exactly clear on this issue.
Is this the right place to submit this?
Bug Description
I'm somewhat convinced at this point that the behavior is related to running istio on IPv6. I think the HTTPS endpoints I am reproducing the problem on all do not support IPv6, so istio is allocating an IPv6 address within the pod and then failing to proxy the traffic properly to the IPv4 endpoints.
curl https://sts.us-east-2.amazonaws.com
successfully.curl https://sts.us-east-2.amazonaws.com
:Version
Extra configs:
ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERS: "true"
ENABLE_NATIVE_SIDECARS: "true"
Additional Information
attempts to view certificates
istioctl proxy-config
Note the auto-allocated ip addresses used here via the ISTIO_META_DNS_AUTO_ALLOCATE setting.
The text was updated successfully, but these errors were encountered: