istio

1
apiVersion: release-notes/v2
2
kind: bug-fix
3
area: traffic-management
4
issue:
5
- 29940
6
upgradeNotes:
7
  - title: Inbound Forwarding Configuration
8
    content: |
9
      The behavior of inbound forwarding will be modified in the near future. While this change is not enabled
10
      by default in Istio 1.10, it can be enabled today by configuring the `PILOT_ENABLE_INBOUND_PASSTHROUGH=true` environment
11
      variable in Istiod.
12

13
      Previously, requests would be forwarded to `localhost`. This leads to two important differences compared to running applications
14
      without Istio:
15

16
      * Applications that bind to `localhost` will be exposed to external pods.
17
      * Applications that bind to `<POD_IP>` will not be exposed to external pods.
18

19
      The latter is a common source of friction when adopting Istio, in particular with stateful services where this is common.
20

21
      The new behavior instead forwards the request as is. This matches the behavior a user would see without Istio installed.
22
      However, as a result, applications that have come to rely on `localhost` being exposed externally by Istio, may stop working.
23

24
      The [check-binds.sh](https://gist.github.com/howardjohn/edcdbe5a85ae2e5ba7809739bd55c566) script can be used to detect what binds your applications are using.
25

26
      Regardless of Istio version, the behavior can be explicitly controlled by the `Sidecar`.
27
      For example, to configure the 9080 port to explicitly be sent to localhost:
28

29
      ```yaml
30
      apiVersion: networking.istio.io/v1beta1
31
      kind: Sidecar
32
      metadata:
33
        name: ratings
34
        spec:
35
          workloadSelector:
36
            labels:
37
              app: ratings
38
              ingress:
39
                - port:
40
                  number: 9080
41
                  protocol: HTTP
42
                  name: http
43
                  defaultEndpoint: 127.0.0.1:9080
44
                ```
45

46