By default the Istio sidecar intercepts all outbound traffic from your cluster's pods and, with no egress rules defined, blocks it (including access to
Google APIs). To enable all outbound network access, for example to connect to
Google Cloud services such as Cloud Storage or external APIs, you need
to set the correct scope of the proxy IP range by editing the config-network ConfigMap in the knative-serving namespace, as described below.
This assumes that you have set up the gcloud and kubectl command line tools following the setup instructions.
Enabling all outbound network access
The following instructions apply only to cluster versions older than cluster
1.12-based clusters), or older than
1.11-based clusters). Older cluster versions require you
to enable outbound traffic to all IP addresses on the internet. Be aware that this lets your
applications connect to any endpoint, including potentially untrusted ones, and that traffic which bypasses the sidecar is never seen by Istio, so no egress rule, policy or telemetry applies to it.
Determining the IP scope of your cluster
To set the correct scope, you need to determine the current IP ranges of your cluster. The scope varies depending on your cluster configuration.
Invoke the command to determine the scope:
gcloud container clusters describe [CLUSTER_NAME] \
  | grep -e clusterIpv4Cidr -e servicesIpv4Cidr
Replace [CLUSTER_NAME] with your cluster name. You must supply the cluster name even if you have set it as the default cluster for gcloud. If you haven't set your default zone as shown in the prerequisites section, you must also pass the
--zone=[ZONE] parameter after the cluster name, replacing [ZONE] with your cluster's zone.
Note the IP ranges in the output, which look similar to this:
...
clusterIpv4Cidr: 10.8.0.0/14
servicesIpv4Cidr: 10.11.240.0/20
...
To enable all outbound access you join these two ranges with a comma, as described in the next section.
Setting the IP scope
The istio.sidecar.includeOutboundIPRanges parameter in the config-network
ConfigMap specifies the IP ranges whose traffic the Istio sidecar intercepts. To allow
outbound access, replace the default parameter value with the IP ranges of your
cluster that you obtained in the previous steps:
Run the following command to edit the config-network ConfigMap:
kubectl edit configmap config-network --namespace knative-serving
Use an editor of your choice to change the
istio.sidecar.includeOutboundIPRanges parameter value from * to the IP ranges you obtained in the previous steps. Separate multiple IP entries with a comma. For example:
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  istio.sidecar.includeOutboundIPRanges: '10.16.0.0/14,10.19.240.0/20'
kind: ConfigMap
metadata:
  ...
When you set the parameter to a valid set of IP address ranges, Istio intercepts only traffic to those ranges: connections to IP addresses outside them leave the pod without passing through the sidecar, so you don't need to specify any egress rules for them. The flip side is that such traffic is invisible to Istio, so no egress rule, policy or telemetry applies to it; because the ranges are the cluster's own pod and service CIDRs, cluster-internal traffic still stays inside the mesh.
If you omit the istio.sidecar.includeOutboundIPRanges parameter or set it
to '', the value of the global.proxy.includeIPRanges parameter provided
at Istio deployment time will be used: this value is
Note that if an invalid value is used, '' will be used instead.
Save your changes. Any change is automatically picked up and used for all deployed revisions.
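The procedure above (determine the cluster's two CIDRs, join them, and write them into the config-network ConfigMap), as an added example that is not code from the Knative project: a Python script that extracts the ranges from saved `gcloud container clusters describe` output, applies the validation the text describes for the ConfigMap value (a malformed entry makes the whole value fall back to ''), and prints the non-interactive `kubectl patch` equivalent of the `kubectl edit` step. The describe excerpt is constructed sample data with a made-up cluster name; how strictly Istio parses each CIDR is an assumption noted in the code.

```python
"""Derive and apply istio.sidecar.includeOutboundIPRanges for the config-network ConfigMap.

Added example for this page, not code from the Knative project. It assumes the
describe output layout shown in the text and that `kubectl patch --type merge`
is an acceptable substitute for editing the key interactively.
"""
import ipaddress
import json
import re
import shlex
import sys
from typing import List

# Constructed excerpt of `gcloud container clusters describe [CLUSTER_NAME]`;
# the cluster name is made up and the real output has many more fields.
SAMPLE_DESCRIBE = """\
addonsConfig:
  httpLoadBalancing: {}
clusterIpv4Cidr: 10.8.0.0/14
name: example-cluster
servicesIpv4Cidr: 10.11.240.0/20
status: RUNNING
"""

CIDR_KEYS = ("clusterIpv4Cidr", "servicesIpv4Cidr")
CONFIGMAP_KEY = "istio.sidecar.includeOutboundIPRanges"


def cluster_cidrs(describe_output: str) -> List[str]:
    """Extract the pod and service CIDRs (what the grep in the text shows you)."""
    found = {}
    for line in describe_output.splitlines():
        m = re.match(r"^\s*(clusterIpv4Cidr|servicesIpv4Cidr):\s*(\S+)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    missing = [k for k in CIDR_KEYS if k not in found]
    if missing:
        raise ValueError("describe output lacks %s; check the cluster name and --zone" % missing)
    return [found[k] for k in CIDR_KEYS]


def effective_include_ranges(value: str) -> str:
    """Approximate how the ConfigMap value is interpreted, per the text:
    '*' intercepts everything, '' defers to Istio's global setting, a
    comma-separated list of CIDRs is used as given, and any malformed entry
    makes the whole value degrade to ''. Assumption: an entry is valid when it
    parses as an IP network; host bits set in the prefix are tolerated."""
    value = value.strip()
    if value in ("*", ""):
        return value
    entries = [e.strip() for e in value.split(",")]
    try:
        for entry in entries:
            ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return ""
    return ",".join(entries)


def include_ranges_from_describe(describe_output: str) -> str:
    """Join the two cluster ranges with a comma; refuse to emit a value that would be discarded."""
    value = ",".join(cluster_cidrs(describe_output))
    if effective_include_ranges(value) != value:
        raise ValueError("computed value %r would be rejected and fall back to ''" % value)
    return value


def kubectl_patch_command(value: str, namespace: str = "knative-serving") -> List[str]:
    """Non-interactive equivalent of changing the key in `kubectl edit configmap config-network`."""
    patch = {"data": {CONFIGMAP_KEY: value}}
    return ["kubectl", "patch", "configmap", "config-network", "--namespace", namespace,
            "--type", "merge", "-p", json.dumps(patch)]


if __name__ == "__main__":
    # Read real describe output from a pipe, otherwise demonstrate on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE
    print(shlex.join(kubectl_patch_command(include_ranges_from_describe(text))))
```

Pipe the real output in with `gcloud container clusters describe [CLUSTER_NAME] --zone=[ZONE] | python3 this_script.py` and run the printed kubectl command once you have checked it; the script deliberately only prints it.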
Troubleshooting outbound networking issues
If you experience trouble making calls outside your cluster, verify that the
policy was applied to the pod running your service by checking the metadata on
the pod. Verify that the traffic.sidecar.istio.io/includeOutboundIPRanges
annotation matches the expected value from the config-network ConfigMap.
Make sure there is a pod running, because pods can scale to zero:
curl -H "Host: helloworld-go.default.example.com" http://35.203.155.229
Replace the host URL and IP address with your own URL and the cluster's IP address. If you don't know how to locate the cluster's IP address, see the instructions in Accessing your deployed service.
Within 5 minutes, invoke this command to get the list of available pods:
kubectl get pods
From the output of the get pods command, locate the pod associated with your service: its name will start with the name of your service.
Use that pod name in the following command to retrieve the metadata and see the labels applied.
kubectl get pod [POD_NAME] --output yaml
Replace [POD_NAME] with your pod name. See the pod documentation for more information on pods.
You should see a result similar to this:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    serving.knative.dev/configurationGeneration: "2"
    sidecar.istio.io/inject: "true"
    ...
    traffic.sidecar.istio.io/includeOutboundIPRanges: 10.16.0.0/14,10.19.240.0/20
  ...
The line starting with traffic.sidecar.istio.io/includeOutboundIPRanges has the most important information: if it is missing or differs from the ConfigMap value, the pod is not running with the scope you configured.
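The troubleshooting check above, as an added example that is not code from the Knative project: a Python script that reads the annotation out of saved `kubectl get pod -o yaml` output, compares it with the value you set in the config-network ConfigMap, and, given that annotation, reports whether a connection to a particular destination IP is intercepted by the sidecar or leaves the pod unproxied. The pod YAML excerpt and pod name are constructed from the shape of the output shown above.

```python
"""Check a pod's Istio outbound-range annotation against the config-network value.

Added example for this page, not code from the Knative project. It assumes the
`kubectl get pod -o yaml` layout shown above; the sample pod is constructed.
"""
import ipaddress
import re
from typing import List, Optional

ANNOTATION = "traffic.sidecar.istio.io/includeOutboundIPRanges"

# Constructed excerpt of `kubectl get pod [POD_NAME] --output yaml`; the pod
# name is made up and the real object has many more fields.
SAMPLE_POD_YAML = """\
apiVersion: v1
kind: Pod
metadata:
  annotations:
    serving.knative.dev/configurationGeneration: "2"
    sidecar.istio.io/inject: "true"
    traffic.sidecar.istio.io/includeOutboundIPRanges: 10.16.0.0/14,10.19.240.0/20
  labels:
    serving.knative.dev/service: helloworld-go
  name: helloworld-go-00002-deployment-5b7c9d8f6-abcde
"""


def _split_ranges(value: str) -> List[str]:
    return [e.strip() for e in value.split(",") if e.strip()]


def pod_annotation(pod_yaml: str, key: str = ANNOTATION) -> Optional[str]:
    """Return the annotation's value (surrounding quotes stripped) or None if absent.
    A line-oriented scan is enough for `kubectl get -o yaml` output and avoids
    a PyYAML dependency."""
    pat = re.compile(r"^\s+" + re.escape(key) + r":\s*(.*?)\s*$")
    for line in pod_yaml.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1).strip("'\"")
    return None


def annotation_matches(pod_yaml: str, configmap_value: str) -> bool:
    """True when the pod carries exactly the ranges configured in config-network.
    A missing or different value means this pod is not running with the scope
    you set (the rollout has not reached it, or no sidecar was injected)."""
    actual = pod_annotation(pod_yaml)
    return actual is not None and _split_ranges(actual) == _split_ranges(configmap_value)


def sidecar_intercepts(include_ranges: str, dest_ip: str) -> bool:
    """Will the sidecar capture a connection to dest_ip under this annotation?
    '*' captures everything; otherwise only destinations inside the listed
    CIDRs go through Istio and everything else leaves the pod unproxied, with
    no egress rule, policy or telemetry applied."""
    include_ranges = include_ranges.strip()
    if include_ranges == "*":
        return True
    if include_ranges == "":
        raise ValueError("'' defers to Istio's global.proxy.includeIPRanges; pass that value instead")
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in _split_ranges(include_ranges))


if __name__ == "__main__":
    cm_value = "10.16.0.0/14,10.19.240.0/20"  # what you set in the ConfigMap
    print("annotation matches ConfigMap:", annotation_matches(SAMPLE_POD_YAML, cm_value))
    for dest in ("10.17.3.4", "203.0.113.5"):
        print(dest, "intercepted" if sidecar_intercepts(cm_value, dest) else "bypasses sidecar")
```

Feed it the real output with `kubectl get pod [POD_NAME] --output yaml` saved to a file, and treat a False from `annotation_matches` as the signal to wait for the rollout or recreate the pod before digging into egress rules.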