Istio can be configured to forbid the routing of addresses unknown to the mesh. Normally, if an application attempts to open a connection to an address that is unknown to the mesh, Istio would use DNS to resolve the address and execute the request. With the global.outboundTrafficPolicy mode option set to REGISTRY_ONLY, we can configure Istio to only allow connections to known addresses (that is, addresses for which a ServiceEntry is defined).
You can set outboundTrafficPolicy in OpenShift ServiceMesh by adding the following to ServiceMeshControlPlane:
spec:
  ...
  proxy:
    networking:
      trafficControl:
        outbound:
          policy: REGISTRY_ONLY
Once the policy is added, any external access from a pod in the mesh will get a 503 error unless you add a ServiceEntry for the external domain:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
  namespace: <namespace>
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
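To see what REGISTRY_ONLY means in practice, here is an added example (not part of the answer above and not Istio's own matching code) that approximates how a sidecar decides whether an outbound host:port is covered by a ServiceEntry; the `github-wildcard` entry and the list of destinations are constructed for the example.

```python
# Approximate REGISTRY_ONLY decision: a destination is reachable only if some
# ServiceEntry covers both its host (exact or "*." wildcard) and its port.
# Constructed registry: the httpbin-ext entry from above plus a hypothetical
# wildcard entry (assumption, not taken from the answer).
SERVICE_ENTRIES = [
    {
        "name": "httpbin-ext",
        "hosts": ["httpbin.org"],
        "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}],
    },
    {
        "name": "github-wildcard",  # hypothetical entry for the example
        "hosts": ["*.github.com"],
        "ports": [{"number": 443, "name": "https", "protocol": "TLS"}],
    },
]

def host_matches(pattern: str, host: str) -> bool:
    """ServiceEntry hosts are exact names or '*.suffix' wildcards.
    '*.github.com' covers api.github.com but not github.com itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keep the leading dot of the suffix
    return host == pattern

def is_allowed(host: str, port: int, entries=SERVICE_ENTRIES):
    """Return (allowed, entry name); (False, None) means the proxy blocks it."""
    for se in entries:
        if any(host_matches(h, host) for h in se["hosts"]) and \
           any(p["number"] == port for p in se["ports"]):
            return True, se["name"]
    return False, None

def audit(destinations, entries=SERVICE_ENTRIES):
    """Classify observed 'host:port' egress destinations against the registry."""
    report = {}
    for dest in destinations:
        host, _, port = dest.rpartition(":")
        report[dest] = is_allowed(host, int(port), entries)
    return report

if __name__ == "__main__":
    # Constructed sample of destinations as they might appear in proxy access logs.
    sample = ["httpbin.org:443", "httpbin.org:80", "api.github.com:443", "evil.example:443"]
    for dest, (ok, name) in audit(sample).items():
        print(f"{dest:22} {'ALLOW via ' + name if ok else 'BLOCK (no ServiceEntry)'}")
```

Note that httpbin.org:80 is blocked even though httpbin.org is registered, because the ServiceEntry only declares port 443.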
There are a few different ways you can enforce egress traffic as well.
More details:
- https://www.openshift.com/blog/design-considerations-at-the-edge-of-the-servicemesh (Designing Egress Traffic section)
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/