# External Services

By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use <i>iptables</i> to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.

See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for
information on configuring Istio to contact external services.

This directory contains samples showing how to enable pods to contact a few
well-known services.

If Istio is not configured to allow pods to contact external services, the pods will
see errors such as 404s, HTTPS connection problems, and TCP connection problems. If
ServiceEntries are misconfigured, pods may see problems with server names.

## Try it out

After an operator runs `kubectl create -f aptget.yaml` pods will be able to
succeed with `apt-get update` and `apt-get install`.

After an operator runs `kubectl create -f github.yaml` pods will be able to
succeed with `git clone https://github.com/fortio/fortio.git`.

Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`.

It is not a best practice to enable pods to update libraries dynamically.
We are providing these samples because they have proven to be helpful with
interactive troubleshooting. Security-minded clusters should only allow traffic
to service dependencies such as cloud services.

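For a cluster that allows only specific dependencies, a ServiceEntry can be scoped to one host, one port and one namespace. The manifest below is an added example, not one of the sample files in this directory; the `networking.istio.io/v1alpha3` API version with `exportTo` support, the resource name and the `build-tools` namespace are assumptions.

```yaml
# Added example: a narrowly scoped ServiceEntry, not one of the sample files.
# Assumptions: the networking.istio.io/v1alpha3 API with exportTo support,
# and a hypothetical namespace "build-tools".
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: github-https-only     # hypothetical resource name
  namespace: build-tools      # hypothetical namespace that needs git over HTTPS
spec:
  hosts:
  - github.com                # exact host name, no wildcard
  exportTo:
  - "."                       # visible only to workloads in this namespace
  location: MESH_EXTERNAL     # the service lives outside the mesh
  resolution: DNS             # the proxy resolves the host name itself
  ports:
  - number: 443               # HTTPS only; ports 80 and 22 are not opened
    name: tls
    protocol: TLS             # routed on the SNI server name, not terminated
```

Because only port 443 is listed, plain HTTP and SSH to this host stay blocked as long as the mesh does not allow external traffic by default.
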
### Enable communication by default

[This note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique
discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will
allow external communication for ports 80 and 22.