I have a sidecar that only allows egress traffic in the namespace it is deployed in. This also limits external calls. Is there a way to add an external host to the sidecar, something like:
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: egress-sidecar
  namespace: namespace
spec:
  workloadSelector:
    labels:
      app: target_app
  egress:
    - hosts:
        - "namespace/*"
        - "google.com/*"   # <--- something like this, this does not work
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
CodePudding user response:
I think you'll need at least a ServiceEntry (https://istio.io/latest/docs/reference/config/networking/service-entry/) for the external service (e.g. www.google.com) and then you can refer to it in the egress section of your Sidecar definition. Depending on which namespace you register the mentioned ServiceEntry in, you can define the following in the hosts section under the egress section of your Sidecar definition:
*/www.google.com (ServiceEntry anywhere in the Service Mesh)
./www.google.com (ServiceEntry in the same namespace as your Sidecar definition)
(https://istio.io/latest/docs/reference/config/networking/sidecar/#IstioEgressListener)
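As an added example (not part of the answer above, nor Istio's own documentation), here is a ServiceEntry and Sidecar pair that registers www.google.com in the same namespace as the Sidecar and references it with the `./` prefix. The namespace name `namespace` and the label `app: target_app` are taken from the question; the resource name `google-external`, the ports and the `exportTo` setting are assumptions for illustration.

```yaml
# ServiceEntry: adds www.google.com to Istio's service registry.
# With outboundTrafficPolicy REGISTRY_ONLY, a host that is not in the
# registry is sent to the BlackHoleCluster and the request fails.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google-external        # assumed name
  namespace: namespace         # same namespace as the Sidecar below
spec:
  hosts:
    - www.google.com
  location: MESH_EXTERNAL      # traffic leaves the mesh
  resolution: DNS              # resolve the host name at the sidecar
  exportTo:
    - "."                      # visible only inside this namespace; "*" exports it mesh-wide
  ports:
    - number: 443
      name: tls
      protocol: TLS            # HTTPS passthrough; the sidecar does not terminate TLS
    - number: 80
      name: http
      protocol: HTTP
---
# Sidecar: restricts the egress listener of pods labelled app=target_app
# to the namespace's own services plus the ServiceEntry above.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: egress-sidecar
  namespace: namespace
spec:
  workloadSelector:
    labels:
      app: target_app
  egress:
    - hosts:
        - "./*"                # every service in this namespace (same as "namespace/*" here)
        - "./www.google.com"   # the ServiceEntry registered in this namespace;
                               # use "*/www.google.com" if it is exported mesh-wide
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY        # keep the default-deny posture for everything else
```

After applying both manifests, confirm that the sidecar of a selected pod actually received an outbound cluster for the host with `istioctl proxy-config cluster <pod-name> -n namespace` and look for www.google.com in the output; if it is absent, the egress hosts entry and the ServiceEntry's namespace or exportTo do not line up and the call will still be black-holed. Keeping `exportTo: ["."]` limits the new egress permission to this namespace, which is the least-privilege choice when only `target_app` needs the external host.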