
TIS1003 - OutboundTrafficPolicy with Empty Mode Value Is Ambiguous

Because of an Istio limitation, an OutboundTrafficPolicy whose mode value is empty is ambiguous: it may be interpreted as either ALLOW_ANY or REGISTRY_ONLY. The mode value needs to be defined explicitly to avoid confusion.

Recommendation: Ensure OutboundTrafficPolicy Is Explicitly Set

To avoid ambiguity and ensure consistent behavior, explicitly set the outboundTrafficPolicy mode in the Sidecar resource to either ALLOW_ANY or REGISTRY_ONLY based on your traffic control requirements.

Examples

  1. Sidecar Resource with Ambiguous OutboundTrafficPolicy

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: my-sidecar
      namespace: example-namespace
    spec:
      egress:
      - hosts:
        - "*/*"
      outboundTrafficPolicy: {}

    Explanation: The outboundTrafficPolicy field is defined but has an empty value, which causes ambiguity regarding the policy's mode. Istio may interpret this as either ALLOW_ANY (allowing outbound traffic to any destination) or REGISTRY_ONLY (restricting traffic to known destinations in the service registry). This ambiguity can lead to inconsistent behavior and unintentional access issues.

Recommendation

Correct the outboundTrafficPolicy in the Sidecar resource by explicitly setting the mode.

  1. Set Explicit Mode for OutboundTrafficPolicy

    To avoid ambiguity, set the outboundTrafficPolicy mode to either ALLOW_ANY or REGISTRY_ONLY based on your intended traffic policy.

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: my-sidecar
      namespace: example-namespace
    spec:
      egress:
      - hosts:
        - "*/*"
      outboundTrafficPolicy:
        mode: ALLOW_ANY

    Explanation: Setting the outboundTrafficPolicy mode to ALLOW_ANY clearly specifies that the sidecar should allow outbound traffic to any destination, removing any ambiguity. Alternatively, you can set the mode to REGISTRY_ONLY if you want to restrict outbound traffic to registered services.

  2. Example with REGISTRY_ONLY Mode

    If you intend to restrict outbound traffic, set the mode to REGISTRY_ONLY.

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: my-sidecar
      namespace: example-namespace
    spec:
      egress:
      - hosts:
        - "*/*"
      outboundTrafficPolicy:
        mode: REGISTRY_ONLY

    Explanation: Setting the outboundTrafficPolicy mode to REGISTRY_ONLY ensures that the sidecar only allows outbound traffic to services that are explicitly registered in the service registry. This is the more restrictive of the two modes and prevents workloads from reaching unknown external destinations.
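The following script is an added example, not part of the TIS documentation or the TIS checker itself. It applies the TIS1003 condition described above (an outboundTrafficPolicy that is present but carries no explicit mode) to decoded Sidecar manifests, and additionally flags a mode value outside the two documented options. The sample manifests are constructed from the YAML on this page; the `kubectl get sidecars -A -o json` input shape (a List with `items`) is an assumption about how it would be fed in practice.

```python
import json
import sys

# Constructed samples: the decoded form of the Sidecar manifests shown on this page.
SIDECAR_AMBIGUOUS = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "Sidecar",
    "metadata": {"name": "my-sidecar", "namespace": "example-namespace"},
    "spec": {"egress": [{"hosts": ["*/*"]}], "outboundTrafficPolicy": {}},
}
SIDECAR_EXPLICIT = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "Sidecar",
    "metadata": {"name": "my-sidecar", "namespace": "example-namespace"},
    "spec": {"egress": [{"hosts": ["*/*"]}],
             "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}},
}

VALID_MODES = {"ALLOW_ANY", "REGISTRY_ONLY"}


def check_sidecar(resource):
    """Return a list of finding strings for one decoded Sidecar manifest.

    Flags an outboundTrafficPolicy that is defined but has no usable mode
    ({} , null or "") - the TIS1003 condition - and, as an extra check
    beyond the page, any mode outside the two documented values.
    An absent field is not flagged: the mesh-wide default applies then.
    """
    if resource.get("kind") != "Sidecar":
        return []
    meta = resource.get("metadata") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = resource.get("spec") or {}
    if "outboundTrafficPolicy" not in spec:
        return []
    policy = spec["outboundTrafficPolicy"]
    mode = policy.get("mode") if isinstance(policy, dict) else None
    if mode in (None, ""):
        return [f"TIS1003 {ident}: outboundTrafficPolicy has no explicit mode; "
                "set mode to ALLOW_ANY or REGISTRY_ONLY"]
    if mode not in VALID_MODES:
        return [f"TIS1003 {ident}: unknown outboundTrafficPolicy mode {mode!r}"]
    return []


def check_manifests(resources):
    """Run check_sidecar over a sequence of decoded manifests."""
    return [f for r in resources for f in check_sidecar(r)]


if __name__ == "__main__":
    # Assumed input: `kubectl get sidecars -A -o json` on stdin; otherwise the samples run.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": [SIDECAR_AMBIGUOUS, SIDECAR_EXPLICIT]}
    for finding in check_manifests(data.get("items", [data])):
        print(finding)
```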