I need to strictly control all traffic from the applications in a K8S namespace to external sites. Since the K8S NetworkPolicy object only allows specifying target IP addresses, we prefer to use Istio to manage outgoing traffic, so that we can configure external services by hostname instead of by CIDR. In addition, we have an enterprise-wide proxy that must be used for all traffic to the internet.
Following https://istio.io/latest/docs/tasks/traffic-management/egress/http-proxy/ we can arrange that a pod's sidecar (with the correct environment variables HTTP_PROXY etc. set) reaches the internet through the corporate proxy. This means the communication POD --> sidecar --> proxy --> external site works. However, in this case the Istio egress gateway is bypassed.
But what we need is the following communication path: POD --> sidecar --> Istio egress gateway --> proxy --> external site.
The current setup is as follows:
proxy.int.xxx.zz:8080
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: proxylb
spec:
  hosts:
  - proxy.int.xxx.zz
  ports:
  - number: 8080
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: orf
spec:
  hosts:
  - www.orf.at
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - edition.cnn.com
    - www.orf.at
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - edition.cnn.com
    - www.orf.at
    tls:
      mode: PASSTHROUGH
  - port:
      number: 8080
      name: tcp
      protocol: TCP
    hosts:
    - proxy.int.xxx.zz
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-egressgateway
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn
  - name: orf
  - name: proxylb
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - edition.cnn.com
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 443
      weight: 100
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 80
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-orf-through-egress-gateway
spec:
  hosts:
  - www.orf.at
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.orf.at
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: orf
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - www.orf.at
    route:
    - destination:
        host: www.orf.at
        port:
          number: 443
      weight: 100
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: orf
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: www.orf.at
        port:
          number: 80
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-proxylb-through-egress-gateway
spec:
  hosts:
  - proxy.int.xxx.zz
  gateways:
  - mesh
  - istio-egressgateway
  tcp:
  - match:
    - gateways:
      - mesh
      port: 8080
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: proxylb
        port:
          number: 8080
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 8080
    route:
    - destination:
        host: proxy.int.xxx.zz
        port:
          number: 8080
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: trilateral
spec:
  egress:
  - hosts:
    - "./*"
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
However, when running curl we get:
curl -k -I https://istio.io
curl: (56) Recv failure: Connection reset by peer
Should this setup work? What is missing?
Many thanks in advance for any hints.
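As an added example (not code from the question above and not part of Istio), the Python below renders the objects in the question as plain dicts and checks the agreement a two-hop egress path needs: every mesh-side route into the gateway names a subset that exists in the DestinationRule and a Gateway server for that host and port; every gateway-side route targets a host and port that have a ServiceEntry; and it reports where the gateway's second hop forwards to the external site directly rather than to the proxy host. explain() additionally describes the path a sidecar gives a host:port, which for a host with no ServiceEntry under REGISTRY_ONLY is a blackhole, one explanation consistent with the reset seen in the question since istio.io appears in none of the ServiceEntry objects. The names MANIFESTS, lint, explain, index and the helpers are this example's own, and the dict rendering is reduced (names and selector omitted) but mirrors the hosts, ports, subsets and routes of the question.

```python
"""Consistency checks for an Istio egress-gateway configuration.

Added example, not code from the question or from Istio. MANIFESTS is a constructed,
reduced Python-dict rendering of the question's objects so the checks run offline
without a YAML library or a cluster; the helper names are this example's own.
"""

EGRESS_SVC = "istio-egressgateway.istio-system.svc.cluster.local"
EGRESS_GW = "istio-egressgateway"
SECTIONS = ("tls", "http", "tcp")

def service_entry(name, host, ports):
    return {"kind": "ServiceEntry", "metadata": {"name": name},
            "spec": {"hosts": [host], "resolution": "DNS",
                     "ports": [{"number": n, "protocol": p} for n, p in ports]}}

def two_hop_vs(name, host, subset, sections):
    """The mesh -> egress gateway -> host rule pair the question uses, per section."""
    spec = {"hosts": [host], "gateways": ["mesh", EGRESS_GW]}
    for section, port in sections.items():
        spec[section] = [
            {"match": [{"gateways": ["mesh"], "port": port}],
             "route": [{"destination": {"host": EGRESS_SVC, "subset": subset, "port": {"number": port}}}]},
            {"match": [{"gateways": [EGRESS_GW], "port": port}],
             "route": [{"destination": {"host": host, "port": {"number": port}}}]}]
    return {"kind": "VirtualService", "metadata": {"name": name}, "spec": spec}

MANIFESTS = [  # constructed; mirrors the ServiceEntry/Gateway/DestinationRule/VirtualService/Sidecar objects
    service_entry("proxylb", "proxy.int.xxx.zz", [(8080, "TCP")]),
    service_entry("cnn", "edition.cnn.com", [(80, "HTTP"), (443, "TLS")]),
    service_entry("orf", "www.orf.at", [(80, "HTTP"), (443, "TLS")]),
    {"kind": "Gateway", "metadata": {"name": EGRESS_GW}, "spec": {"servers": [
        {"port": {"number": 80, "protocol": "HTTP"}, "hosts": ["edition.cnn.com", "www.orf.at"]},
        {"port": {"number": 443, "protocol": "TLS"}, "hosts": ["edition.cnn.com", "www.orf.at"],
         "tls": {"mode": "PASSTHROUGH"}},
        {"port": {"number": 8080, "protocol": "TCP"}, "hosts": ["proxy.int.xxx.zz"]}]}},
    {"kind": "DestinationRule", "metadata": {"name": EGRESS_GW},
     "spec": {"host": EGRESS_SVC, "subsets": [{"name": "cnn"}, {"name": "orf"}, {"name": "proxylb"}]}},
    two_hop_vs("direct-cnn-through-egress-gateway", "edition.cnn.com", "cnn", {"tls": 443, "http": 80}),
    two_hop_vs("direct-orf-through-egress-gateway", "www.orf.at", "orf", {"tls": 443, "http": 80}),
    two_hop_vs("direct-proxylb-through-egress-gateway", "proxy.int.xxx.zz", "proxylb", {"tcp": 8080}),
    {"kind": "Sidecar", "metadata": {"name": "trilateral"},
     "spec": {"egress": [{"hosts": ["./*"]}], "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"}}},
]

def index(manifests):
    """Collect registered host:port pairs, gateway servers, egress subsets, outbound mode and VSs."""
    idx = {"registry": set(), "servers": set(), "subsets": set(), "mode": "ALLOW_ANY", "vs": []}
    for m in manifests:
        kind, spec = m["kind"], m["spec"]
        if kind == "ServiceEntry":
            idx["registry"].update((h, p["number"]) for h in spec["hosts"] for p in spec["ports"])
        elif kind == "Gateway":
            idx["servers"].update((h, s["port"]["number"]) for s in spec["servers"] for h in s["hosts"])
        elif kind == "DestinationRule" and spec["host"] == EGRESS_SVC:
            idx["subsets"].update(s["name"] for s in spec.get("subsets", []))
        elif kind == "Sidecar":
            idx["mode"] = spec.get("outboundTrafficPolicy", {}).get("mode", "ALLOW_ANY")
        elif kind == "VirtualService":
            idx["vs"].append(m)
    return idx

def rules(vs):  # yields (gateways, port, destination) per rule; first match and route only
    for section in SECTIONS:
        for rule in vs["spec"].get(section, []):
            yield rule["match"][0]["gateways"], rule["match"][0]["port"], rule["route"][0]["destination"]

def lint(manifests, proxy_host):
    """Return findings about the egress path; an empty list means the objects agree."""
    idx, findings = index(manifests), []
    for vs in idx["vs"]:
        name, hosts = vs["metadata"]["name"], vs["spec"]["hosts"]
        for gateways, port, dest in rules(vs):
            if "mesh" in gateways and dest["host"] == EGRESS_SVC:      # hop 1: sidecar -> gateway
                if dest.get("subset") not in idx["subsets"]:
                    findings.append(f"{name}: subset {dest.get('subset')!r} missing from DestinationRule")
                findings += [f"{name}: Gateway has no server for {h}:{port}"
                             for h in hosts if (h, port) not in idx["servers"]]
            elif EGRESS_GW in gateways:                                  # hop 2: gateway -> outside
                if (dest["host"], port) not in idx["registry"]:
                    findings.append(f"{name}: no ServiceEntry for {dest['host']}:{port}")
                if proxy_host not in hosts and dest["host"] != proxy_host:
                    findings.append(f"{name}: gateway forwards {dest['host']}:{port} directly, not via {proxy_host}")
    return findings

def explain(manifests, host, port):
    """Describe the path a sidecar gives host:port under this configuration."""
    idx = index(manifests)
    if (host, port) not in idx["registry"]:
        if idx["mode"] == "REGISTRY_ONLY":
            return f"blocked: no ServiceEntry for {host}:{port} and the Sidecar is REGISTRY_ONLY"
        return f"direct: {host}:{port} leaves the sidecar unmanaged (ALLOW_ANY)"
    for vs in idx["vs"]:
        if host in vs["spec"]["hosts"]:
            hops = {tuple(g): d for g, p, d in rules(vs) if p == port}
            first, second = hops.get(("mesh",), {}), hops.get((EGRESS_GW,), {})
            if first.get("host") == EGRESS_SVC:
                return f"sidecar -> egress gateway (subset {first.get('subset')}) -> {second.get('host', '?')}:{port}"
    return f"sidecar -> {host}:{port} (ServiceEntry only, no route through the gateway)"
```

Running lint(MANIFESTS, "proxy.int.xxx.zz") on the objects as posted yields no missing subset, server or ServiceEntry, but four findings that the gateway's second hop for edition.cnn.com and www.orf.at goes to the site directly rather than to proxy.int.xxx.zz; explain(MANIFESTS, "istio.io", 443) reports the host as blocked by REGISTRY_ONLY. Dropping the DestinationRule from the list makes every mesh-side hop fail the subset check, which is the kind of drift the lint is meant to catch when objects are applied separately.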
Has your problem been solved? I am in the same situation as you.
Thank you, and have a nice day.