@howardjohn
Last active July 25, 2022 18:28
This script checks for the binds configured for applications in an Istio mesh, and determines which ports need custom configuration (both in the current Istio version, and potential future changes)
#!/usr/bin/env bash
# This script determines how applications in the mesh and exposed by a Service bind.
# Dependencies on host: kubectl, istioctl, jq.
# Dependencies on mesh: distroless is not supported, ipv6 untested. This script supports only Istio 1.8.1+.
# This will `exec` into the proxy, but only run ss, so it should be suitable to run in a live cluster.
#
# In Istio 1.9, localhost and wildcard binds are supported out of the box. A bind to POD_IP can be enabled
# with a custom Sidecar.
# In future versions of Istio, we may change this to support wildcard and POD_IP binds out of the box, and
# localhost binds requiring a custom Sidecar. This matches the behavior of Kubernetes without Istio.
# This script attempts to determine whether any pods in the mesh will be impacted.
# * red: "localhost bind" result indicates the pod will stop working without additional configuration
# * green: "wildcard bind" result indicates no changes will occur
# * yellow: "bind not found" likely means your Service exposes a non-existent port (or this script is broken)
# * blue: "other bind found" likely means either: you have already created a custom Sidecar for this port, the port does not work, or the script had an issue
# Example output:
# Checking cassandra-1611606400-0/default...
# Port 7000: other bind found (10.36.2.100)
# Port 7001: bind not found
# Port 7199: localhost bind
# Port 8080: bind not found
# Port 9042: wildcard bind
# Port 9160: wildcard bind
red='\x1B[0;31m'
blue='\x1B[0;34m'
green='\x1B[0;32m'
yellow='\x1B[0;33m'
clr='\x1B[0m'
# Every pod with an injected sidecar carries the tlsMode=istio label; list them as name/namespace.
pods="$(kubectl get pods -l security.istio.io/tlsMode=istio -A --template '{{range .items}}{{.metadata.name}}/{{.metadata.namespace}}{{"\n"}}{{end}}')"
code=0
for pod in $pods; do
  name="${pod%/*}"
  ns="${pod#*/}"
  echo "Checking ${name}/${ns}..."
  # Inbound cluster names have the form inbound|PORT||, so field 2 is the Service port.
  ports="$(istioctl proxy-config cluster "${name}.${ns}" --direction=inbound -ojson | jq -r '.[].name' | cut -d'|' -f2)"
  # Only `ss` runs inside the pod; the "Local Address:Port" column is extracted locally.
  listeners="$(kubectl exec "${name}" -n "${ns}" -c istio-proxy -- ss -ltn | awk '{print $4}')"
  for port in ${ports}; do
    # Anchor on ":PORT" at the end of the field so that port 80 does not match 8080 or 15001,
    # then strip the port; this keeps bracketed IPv6 addresses whole (cut -d: -f1 would not).
    addr="$(<<<"${listeners}" grep -E ":${port}\$" | head -n1)"
    bind="${addr%:*}"
    # ss prints the IPv6 wildcard as "*" (or "[::]") and the IPv6 loopback as "[::1]".
    case "${bind}" in
      "")
        echo -e " ${yellow}Port ${port}: bind not found${clr}";;
      '*' | "0.0.0.0" | "[::]")
        echo -e " ${green}Port ${port}: wildcard bind${clr}";;
      "127.0.0.1" | "[::1]" | "[::ffff:127.0.0.1]")
        echo -e " ${red}Port ${port}: localhost bind${clr}"
        code=1
        ;;
      *)
        echo -e " ${blue}Port ${port}: other bind found (${bind})${clr}";;
    esac
  done
done
exit $code
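As an added example that is not part of this gist: the same bind classification run offline against a constructed `ss -ltn` sample, so the matching rules (an anchored port match, and the IPv4 and IPv6 forms of loopback and wildcard) can be checked without a cluster or an istioctl install. The function names classify_bind and check_ports, and the sample ss output, are assumptions made here, not anything from the gist.

```shell
#!/usr/bin/env bash
# Added example: classify application binds the way the gist does, but offline.

# Constructed sample of what `ss -ltn` prints inside a sidecar-injected pod
# (the 15001 listener is Envoy's own; the rest stand in for application binds).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:15001             0.0.0.0:*
LISTEN  0       4096    127.0.0.1:7199            0.0.0.0:*
LISTEN  0       4096    10.36.2.100:7000          0.0.0.0:*
LISTEN  0       4096    *:9042                    *:*
LISTEN  0       4096    [::1]:9160                [::]:*
LISTEN  0       4096    [::ffff:127.0.0.1]:8443   [::]:*
LISTEN  0       4096    0.0.0.0:8080              0.0.0.0:*'

# classify_bind PORT [SS_OUTPUT]
# Prints one of: wildcard | localhost | not-found | other:<addr>
classify_bind() {
  local port="$1" ss_out="${2:-$SAMPLE_SS}" local_addr bind
  # Column 4 is "Local Address:Port". Anchor on ":PORT" at the end of the field
  # so that port 80 does not match 8080 or 15001 (a plain substring grep would).
  local_addr="$(printf '%s\n' "$ss_out" | awk '{print $4}' | grep -E ":${port}\$" | head -n1)"
  if [ -z "$local_addr" ]; then
    echo "not-found"
    return 0
  fi
  # Strip the trailing :PORT only; bracketed IPv6 addresses stay intact,
  # whereas `cut -d: -f1` would reduce "[::1]:9160" to "[".
  bind="${local_addr%:*}"
  case "$bind" in
    '*' | "0.0.0.0" | "[::]")
      echo "wildcard" ;;
    "127.0.0.1" | "[::1]" | "[::ffff:127.0.0.1]")
      echo "localhost" ;;
    *)
      echo "other:${bind}" ;;
  esac
}

# check_ports PORT...
# Reports every port and returns 1 if any of them is a localhost bind,
# mirroring the gist's exit code.
check_ports() {
  local rc=0 port result
  for port in "$@"; do
    result="$(classify_bind "$port")"
    echo "Port ${port}: ${result}"
    if [ "$result" = "localhost" ]; then
      rc=1
    fi
  done
  return "$rc"
}

# Ports a Service might expose for the sample pod, including ones with no listener.
if check_ports 7000 7001 7199 80 8080 9042 9160 8443; then
  echo "no localhost binds: no Sidecar changes needed"
else
  echo "localhost bind found: the real script would exit 1"
fi
```

Pass a second argument to classify_bind to feed it real `ss -ltn` output captured from a pod instead of the constructed sample.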