Cluster local services

[sbarzowski]

Can we have Services which are reachable only from within the cluster? It is sometimes useful to have a helper service and exposing it to the outside world may be a security issue. It may be also useful for putting a proxy service in front of the "real services".

@tcnghia

BTW I'd be happy to help with this, but I'm sort of new to k8s world, and very new to knative / istio stuff, so I would need some guidance on how to approach it.

[sbarzowski]

My understanding is that it mostly boils down to not including knative-shared-gateway.knative-serving.svc.cluster.local in VirtualService associated with the service. Probably also it's worth it to remove the public hostname for a cluster-local service for clarity.

Can someone confirm?

[tcnghia]

@sbarzowski that would be part of it, which will make it:
(1) possible to connect to route.ns.svc.cluster.local from a pod with Istio sidecar injected.
(2) not possible to connect through knative-ingressgateway public IP.

however, that also (3) make it not possible to connect to route.ns.svc.cluster.local from a pod without sidecar injected. we currently make those requests go through knative-ingressgateway through the use of an ExternalName service.

I think we could implement this first by doing what you suggest and find a way to solve (3) after.

[tcnghia]

This is now tracked in #2127, which is planned to be part of Knative 0.3