LocalhostListener

Message NameLocalhostListener
Message CodeIST0143
DescriptionA port exposed in a Service is bound to a localhost address
LevelError

This message occurs when a workload is listening on a localhost network interface, but the port is exposed in the Service. When this occurs, the port will not be accessible to other pods.

This check is primarily added to detect workloads on older Istio versions that may break when upgrading to Istio 1.10 or later. This behavior matches what would occur in a standard Kubernetes cluster without Istio, but older versions of Istio exposed these ports.

Because this check relies on privileged runtime checks, it is not included in the standard istioctl analyze. Instead, it is included during installation and upgrade checks from istioctl experimental precheck.

An example

Consider a Service, selecting a Pod running the command nc localhost 8080 -l:

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: netcat
  5. spec:
  6. ports:
  7. - port: 8080
  8. protocol: TCP
  9. selector:
  10. app: netcat

Because the application is serving traffic on localhost, it is not accessible from other pods.

The above example shows using the simple nc tool. Some equivalent examples in other languages:

  • Go: net.Listen("tcp", "localhost:8080")
  • Node.js: http.createServer().listen(8080, "localhost");
  • Python: socket.socket().bind(("localhost", 8083))

How to resolve

If you did not intend to expose the application to other pods, you can remove the port from the Service.

If you do want to expose the application to other pods, there are two options:

  • Modify the application to bind to a network interface exposed to other pods. Typically, this means binding to 0.0.0.0 or ::, such as nc 0.0.0.0 8080 -l.
  • Create a Sidecar configuration to customize the inbound networking configuration for the pod. For example, with the above application:
  1. apiVersion: networking.istio.io/v1
  2. kind: Sidecar
  3. metadata:
  4. name: ratings
  5. spec:
  6. workloadSelector:
  7. labels:
  8. app: netcat
  9. ingress:
  10. - port:
  11. number: 8080
  12. protocol: TCP
  13. name: tcp
  14. defaultEndpoint: 127.0.0.1:8080