
Should Waypoint Apply L7 Policies for Traffic Accessed via Workload IPs (Pod IPs)? #1579

@imuxin

Description


In Istio, a Waypoint can be associated with both Services and Workloads.
We know that the LDS configuration delivered to the Waypoint is matched based on Kubernetes Service IPs and ports.

When traffic is sent to a Service address, it is expected and clear that the request will enter the Waypoint’s L7 routing and filter chain, where L7 policies such as rate limiting can be applied.

However, when traffic is sent directly to a Workload address (for example, a Pod IP), the traffic is still forwarded to the Waypoint, but it does not match any L7 routing rules in the Waypoint. As a result, L7 filters such as rate limiting are not applied.

This raises the following questions:

How should we reason about this behavior semantically?

Is it expected that traffic addressed to a Workload IP should bypass Waypoint L7 routing and filters?

Or should such traffic also be eligible for L7 processing once it is forwarded to the Waypoint?

Practical Scenario

There is a concrete and common use case behind this question.

In many systems, client services have already integrated service discovery mechanisms such as Nacos in their SDKs. In these cases, service-to-service communication is performed directly using instance IPs, rather than Kubernetes Service addresses.

When such systems are onboarded to the mesh without removing the existing service discovery layer and without any code changes, the current behavior is that Waypoint L7 policies do not take effect, because traffic is addressed to Pod IPs instead of Service IPs.

Question

Should Istio / kmesh support and be compatible with this access pattern, so that L7 policies can still be enforced even when services are accessed via Workload IPs?

Or is the current behavior considered intentional, with the expectation that users must switch to Service-based addressing in order to benefit from Waypoint L7 capabilities?

We would like to understand the intended design and whether supporting this scenario is within scope.
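For readers unfamiliar with how a Waypoint is attached to a Service versus a Workload, the following manifest is an added example and is not part of the issue or of the Istio project's documentation. It assumes a namespace `shop`, a waypoint named `shop-waypoint`, a Service `catalog` on port 8080, and a Pod `catalog-0`; the image name is a placeholder. The `istio.io/waypoint-for` label on the Gateway controls which traffic kinds the waypoint accepts (`service`, `workload`, `all`, or `none`), and the `istio.io/use-waypoint` label on a Service or Pod tells ztunnel to forward traffic for that destination to the named waypoint. Labelling the Pod is what produces the situation the issue describes: traffic addressed to the Pod IP is forwarded to the waypoint, and whether an L7 route matches it there is exactly the open question.

```yaml
# Added example (not from the issue author or the Istio project).
# Namespace, names and the container image are assumed for illustration.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shop-waypoint
  namespace: shop
  labels:
    # "all" accepts both Service-addressed and Workload-addressed traffic;
    # `istioctl waypoint apply` without --for sets "service" only.
    istio.io/waypoint-for: all
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# Service-addressed traffic (ClusterIP:8080) goes through the waypoint and
# matches the Service VIP/port-based L7 routing the issue refers to.
apiVersion: v1
kind: Service
metadata:
  name: catalog
  namespace: shop
  labels:
    istio.io/use-waypoint: shop-waypoint
spec:
  selector:
    app: catalog
  ports:
  - name: http
    port: 8080
    targetPort: 8080
---
# Workload-addressed traffic (Pod IP:8080) is also forwarded to the waypoint
# because the Pod itself carries the use-waypoint label.
apiVersion: v1
kind: Pod
metadata:
  name: catalog-0
  namespace: shop
  labels:
    app: catalog
    istio.io/use-waypoint: shop-waypoint
spec:
  containers:
  - name: catalog
    image: nginx:1.27   # placeholder image, assumed
    ports:
    - containerPort: 8080
```

To see which listeners the waypoint actually programs for these two destinations, inspect its Envoy configuration with `istioctl proxy-config listener -n shop deploy/shop-waypoint` (the deployment name matching the Gateway name is an assumption about the default waypoint deployment); comparing the entries for the Service ClusterIP and for the Pod IP is the quickest way to reproduce the behaviour the issue reports.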

Labels: question (further information is requested)