如何允许非HTTP离开istio-cluster/pod

我在一个k8s集群(1个主节点，2个工作节点)中安装了istio v1.0.5，并部署了一个需要从客户端到服务的HTTP应用程序，然后该服务需要在集群外进行通信。我没有使用helm来安装istio，我读到的材料中有很多helm示例来更新init容器配置，以包括集群IP cidr。

据我所知，这仍然是与开发人员的持续讨论，解决这个问题的最佳方法是用以下内容注释部署：

---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: home-devices-deployment
namespace: home-devices-app
labels:
app: home-devices-app
annotations:
traffic.sidecar.istio.io/includeOutboundIPRanges: "10.244.0.0/16"

我放入了clusterIP CIDR，但它仍然不允许容器通过SSH/TCP 22连接到外部系统。

ubuntu@k8s-master:~/applications$ kubectl cluster-info dump | grep -i cidr
"podCIDR": "10.244.0.0/24",
"podCIDR": "10.244.1.0/24"
"podCIDR": "10.244.2.0/24"
"--allocate-node-cidrs=true",
"--cluster-cidr=10.244.0.0/16",
"--node-cidr-mask-size=24",

感谢您的帮助。

--更新--

我尝试了ServiceEntry，但仍然没有成功。请记住，这是一个容器，是SSH’ing外部。

ubuntu@k8s-master:~/applications$ kubectl get serviceentry -n home-devices-app -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
creationTimestamp: "2019-01-10T02:45:27Z"
generation: 1
name: ex-ssh-service-entry
namespace: home-devices-app
resourceVersion: "1432196"
selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-    app/serviceentries/ex-ssh-service-entry
uid: c9b22284-1481-11e9-ad97-000c297d3726
spec:
addresses:
- 10.10.10.5
hosts:
- '*.ca'
location: MESH_EXTERNAL
ports:
- name: ssh
number: 22
protocol: TCP
resolution: NONE
- apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
creationTimestamp: "2019-01-10T02:45:27Z"
generation: 1
name: srx-ssh-service-entry
namespace: home-devices-app
resourceVersion: "1432197"
selfLink: /apis/networking.istio.io/v1alpha3/namespaces/home-devices-    app/serviceentries/srx-ssh-service-entry
uid: c9b3b586-1481-11e9-ad97-000c297d3726
spec:
addresses:
- 10.10.10.6
hosts:
- '*.ca'
location: MESH_EXTERNAL
ports:
- name: ssh
number: 22
protocol: TCP
resolution: NONE
kind: List
metadata:
resourceVersion: ""
selfLink: ""