add dry-run annotation #1933
@@ -392,3 +392,11 @@ annotations: | |||
hidden: false | |||
resources: | |||
- Pod | |||
|
|||
- name: istio.io/dry-run | |||
featureStatus: Alpha |
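Review bot: the visible part of the new `istio.io/dry-run` entry shows only `name` and `featureStatus: Alpha`; since the description states that only AuthorizationPolicy is supported (the admission controller rejects other resources) and that the annotation is currently hidden, make sure the rest of the entry restricts `resources:` to `- AuthorizationPolicy` and sets `hidden: true`, so the generated docs and validation metadata match the admission controller's behaviour rather than advertising the annotation for every resource listed above.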
Note: I wanted to set the featureStatus to experimental but the tool currently only supports alpha, beta and stable. I will look into the tool later to add the support and update the PR when exposing this in the doc (currently this is hidden).
@istio/technical-oversight-committee Hi, could anyone from TOC take a quick look at this? The design is already approved by security WG, the implementation is blocked on this and I'm trying to get this into the 1.10 release (code cut in 1 week).
I'm comfortable adding this annotation, it seems similar in spirit to some of our other annotations/labels that are meta-controls and don't really make sense as fields (for example istio.io/rev).
/retest
@yangminzhu since this annotation can be used in other resources in the future, can we describe what the annotation does for AuthZ policy? Where and how do the users see the policy dry-run output?
Yes, we will add documentation on istio.io for using the annotation. The output can be found in Envoy (log), Prometheus (metric) and Jaeger (tracing).
That’s great. Thanks!
Allows customers to dry-run an authorization policy to test the effect using real traffic without enforcing the policy, reducing the risk of creating or changing the authorization policy.
Only supports AuthorizationPolicy for now, the admission controller will reject other resources with the dry-run annotation.
Design doc: https://docs.google.com/document/d/1xQdZsEgJ3Ld2qebfT3EJkg2COTtCR1TqBVojmnvI78g (approved by Security WG)
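The rule described above (the annotation is honoured on AuthorizationPolicy and rejected on any other resource) as an added admission-style check in Python; this is example code, not istio/api or the Istio admission controller, and the `"true"`/`"false"` value format, the `Decision` type and the constructed manifests are assumptions not taken from the PR.

```python
"""Added example: a minimal admission check mirroring the istio.io/dry-run rule
from the PR description. Not Istio's own code; the annotation value format
("true"/"false") is an assumption, as are the sample manifests below."""
from dataclasses import dataclass

DRY_RUN_ANNOTATION = "istio.io/dry-run"
# Per the PR description, only AuthorizationPolicy supports dry-run for now.
DRY_RUN_KINDS = {"AuthorizationPolicy"}


@dataclass
class Decision:
    allowed: bool      # would the admission controller accept the object?
    dry_run: bool      # should the policy be evaluated without enforcement?
    reason: str = ""   # populated only when the object is rejected


def admit(obj: dict) -> Decision:
    """Decide whether a decoded Kubernetes manifest is admitted and whether
    the resulting policy runs in dry-run mode."""
    kind = obj.get("kind", "")
    annotations = obj.get("metadata", {}).get("annotations") or {}
    if DRY_RUN_ANNOTATION not in annotations:
        return Decision(allowed=True, dry_run=False)
    if kind not in DRY_RUN_KINDS:
        return Decision(False, False,
                        f"{DRY_RUN_ANNOTATION} is only supported on "
                        f"AuthorizationPolicy, got {kind}")
    # YAML may decode an unquoted `true` as a bool; normalise to a string.
    value = str(annotations[DRY_RUN_ANNOTATION]).strip().lower()
    if value not in ("true", "false"):
        return Decision(False, False,
                        f"invalid {DRY_RUN_ANNOTATION} value {value!r}; "
                        'expected "true" or "false"')
    return Decision(allowed=True, dry_run=(value == "true"))


# Constructed sample manifests (already decoded from YAML).
DRY_RUN_POLICY = {"kind": "AuthorizationPolicy",
                  "metadata": {"name": "deny-all", "namespace": "default",
                               "annotations": {DRY_RUN_ANNOTATION: "true"}},
                  "spec": {"action": "DENY", "rules": [{}]}}
ENFORCED_POLICY = {"kind": "AuthorizationPolicy",
                   "metadata": {"name": "deny-all", "namespace": "default"},
                   "spec": {"action": "DENY", "rules": [{}]}}
ANNOTATED_OTHER = {"kind": "PeerAuthentication",
                   "metadata": {"name": "strict", "namespace": "default",
                                "annotations": {DRY_RUN_ANNOTATION: "true"}},
                   "spec": {"mtls": {"mode": "STRICT"}}}
```

A rejected object carries the reason the admission controller would return, while an admitted AuthorizationPolicy reports whether the enforcement point should log and record metrics only instead of denying traffic.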