add dry-run annotation #1933
add dry-run annotation #1933
Conversation
yangminzhu
requested review from
dcberg,
duderino,
linsun,
louiscryan,
nrjpoddar and
smawson
as code owners
google-cla
bot
added
the
cla: yes
istio-testing
added
the
size/XS
| @@ -392,3 +392,11 @@ annotations: | |||
| hidden: false | |||
| resources: | |||
| - Pod | |||
|
|
|||
| - name: istio.io/dry-run | |||
| featureStatus: Alpha | |||
There was a problem hiding this comment.
Note: I wanted to set the featureStatus to experimental but the tool currently only supports alpha, beta and stable. I will look into the tool later to add the support and update the PR when exposing this in the doc (currently this is hidden).
|
@istio/technical-oversight-committee Hi, could anyone from TOC take a quick look at this, the design is already approved by security WG, the implementation is blocked on this and I'm trying to get this into the 1.10 release (code cut in 1 week). |
howardjohn
added
the
release-notes-none
|
/retest |
|
@yangminzhu since this annotation can be used in other resources in future. Can we describe what the annotation does for AuthZ policy. Where and how do the users see the policy dry-run output? |
yes, we will add documentation on istio.io for using the annotation. The output can be found in Envoy (log), Prometheus (metric) and Jaeger (tracking). |
|
That’s great. Thanks! |
Allows customers to dry-run an authorization policy to test the effect using real traffic without enforcing the policy, reducing the risk of creating or changing the authorization policy.
Only supports AuthorizationPolicy for now, the admission controller will reject other resources with the dry-run annotation.
Design doc: https://docs.google.com/document/d/1xQdZsEgJ3Ld2qebfT3EJkg2COTtCR1TqBVojmnvI78g (approved by Security WG)