WorkloadSelector support for DestinationRule #2207
Conversation
kfaseela
requested review from
ericvn,
howardjohn,
linsun,
louiscryan,
nrjpoddar and
smawson
as code owners
|
😊 Welcome @kfaseela! This is either your first contribution to the Istio api repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
istio-testing
added
do-not-merge/work-in-progress
kfaseela
force-pushed
the
egress-mtls-sidecar
branch
from
a5f27c7
to
0f4c64d
Compare
|
/test release-notes_api |
| // Criteria used to select the specific set of pods/VMs on which this | ||
| // `Sidecar` configuration should be applied. If omitted, the `Sidecar` | ||
| // configuration will be applied to all workload instances in the same namespace. | ||
| WorkloadSelector workload_selector = 5; |
There was a problem hiding this comment.
I think we should use istio.type.v1beta1.WorkloadSelector. Through unfortunate situation we ended up with two different ones to handle the same case, but all modern CRDs are using that type.
Also the comments are copy+pasted from Sidecar, need to be updated.
|
Curious, how does this interact with subset? Is it that the unmatched proxy won't have subset configured? If so should we also have workload selector at virtual service to make it consistent. There are definitely demand for this istio/istio#36240 and istio/istio#29434 |
|
VirtualService already basically has workload selector with sourceLabels? I
*think* its functionally equivalent
…On Fri, Jan 14, 2022 at 10:11 AM Pengyuan Bian ***@***.***> wrote:
Curious, how does this interact with subset? Is it that the unmatched
proxy won't have subset configured? If so should we also have workload
selector at virtual service to make it consistent. There are definitely
demand for this istio/istio#36240
<istio/istio#36240> and istio/istio#29434
<istio/istio#29434>
—
Reply to this email directly, view it on GitHub
<#2207 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXODKSNVKYXKOEINQSTUWBRMVANCNFSM5L7AGQRA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
|
First, i wanna say i am totally for this proposal. But with this, without workloadSelector set, it will be applied to the same namespace |
|
This is an interesting concept. Could we think through what impact it will have for DR priority ordering: client side, server side, namespace, global. BTW, is this workload selector for client side or server side? |
I think the confusion came due to my wrong description of the attribute that it will be namespace specific. will correct it |
workSelector by default is global, and we can use "exportTo" to limit namespace list. DR will impact server side in TLS case, TLS mode in DR can be changed to override global TLS mode (e.g.STRICT), from this perspective, we can limit the "workSelector" to client side only, and keep server side behaviour as before. |
I disagree, if workloadSelector is present it should only match current namespace. This matches all of our resources (except Gateway, and its been replaced by another mechanism in gateway-api and was a mistake IMO).
DR only impacts server for circuit breakers, not TLS. If we want similar for this behavior we should do #1754 imo |
istio/istio#36731 (comment) as an example of why it would also benefit server side. |
I think its still somewhat ambiguous and #1754 would be preferred. For example, say I have a DR for |
Yeah I agree. Adding selector to DR is more like a workaround for the inbound configuration issue, which might complicate the configuration or not even cover some of the use cases. |
kfaseela
force-pushed
the
egress-mtls-sidecar
branch
from
6e07f6c
to
bf91ad8
Compare
kfaseela
force-pushed
the
egress-mtls-sidecar
branch
from
bf91ad8
to
7ec7bdd
Compare
As per https://github.com/istio/api#updating `make proto-lock` has to be run as part of new api changes. I was trying to run the same for my PR istio#2207 and saw some additional changes added in proto.lock which was not introduced by my change. Hence putting them in a separate PR here to check if these changes are needed or not. Signed-off-by: Faseela K <faseela.k@est.tech>
As per https://github.com/istio/api#updating `make proto-lock` has to be run as part of new api changes. I was trying to run the same for my PR #2207 and saw some additional changes added in proto.lock which was not introduced by my change. Hence putting them in a separate PR here to check if these changes are needed or not. Signed-off-by: Faseela K <faseela.k@est.tech>
kfaseela
changed the title
istio-testing
added
needs-rebase
kfaseela
force-pushed
the
egress-mtls-sidecar
branch
from
95e82ca
to
b95db44
Compare
istio-testing
removed
the
needs-rebase
| @@ -162,6 +163,28 @@ import "gogoproto/gogo.proto"; | |||
| // simple: ROUND_ROBIN | |||
| // ``` | |||
| // {{</tab>}} | |||
| // | |||
| // {{<tab name="v1alpha3" category-value="v1alpha3">}} | |||
There was a problem hiding this comment.
This is adding a third tab to a tab group of {v1alpha3,v1beta1}.
If we want to provide and example with workloadSelector, we should look like:
You can also use a workload selector .. blah blah...
{{<tabset category-name="selector-example">}}
{{tab }}
....
There was a problem hiding this comment.
Not sure, if I fixed it properly. Could you please take another look now?
| // | ||
| // Criteria used to select the specific set of pods/VMs on which this | ||
| // `DestinationRule` configuration should be applied. If omitted, the `DestinationRule` | ||
| // configuration will be applied to all workload instances in the same namespace. |
There was a problem hiding this comment.
"Same namespace" is not require accurate, since it can apply cross namespace,
We should also note that with workload selector set it is NOT cross namespace.
There was a problem hiding this comment.
It should be clearly documented, whether this is selecting cross namespaces or within the same namespace.
Also move this field up to first position.
There was a problem hiding this comment.
I have tried to rephrase the comment.
kfaseela
force-pushed
the
egress-mtls-sidecar
branch
from
cb5009b
to
c69b6ea
Compare
istio-testing
added
size/L
| @@ -162,6 +163,28 @@ import "gogoproto/gogo.proto"; | |||
| // simple: ROUND_ROBIN | |||
| // ``` | |||
| // {{</tab>}} | |||
| // | |||
| // {{<tab name="v1alpha3" category-value="v1alpha3">}} | |||
Adding support for workloadSelector in DR as per RFC Simplify Sidecar Egress For MTLS Signed-off-by: Faseela K <faseela.k@est.tech>
Signed-off-by: Faseela K <faseela.k@est.tech>
Signed-off-by: Faseela K <faseela.k@est.tech>
Signed-off-by: Faseela K <faseela.k@est.tech>
Signed-off-by: Faseela K <faseela.k@est.tech>
kfaseela
force-pushed
the
egress-mtls-sidecar
branch
from
c69b6ea
to
bc7ed01
Compare
|
/retest |
| // configuration will be applied only to the workload instances matching the workload selector | ||
| // label in the same namespace. Workload selectors do not apply across namespace boundaries. | ||
| // If omitted, the `DestinationRule` falls back to its default behavior. | ||
| istio.type.v1beta1.WorkloadSelector workload_selector = 5; |
There was a problem hiding this comment.
May be we should explain when this will be used vs. default behaviour? That is not clear to me while reading this comment.
@howardjohn WDYT?
There was a problem hiding this comment.
Clarified in the comment
Signed-off-by: Faseela K <faseela.k@est.tech>
|
Thank you! |
| // Criteria used to select the specific set of pods/VMs on which this | ||
| // `DestinationRule` configuration should be applied. If specified, the `DestinationRule` | ||
| // configuration will be applied only to the workload instances matching the workload selector | ||
| // label in the same namespace. Workload selectors do not apply across namespace boundaries. |
There was a problem hiding this comment.
I donot think this is consistent with other API @howardjohn
Not a good idea to be inconsistent
There was a problem hiding this comment.
Can you explain what about it is inconsistent? My expectation is that this behaves the same way as every other Istio API that has a workload selector?
There was a problem hiding this comment.
Workload selectors do not apply across namespace boundaries.
For gateway, the selector works across namespaces.
There was a problem hiding this comment.
Another point it from implement view: currently dr is used both fro outbound and inbound setting. Then if this only applies to the same namespace, does that mean we need to create two DRs for a service if the caller resides in different namespace as server?
There was a problem hiding this comment.
@hzxuzhonghu : implementation can be seen at : istio/istio#37174
There was a problem hiding this comment.
I donot see how to deal with the inconsistency
There was a problem hiding this comment.
it is different from not only gateway. but also authorization policy
If the authorization policy is in the root namespace, the selector
// will additionally match with workloads in all namespaces.
There was a problem hiding this comment.
But not EnvoyFilter, Sidecar, Telemetry, ProxyConfig, WasmPlugin, PeerAuthentication, or Request Authentication.
Gateway was a mistake IMO - we do not do this cross namespace in the gateway-api and we have a flag to disable cross namespace for Istio gateway.
AuthzPolicy is the odd one out, not DR, IMO.
There was a problem hiding this comment.
It is very confusing and error-prone. What's the long-term plan? After upgrading API version, we should remove all this bad inconsistency
There was a problem hiding this comment.
There are two inconsistencies - Gateway and AuthzPolicy.
Gateway is mostly addressed as noted. The new API does not have these issues and the current one has a flag.
AuthzPolicy - we have started looking into changing it but there has been some push back https://docs.google.com/document/u/0/d/1sCA6ReTnAR5tyKwuc7KPMygv2UPOlxL6IEU8Og0nQm0/mobilebasic.
So we have a plan. In the mean time, this change is consistent with 7 other Istio APIs - including the 3 most recently added ones. It seems inconsistent and unfair to block this change for inconsistency when factoring this in.
What do you think? Is it ok to move forward with this? If not, do you have alternative ideas?
I am highly motivated to move forward with this as we are stretching @kfaseela 's - a new contributor who could become a major regular contributor - motivation very thin after months of work to put a hold on the last minute.
@kfaseela Is this correct? I thought there is no change in behaviour for the case of DR with no workload selector? |
This is not correct. The namespace restriction is there only for workloadSelector set cases. |
|
How to achieve workloadSelector for incoming traffic. I want to apply max connections limit using Destination Rule only on SERVER side of the service using istio proxy (side car). |
|
@pkgulati : This was discussed under: istio/istio#41235 |
Adding support for workloadSelector in DR
as per RFC Simplify Sidecar Egress For MTLS
Signed-off-by: Faseela K faseela.k@est.tech