Destination rule to set mTLS ignores specific host #19459
Comments
Thanks for the clear reproduction steps!
Hi, I would like to help with this, can you give me a little guidance as this is my first issue!
@elieser1101 Here is based on my understanding, hope it helps. When Pilot builds up the destination rule for an outbound cluster push, we pre-calculate the matching destination rules that match with current service, istio/pilot/pkg/model/push_context.go Line 643 in b12fd8e
You can see there're some function calls of Based on this bug description, we should not have So a viable suggestion:
/assign edit: no can do?
Given there is a ServiceEntry for *.bar.com, a DestinationRule for foo.bar.com applies to ServiceEntry/*.bar.com while it shouldn't. This PR fixes this issue by changing the way of matching DestinationRules from overlaps to subsets of a ServiceEntry hostname.
…21857) * DestinationRule for specific host matches wildcards (fixes #19459) Given there is a ServiceEntry for *.bar.com, a DestinationRule for foo.bar.com applies to ServiceEntry/*.bar.com while it shouldn't. This PR fixes this issue by changing the way of matching DestinationRules from overlaps to subsets of a ServiceEntry hostname. * fix formatting for unit test cases
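The difference between overlap matching and subset matching described in the fix above, as an added example (not Istio's code and not part of the original thread). The helper names `overlaps`, `subsetOf` and `affected` are hypothetical, the hosts are the ones named in the PR description, and the example assumes a rule is selected when the service host is a subset of the DestinationRule host.

```go
package main

import (
	"fmt"
	"strings"
)

// isWildcard reports whether h is "*" or a "*.suffix" style host.
func isWildcard(h string) bool { return strings.HasPrefix(h, "*") }

// overlaps: at least one concrete hostname is matched by both a and b.
func overlaps(a, b string) bool {
	switch {
	case isWildcard(a) && isWildcard(b):
		return strings.HasSuffix(a[1:], b[1:]) || strings.HasSuffix(b[1:], a[1:])
	case isWildcard(a):
		return strings.HasSuffix(b, a[1:])
	case isWildcard(b):
		return strings.HasSuffix(a, b[1:])
	}
	return a == b
}

// subsetOf: every hostname matched by a is also matched by b.
func subsetOf(a, b string) bool {
	if !isWildcard(b) {
		return a == b // a wildcard can never fit inside an exact host
	}
	return strings.HasSuffix(strings.TrimPrefix(a, "*"), b[1:])
}

// affected lists the service hosts that a rule for ruleHost is applied to
// under the given matching function (assumed call order: service, rule).
func affected(ruleHost string, serviceHosts []string, match func(svc, rule string) bool) []string {
	var out []string
	for _, s := range serviceHosts {
		if match(s, ruleHost) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	services := []string{"*.bar.com", "foo.bar.com"} // constructed sample
	fmt.Println("overlap:", affected("foo.bar.com", services, overlaps))
	fmt.Println("subset: ", affected("foo.bar.com", services, subsetOf))
}
```

With overlap matching, the TLS settings meant for foo.bar.com also land on the wildcard entry; with subset matching, a wildcard rule such as `*.bar.com` still covers both entries, but the specific rule no longer does.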
Bug description
Following the discussion here.
DestinationRule host resolution is wrong when a DestinationRule with a specific host is affecting a wildcard service entry host.
Expected behavior
Only service entry with the exact host should be affected by the DestinationRule
Steps to reproduce the bug
Create 2 service entries:
Create a DestinationRule to encrypt traffic only for the specific host
Look at any service config dump and find that the wildcard service entry was affected
Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
Istio 1.3.2
How was Istio installed?
Not relevant to the bug
Environment where bug was observed (cloud vendor, OS, etc)
Not relevant to the bug