Plaintext Endpoints via PeerAuthentication aren't filtered out in multi-network #28798
Comments
cc @jtrbs
Related issue #28766
cc @incfly
I clicked through the link and am having a bit of trouble connecting the dots. `if tlsMode := envoytransportSocketMetadata(lbEp, "tlsMode"); tlsMode == model.DisabledTLSModeLabel {` This line is only looking at the endpoint label. The label is the result of the injection, and it's not taking PeerAuthentication into account.
What are the characteristics of those endpoints? With sidecar injected but configured as plaintext, and therefore cross-cluster traffic fails?
Yes, we require TLS for SNI routing through the gateway. This doesn't fail for cross-cluster, single-network. Only cross-network traffic fails.
I see. To answer the question, yes, I think we gather the PeerAuthentication config at the time when the push context is initiated. If we consult that, it should be able to tell whether endpoints are plaintext or not.
istio/pilot/pkg/model/push_context.go, line 1146 in 71b7265
Though I would look into how the client-side auto mTLS decision is made, in cluster.go, trying to reuse as much as we can.
So if I understand correctly this is mostly related to the TLSContext on the cluster, not info directly on the LB endpoints. I'll have to look into a way to reference that in the EDS flow with minimal recomputation. I did notice that we surround the
We want to filter these non-TLS endpoints from the logic that converts endpoint address to gateway address, but we want to filter the endpoints entirely when building EDS for the gateways themselves, which have
istio/samples/multicluster/gen-eastwest-gateway.sh, lines 97 to 98 in a43810c
Not sure how to handle this without recomputing some of the traffic policy logic inside of EDS.
We filter out non-tls endpoints from cross-network LoadBalancing. Without TLS we don't have SNI, required to do routing at the gateway.
istio/pilot/pkg/xds/ep_filters.go, lines 79 to 82 in 86b87f2
As part of #28621 and #28720 we're seeing the test apply the following PeerAuthentications, but the unreachable endpoints aren't being removed from the LoadBalancing rotation:
- Global mTLS disable
- Port-level mTLS disable
Does the PeerAuthentication set the tlsMode early enough in our EDS code to be filtered out properly?
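To make the gap discussed in this thread concrete, here is an added, stand-alone Go model of the cross-network endpoint filter. It is example code written for this page, not Istio's ep_filters.go or any other project code: the types `Endpoint` and `PeerAuth`, the predicates `LabelOnly` and `WithPeerAuth`, the function `FilterCrossNetwork` and the sample endpoints are all assumptions made here. `LabelOnly` reproduces the label-only test quoted in the comment above (only a tlsMode label of "disabled" counts as plaintext); `WithPeerAuth` layers a workload- or port-level mTLS DISABLE on top of it, which is what the two PeerAuthentications in the issue body exercise. The label values "istio" and "disabled" are the ones Istio's injector writes into the tlsMode label.

```go
package main

import (
	"fmt"
	"sort"
)

// Example code for this page; not Istio's implementation. Type names,
// function names and the sample data below are assumptions.

const (
	TLSModeLabel    = "tlsMode"
	TLSModeIstio    = "istio"
	TLSModeDisabled = "disabled"
)

// MTLSMode models PeerAuthentication's mtls.mode.
type MTLSMode int

const (
	ModeUnset MTLSMode = iota
	ModeDisable
	ModePermissive
	ModeStrict
)

// Endpoint is a cut-down LbEndpoint: address, port, network and the
// transport-socket metadata that carries the tlsMode label.
type Endpoint struct {
	Address  string
	Port     uint32
	Network  string
	Metadata map[string]string
}

// PeerAuth is a cut-down PeerAuthentication: a workload-level mode plus
// optional per-port overrides.
type PeerAuth struct {
	Mode      MTLSMode
	PortLevel map[uint32]MTLSMode
}

// effectiveMode resolves the mode for one port: a port-level entry wins,
// otherwise the workload-level mode applies. A nil PeerAuth means "unset".
func (pa *PeerAuth) effectiveMode(port uint32) MTLSMode {
	if pa == nil {
		return ModeUnset
	}
	if m, ok := pa.PortLevel[port]; ok && m != ModeUnset {
		return m
	}
	return pa.Mode
}

// LabelOnly is the check the issue quotes: the endpoint counts as plaintext
// only when its injector-set tlsMode label is "disabled".
func LabelOnly(ep Endpoint) bool {
	return ep.Metadata[TLSModeLabel] != TLSModeDisabled
}

// WithPeerAuth layers the PeerAuthentication that applies to the server
// workload on top of the label: DISABLE on the workload or on the port makes
// the server plaintext even though the injector labeled it "istio".
func WithPeerAuth(pa *PeerAuth) func(Endpoint) bool {
	return func(ep Endpoint) bool {
		return LabelOnly(ep) && pa.effectiveMode(ep.Port) != ModeDisable
	}
}

// FilterCrossNetwork returns the endpoints (as host:port) a client on
// clientNetwork keeps in its load-balancing set. Same-network endpoints are
// always kept; endpoints on another network are kept only if tlsOK says the
// server will speak TLS, because without TLS there is no SNI for the
// east-west gateway to route on. Rewriting remote endpoints to the gateway
// address is not modeled here.
func FilterCrossNetwork(clientNetwork string, eps []Endpoint, tlsOK func(Endpoint) bool) []string {
	var kept []string
	for _, ep := range eps {
		if ep.Network == clientNetwork || tlsOK(ep) {
			kept = append(kept, fmt.Sprintf("%s:%d", ep.Address, ep.Port))
		}
	}
	sort.Strings(kept)
	return kept
}

// SampleEndpoints is a constructed set of endpoints for one workload on port
// 8080 spread over two networks; the addresses are made up for this example.
func SampleEndpoints() []Endpoint {
	return []Endpoint{
		{"10.0.0.1", 8080, "network1", map[string]string{TLSModeLabel: TLSModeIstio}},
		{"10.0.0.2", 8080, "network1", map[string]string{TLSModeLabel: TLSModeDisabled}},
		{"10.1.0.1", 8080, "network2", map[string]string{TLSModeLabel: TLSModeIstio}},
		{"10.1.0.2", 8080, "network2", map[string]string{TLSModeLabel: TLSModeDisabled}},
	}
}

// SamplePeerAuth is the port-level case from the issue: STRICT on the
// workload, DISABLE on port 8080.
func SamplePeerAuth() *PeerAuth {
	return &PeerAuth{Mode: ModeStrict, PortLevel: map[uint32]MTLSMode{8080: ModeDisable}}
}

func main() {
	eps := SampleEndpoints()
	fmt.Println("label only:   ", FilterCrossNetwork("network1", eps, LabelOnly))
	fmt.Println("with PeerAuth:", FilterCrossNetwork("network1", eps, WithPeerAuth(SamplePeerAuth())))
}
```

With the label-only predicate the remote endpoint 10.1.0.1 survives because its label says "istio", even though the port-level PeerAuthentication has turned the server into plaintext; the combined predicate drops it, which is the behaviour the issue asks for.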