New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
traffic simulation: add false positive support #30391
Conversation
Hi @kailun-qin. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I am not quite sure I understand this false positive stuff. If the logic for the filter chain matching is wrong, why not just modify the logic in L488-L498 that is doing the matching?
There are several reasons:
Let me know if this explains a bit more. Or any other better way? Thanks! |
Thank you! I will take another look |
Envoy is able to handle multiple configured filter chains w/ SNI wildcards, which the current XDS traffic simulation flow considers as an error and fails with a NACK. This patch: * extends the XDS traffic simulation flow with a false positive check support for `multiple filter chain matched` error on `server_names`; * adds a new test for gateway using `single virtual service with multiple TLS match blocks`; * removes confusing comments related to filter chain generation with SNI match specified in TLS match blocks. Signed-off-by: Kailun Qin <kailun.qin@intel.com>
@@ -514,10 +516,17 @@ func (sim *Simulation) matchFilterChain(chains []*listener.FilterChain, defaultC | |||
}, func(fc *listener.FilterChainMatch) bool { | |||
return sets.NewSet(fc.GetApplicationProtocols()...).Contains(input.Alpn) | |||
}) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your comment mentioned checking for overlapping FC when we create the objects instead of during match, but I don't see anything do that. is that intended? I think we could improve validateFilterChainMatch
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it would be more clear to add the overlapping check there, then modify the filter() function to return the best match instead of all matches? I think that would mirror envoy logic better.
We may actually have false matches today. For example, if I have
- match: sni: *.com, transport: tls
- match: sni: example.com, transport: plain
and I send a request that is sni: example.com, transport: tls
. Current logic would match FC 0; envoy would amtch neither I think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your comment mentioned checking for overlapping FC when we create the objects instead of during match, but I don't see anything do that. is that intended? I think we could improve validateFilterChainMatch
No, it is not included in this patchset. I did think that it should go that way but I was intended not to break too much on the current logic for this first attempt.
I agree that we could improve validateFilterChainMatch. What's in my mind is roughly similar to what you've suggested below. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it would be more clear to add the overlapping check there, then modify the filter() function to return the best match instead of all matches? I think that would mirror envoy logic better.
We may actually have false matches today. For example, if I have
- match: sni: *.com, transport: tls - match: sni: example.com, transport: plain
and I send a request that is
sni: example.com, transport: tls
. Current logic would match FC 0; envoy would amtch neither I think
Thanks a lot for the hints! I'll give a try for this approach.
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-01-28. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
traffic simulation: add false positive support
Envoy is able to handle multiple configured filter chains w/ SNI wildcards,
which the current XDS traffic simulation flow considers as an error and
fails with a NACK.
This patch:
for
multiple filter chain matched
error onserver_names
;single virtual service with multiple TLS match blocks
;match specified in TLS match blocks.
Signed-off-by: Kailun Qin kailun.qin@intel.com
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[ ] Does not have any changes that may affect Istio users.