New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Eastwest gateway incorrectly applies DR #38704
Comments
@howardjohn do you know if there is anything that can be done here? I know that this logic was added to deal with a vul. |
@stevenctl I think the DR part specifically is actually not for the CVE, but rather to avoid accidentally sending non-mTLS traffic to EW gw (which fails). So to have that same check at the EW gw may not make sense? Just the DR part - the rest is required. |
@stevenctl are you still looking into this? Can I assign to you? |
@stevenctl gentle ping ... are you still looking at this? We had to roll-back the change. |
not-stale. Need to verify #40243 fixed this. I don' think it did. |
Bug Description
If mTLS for a destination is enabled via a DR in a namespace other than
istio-system
, the eastwest gateway will never get endpoints for the destination service.This is due to the fact that the eastwest gateway still applies endpoint filters, which use the
mtlsChecker
. East-west'smtlsChecker
will have no DR for the service (since the DR was not applied to theistio-system
namespace) and will therefore assume the default non-mTLS setting, which means that the endpoint will be filtered from the east-west gateway.Judging by the comment in that code, it appears this was intentional. However, I'm not sure that this particular case was considered or tested. Other parts of the logic for eastwest gateway ignore DR, and I suspect this should as well.
Version
Additional Information
No response
The text was updated successfully, but these errors were encountered: