Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Telemetry Policy to use TargetRef instead of workloadSelector #46844

Closed
whitneygriffith opened this issue Sep 5, 2023 · 0 comments · Fixed by #47162
Closed

Update Telemetry Policy to use TargetRef instead of workloadSelector #46844

whitneygriffith opened this issue Sep 5, 2023 · 0 comments · Fixed by #47162
Assignees
@MorrisLaw

Comments

@whitneygriffith
Copy link
Contributor

whitneygriffith commented Sep 5, 2023
edited
Loading

Part of #46360
Related to #46560

Find where workloadSelector is used (explicitly or implicitly) and add checks for the existence of a targetRef. Defaulting to the current label selector if targetRef doesn't exist for the policy.

Some things to note:

  • RBAC and policy enforcement in general is a listener concern in Envoy as seen in listener_waypoint.go. telemetryFilters may be where this enforcement occurs.
  • There may be resources precomputed based on namespace or workload selectors to provide a more effective lookup in Ambient . As seen here for Authorization Policy
  • targetRef applies to ingress gateways and waypoints
  • Validation is done to ensure the policies and the targetReferent is valid
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MorrisLaw MorrisLaw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Telemetry target ref MorrisLaw/istio
2 participants
@MorrisLaw @whitneygriffith