
Tracker for caveats and existing problems with Multicluster #4822

Closed
sdake opened this issue Apr 9, 2018 · 22 comments

Comments

@sdake
Member

commented Apr 9, 2018

This tracker will track caveats and known issues with the multicluster implementation in the 0.8 release.

@sdake sdake changed the title Tracker for Caveats and Existing problems with Multicluster Tracker for Caveats and existing problems with Multicluster Apr 9, 2018

@sdake sdake changed the title Tracker for Caveats and existing problems with Multicluster Tracker for caveats and existing problems with Multicluster Apr 9, 2018

@sdake

Member Author

commented Apr 14, 2018

Note:
Priorities are not relative to 1.0 but relative to this feature. We will still ship Istio 1.0 if P0 work items in this tracker are incomplete.

Incomplete work items:

  • P0 revisit how to properly handle control plane networking without using Pod IPs directly. - #5535
  • P0 Make mixer functional - #4825
  • P0 mixer changes required for 1.0 #6498
  • P0 Make automatic sidecar injection work properly on Istio control plane cluster and remotes - #6092
  • P0 Switch multicluster's secret controller to use envoy v2 API. PR: #6311
  • P0 Validate credential input to pilot. - #6443
  • P1 Clean up end to end testing - #6072
  • P1 improve security by using service accounts with reduced RBAC permissions (on remotes?) instead of the current broad admin credentials installed in the primary cluster. - #6094
  • P1 Citadel setup in multicluster #6153
  • P1 Multicluster circle-ci
  • P2 istio-remote helm chart should optionally render services' info. #6321
  • P2 document a bookinfo example running on multiple clusters. istio/istio.io#1381
  • P2 improve security and reduce dependency on secret copying (dependent on SDS) - #6095
  • P2 Expand multicluster to non-Kubernetes registries - #6097
  • P2 automate the generation of remote cluster service account and certificates, including cert rotation. -
  • P2 followup PRs to #4869 comments
  • P0 implement e2e testing -
  • P0 implement secret storage - #4706
  • P0 generate YAMLs for e2e testing - #4869
  • P0 create install docs to match existing implementation - istio/istio.io#1139
  • P0 Update https://preliminary.istio.io/docs/setup/kubernetes/multicluster-install.html to latest configmap
  • P0 update https://preliminary.istio.io/docs/setup/kubernetes/multicluster-install.html to match secrets only storage -
  • P0 update remote deployment to match existing implementation - #4953,
  • P0 update Istio control plane install documentation to match existing implementation
  • P1 sort out citadel on remote clusters including rotation of both cluster and citadel (if that is a problem)
  • P1 implement addition of secret storage only -
  • P2 clean up obsolete code and references to configmap - #4923
@costinm

Contributor

commented Jun 7, 2018

Not sure "merge istio-remote into istio helm chart once istio-remote is solidified" is a good move, cleaner to keep them separate (as we address SDS and make other improvements, istio-remote should become smaller and may have specific needs - on the other side istio templates are already getting too messy).

@costinm

Contributor

commented Jun 7, 2018

" determine if local and remotes can use automatic injection, or if manual injection is only available." - I think we just miss the config, there should be no problem.

I would add:
(P2 for 1.0) "improve security and reduce dependency on secret copying" - i.e. if SDS is available switch to it. That would use a central CA, and each node will fetch/renew secrets from it without using k8s Secret.

(P2) Expand MC to non-k8s registries ?

P1: improve security by using service accounts with reduced RBAC permissions instead of the current
broad admin credentials installed in the primary cluster.
P2: automate the generation of remote cluster service account and certificates, including cert rotation.

@sdake

Member Author

commented Jun 7, 2018

@costinm re RBAC, do you mean application of limited RBAC to istio-remote? That is the only way that sentence makes sense to me.

@tiswanso

Contributor

commented Jun 7, 2018

@sdake @costinm -- I have the service-account procedure for creating the remote's kubeconf to give pilot limited RBAC controls. I don't have the exact limitation on what pilot needs, though. Probably read-only to all service, endpoint, and pod objects. I will try to push a doc PR soon with what I have.

@sdake

Member Author

commented Jun 7, 2018

@tiswanso what would be better is a change to istio-remote helm chart with limited RBAC.

@tiswanso

Contributor

commented Jun 7, 2018

@sdake -- not sure how helm can do anything RBAC-wise but anyway, that's for setting up the Istio control pod (citadel), secrets, and selectorless services on the remote cluster. The service-account RBAC I'm referring to is tied to the kubeconf secrets we're creating in the control-plane cluster. So, it'd be limiting what pilot could do on the remote kube-api-server.

@sdake

Member Author

commented Jun 7, 2018

What I meant was adding very strict rbac here: https://github.com/istio/istio/tree/master/install/kubernetes/helm/istio-remote/templates - perhaps this is the wrong place to do it.

@tiswanso can you create an issue with your proposal? I'll link it from the first entry in this issue tracker and we can continue discussion there.

Cheers
-steve

@sdake

Member Author

commented Jun 8, 2018

@myidpt @costinm struggling to write an issue for this text:

 P2 automate the generation of remote cluster service account and certificates, including cert rotation. -

could either of you expand on this a bit as to what you think is needed in terms of the specific problem so I can write a new issue? (or alternately write an issue and link it or I can link it).

TIA!
-steve

@costinm

Contributor

commented Jun 8, 2018

@sdake

Member Author

commented Jun 8, 2018

@costinm thanks - I think both of these requirements are captured now.

Cheers
-steve

@Rigdon

Contributor

commented Jun 8, 2018

I'm looking at #6092

@Rigdon

Contributor

commented Jun 8, 2018

Also related to the RBAC discussion: I'm attempting this first with a service account bound to the system:node-proxier role on the remote clusters. This service account token is what I'll store on the control plane cluster for each remote.

It's still more permissions than are needed but at least it's read-only.
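Bringing together the two approaches in this thread (read-only access to services, endpoints and pods, and a role narrower than a broad built-in one), here is an added example of a least-privilege ServiceAccount for Pilot's remote-cluster kubeconfig; it is not code from the Istio project or from this thread. The object names and the exact resource list are assumptions, since the thread does not settle what Pilot needs on a remote.

```yaml
# Added example, not from the Istio project or this thread.
# A ServiceAccount on the remote cluster whose token goes into the
# kubeconfig secret stored on the control-plane cluster. It is scoped
# to read-only access on the objects named in the discussion
# (services, endpoints, pods); the exact set Pilot needs is an assumption.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-remote          # hypothetical name
  namespace: istio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-remote-reader   # hypothetical name
rules:
  # Core API group only; no write verbs, no secrets, no nodes.
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-remote-reader   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-remote-reader
subjects:
  - kind: ServiceAccount
    name: istio-pilot-remote
    namespace: istio-system
```

After applying it on the remote, confirm the scope with `kubectl auth can-i list pods --as=system:serviceaccount:istio-system:istio-pilot-remote` (expect yes) and `kubectl auth can-i get secrets --as=system:serviceaccount:istio-system:istio-pilot-remote` (expect no).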

@tiswanso

Contributor

commented Jun 8, 2018

doc PR for instructions to create serviceaccount on remotes with min RBAC: istio/istio.io#1484

@Rigdon

Contributor

commented Jun 8, 2018

thanks @tiswanso! I'll add that cluster role to my WIP for the istio-remote helm chart

@john-a-joyce

Contributor

commented Jun 13, 2018

@sdake - I intend to add the multicluster circleci item we have talked with Costin about a few times. Should be a P1 I think. If I don't hear anything I will edit it in tomorrow.

@sbezverk

Member

commented Jun 15, 2018

@sdake Here is PR to switch multicluster's secret controller to use envoy v2 API:
#6311

@tiswanso

Contributor

commented Jun 15, 2018

Created new issue for istio-remote helm chart: #6321

@sdake

Member Author

commented Jun 18, 2018

Folks when issues are complete please click the checkmark.

Cheers
-steve

@sdake

Member Author

commented Jun 21, 2018

A new issue with multicluster reported - invalid credential input causes pilot to crater. #6443

@costinm costinm added this to the 1.0 milestone Jun 25, 2018

john-a-joyce added a commit to john-a-joyce/istio.github.io that referenced this issue Jul 3, 2018

Document stable access to istio services
This change enumerates options to mitigate or avoid the Pod restart issue.
istio/istio#4822

This is an update to istio#1586
@stale


commented Aug 2, 2018

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 2 weeks unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 2, 2018

@jasminejaksic jasminejaksic modified the milestones: 1.0 - launched, 1.1 Aug 2, 2018

@stale stale bot removed stale labels Aug 2, 2018

@sdake

Member Author

commented Dec 19, 2018

This has been released in alpha quality. If others have additional changes they wish to propose, please file a new issue in the issue tracker.

Cheers
-steve

@sdake sdake closed this Dec 19, 2018

@sdake sdake removed this from the 1.2 milestone Dec 19, 2018
