Support crd discovery selector

[hzxuzhonghu]

Please provide a description of this PR:

Fix #36627

[howardjohn]

This is a breaking change. The API explicitly only applies to discovery, so making it do more will be incompatible.

It would be good to revisit the design doc. I recall we explicitly decided to make it only discovery. If we are changing our minds there we ought to understand why our decisions have changed.

[hzxuzhonghu]

The api does not explicitly say it does not limit CR, and also it does not explicitly say it works on it. Will search the design

[hzxuzhonghu]

Unfortunately, there is even no mention of crd in the design https://docs.google.com/document/d/1S3GPCUBmTmvh09NmpuMCG3vwDTNkVeRhGT3lbLyA4qs/edit?resourcekey=0-a8iMutRwjQElYN5dlgEDdw#heading=h.h3lxcxfhqndp

SO I think there is no compatibility issue, this can be treated as a feature request

[howardjohn]

Regardless of if it's in the doc dramatically changing the functionality of an existing API is incompatible.

Let's take a step back here. I haven't seen any discussion of the motivations for this change. We already have a lot of 'scoping' mechanisms. What problems are we trying to solve here?

[hzxuzhonghu]

#35092

[hzxuzhonghu]

@howardjohn @ramaraochavali What do i need to promote this feature?

[howardjohn]

I still don't understand the use case. The issue you linked does not explain why they want this.

[hzxuzhonghu]

An special case i can think of is in multi tenant case, multi istio can be deployed in a single cluster. We donot want the crd{CR} to interference each other.

[hzxuzhonghu]

@howardjohn #31115

[howardjohn]

Doesn't Sidecar scoping handle this?

In multitenant situations I would imagine its typical to not actually have permission to read from all namespaces?

[howardjohn]

I think this is a pretty important topic and should probably have a proper design. At the very least, we cannot change the behavior of the existing field or there will be incompatible behavior change when users of discoverySelector upgrade to this commit

[hzxuzhonghu]

I donot think there are many users of discoverySelector who have CR created in namespaces that are not selected.

For sake, I am fine to add a knob for this. We can also propose a discussion about it.

[howardjohn]

I haven't tested this, but the doc for sidecar workload selector (this is what you mean, right?) does not mention scoping for all CRs but only a handful? Does scoping work on all CRs?

All the CRs it does not scope are already scoped by namespace. For example, if you have a PeerAuthentication if foobar namespace, and have no proxies in foobar, it does nothing.

[emike922]

For us (non-vanilla) this might be a convenient way to avoid configuration leakage between multiple tenants/istiod control planes. Tenant boundaries could be defined in terms of immutable kubernetes.io/metadata.name labels, allowing to dynamically extend or shrink the scope of each control plane without too much hassle or risk.

For vanilla users, this might be useful to include or exclude namespaces for configuration discovery, for example to ignore "less trusted" namespaces when operating in a shared environment.
It could also be useful to enable testing of revisions with incompatible or maybe just experimental (globally-scoped) configurations without affecting the productive instance.

[kfaseela]

Doesn't Sidecar scoping handle this?

In multitenant situations I would imagine its typical to not actually have permission to read from all namespaces?

@howardjohn sidecar scoping solves part of the issue, but what about the gateways?

[howardjohn]

@kfaseela Gateways have namespace scoping options already: PILOT_SCOPE_GATEWAY_TO_NAMESPACE or use new Kubernetes Gateway API which has this as default

[kfaseela]

@kfaseela Gateways have namespace scoping options already: PILOT_SCOPE_GATEWAY_TO_NAMESPACE or use new Kubernetes Gateway API which has this as default

Would try this end to end along with sidecar scoping and get back. But wouldn't it simplify the configuration a lot when we have this supported out of the box, while using discovery selectors? Ideally we don't want to configure additional sidecar config to limit the CRD scope.

[emike922]

This might also be useful as an option to lock down certain CR discovery settings that cannot be overridden by the user (default mesh-wide sidecar w/o workload selector in root namespace is easily overridden by another sidecar if I understand correctly)

[SpecialYang]

We have implemented this feature in production but by little dirty way. We can deploy multiple istiod instances in one K8s cluster for tenant case. These istiod instances can not only locate at individual namespaces, but also locate at the same namespace isolated by labels of CR.

Part of code changes like below.

Server.

if alifeatures.WatchResourcesByNamespaceForPrimaryCluster != "" {
	informerOptions := kubelib.InformerOptions{
		WatchedNamespace: alifeatures.WatchResourcesByNamespaceForPrimaryCluster,
		Label:            alifeatures.WatchResourcesByLabelForPrimaryCluster,
	}
	s.kubeClient, err = kubelib.NewClientWithInformerOptions(kubelib.NewClientConfigForRestConfig(kubeRestConfig), informerOptions)
} else {
	s.kubeClient, err = kubelib.NewClient(kubelib.NewClientConfigForRestConfig(kubeRestConfig))
}

KubeClient.

func NewClientWithInformerOptions(clientConfig clientcmd.ClientConfig, options InformerOptions) (*client, error) {
	var c client
	var err error
	clientFactory := newClientFactory(clientConfig)
	c.clientFactory = clientFactory
	c.config, err = clientFactory.ToRESTConfig()
	if err != nil {
		return nil, err
	}
	c.restClient, err = clientFactory.RESTClient()
	if err != nil {
		return nil, err
	}
	c.discoveryClient, err = clientFactory.ToDiscoveryClient()
	if err != nil {
		return nil, err
	}
	c.mapper = restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(c.discoveryClient))
	c.Interface, err = kubernetes.NewForConfig(c.config)
	c.kube = c.Interface
	if err != nil {
		return nil, err
	}
	c.kubeInformer = informers.NewSharedInformerFactoryWithOptions(c.Interface, resyncInterval, informers.WithNamespace(options.WatchedNamespace))
	c.metadata, err = metadata.NewForConfig(c.config)
	if err != nil {
		return nil, err
	}
	c.metadataInformer = metadatainformer.NewFilteredSharedInformerFactory(c.metadata, resyncInterval, options.WatchedNamespace, nil)
	c.dynamic, err = dynamic.NewForConfig(c.config)
	if err != nil {
		return nil, err
	}
	c.dynamicInformer = dynamicinformer.NewFilteredDynamicSharedInformerFactory(c.dynamic, resyncInterval, options.WatchedNamespace, nil)
	c.istio, err = istioclient.NewForConfig(c.config)
	if err != nil {
		return nil, err
	}
	if options.Label != "" {
		c.istioInformer = istioinformer.NewSharedInformerFactoryWithOptions(c.istio, resyncInterval, istioinformer.WithNamespace(options.WatchedNamespace), istioinformer.WithTweakListOptions(func(listOpts *metav1.ListOptions) {
			listOpts.LabelSelector = options.Label
		}))
	} else {
		c.istioInformer = istioinformer.NewSharedInformerFactoryWithOptions(c.istio, resyncInterval, istioinformer.WithNamespace(options.WatchedNamespace))
	}
	c.gatewayapi, err = gatewayapiclient.NewForConfig(c.config)
	if err != nil {
		return nil, err
	}
	if options.Label != "" {
		c.gatewayapiInformer = gatewayapiinformer.NewSharedInformerFactoryWithOptions(c.gatewayapi, resyncInterval, gatewayapiinformer.WithNamespace(options.WatchedNamespace), gatewayapiinformer.WithTweakListOptions(func(listOpts *metav1.ListOptions) {
			listOpts.LabelSelector = options.Label
		}))
	} else {
		c.gatewayapiInformer = gatewayapiinformer.NewSharedInformerFactoryWithOptions(c.gatewayapi, resyncInterval, gatewayapiinformer.WithNamespace(options.WatchedNamespace))
	}
	c.mcsapis, err = mcsapisClient.NewForConfig(c.config)
	if err != nil {
		return nil, err
	}
	if options.Label != "" {
		c.mcsapisInformers = mcsapisInformer.NewSharedInformerFactoryWithOptions(c.mcsapis, resyncInterval, mcsapisInformer.WithNamespace(options.WatchedNamespace), mcsapisInformer.WithTweakListOptions(func(listOpts *metav1.ListOptions) {
			listOpts.LabelSelector = options.Label
		}))
	} else {
		c.mcsapisInformers = mcsapisInformer.NewSharedInformerFactoryWithOptions(c.mcsapis, resyncInterval, mcsapisInformer.WithNamespace(options.WatchedNamespace))
	}
	c.extSet, err = kubeExtClient.NewForConfig(c.config)
	if err != nil {
		return nil, err
	}
	return &c, nil
}

[howardjohn]

lister: cache.NewGenericLister(h.informer.GetIndexer(), schema.Resource().GroupVersionResource().GroupResource())

can we do this?

[hzxuzhonghu]

Definitely we can implement it in theory, but I think currently it is enough to use

NewGenericLister does not provide much benefit to our case

[howardjohn]

Why not? It makes the code much simpler as we do not need to do the weird indexer operations we have replaced it with, and is standard k8s practice

[hzxuzhonghu]

As you can see with generic lister for clusterscoped resource, we need to handle differently. however with underlying indexer, we do not need to care about it, that is why I believe this way is more simple

[hzxuzhonghu]

Actually, all the indexer related code are in pkg/kube, the fiteredInformer does only provide Get List interface.

[howardjohn]

I am not sure how it's simpler. The lister requires 1 single if statement here - the indexer approach has like 50 lines of added complexity throughout the PR of more complex error handling, type casting, and still has the if for namespaces but at each List call instead of in one single place

Listers are the Kubernetes standard for his to list objects, I don't see a compelling reason to move away from that. It also seems unrelated to the rest of the PR.

[hzxuzhonghu]

GenericLister returns runtime.Object, which also need type cast, error handling. I do not have strong preference though

[howardjohn]

yes but we don't need this: https://github.com/istio/istio/pull/36639/files#diff-eff3d408ac506e9395b51f480c999a588f9fa408e392ce77506f25ceae00d6a1R328

and we now have to do:

	item, _, err := h.informer.GetIndexer().GetByKey(KeyFunc(namespace, name))
	if item == nil || err != nil {

instead of just

	obj, err := h.lister(namespace).Get(name)
	if err != nil {

[howardjohn]

overall it's looking right but it's changing a lot of unrelated things which I think add complexity

[howardjohn]

nit: no need for if, the result is the same

[howardjohn]

still applicable but not blocking

[howardjohn]

what is this for?

[hzxuzhonghu]

This is to filter out namespaces, which is useful for namespace controller

[howardjohn]

Its not used in this PR, right? Just the future?

In the namespace controllre PR we discussed making a FilterObject(obj Object) and FilterNamespace(namespace string). Instead of doing all the type casting, etc. This is more explicit API

[hzxuzhonghu]

removed

[howardjohn]

lgtm, we can followup on the rest

[howardjohn]

still applicable but not blocking

[howardjohn]

nit: use metav1.NamespaceAll

[howardjohn]

same comment about reducing if

[hzxuzhonghu]

c.opts.DiscoveryNamespacesFilter can be nil, this can be optimized later, because we need to filter namespace string as well

[howardjohn]

do we want to protect this with the feature flag?