multi-network: fix eastwest gateway endpoint filtering #38762
Conversation
@stevenctl can you also update this test to include a Count > 1? This test passing in multi-network actually relies on |
It needs a test
I think this makes sense, will let the others that commented take a look as well |
Nathan's PR added tests. This PR removed the need for the global DestinationRule |
What's the behavior with tls disabled before and after? IIUC, for east-west gateway the cluster will include cluster local endpoints. |
This makes it so TLS disabled in DR doesn't affect passthrough gateways (the endpoint will remain). That DR based filtering makes it so clients can't send plaintext that will inevitably fail since we require TLS/SNI. If a server is plaintext, we still remove the endpoint from the gateway. |
Network local, non plaintext endpoints. |
Looks good |
In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.13": |
In response to a cherrypick label: new issue created for failed cherrypick: #39226 |
In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.13": |
In response to a cherrypick label: new issue created for failed cherrypick: #39227 |
In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.14": |
In response to a cherrypick label: new issue created for failed cherrypick: #39228 |
In response to a cherrypick label: #38762 failed to apply on top of branch "release-1.14": |
In response to a cherrypick label: new issue created for failed cherrypick: #39229 |
* multi-network: prevent eastwest gateway endpoint filtering Change-Id: I8395c8272bb6ba4b79b663194102852a739400b9
* rel note Change-Id: I4f34b1f47ddf976fa9417a63c3a4331a76f2b613
* skip check for 500s Change-Id: I3b9ca40346467c91d479f0d91c8d5c813f3898c4
* multiple calls per-cluster Change-Id: I2cb8653f4cbd20f78c2f25c9ac7d6fa983dff2c8
* remove global dr workaround Change-Id: I045946df16e54fe49f7a6a5103d9cafa446474af
* remove old tests Change-Id: I074b4145eac7fe8d7ce967f3a149fb94be5427a6
@stevenctl this seems to have broken TestAuthz_EgressGateway, leading to the flakes related to that test in #39255. Specifically, calls will fail when they follow the path I tried forcibly adding a DR to the

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: test-egress
  namespace: istio-system
spec:
  host: "istio-egressgateway.istio-system.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: ISTIO_MUTUAL
```

... but it had no effect (still no endpoints for the egress gateway SNI route). I locally rolled back this change and it works fine. |
I opened #39330 |
…#38762) (istio#39274)" This reverts commit 3997d57.
…#38762) (istio#39275)" This reverts commit 097fed9.
I think this fixes/helps with #38704
Gateways care about server settings only (authn, and tlsMode labels) when doing this filtering.
We will filter out servers that we don't think accept mTLS (DISABLED or tlsMode: none). If a client somehow sent non-mTLS traffic, they would have to spoof SNI and then the server would deny them anyway.
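The endpoint-filtering rule described in the comment about passthrough gateways and in this description, as an added illustration written for this page rather than Istio's own code. The types, the `Proxy`/`Endpoint` structs, the `filterEndpoints` function and the constructed sample endpoints are all assumptions made for the example; it models a passthrough east-west gateway keeping only network-local endpoints whose server side accepts mTLS (tlsMode label not `none` and server authn not DISABLED) regardless of the client DestinationRule, and a client sidecar with TLS DISABLE dropping cross-network endpoints it could only reach in plaintext through a gateway that requires TLS/SNI.

```go
package main

import "fmt"

// ClientTLSMode stands in for the DestinationRule trafficPolicy.tls.mode that a
// client sidecar would apply (simplified for this example; not Istio's own type).
type ClientTLSMode string

const (
	ClientTLSDisable     ClientTLSMode = "DISABLE"
	ClientTLSIstioMutual ClientTLSMode = "ISTIO_MUTUAL"
)

// ServerTLS holds the server-side facts a gateway looks at: the workload's
// tlsMode label and whether its server-side authn policy disables mTLS.
type ServerTLS struct {
	TLSModeLabel string // "istio" for a sidecar-injected workload, "none" for plaintext-only
	MTLSDisabled bool   // true when the server's PeerAuthentication mode is DISABLE
}

// Endpoint is a constructed stand-in for one workload endpoint of a service.
type Endpoint struct {
	Address string
	Network string
	Server  ServerTLS
}

// Proxy describes the proxy asking for the endpoint list.
type Proxy struct {
	Network   string
	IsGateway bool // true for a passthrough east-west gateway, false for a client sidecar
}

// acceptsMTLS is true only when nothing on the server side rules out mTLS.
func (s ServerTLS) acceptsMTLS() bool {
	return s.TLSModeLabel != "none" && !s.MTLSDisabled
}

// filterEndpoints models the rule from the PR discussion:
//   - a passthrough gateway keeps network-local endpoints whose server accepts
//     mTLS; the client DestinationRule is never consulted, so TLS DISABLE in a
//     DR does not remove endpoints from the gateway;
//   - a client sidecar with TLS DISABLE may only send plaintext, which cannot
//     pass a gateway that requires TLS + SNI, so cross-network endpoints are
//     dropped instead of being left to fail.
func filterEndpoints(p Proxy, clientTLS ClientTLSMode, eps []Endpoint) []Endpoint {
	var kept []Endpoint
	for _, ep := range eps {
		if p.IsGateway {
			if ep.Network == p.Network && ep.Server.acceptsMTLS() {
				kept = append(kept, ep)
			}
			continue
		}
		crossNetwork := ep.Network != p.Network
		if crossNetwork && clientTLS == ClientTLSDisable {
			continue // plaintext cannot traverse the east-west gateway
		}
		kept = append(kept, ep)
	}
	return kept
}

// addresses projects a filtered list down to its addresses for easy comparison.
func addresses(eps []Endpoint) []string {
	out := make([]string, 0, len(eps))
	for _, ep := range eps {
		out = append(out, ep.Address)
	}
	return out
}

// sampleEndpoints returns constructed endpoints covering each case the rule
// distinguishes: mTLS-capable local, plaintext-only local, remote network, and
// local with server-side mTLS disabled.
func sampleEndpoints() []Endpoint {
	return []Endpoint{
		{Address: "10.0.0.1", Network: "network1", Server: ServerTLS{TLSModeLabel: "istio"}},
		{Address: "10.0.0.2", Network: "network1", Server: ServerTLS{TLSModeLabel: "none"}},
		{Address: "10.0.1.1", Network: "network2", Server: ServerTLS{TLSModeLabel: "istio"}},
		{Address: "10.0.0.3", Network: "network1", Server: ServerTLS{TLSModeLabel: "istio", MTLSDisabled: true}},
	}
}

func main() {
	gw := Proxy{Network: "network1", IsGateway: true}
	sc := Proxy{Network: "network1", IsGateway: false}
	for _, mode := range []ClientTLSMode{ClientTLSDisable, ClientTLSIstioMutual} {
		fmt.Printf("gateway  DR=%-12s keeps %v\n", mode, addresses(filterEndpoints(gw, mode, sampleEndpoints())))
		fmt.Printf("sidecar  DR=%-12s keeps %v\n", mode, addresses(filterEndpoints(sc, mode, sampleEndpoints())))
	}
}
```

Running it shows the gateway keeping the same single mTLS-capable local endpoint whichever DR mode the client uses, while the sidecar's list changes only in whether the network2 endpoint is present; that is the behaviour the comment describes, with the plaintext-only and authn-disabled servers excluded from the gateway in both cases.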