-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial code for NetworkScope - filter outbound listener/routes #9361
Conversation
Codecov Report
@@ Coverage Diff @@
## release-1.1 #9361 +/- ##
==============================================
+ Coverage 63% 70% +7%
==============================================
Files 559 436 -123
Lines 51528 39652 -11876
==============================================
- Hits 32384 27492 -4892
+ Misses 17285 10911 -6374
+ Partials 1859 1249 -610
Continue to review full report at Codecov.
|
# example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' | ||
# Leave empty to use default log format | ||
accessLogFormat: '{{ .Values.global.proxy.accessLogFormat }}' | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
more bad merge?
// The list will be populated either from explicit declarations or using 'on-demand' | ||
// feature, before generation takes place. Each node may have a different list, based on | ||
// the requests handled by envoy. | ||
serviceDependencies []*Service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A question: how this field can be updated? I can not find.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OnConnect
// egress and other mesh services to only hosts defined in same namespace or | ||
// 'admin' namespaces. Using services from any other namespaces will require the new NetworkScope | ||
// config. In most cases 'istio-system' should be included. | ||
NetworkScopes = os.Getenv("DEFAULT_NAMESPACE_DEPENDENCIES") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have more comments like format "ns1,ns2,ns3"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok ( this is a short-lived env - will be replaced by values.yaml before release - but should have comments)
// NodeMetadataNetwork defines the network the node belongs to. It is an optional metadata, | ||
// set at injection time. When set, the Endpoints returned to a note and not on same network | ||
// will be replaced with the gateway defined in the settings. | ||
NodeMetadataNetwork = "NETWORK" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I planed to do this kind of work 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sharing work is good :-)
@@ -734,6 +734,8 @@ func (c *Controller) AppendInstanceHandler(f func(*model.ServiceInstance, model. | |||
return nil | |||
} | |||
c.updateEDS(ep) | |||
|
|||
log.Debugf("Handle endpoint %s in namespace %s", ep.Name, ep.Namespace) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In c.updateEDS
there is already a log of this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove that looks good
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, it moved. Ok.
pilot/pkg/proxy/envoy/v2/ads.go
Outdated
// Not logging full request, can be very long. | ||
adsLog.Debugf("ADS:RDS: ACK %s %s (%s) %s %s", peerAddr, con.ConID, con.modelNode.ID, discReq.VersionInfo, discReq.ResponseNonce) | ||
// Already got a list of routes to watch and has same length as the request, this is an ack | ||
if discReq.ResponseNonce != "" { | ||
if discReq.ErrorDetail == nil && discReq.ResponseNonce != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
pilot/pkg/proxy/envoy/v2/ads.go
Outdated
@@ -511,11 +496,11 @@ func (s *DiscoveryServer) StreamAggregatedResources(stream ads.AggregatedDiscove | |||
sort.Strings(routes) | |||
sort.Strings(con.Routes) | |||
|
|||
if reflect.DeepEqual(con.Routes, routes) { | |||
if reflect.DeepEqual(con.Routes, routes) || len(routes) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The 'ack' handling is pretty strange and may change with 'on-demand' - better to be safe.
My understanding is that 'on-demand' will use an ack that has only status code, doesn't include full routes. But I can move this to separate PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see it was moved up ( had to resolve some conflicts when merging - I think that's the old code.)
res = append(res, s) | ||
} | ||
} | ||
proxy.serviceDependencies = res |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since OnConnect
is only called once per proxy, IIUC, serviceDependencies
is set once and never updated.
Then this is not accurate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like, we create a ServiceEntry, how can this updated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack, will fix in separate PR ( I have a TODO in pushConnection )
/test istio-pilot-e2e-envoyv2-v1alpha3 |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: costinm, rshriram The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/hold initConnectionNode--> OnConnect --> serviceDependencies set, but when no new proxy connect, then |
/hold cancel notice this https://github.com/istio/istio/pull/9361/files#diff-ee39cd332931ab6f8c10713ce3446d09R333 |
/test e2e-dashboard |
@costinm: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Enable namespace isolation - the services used in generating outbound listeners and routes will
include only local namespace and explicitly defined imports.
This seems the simplest approach for the current code - we can optimize it further.
Separate PRs will add the import, once the API is finalized - but this setting can already be
used on larger clusters if most namespaces only receive requests from gateways.
For Clusters/EDS we'll build a list based on Listeners/Routes - in a separate PR.