Initial code for NetworkScope - filter outbound listener/routes #9361
Conversation
istio-testing
added
the
do-not-merge/work-in-progress
istio-testing
added
the
needs-rebase
Codecov Report
@@ Coverage Diff @@
## release-1.1 #9361 +/- ##
==============================================
+ Coverage 63% 70% +7%
==============================================
Files 559 436 -123
Lines 51528 39652 -11876
==============================================
- Hits 32384 27492 -4892
+ Misses 17285 10911 -6374
+ Partials 1859 1249 -610
Continue to review full report at Codecov.
|
istio-testing
removed
the
needs-rebase
| # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' | ||
| # Leave empty to use default log format | ||
| accessLogFormat: '{{ .Values.global.proxy.accessLogFormat }}' | ||
|
|
| // The list will be populated either from explicit declarations or using 'on-demand' | ||
| // feature, before generation takes place. Each node may have a different list, based on | ||
| // the requests handled by envoy. | ||
| serviceDependencies []*Service |
There was a problem hiding this comment.
A question: how this field can be updated? I can not find.
| // egress and other mesh services to only hosts defined in same namespace or | ||
| // 'admin' namespaces. Using services from any other namespaces will require the new NetworkScope | ||
| // config. In most cases 'istio-system' should be included. | ||
| NetworkScopes = os.Getenv("DEFAULT_NAMESPACE_DEPENDENCIES") |
There was a problem hiding this comment.
Have more comments like format "ns1,ns2,ns3"
There was a problem hiding this comment.
Ok ( this is a short-lived env - will be replaced by values.yaml before release - but should have comments)
| // NodeMetadataNetwork defines the network the node belongs to. It is an optional metadata, | ||
| // set at injection time. When set, the Endpoints returned to a note and not on same network | ||
| // will be replaced with the gateway defined in the settings. | ||
| NodeMetadataNetwork = "NETWORK" |
There was a problem hiding this comment.
I planed to do this kind of work 👍
There was a problem hiding this comment.
Sharing work is good :-)
| @@ -734,6 +734,8 @@ func (c *Controller) AppendInstanceHandler(f func(*model.ServiceInstance, model. | |||
| return nil | |||
| } | |||
| c.updateEDS(ep) | |||
|
|
|||
| log.Debugf("Handle endpoint %s in namespace %s", ep.Name, ep.Namespace) | |||
There was a problem hiding this comment.
In c.updateEDS there is already a log of this.
pilot/pkg/proxy/envoy/v2/ads.go
Outdated
| // Not logging full request, can be very long. | ||
| adsLog.Debugf("ADS:RDS: ACK %s %s (%s) %s %s", peerAddr, con.ConID, con.modelNode.ID, discReq.VersionInfo, discReq.ResponseNonce) | ||
| // Already got a list of routes to watch and has same length as the request, this is an ack | ||
| if discReq.ResponseNonce != "" { | ||
| if discReq.ErrorDetail == nil && discReq.ResponseNonce != "" { |
pilot/pkg/proxy/envoy/v2/ads.go
Outdated
| @@ -511,11 +496,11 @@ func (s *DiscoveryServer) StreamAggregatedResources(stream ads.AggregatedDiscove | |||
| sort.Strings(routes) | |||
| sort.Strings(con.Routes) | |||
|
|
|||
| if reflect.DeepEqual(con.Routes, routes) { | |||
| if reflect.DeepEqual(con.Routes, routes) || len(routes) == 0 { | |||
There was a problem hiding this comment.
The 'ack' handling is pretty strange and may change with 'on-demand' - better to be safe.
My understanding is that 'on-demand' will use an ack that has only status code, doesn't include full routes. But I can move this to separate PR.
There was a problem hiding this comment.
I see it was moved up ( had to resolve some conflicts when merging - I think that's the old code.)
| res = append(res, s) | ||
| } | ||
| } | ||
| proxy.serviceDependencies = res |
There was a problem hiding this comment.
Since OnConnect is only called once per proxy, IIUC, serviceDependencies is set once and never updated.
Then this is not accurate.
There was a problem hiding this comment.
Like, we create a ServiceEntry, how can this updated?
There was a problem hiding this comment.
Ack, will fix in separate PR ( I have a TODO in pushConnection )
|
/test istio-pilot-e2e-envoyv2-v1alpha3 |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: costinm, rshriram The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/hold initConnectionNode--> OnConnect --> serviceDependencies set, but when no new proxy connect, then |
|
/hold cancel notice this https://github.com/istio/istio/pull/9361/files#diff-ee39cd332931ab6f8c10713ce3446d09R333 |
|
/test e2e-dashboard |
|
@costinm: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Enable namespace isolation - the services used in generating outbound listeners and routes will
include only local namespace and explicitly defined imports.
This seems the simplest approach for the current code - we can optimize it further.
Separate PRs will add the import, once the API is finalized - but this setting can already be
used on larger clusters if most namespaces only receive requests from gateways.
For Clusters/EDS we'll build a list based on Listeners/Routes - in a separate PR.