KEP-3726: Add 'kubernetes.io/raw' as a standard app protocol #4106
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
kind/kep
|
For posterity, could we please get more of the context pulled in from the related bits into the PR description here? |
Done |
| @@ -180,6 +181,7 @@ type ServicePort struct { | |||
| // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 | |||
| // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 | |||
| // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 | |||
| // * 'kubernetes.io/raw' - Traffic to this port is the protocol value defined by this port's `protocol` field. (ie. TCP/UDP/SCTP) | |||
There was a problem hiding this comment.
Traffic to any port is the protocol defined by protocol. That's tautological. How about something like:
"Opaque traffic which should not be handled inspected further"
There was a problem hiding this comment.
That's not quite right either though @thockin. We still want the node OS (or container runtime sandbox, if it's something like gVisor) to process the lower layer stuff. But there's no application protocol on top.
I don't want anyone to misconstrue this as an opt-out from their security appliance and packet / flow inspection.
How about
| // * 'kubernetes.io/raw' - Traffic to this port is the protocol value defined by this port's `protocol` field. (ie. TCP/UDP/SCTP) | |
| // * 'kubernetes.io/raw' - Opaque application traffic; implementations should not apply special processing |
Gateway API GEP - kubernetes-sigs/gateway-api#1911 How can users specify their traffic to a service/endpointslice port is exactly what's specified in Then I saw that the standard protocol KEP had a clause about |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dprotaso The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I meant we should add text here explaining that sometimes implementations assume they can "sniff" the protocol and sometimes that causes problems and we don't want them to. What I am struggling with is why this is generic API and not |
|
Maybe You might want to validate at admission time that an app protocol has been declared I guess. Not sure how a null value here is different from opaque though. |
|
disclosure: not an ingress implementator For the Gateway GEP I could suggest that if the Thus having some constant to suggest that If we feel that this doesn't belong as a k8s standard protocol I can bring this to the Gateway folks for a discussion. |
|
FWIW as an implementation that does sniffing (but not the first - Linkerd
was as far as I know), the reason we added it was our onboarding guide was
something like:
1. Install service mesh
2. Go update all your port definitions, in every service, including third
party helm charts, etc
3. Enjoy service mesh-y features
Step (2) was a big big hurdle to adoption.
…On Wed, Jul 12, 2023 at 9:39 AM Dave Protasowski ***@***.***> wrote:
disclosure: not an ingress implementator
For the Gateway GEP *I could* suggest that if the appProtocol is not set
then assume target will accept traffic of as defined by protocol and
don't perform sniffing. But my guess is most users do not set appProtocol
so there is an advantage to some implementations performing this sniffing.
Thus having some constant to suggest that protocol should be interpreted
as absolute is what I'm trying to do.
If we feel that this doesn't belong as a standard protocol I can bring
this to the Gateway folks for a discussion.
—
Reply to this email directly, view it on GitHub
<#4106 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXP7ASGCW4Q3K423Z6LXP3HMXANCNFSM6AAAAAAZMCXY6A>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
What I am asking is - why is sniffing ever bad? Is that implementation-centric or actually fundamental? It feels like "raw" is a way to express "I know I am using istio, and I know istio is broken in this specific way, so let's disable that". |
Ah, good question. The main issue is that for some protocols (mysql, most commonly), its entirely broken: https://istio.io/latest/docs/ops/deployment/requirements/#server-first-protocols. There are also some more niche use cases where you already know its not HTTP so you why bother with the complexity, but I think that is mostly hypothetical |
|
So, in this case it really is "I know something about my implementation". But why do we want "raw" instead of "mysql" ? |
We could, but mysql is just one common case. I have seen maybe 10 different protocols that are "server first" in my experience, and I am sure there are more - so it can be challenging to keep up with. |
So assume I am a user who invents a new, bespoke protocol which is server-first. Istio obviously doesn't support me. If I am using istio and sniffing breaks, should I specify |
You could and that would work fine, but its not really portable which seems to be the goal of all of the protocol definitions, right? You could do Similarly for Granted, I could make the same argument about almost any |
If we define "standard" raw, and then some implementations get better at sniffing, we've created an attractive nuisance. Premature pessimization. "raw" is different from the rest - the others are affirmative statements, "raw" is not telling us what it IS, it's a bypass. That's why I am unsure |
My original definition was that "raw" meant look at the I think an alternative would be to specify IANA names for TCP, UDP, etc in the |
|
|
The challenge is to tell apart empty-by-intent from empty-by-default. Lots of clusters will have objects with no value specified for this field. |
The absence of an We're telling the end user "it's not your fault, but it is your problem -- you have to take action to clean up our mess". Yuck. I'm not against "raw", I just think it shouldn't be "kubernetes.io/raw". If mesh implementations want to agree on a common name, that's outside my purvey. |
|
I'm inferring that mesh vendors might agree on |
sorry, I have to make the joke 🥲 |
|
kubernetes.io/do-what-i-mean-not-what-i-said
…On Thu, Jul 13, 2023 at 1:27 AM Antonio Ojea ***@***.***> wrote:
We're telling the end user "it's not your fault, but it is your problem -- you have to take action to clean up our mess". Yuck.
sorry, I have to make the joke 🥲 kubernetes.io/mess
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
So after all this discussion, I think we say thanks, but no thanks to this one, right? |
|
Sounds good |
Upstream K8s folks did not want to add this constant. See: kubernetes/enhancements#4106
* Initial draft of GEP-1911 allowing end-users to specify backend protocols * fix tab vs spaces * indicate that per-protocol structs can be extended in the future * Add small intro * Address Candace's feedback * add an option to consider re-using Route resources * expand appProtocol based on findings * how would we configure certain protocols via appProtocol * rewrite doc to focus on supporting Kubernetes Standard Application Protocols * fix link * add back multiple protocols on the same port * change multiple protocol example to TCP/UDP which is what K8s supports * fix links * move alternate API under a detail block so people don't confuse that as the proposed API * add a compatability table * fix links * Drop raw support Upstream K8s folks did not want to add this constant. See: kubernetes/enhancements#4106 * tweak default protocol clause * tweak tables so columns are the same * limit multiplex protocols to just those supported by K8s (UDP/TCP for now) * tweak new appProtocol section - include an example of using a gateway api special prefix * label open questions explicitly * three kubernetes.io appProtocols * incompatible backend protocols make the backend invalid * add godoc to HTTPBackendRef explaining and invalid backend * drop alternative example because people keep commenting on it * Drop alternative mechanic that's used in GAMMA * address Nicks comments * add references to Google and AWS's approach to the problem * TLSConnectionPolicy => BackendTLSPolicy * address Rob's feedback * drop SCTP multiplexing question * absence of appProtocol doesn't mean implementations disable features * multiplexing UDP/TCP is optional * TLSRoute paired to non-TLS listener doesn't make sense * fix casing on some section titles * specific protocol support is optional * Update geps/gep-1911.md Co-authored-by: Rob Scott <rob.scott87@gmail.com> --------- Co-authored-by: Rob Scott <rob.scott87@gmail.com>
This PR is a continuation of #3996 - simplified diff is here 93d0269
kubernetes.io/rawas a standard app protocolThis is completing the follow up work outlined in the KEP-3726 update introduce here - #3912
Specifically
Motivation
Gateway API GEP - kubernetes-sigs/gateway-api#1911
Problem: How can users specify their traffic to a service/endpointslice port is exactly what's specified in protocol and automatic detection should be turned off.
I saw that the standard protocol KEP had a clause about raw - but it wasn't added.