configmap: option to not trust incoming tracing spans #7045
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Hi @timmysilv. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/M
k8s-ci-robot
removed
the
size/M
timmysilv
changed the title
k8s-ci-robot
added
the
size/S
rootfs/etc/nginx/template/nginx.tmpl
Outdated
| @@ -1092,6 +1092,9 @@ stream { | |||
| set $global_rate_limit_exceeding n; | |||
|
|
|||
| {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $location }} | |||
| {{ if not $all.Cfg.OpentracingTrustIncomingSpan }} | |||
There was a problem hiding this comment.
Is there a reason for this configuration to be global instead of location specific / per annotation?
There was a problem hiding this comment.
Nope. It could be added to buildOpentracingForLocation() and use the same logic as isOTSetInLoc && isOTEnabledInLoc if that's preferred, so there can be both global and location-specific settings.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/assign |
k8s-ci-robot
added
size/L
| {"globally enabled and enabled in location", true, true, &trueVal, loadOT}, | ||
| {"globally disabled and not enabled in location", false, false, nil, ""}, | ||
| {"globally disabled but enabled in location", false, true, &trueVal, loadOT}, | ||
| {"globally disabled, enabled in location but false", false, true, &trueVal, loadOT}, |
There was a problem hiding this comment.
deleted this line bc it was the same as the one before. Also added true, false, nil to each line since that results in the same behaviour as before this PR.
| @@ -1343,33 +1343,29 @@ func httpsListener(addresses []string, co string, tc config.TemplateConfig) []st | |||
| return out | |||
| } | |||
|
|
|||
| func buildOpentracingForLocation(isOTEnabled bool, location *ingress.Location) string { | |||
| func buildOpentracingForLocation(isOTEnabled bool, isOTTrustSet bool, location *ingress.Location) string { | |||
| isOTEnabledInLoc := location.Opentracing.Enabled | |||
| isOTSetInLoc := location.Opentracing.Set | |||
|
|
|||
| if isOTEnabled { | |||
| if isOTSetInLoc && !isOTEnabledInLoc { | |||
There was a problem hiding this comment.
I'm still trying to ramp up on this, but maybe... why we check isOTSetnLock and isOTEnabledInLoc, when isOTEnabledInLoc = false will always be false? And the default value is false anyway?
I would remove this and check only !isOTEnabledInLoc {return opentracing off; }
There was a problem hiding this comment.
The default for isOTEnabledInLoc is false, so this scenario means:
- OT is enabled globally
- There is an OT annotation present on the specific Ingress
- That annotation is set to false
The reason to check both is the (common) case where OT is enabled globally, and there is no annotation present on an Ingress. In that case the values will be: {isOTEnabled: true, isOTSetInLoc: false, isOTEnabledInLoc: false}, BUT it should be enabled in that location.
| } | ||
|
|
||
| return opc | ||
| } else if !isOTSetInLoc || !isOTEnabledInLoc { |
There was a problem hiding this comment.
Same here, I might be missing something but are we double checking things that might be a legacy behavior?
There was a problem hiding this comment.
Agreed, in this case we should be able to just check !isOTEnabledInLoc. If it's set and set to false, don't enable. And if it's not set, the default for this bool would be false anyway. Also don't enable.
| @@ -1094,7 +1094,7 @@ stream { | |||
| set $location_path {{ $ing.Path | escapeLiteralDollar | quote }}; | |||
| set $global_rate_limit_exceeding n; | |||
|
|
|||
| {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $location }} | |||
| {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $all.Cfg.OpentracingTrustIncomingSpan $location }} | |||
There was a problem hiding this comment.
I think the main difference here is:
Opentracing can be enabled globally, while we can or cannot enable trusting incoming span locally right?
So my question is: what is the behavior, as the cluster admin we wanna do? Leave this decision to the user? If so, this should be exclusively local (and we don't need to assess this here).
If we want to have precedence, than we need to have a configmap that explicits if we trust incoming span or not, and bypass the verification of the location
There was a problem hiding this comment.
This PR adds that configmap value. Without this PR (current state), all incoming spans are accepted as default behaviour. The change introduced here is the option to set a global "off" switch for that. The possible scenarios are:
- Spans are trusted globally, but certain backend/ingress owners decide they don't want to trust any spans
- Spans are not trusted globally, but certain backend/ingress owners decide that they do want to trust any spans
Seeing as we don't know every user of ingress-nginx, I'd prefer to keep it flexible. However, if you feel that there is a principle to be followed (for example, when trust is globally disabled then no one backend owner should have the right to enable it for just them), I am willing to change this PR to become more opinionated.
|
@timmysilv I'm really ok with this :) Just wondering what are the user stories: Should we block trusting span globally? Per user? both? Please just give me some context so we can decide the best approach together. |
|
@timmysilv friendly ping :) |
|
hi, sorry for the lack of clarity - I explained how this feature might be used by cluster owners and app owners in tandem in the inline comment responses. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rikatz, timmysilv The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
* validate the sender of tracing spans * add location-specific setting
* validate the sender of tracing spans * add location-specific setting
What this PR does / why we need it:
nginx-opentracing allows a static configuration to not propagate incoming span headers. This gives the user the opportunity to choose whether to propagate the trace/span headers via configmap.
Types of changes
Which issue/s this PR fixes
How Has This Been Tested?
Checklist: