-
Notifications
You must be signed in to change notification settings - Fork 124
Depreciation of TrafficRoutes in favor of supporting Kubernetes Gateway API - WIP #249
Comments
For the proposed switch to Multiple An HTTPRoute can also define multiple We've focused mostly on |
I have some questions about how we need to handle Additionally, I'm currently of the opinion that |
Drive by comment from an Istio developer (speaking without consensus from Istio community) - IMO it should work like this: A Route is bound to a Service (TODO how exactly this fits in the API). What this means is "All requests to this Service should use this route". This should be identified by the Service IP. Once we have a route selected, we follow the standard route matching. For HTTP kind: HTTPRoute
parentRef:
- Service foo # TODO on syntax
hostname: [bar.com]
... This would mean Similar applies to SNI for TLSRoute. Note that this means that using Hostname with mesh would likely be pretty rare. It could maybe be useful for a service like, say, nginx that is doing its own vhost routing so you would call it with different Host headers, but definitely an exception. This is not what Istio is doing here, but I want to change it. Today Istio doesn't do any IP matching at all for HTTP, so everything is host header based. This has caused various issues described in https://docs.google.com/document/d/1NAccj8WyjBXOUsMdOHW9sWW6PeCnrIWpc3muBHd4Cs8/. |
I never thought about binding the route to service, but the more I think about it, the more it makes sense... I also agree that too much reliance on host headers likely leads to an inconsistent experience for users. SMI still has yet to answer the question "what is a service" in the spec, and the future parentRef API implementation may give us that. The natural question though is how to handle headless services, but I imagine we could develop a consistent spec for how mesh implementations should translate the headless service to its endpoint IPs for matching purposes. |
I only mentioned Service, but I think binding to "workload"/Pod also makes sense. For example, I could want to apply some route to all requests to a specific pod (again, matched by IP). Now no one really wants to select a single Pod probably, but there are ways to group pods (Headless service is a great example, or even something that says "Workloads of this Service" or some of the higher constructs like Deployment, etc. Or a custom type - lot of options). FWIW Today Istio doesn't even really handle traffic directly to pods (except in headless service, and even then pretty poorly), so all of this is pretty aspirational from our perspective. |
Yeah and on top of all of that, we need to make sure our solution handles the Gateway -> Mesh case smoothly. What does it look like for an HTTPRoute that has a parentRef of Gateway and a backendRef to service A and another HTTPRoute with a parentRef of Service A? Do we allow nested traffic splitting, one policy at ingress and then another policy at the mesh level? Lots of fun questions to tackle 😄 |
BTW @nicholasjackson the issue title has a wording error; it should start with “Deprecation”. |
This issue is to discuss the overlaps between SMI and Kubernetes Gateway API and the possibility that where there is an overlap SMI adopts Gateway API in replacement for its own resources concentrating purely on service mesh specific resources.
Gateway API Spec:
https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io
TrafficSpecs Comparison
The below example shows comparable functionality as could be implemented using SMI or Gateway spec, the core difference in this specification is that SMI TrafficTarget controls service to service authorization.
Notes:
The text was updated successfully, but these errors were encountered: