sourceLabels not working in ambient mode #51565

Open
zhxjdwh opened this issue Jun 13, 2024 · 1 comment
Labels
area/ambient Issues related to ambient mesh area/networking

Comments


zhxjdwh commented Jun 13, 2024

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

When I use sidecar mode, sourceLabels works well.
But if I use ambient mode, sourceLabels matches all requests and works as the default route.

Reproduce

  1. Install Istio
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
  { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl apply -f -; }

istioctl install --set profile=ambient --skip-confirmation

kubectl label namespace default istio.io/dataplane-mode=ambient

istioctl x waypoint apply --enroll-namespace --wait
  2. Install Demo application
kind: Deployment
apiVersion: apps/v1
metadata:
  name: netshoot
  namespace: default
  labels:
    app: netshoot
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netshoot
  template:
    metadata:
      name: netshoot
      labels:
        app: netshoot
    spec:
      containers:
        - name: netshoot
          image: nicolaka/netshoot
          command:
            - nc
          args:
            - '-l'
            - '8080'
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
          securityContext:
            privileged: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: httpecho-v1
  namespace: default
  labels:
    app: httpecho
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpecho
      version: v1
  template:
    metadata:
      name: httpecho-v1
      creationTimestamp: null
      labels:
        app: httpecho
        version: v1
    spec:
      containers:
        - name: httpecho-v1
          image: hashicorp/http-echo:latest
          command:
            - /http-echo
          args:
            - '-text="echo-v1"'
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
          securityContext:
            privileged: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: httpecho-v2
  namespace: default
  labels:
    app: httpecho
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpecho
      version: v2
  template:
    metadata:
      name: httpecho-v2
      creationTimestamp: null
      labels:
        app: httpecho
        version: v2
    spec:
      containers:
        - name: httpecho-v2
          image: hashicorp/http-echo:latest
          command:
            - /http-echo
          args:
            - '-text="echo-v2"'
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
          securityContext:
            privileged: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: httpecho-v3
  namespace: default
  labels:
    app: httpecho
    version: v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpecho
      version: v3
  template:
    metadata:
      name: httpecho-v3
      creationTimestamp: null
      labels:
        app: httpecho
        version: v3
    spec:
      containers:
        - name: httpecho-v3
          image: hashicorp/http-echo:latest
          command:
            - /http-echo
          args:
            - '-text="echo-v3"'
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
          securityContext:
            privileged: false
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

---
kind: Service
apiVersion: v1
metadata:
  name: httpecho
  namespace: default
  labels:
    app: httpecho
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 5678
  selector:
    app: httpecho
  type: ClusterIP
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster

---
kind: Service
apiVersion: v1
metadata:
  name: httpecho-v1
  namespace: default
  labels:
    app: httpecho
    version: v1
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 5678
  selector:
    app: httpecho
    version: v1
  type: ClusterIP
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster

---
kind: Service
apiVersion: v1
metadata:
  name: httpecho-v2
  namespace: default
  labels:
    app: httpecho
    version: v2
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 5678
  selector:
    app: httpecho
    version: v2
  type: ClusterIP
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
---
kind: Service
apiVersion: v1
metadata:
  name: httpecho-v3
  namespace: default
  labels:
    app: httpecho
    version: v3
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 5678
  selector:
    app: httpecho
    version: v3
  type: ClusterIP
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
  3. Create VirtualServices and DestinationRules
kind: VirtualService
apiVersion: networking.istio.io/v1beta1
metadata:
  name: httpecho
  namespace: default
spec:
  hosts:
    - httpecho.default.svc.cluster.local
  http:
    - match:
        - sourceLabels:
            should_not_match_this_v1: nothing
      route:
        - destination:
            host: httpecho.default.svc.cluster.local
            subset: v1
    - route:
        - destination:
            host: httpecho.default.svc.cluster.local
            subset: v2

---

kind: DestinationRule
apiVersion: networking.istio.io/v1beta1
metadata:
  name: httpecho
  namespace: default
spec:
  host: httpecho.default.svc.cluster.local
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
    - name: v3
      labels:
        version: v3
  4. Test in netshoot container
According to the VirtualService definition, requests should route to "echo-v2" instead of "echo-v1":
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"
netshoot-5556b6c97b-qb25h:~# curl httpecho.default.svc.cluster.local
"echo-v1"

Version

./istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.22.1 (2 proxies)

kubectl version
Client Version: v1.28.3-eks-e71965b
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.9-eks-036c24b

Additional Information

No response

@istio-policy-bot istio-policy-bot added area/ambient Issues related to ambient mesh area/networking labels Jun 13, 2024
@howardjohn
Member

Thanks for the report. One note: with ambient, Gateway API is the tested and recommended approach to routing (https://preliminary.istio.io/latest/docs/releases/feature-stages/#ambient).

SourceLabels will never work in ambient. Maybe we should make it so they just never apply instead of always apply, though.
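A pre-apply check for the failure mode reported above, added here as an example; it is not part of the issue and not Istio tooling. It reads the JSON that `kubectl get ns -o json` and `kubectl get virtualservices -A -o json` emit and flags every rule whose match relies on sourceLabels while the VirtualService or one of its destinations lives in a namespace labelled istio.io/dataplane-mode=ambient, where the match is reported to apply to every request instead of none. The sample inputs are constructed to mirror the issue's manifests, plus one non-ambient namespace that should not be flagged.

```python
import json

AMBIENT_LABEL = "istio.io/dataplane-mode"  # set by: kubectl label namespace default istio.io/dataplane-mode=ambient

def ambient_namespaces(ns_list):
    """Names of namespaces labelled istio.io/dataplane-mode=ambient (input: `kubectl get ns -o json`)."""
    return {
        ns["metadata"]["name"]
        for ns in ns_list.get("items", [])
        if ns["metadata"].get("labels", {}).get(AMBIENT_LABEL) == "ambient"
    }

def host_namespace(host, vs_namespace):
    """Namespace of a destination host: 'svc.ns.svc.cluster.local' -> 'ns'; a short name means the VS namespace."""
    parts = host.split(".")  # external hosts such as 'example.com' are not special-cased here
    return parts[1] if len(parts) > 1 else vs_namespace

def find_source_label_rules(vs_list, ambient_ns):
    """(namespace/name, protocol, rule index) for each rule that matches on sourceLabels in an ambient namespace."""
    findings = []
    for vs in vs_list.get("items", []):
        ns, name = vs["metadata"]["namespace"], vs["metadata"]["name"]
        for proto in ("http", "tcp", "tls"):
            for idx, rule in enumerate(vs.get("spec", {}).get(proto, [])):
                if not any("sourceLabels" in m for m in rule.get("match", [])):
                    continue
                # The waypoint serves the destination, so check both the VS namespace and the route targets.
                dest_ns = {host_namespace(r["destination"]["host"], ns) for r in rule.get("route", [])}
                if ns in ambient_ns or dest_ns & ambient_ns:
                    findings.append((f"{ns}/{name}", proto, idx))
    return findings

# Constructed samples in the shape kubectl emits, mirroring the issue's manifests plus one sidecar namespace.
NS_JSON = json.loads('{"items":[{"metadata":{"name":"default","labels":{"istio.io/dataplane-mode":"ambient"}}},'
                     '{"metadata":{"name":"legacy"}}]}')
VS_JSON = json.loads("""{"items":[
 {"metadata":{"name":"httpecho","namespace":"default"},
  "spec":{"hosts":["httpecho.default.svc.cluster.local"],
   "http":[{"match":[{"sourceLabels":{"should_not_match_this_v1":"nothing"}}],
            "route":[{"destination":{"host":"httpecho.default.svc.cluster.local","subset":"v1"}}]},
           {"route":[{"destination":{"host":"httpecho.default.svc.cluster.local","subset":"v2"}}]}]}},
 {"metadata":{"name":"reviews","namespace":"legacy"},
  "spec":{"hosts":["reviews"],
   "http":[{"match":[{"sourceLabels":{"app":"web"}}],"route":[{"destination":{"host":"reviews"}}]}]}}]}""")

if __name__ == "__main__":
    for ref, proto, idx in find_source_label_rules(VS_JSON, ambient_namespaces(NS_JSON)):
        print(f"{ref}: {proto} rule #{idx} matches on sourceLabels in ambient; per this issue it matches every request")
```

Run it against live output with the two kubectl commands piped to files and loaded in place of the constructed samples; any finding means the rule's intended restriction is not enforced by the waypoint.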
