Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix port merge of kubernetes services in sidecar #50840

Merged
merged 4 commits into from
May 7, 2024
Merged

fix port merge of kubernetes services in sidecar #50840

merged 4 commits into from
May 7, 2024

Conversation

ramaraochavali
Copy link
Contributor

@ramaraochavali ramaraochavali commented May 3, 2024
edited by istio-policy-bot
Loading

K8s servie merge in sidecar is broken since #48896. When a sidecar is defined with two egress listeners pointing to two ports, the port merge does not happen

  egress:
  - hosts:
    - '*/foo.svc.cluster.local'
    port:
      name: tcp-port1
      number: 7443
      protocol: TCP
  - hosts:
    - '*/foo.svc.cluster.local'
    port:
      name: tcp-port2
      number: 7442
      protocol: TCP

With the above sidecar, the merged service will only have one port and hence only cluster is created.

  • Ambient
  • Configuration Infrastructure
  • Docs
  • Dual Stack
  • Installation
  • Networking
  • Performance and Scalability
  • Policies and Telemetry
  • Security
  • Test and Release
  • User Experience
  • Developer Infrastructure

@ramaraochavali
fix k8s service merge in sidecar
75280da 
Signed-off-by: Rama Chavali <[email protected]>
@ramaraochavali
add release notes
750e7cb 
Signed-off-by: Rama Chavali <[email protected]>
@ramaraochavali
rever unnecessary changes
2396027 
Signed-off-by: Rama Chavali <[email protected]>
@ramaraochavali ramaraochavali requested a review from a team as a code owner May 3, 2024 15:52
@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 3, 2024
ramaraochavali
ramaraochavali commented May 3, 2024
View reviewed changes
pilot/pkg/model/sidecar_test.go
@@ -2060,56 +2076,6 @@ func TestCreateSidecarScope(t *testing.T) {
},
},
},
{
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test not relevant. Kubernetes service in the same namespace should be merged. The existing changed test verifies this behaviour

ramaraochavali
ramaraochavali commented May 3, 2024
View reviewed changes
pilot/pkg/model/sidecar_test.go
@@ -2201,7 +2167,7 @@ func TestCreateSidecarScope(t *testing.T) {
expectedServices: []*Service{
{
Hostname: "proxy",
Ports: port7443,
Ports: port744x,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again here, k8s service ports should be merged while taking precedence

@ramaraochavali
Copy link
Contributor Author

This broke our existing deployments after upgrade.

@hzxuzhonghu
Copy link
Member

can you describe how you merge svces in the egress listeners. As we can see in xds generator, sometimes we use services in egress listenrs, some times we use services in sidecarScope

@ramaraochavali
Copy link
Contributor Author

See this example

  egress:
  - hosts:
    - '*/foo.svc.cluster.local'
    port:
      name: tcp-port1
      number: 7443
      protocol: TCP
  - hosts:
    - '*/foo.svc.cluster.local'
    port:
      name: tcp-port2
      number: 7442
      protocol: TCP

It generates two listeners but only one cluster with outbound|7443||foo.svc.cluster.local. It does not generate cluster for 7442. This is broken in current release

hzxuzhonghu
hzxuzhonghu reviewed May 6, 2024
View reviewed changes
pilot/pkg/model/sidecar.go
if existing.Attributes.ServiceRegistry == provider.Kubernetes {
log.Debugf("Service %s/%s from registry %s ignored by %s/%s/%s", s.Attributes.Namespace, s.Hostname, s.Attributes.ServiceRegistry,
// We do not merge k8s service with any other services from other registries
if existing.Attributes.ServiceRegistry == provider.Kubernetes && s.Attributes.ServiceRegistry != provider.Kubernetes {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how could this occur two services in k8s have same fqdn

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

istio/pilot/pkg/model/sidecar.go

Line 426 in 044be69

sc.appendSidecarServices(servicesAdded, s)
- It can come from here if two egress listener select the same service with different port

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please try with this sidecar #50840 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see how this occur, it is the egress listener with generate intermeditae svc with only one port from the original k8s svc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes and we need to merge at that end

hzxuzhonghu
hzxuzhonghu reviewed May 6, 2024
View reviewed changes
pilot/pkg/model/sidecar.go
log.Debugf("Service %s/%s from registry %s ignored by %s/%s/%s", existing.Attributes.Namespace, existing.Hostname, existing.Attributes.ServiceRegistry,
// newly created Services cannot take ownership unexpectedly. However, the Service is from Kubernetes it should
// take precedence over ones not. This prevents someone from "domain squatting" on the hostname before a Kubernetes Service is created.
if existing.Attributes.ServiceRegistry != provider.Kubernetes && s.Attributes.ServiceRegistry == provider.Kubernetes {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The above comment apply here

hzxuzhonghu
hzxuzhonghu reviewed May 6, 2024
View reviewed changes
Copy link
Member

@hzxuzhonghu hzxuzhonghu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add multiple sidecar egress listeners svc match test

pilot/pkg/model/sidecar.go
if existing.Attributes.ServiceRegistry == provider.Kubernetes {
log.Debugf("Service %s/%s from registry %s ignored by %s/%s/%s", s.Attributes.Namespace, s.Hostname, s.Attributes.ServiceRegistry,
// We do not merge k8s service with any other services from other registries
if existing.Attributes.ServiceRegistry == provider.Kubernetes && s.Attributes.ServiceRegistry != provider.Kubernetes {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see how this occur, it is the egress listener with generate intermeditae svc with only one port from the original k8s svc.

@ramaraochavali
Copy link
Contributor Author

Can you add multiple sidecar egress listeners svc match test

We already have that test

istio/pilot/pkg/model/sidecar_test.go

Line 2214 in 044be69

name: "multi-port-merge",
- it did not fail because we do not specify service registry attribute. I fixed it

@hzxuzhonghu
Copy link
Member

@ramaraochavali The test has service resides in different namespaces

@ramaraochavali
add one mpore test
2da0df4 
Signed-off-by: Rama Chavali <[email protected]>
@ramaraochavali
Copy link
Contributor Author

ramaraochavali commented May 6, 2024
edited
Loading

I do not think that really matters much because first service has all the ports and is in ns1 namespace- even that failed without this. Any way, I have added additional test

hzxuzhonghu
hzxuzhonghu approved these changes May 7, 2024
View reviewed changes
Copy link
Member

@hzxuzhonghu hzxuzhonghu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LG now

@ramaraochavali ramaraochavali added the cherrypick/release-1.22 Set this label on a PR to auto-merge it to the release-1.22 branch label May 7, 2024
@istio-testing istio-testing merged commit e66d1b8 into istio:master May 7, 2024
28 checks passed
@istio-testing istio-testing mentioned this pull request May 7, 2024
Merged
@istio-testing
Copy link
Collaborator

In response to a cherrypick label: new pull request created: #50887

@ramaraochavali ramaraochavali deleted the fix/sidecar_port branch May 7, 2024 09:43
luksa pushed a commit to luksa/istio that referenced this pull request Oct 14, 2024
Automator: merge upstream changes to openshift-service-mesh/istio@master
152fc5f 
* upstream/master:
  fix release-notes kind (istio#50906)
  discovery fake: allow kube-client override (istio#50896)
  change #none to none for use-waypoint (istio#50842)
  Update iptables image SHA (istio#50898)
  Update BASE_VERSION to master-2024-05-07T22-48-43 (istio#50897)
  Add some more useful logging around iptables selection in ambient CNI (istio#50891)
  Automator: update ztunnel@master in istio/istio@master (istio#50890)
  stop default for istio.io/waypoint-for in istioctl (istio#50889)
  Update integration README by adding a missing command-line flag and fixing typos (istio#50866)
  Automator: update proxy@master in istio/istio@master (istio#50888)
  fix port merge of kubernetes services in sidecar (istio#50840)
  bump proxy and ambient test (istio#50882)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hzxuzhonghu hzxuzhonghu hzxuzhonghu approved these changes

Assignees
No one assigned
Labels
cherrypick/release-1.22 Set this label on a PR to auto-merge it to the release-1.22 branch size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ramaraochavali @hzxuzhonghu @istio-testing