add support for configuring internal addresses #2312
Conversation
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
|
😊 Welcome @ramaraochavali! This is either your first contribution to the Istio api repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
There was a problem hiding this comment.
I was also looking at something like this - not sure what your use case is, but I am trying to simplify the configuration of 'egress gateway' by redirecting all non-internal addresses to the gateway. Still working on a RFC..
What I was thinking was to actually extend the existing 'networks'. In other words, a user may have a multi-network mesh, with each network having a set of 'internal cidr ranges' - and we already have a config to define that via MeshNetworks.fromCidr.
The equivalent of what you propose is using
default:
- fromCidr: ....
| @@ -1088,8 +1088,12 @@ message MeshConfig { | |||
| // Configuration of mTLS for traffic between workloads within the mesh. | |||
| TLSConfig mesh_mTLS = 63; | |||
|
|
|||
| // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 | |||
| // IP addresses will be considered internal. | |||
| repeated string internal_addresses = 64; | |||
There was a problem hiding this comment.
But what happens if it is set ? Are those extras ?
There was a problem hiding this comment.
If this is set, the cidr range specified here would be considered as internal address instead of default one
There was a problem hiding this comment.
do we need set all clusters' pod cidrs(in a multi clusters mesh) here for best practice?
There was a problem hiding this comment.
Not for 'best practice' - it won't work otherwise... But I think if you add the ranges above it'll cover all the mesh.
There was a problem hiding this comment.
do we need set all clusters' pod cidrs(in a multi clusters mesh) here for best practice
No.
Yes. If we add the ranges above, it covers the entire mesh
|
On Tue, Apr 5, 2022 at 9:13 AM Rama Chavali ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In mesh/v1alpha1/config.proto
<#2312 (comment)>:
> @@ -1088,8 +1088,12 @@ message MeshConfig {
// Configuration of mTLS for traffic between workloads within the mesh.
TLSConfig mesh_mTLS = 63;
+ // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193
+ // IP addresses will be considered internal.
+ repeated string internal_addresses = 64;
If this is set, the cidr range specified here would be considered as
internal address instead of default one
Maybe add this to the doc, and list the IP4 and IP6 ranges that are set as
default ( so if the user wants to _add_ an extra network they don't
miss some of the ranges in RFC1918/...)
… Message ID: ***@***.***>
|
|
Can you elaborate how internal address is treated differently |
|
@hzxuzhonghu Envoy sets "x-envoy-internal" header and services can use it to decide whether the call is from internal mesh/public. That is a common usecase. |
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
|
@costinm That makes sense. I updated the comments. |
Why could not infer this from other headers? |
Which header? |
|
x-envoy-xxx |
which header? x-envoy-internal is the one which tells whether the address is internal or external and it is derived from xff (which is again based on this value) |
|
Oh, I misunderstood a little about the background. Since for istio internal mesh sidecar-sidecar communication, no xff is appended. only external-call --> gateway--> server, xff is generated. By looking at this header, could know if it is external |
|
Yes. |
|
@costinm @hzxuzhonghu Can you please approve if you don't have any further questions? |
There was a problem hiding this comment.
few remaining issues:
- please add the IP6 ranges as well to the doc - I bet users will forget to add them
- I think we need more discussion if we want to add this here, or use the existing 'networks', which define the ranges of pods in each internal network.
In a multi-network case the user shouldn't have to duplicate the ranges both here and in networks. The networks also has the benefit that it is also associating the ranges with network names, so I would prefer that - we can get the same behavior you have here by setting the fromRanges on the 'default' network with no API changes.
| @@ -1088,8 +1088,12 @@ message MeshConfig { | |||
| // Configuration of mTLS for traffic between workloads within the mesh. | |||
| TLSConfig mesh_mTLS = 63; | |||
|
|
|||
| // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 | |||
| // IP addresses will be considered internal. | |||
| repeated string internal_addresses = 64; | |||
There was a problem hiding this comment.
Not for 'best practice' - it won't work otherwise... But I think if you add the ranges above it'll cover all the mesh.
If we go down this path - we need to change https://github.com/istio/api/blob/master/mesh/v1alpha1/network.proto#L53 to repeated. If you are OK with that, I can change that as well |
| @@ -1088,8 +1088,18 @@ message MeshConfig { | |||
| // Configuration of mTLS for traffic between workloads within the mesh. | |||
| TLSConfig mesh_mTLS = 63; | |||
|
|
|||
| // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 | |||
There was a problem hiding this comment.
can you explain in the comments what the implications of "internal" are?
mesh/v1alpha1/config.proto
Outdated
| // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 | ||
| // IP addresses will be considered internal. | ||
| // RFC 1918 defines the following address ranges as private, | ||
| // 10.0. 0.0/8 (addresses 10.0. 0.0 through 10.255. 255.255 inclusive) |
There was a problem hiding this comment.
nit: weird spacing in the IPs?
There was a problem hiding this comment.
yeah. Copied from RFC. Will correct
|
BTW - if you do make changes to the Networks proto, I would strongly
recommend
```
from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- ipBlock:
cidr: 1.1.1.0/24
-....
```
( copied from NetworkPolicy ) - instead of another variation. Will also
make it easier to write NetworkPolicies - I expect users will want to do
this as well
for 'in-depth' defence.
…On Fri, Apr 8, 2022 at 7:07 AM Costin Manolache ***@***.***> wrote:
Endpoints are already repeated.
- fromCidr: 1.1.1.0/24
- fromCidr: .....
I don't think making a fromCidr repeated is backward compatible, but we
could add a new one
endpoints:
fromCidrs:
- ....
- ....
How about getting the implementation with the current API, and sync in
next NetworkingWG - I think having a good way to
describe the IP ranges and networks is pretty important but may be time to
move it to a proper CRD and figure out how
it can be used with K8S Gateway attachment policy, etc.
Meanwhile - I don't think the feature you need is blocked by API change if
you use networks, just not ideal UX.
On Fri, Apr 8, 2022 at 1:06 AM Rama Chavali ***@***.***>
wrote:
> I think we need more discussion if we want to add this here, or use the
> existing 'networks', which define the ranges of pods in each internal
> network.
>
> If we go down this path - we need to change
> https://github.com/istio/api/blob/master/mesh/v1alpha1/network.proto#L53
> to repeated. If you are OK with that, I can change that as well
>
> —
> Reply to this email directly, view it on GitHub
> <#2312 (comment)>, or
> unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAAUR2R2QZV27A4VNGWHPKTVD7SITANCNFSM5SSRZ7HQ>
> .
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
|
@costinm My preference would be to leave it here as it s mesh wide config and people running with single network do not have to worry about additional network config + even if we network it needs an API change. But I see your point about redundancy, but I expect people who use it for multi network cases, do not have to worry about it. And I am not sure where/how that |
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
|
Networks are also 'mesh wide', and it is fine to define a single network (
default ).
In reality "mesh config" is not 'mesh wide' - but specific to one revision
in one cluster - promoting the network description to CRD could make it
mesh wide,
and seems a generally useful feature. If multi-cluster code starts watching
them - we won't have to copy the same thing in all clusters and keep it in
sync.
There are other related use cases - for example non-Istio gateways that use
a dedicated IP range ( separate node pool, etc) and we 'trust' them using
L3 (assuming network security).
…On Fri, Apr 8, 2022 at 9:16 PM Rama Chavali ***@***.***> wrote:
@costinm <https://github.com/costinm> My preference would be to leave it
here as it s mesh wide config and people running with single network do not
have to worry about additional network config. But I see your point about
redundancy, but I expect people who use it for multi network cases, do not
have to worry about it. And I am not sure where/how that from_cidr is used.
@howardjohn <https://github.com/howardjohn> WDYT?
—
Reply to this email directly, view it on GitHub
<#2312 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2SPMUTQSSCLKOZHI5TVEEAAPANCNFSM5SSRZ7HQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Are we still adding fields to MeshConfig or have frozen it to provide a way to migrate to the CRD? |
|
This is not for proxyConfig - Are you thinking it is for proxy config? |
|
We are trying to minimize additions to MeshConfig, and migrate to CRDs -
but still pragmatic. Sometimes it is ok to add an env variable or mesh
config and
get feedback, without pressure to get a CRD out fast.
…On Mon, Apr 11, 2022 at 2:39 AM Neeraj Poddar ***@***.***> wrote:
Are we still adding fields to MeshConfig or have frozen it to provide a
way to migrate to the CRD?
—
Reply to this email directly, view it on GitHub
<#2312 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2RRH2AXQ7NG6MNX3FLVEPXMLANCNFSM5SSRZ7HQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@costinm @howardjohn Please let me know your preference - I want to move forward with one way or other. I am not fully familiar with network use cases so I am good with what you think is best place to put this. But I would like to add API support for this |
|
My preference remains to use networks. It may not even require any API change - just a flag/env variable in Istiod to indicate that networks will be used to trigger this behavior. User will have to configure a network ('default') with all the ranges. They may also configured additional networks. All defined networks will be treated as internal, if this flag is set. |
|
I am fine with that. @howardjohn Are you good with that as well? |
|
Closing this in-favour of istio/istio#38801 |
|
Endpoints are already repeated.
- fromCidr: 1.1.1.0/24
- fromCidr: .....
I don't think making a fromCidr repeated is backward compatible, but we
could add a new one
endpoints:
fromCidrs:
- ....
- ....
How about getting the implementation with the current API, and sync in next
NetworkingWG - I think having a good way to
describe the IP ranges and networks is pretty important but may be time to
move it to a proper CRD and figure out how
it can be used with K8S Gateway attachment policy, etc.
Meanwhile - I don't think the feature you need is blocked by API change if
you use networks, just not ideal UX.
…On Fri, Apr 8, 2022 at 1:06 AM Rama Chavali ***@***.***> wrote:
I think we need more discussion if we want to add this here, or use the
existing 'networks', which define the ranges of pods in each internal
network.
If we go down this path - we need to change
https://github.com/istio/api/blob/master/mesh/v1alpha1/network.proto#L53
to repeated. If you are OK with that, I can change that as well
—
Reply to this email directly, view it on GitHub
<#2312 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2R2QZV27A4VNGWHPKTVD7SITANCNFSM5SSRZ7HQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Envoy now supports configuring cidrs that should be treated as internal addresses https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#L209.
This affects how Envoy treats incoming connections as internal or external. In some of envs, RFC 1918 is not followed for internal addresses.
This allows a mesh to configure internal addresses cidrs