sidecar: filter service ports to VS ports #39067
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When constructing the SidecarScope, if a sidecar listed a dependency on a virtual service, istio would previously add a dependency for the sidecar on each transitive dependency of that virtual service, including all ports that each transitive dependency exposes. This change now filters the ports on those transitive dependencies down to only those to which the virtual service will route. This allows users to have services that expose hundreds of ports, but set a specific hostname for a specific subset of those ports using a virtual service, and istio will only propagate the configuration needed to route to that subset of ports. Change-Id: Id138a252de7d042f84093164a504e3a934dc8cf5 Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/2948 Reviewed-by: Ying Zhu <ying.zhu@airbnb.com> Reviewed-by: Weibo He <weibo.he@airbnb.com>
|
😊 Welcome @ryan-smick! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
|
Hi @ryan-smick. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
howardjohn
reviewed
May 20, 2022
There was a problem hiding this comment.
Just skimmed and looks good overall, will leave to @hzxuzhonghu
pilot/pkg/model/sidecar.go
Outdated
| // A value of 0 in vsDestPorts is used as a sentinel to indicate a dependency | ||
| // on every port of the service. | ||
| if len(service.Ports) == 1 || len(vsDestPorts) == 0 || vsDestPorts.Contains(0) { | ||
| return service.DeepCopy() |
There was a problem hiding this comment.
Suggested change
| return service.DeepCopy() | |
| return service |
Can we either not copy or comment why we need to copy? Its not clear to me its needed/why
pilot/pkg/model/sidecar.go
Outdated
| func serviceMatchingVirtualServicePorts(service *Service, vsDestPorts sets.IntSet) *Service { | ||
| // A value of 0 in vsDestPorts is used as a sentinel to indicate a dependency | ||
| // on every port of the service. | ||
| if len(service.Ports) == 1 || len(vsDestPorts) == 0 || vsDestPorts.Contains(0) { |
There was a problem hiding this comment.
I don't think it matters much in practice, but is len(service.Ports) == 1 actually correct?
Imagine I have a Svc with port=1234 and a VS pointing to svc:5678. I think this would select the service?
There was a problem hiding this comment.
Yes, this would select the service in that case. You're right, I think this is probably incorrect, and should be fine to remove. Will update
| } | ||
|
|
||
| if len(foundPorts) > 0 { | ||
| sc := service.DeepCopy() |
There was a problem hiding this comment.
nit: we could probably reduce a copy when we end up with len(foundPorts) == len(sc.Ports)
|
/ok-to-test |
|
/test ? |
|
@hzxuzhonghu: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test benchmark_istio |
|
/retest |
Remove extra unnecessary service copies when the ports we want to include for a service match all ports exposed on the service. Additionally, correct logic around selecting a service with a single port where that port may not match the VS destination port. Change-Id: I104646508a2ba6416a6a7fbd92f285d0173c93db Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3017 Reviewed-by: Douglas Jordan <douglas.jordan@airbnb.com> Reviewed-by: Ying Zhu <ying.zhu@airbnb.com>
hzxuzhonghu
approved these changes
May 24, 2022
|
/test integ-security-multicluster_istio |
airbnb-gerrit
pushed a commit
to airbnb/istio
that referenced
this pull request
May 31, 2022
* sidecar: filter service ports to VS ports When constructing the SidecarScope, if a sidecar listed a dependency on a virtual service, istio would previously add a dependency for the sidecar on each transitive dependency of that virtual service, including all ports that each transitive dependency exposes. This change now filters the ports on those transitive dependencies down to only those to which the virtual service will route. This allows users to have services that expose hundreds of ports, but set a specific hostname for a specific subset of those ports using a virtual service, and istio will only propagate the configuration needed to route to that subset of ports. * sidecar: remove extraneous copies Remove extra unnecessary service copies when the ports we want to include for a service match all ports exposed on the service. Additionally, correct logic around selecting a service with a single port where that port may not match the VS destination port. Change-Id: Id98b49ece7c7bbb698d90dfcac07d8f0d95fcfd8 Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3026 Reviewed-by: Ryan Smick <ryan.smick@airbnb.com>
airbnb-gerrit
pushed a commit
to airbnb/istio
that referenced
this pull request
Jun 3, 2022
There was a small bug in cherry-picking istio#39067. This CL correctly consumes the sets pkg. Note that sets was moved to the top level pkg in istio 1.14. Change-Id: I812a3baa2b7baed9f48eeeeb2990d0ecb47cf855 Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3073 Reviewed-by: Ryan Smick <ryan.smick@airbnb.com>
airbnb-gerrit
pushed a commit
to airbnb/istio
that referenced
this pull request
Jun 15, 2022
* pilot: correctly consume sets pkg There was a small bug in cherry-picking istio#39067. This CL correctly consumes the sets pkg. Note that sets was moved to the top level pkg in istio 1.14. * sidecar: filter service ports to VS ports When constructing the SidecarScope, if a sidecar listed a dependency on a virtual service, istio would previously add a dependency for the sidecar on each transitive dependency of that virtual service, including all ports that each transitive dependency exposes. This change now filters the ports on those transitive dependencies down to only those to which the virtual service will route. This allows users to have services that expose hundreds of ports, but set a specific hostname for a specific subset of those ports using a virtual service, and istio will only propagate the configuration needed to route to that subset of ports. * sidecar: remove extraneous copies Remove extra unnecessary service copies when the ports we want to include for a service match all ports exposed on the service. Additionally, correct logic around selecting a service with a single port where that port may not match the VS destination port. Change-Id: I083a7addebd20c8aa4b98ba26b55454e15f8d74e Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3133 Reviewed-by: Douglas Jordan <douglas.jordan@airbnb.com>
airbnb-gerrit
pushed a commit
to airbnb/istio
that referenced
this pull request
Aug 16, 2022
This CL patches commit 37ce3a5 from upstream istio into air-release-1.14.3 to fix the redis ACA issue. Original PR can be found here: istio#39067. The description from that PR is reproduced below. When constructing the SidecarScope, if a sidecar listed a dependency on a virtual service, istio will currently add a dependency for the sidecar on each transitive dependency of that virtual service, including all ports that each transitive dependency exposes. This change now filters the ports on those transitive dependencies down to only those to which the virtual service will route. This allows users to have services that expose hundreds of ports, but set a specific hostname for a specific subset of those ports using a virtual service, and istio will only propagate the configuration needed to route to that subset of ports. Change-Id: I9965a8a4c2d2921382310b721de545b4972b1aca Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3506 Reviewed-by: Weibo He <weibo.he@airbnb.com> Reviewed-by: Ying Zhu <ying.zhu@airbnb.com>
airbnb-gerrit
pushed a commit
to airbnb/istio
that referenced
this pull request
Sep 13, 2022
Apply the following list of patches to istio 1.14.4: * sidecar: filter service ports to VS ports (istio#39067) * istio: register init push context metric (istio#40049) * istio: add metric for debouncing (istio#40523) * istio: fix PILOT_ENABLE_RDS_CACHE flag not working (istio#40719) * istio: support inline multi-values header in authz header match (https://gerrit.musta.ch/c/public/istio/+/3622, not yet merged upstream) Change-Id: I69b861d884608dabad44db1fee03f66eb4b25ab2 Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3695 Reviewed-by: Ying Zhu <ying.zhu@airbnb.com> Reviewed-by: Weibo He <weibo.he@airbnb.com>
airbnb-gerrit
pushed a commit
to airbnb/istio
that referenced
this pull request
Oct 12, 2022
Apply the following list of patches to istio 1.14.5: * sidecar: filter service ports to VS ports (istio#39067) * istio: register init push context metric (istio#40049) * istio: add metric for debouncing (istio#40523) * istio: fix PILOT_ENABLE_RDS_CACHE flag not working (istio#40719) * istio: support inline multi-values header in authz header match (https://gerrit.musta.ch/c/public/istio/+/3622, not yet merged upstream) * istio: improve deep copy for ServiceAttribute (istio#40966) * avoid unnecessary copy virtual services for sidecar scope calculation (istio#41101) Change-Id: Ia4c9bfd619a0eb38c1a829bff2efbd21fd3b9cb2 Reviewed-on: https://gerrit.musta.ch/c/public/istio/+/3883 Reviewed-by: Ying Zhu <ying.zhu@airbnb.com> Reviewed-by: Weibo He <weibo.he@airbnb.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please provide a description of this PR:
Fixes issue: #38725
When constructing the SidecarScope, if a sidecar listed a dependency
on a virtual service, istio will currently add a dependency for the
sidecar on each transitive dependency of that virtual service,
including all ports that each transitive dependency exposes. This
change now filters the ports on those transitive dependencies down
to only those to which the virtual service will route. This allows users
to have services that expose hundreds of ports, but set a specific
hostname for a specific subset of those ports using a virtual service,
and istio will only propagate the configuration needed to route to
that subset of ports.
@hzxuzhonghu @howardjohn
@yingzhuivy
Contins behavior changes for the propagation of envoy clusters to sidecars