Closed mathieu-benoit closed 1 year ago
Hi @liwenhao0810 - Could you please take a look at this request?
FWIK it might not always be true that all user namespaces are part of the mesh, so the namespace-level injection enforcement might not always be true. However, bypassing sidecar injection would be, as non-mesh namespaces' workloads shouldn't have this annotation either.
Here are my thoughts on this; here is the CUJ I think we should help our customers with:
As a customer, I'm using the ASM bundle to have Google telling me what I should do to have a proper, successful and secure setup for my Mesh in my GKE cluster.
First thing first, if I haven't properly set up my Namespaces to be included in my Mesh, could you tell me please? And also how I should accomplish this? --> That's what the associated Constraint/ConstraintTemplate of this request is for. That's what we illustrate in this tutorial at the very first step of setting the Constraints.
Now come the tricky parts, with some thoughts about their resolution:
- excludedNamespaces is provided, there may be more of them... let's figure them out for our customers
- istio-injection: disabled label, I don't want to be warned --> fair enough, let's make this happen in our ConstraintTemplate
- excludedNamespaces list is for, now finding a way for our customers to customize that part is something I think we should provide. In addition to that, with the previous point, why not guide them by asking them to explicitly set the istio-injection: disabled label to resolve this? There is also a combination of enforcementAction: dryrun and strictnessLevel: Low in order to make this Constraint not blocking our customers but more being their advisor.
Do you see other use-cases?
That's maybe the opportunity to have a custom K8sRequiredLabels just for ASM which could have all the intelligence in its ConstraintTemplate?
Let me know if that makes sense and what you think about that. And let me know if you want us to chat about that in a 1:1 internally; more than happy to learn from you on this too.
Following up on this @liwenhao0810, any thoughts or feedback? Thanks!
Sorry, lost track of this, thanks for reminding! I would agree with you that this is a good idea: to have this constraint to guide users.
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.
Is it planned to add a "require sidecar injection label on namespace" Constraint in the ASM bundle?
Today there is the 1.1.2_asm-sidecar-injection Constraint allowing to avoid anyone bypassing the sidecar proxy label, but there is no Constraint forcing the namespaces in the Mesh to actually have the label.
Here could be an option to achieve that in the ASM bundle?
Note: this is not working as-is, as we need to find a way to have an OR and not an AND with the 2 labels illustrated above.
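One way to express the OR the issue asks for (a namespace counts as "in the mesh" if it carries either the istio-injection=enabled label or an istio.io/rev revision label, while istio-injection=disabled is an explicit opt-out), as an added example written for this thread rather than code from the ASM bundle or from the issue author: a Gatekeeper ConstraintTemplate whose Rego uses two bodies for the same rule, which OPA evaluates as a disjunction, plus a dry-run Constraint carrying an excludedNamespaces list. The kind name AsmRequiredSidecarInjectionLabel, the template name, and the namespaces listed under excludedNamespaces are assumptions chosen for the example; the two Istio label keys are the standard ones, not values taken from this page.

```yaml
# Added example, not part of the ASM bundle: require every namespace to
# declare its mesh membership, accepting EITHER of the two Istio labels.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: asmrequiredsidecarinjectionlabel   # assumed name
spec:
  crd:
    spec:
      names:
        kind: AsmRequiredSidecarInjectionLabel   # assumed kind
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package asmrequiredsidecarinjectionlabel

        labels := input.review.object.metadata.labels

        # Two bodies for one rule: OPA treats them as OR, not AND.
        # Body 1: classic per-namespace injection switch.
        in_mesh {
          labels["istio-injection"] == "enabled"
        }
        # Body 2: revision-based injection (any istio.io/rev value).
        in_mesh {
          labels["istio.io/rev"]
        }

        # Explicit opt-out: a namespace deliberately kept out of the mesh
        # should not be reported.
        opted_out {
          labels["istio-injection"] == "disabled"
        }

        violation[{"msg": msg}] {
          input.review.kind.kind == "Namespace"
          not in_mesh
          not opted_out
          msg := sprintf(
            "Namespace %v does not declare mesh membership: set istio-injection=enabled or istio.io/rev=<revision> to join the mesh, or istio-injection=disabled to opt out",
            [input.review.object.metadata.name])
        }
---
# Advisory mode: report violations (visible in the Constraint status and
# audit results) without blocking namespace creation or updates.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequiredSidecarInjectionLabel   # assumed kind
metadata:
  name: asm-required-sidecar-injection-label
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
    # Platform namespaces that are never part of the mesh; for Namespace
    # objects Gatekeeper matches this list against the namespace's own name.
    # Customers extend this list instead of editing the template (assumed set).
    excludedNamespaces:
      - kube-system
      - kube-public
      - kube-node-lease
      - gatekeeper-system
      - istio-system
```

Because `in_mesh` is undefined when the `labels` map itself is absent, a namespace with no labels at all is reported, which is the case the thread is most concerned about. Keeping the system namespaces in `excludedNamespaces` on the Constraint, and the `istio-injection: disabled` opt-out in the Rego, separates the fixed platform exclusions from the per-namespace decision a customer makes explicitly.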