istio / api

API definitions for the Istio project
Apache License 2.0

DestinationRule containing only proxyProtocol is rejected by admission webhook #3129

Closed feynmanliang closed 8 months ago

feynmanliang commented 8 months ago

(NOTE: This is used to report product bugs: To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/ To ask questions about how to use Istio, please visit https://discuss.istio.io )

Bug description

When I specify a DestinationRule containing just a proxyProtocol directive:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: foo
spec:
  host: foo.blueteam.svc.cluster.local
  trafficPolicy:
    proxyProtocol:
      version: "V1"

I encounter an admission webhook failure

DestinationRule/istio-system/mitmproxy dry-run failed: admission webhook "validation.istio.io" denied the request: configuration is invalid: traffic policy must have at least one field 

Affected product area (please put an X in all that apply)

[x] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience

Expected behavior

I expect the destinationrule to be successfully created, because the trafficPolicy is nonempty.

Steps to reproduce the bug

Create DestinationRule given above

Version (include the output of istioctl version --remote and kubectl version)

Istio 1.21.0
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.2

How was Istio installed?

Helm

Environment where bug was observed (cloud vendor, OS, etc)

Oracle Kubernetes Engine

Additionally, please consider attaching a cluster state archive by attaching the dump file to this issue.

feynmanliang commented 8 months ago

My bad... I had swapped out my images to use chainguard and they have not yet updated to 1.21

howardjohn commented 8 months ago

My bad... I had swapped out my images to use chainguard and they have not yet updated to 1.21

Just a heads up, running mismatched images to install YAML (helm/istioctl/whatever) is not a supported config and will break in many ways beyond this

feynmanliang commented 8 months ago

Got it, thanks for clarifying! I'd love to just use istio's images directly but the base images are full of CVEs. Our security policy prohibits this, which is why we use chainguard's distroless builds of istio https://images.chainguard.dev/directory/image/istio-proxy/versions

howardjohn commented 8 months ago

Istio also provides distroless images: https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/. I have no problem with chainguard generally, but :latest with Istio is not a good idea. If you use the explicitly versioned ones (paid) then it should be fine.
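The two comments above come down to one operational check: every Istio image in the cluster should be pinned to the same release as the install YAML, never :latest. The script below is an added example, not code from the issue or the Istio project; it reads "pod image..." lines (the kubectl command that would produce them is an assumption) and flags any image whose tag is not the expected release. The sample pod names and images are constructed.

```shell
#!/bin/sh
# Added example, not from the Istio issue or project. Flags Istio images that
# are not pinned to the release the install YAML came from (including the
# implicit or explicit :latest case from the thread).
# Input: one line per pod, "pod-name image [image ...]", e.g. from (assumed):
#   kubectl -n istio-system get pods -o jsonpath=\
#     '{range .items[*]}{.metadata.name} {.spec.containers[*].image}{"\n"}{end}'

# Print the tag of an image reference. A reference without a tag is implicitly
# :latest. A digest suffix (@sha256:...) is stripped before looking for the tag,
# and a registry port (host:5000/...) is not mistaken for a tag.
image_tag() {
  ref="${1%%@*}"          # drop @sha256:... if present
  last="${ref##*/}"       # last path component, e.g. "proxyv2:1.21.0"
  case "$last" in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# Read pod/image lines on stdin; print every image whose tag differs from the
# expected version. Returns 0 only when all images are pinned to that version.
check_istio_images() {
  expected="$1"
  status=0
  while read -r pod images; do
    [ -n "$images" ] || continue
    for image in $images; do          # word-split: one pod may list several images
      tag=$(image_tag "$image")
      if [ "$tag" != "$expected" ]; then
        printf 'MISMATCH %s uses %s (tag %s, expected %s)\n' \
          "$pod" "$image" "$tag" "$expected"
        status=1
      fi
    done
  done
  return "$status"
}

# Constructed sample: control plane and gateway pinned to 1.21.0, one sidecar
# on :latest (the situation in the thread) and one on an older release.
if [ "${1:-}" = "--demo" ]; then
  check_istio_images 1.21.0 <<'EOF'
istiod-7c9d8f6b5-abcde docker.io/istio/pilot:1.21.0
ingressgateway-5f6d7c8b9-fghij docker.io/istio/proxyv2:1.21.0
sleep-6b4c5d7f8-klmno cgr.dev/chainguard/istio-proxy:latest
httpbin-9d8c7b6a5-pqrst cgr.dev/chainguard/istio-proxy:1.20.3
EOF
fi
```

Run with `sh check.sh --demo` (or pipe real kubectl output into `check_istio_images 1.21.0`); a non-zero exit means at least one image drifted from the release the charts were rendered for.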

feynmanliang commented 8 months ago

Amazing, I had no idea! Thank you for sharing - really appreciate it.