istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0

`DestinationRule` affects `Deployment`/`Pod` with unmatched `workloadSelector` #52691

Open bozaro opened 1 month ago

bozaro commented 1 month ago

Is this the right place to submit this?

Bug Description

I have two namespaces:

Both client and server use proxyless xDS setup with grpc-agent sidecar.

In echo-server namespace I have DestinationRule and PeerAuthentication with enabling mTLS for echo service.

In this configuration echo-client works fine.

After creating another DestinationRule in the echo-client namespace with host * and a workloadSelector for an unrelated Deployment (with exactly the same trafficPolicy), echo-client lost the mTLS setting for the echo.echo-server.svc.cluster.local service.

Version

$ istioctl version
istioctl version
client version: 1.22.3
control plane version: 1.20.2
data plane version: 1.20.2 (509 proxies)

$ kubectl version
Client Version: v1.30.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.11-eks-db838b0

Additional Information

Resources look like:

---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: echo-server
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - appProtocol: grpc
    port: 8888
    protocol: TCP
    targetPort: 8888
  selector:
    service: echo-server
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: echo
  namespace: echo-server
spec:
  host: 'echo'
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    outlierDetection: {}
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: echo-foo
  namespace: echo-client
spec:
  host: '*'
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    outlierDetection: {}
    tls:
      mode: ISTIO_MUTUAL
  workloadSelector:
    matchLabels:
      app.kubernetes.io/instance: echo-foo
      app.kubernetes.io/name: echo-foo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: echo-client
    app.kubernetes.io/name: echo-client
  name: echo-client
  namespace: echo-client
spec:
  ...

howardjohn commented 3 weeks ago

Thanks for the report. This is definitely not looking correct.

wulianglongrd commented 3 weeks ago

I can't reproduce this issue.

bozaro commented 2 weeks ago

The bug is that if there is a DestinationRule that matches the hostname in the current namespace (even if it does not match the workloadSelector), then the DestinationRule will not be searched in the namespace with the service: https://github.com/istio/istio/blob/a1ff4e10a8d39d51fe54af40cf4157043fce92ef/pilot/pkg/model/push_context.go#L1128-L1149
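The lookup order described in the comment above, written out as an added Go model so the effect on the echo-client workload can be checked directly. This is example code for this page, not Istio's own implementation: the types are reduced to the fields the lookup needs, the namespace order (client namespace, then the service's namespace) and the "*" / short-name host matching are assumptions that simplify what Istio does, and the rule and workload data are constructed to mirror the resources posted in the issue. The first resolver reproduces the reported behaviour (a host match in the client namespace ends the search before the workloadSelector is applied); the second applies the selector first. A small helper also lists the client-namespace rules that would shadow cross-namespace rules for a given workload, which is a useful audit when an unexpected mTLS downgrade is being investigated.

```go
package main

import (
	"fmt"
	"strings"
)

// DestinationRule is a reduced model of the Istio CRD holding only the fields
// this lookup needs (assumption for this example; not Istio's own types).
type DestinationRule struct {
	Name      string
	Namespace string
	Host      string            // short name, FQDN, or "*"
	TLSMode   string            // trafficPolicy.tls.mode; "" when unset
	Selector  map[string]string // workloadSelector.matchLabels; nil applies to every workload
}

// Workload is the client pod on whose behalf the rule is resolved.
type Workload struct {
	Namespace string
	Labels    map[string]string
}

// hostMatches expands a short host to <name>.<ns>.svc.cluster.local and
// compares it with the requested FQDN; "*" matches everything. Other wildcard
// forms are deliberately out of scope for this example.
func hostMatches(r DestinationRule, host string) bool {
	if r.Host == "*" {
		return true
	}
	fq := r.Host
	if !strings.Contains(fq, ".") {
		fq = fmt.Sprintf("%s.%s.svc.cluster.local", r.Host, r.Namespace)
	}
	return fq == host
}

// selectorMatches is the usual label-subset test; an empty selector matches.
func selectorMatches(r DestinationRule, wl Workload) bool {
	for k, v := range r.Selector {
		if wl.Labels[k] != v {
			return false
		}
	}
	return true
}

// resolveBuggy models the behaviour reported in the issue: the client's own
// namespace is scanned first, and as soon as any rule there matches the host
// the search stops in that namespace. The workloadSelector is only consulted
// afterwards, so a rule that selects a different workload still shadows the
// service's namespace and the client ends up with no rule at all.
func resolveBuggy(rules []DestinationRule, wl Workload, host, svcNS string) *DestinationRule {
	for _, ns := range []string{wl.Namespace, svcNS} {
		var byHost []DestinationRule
		for _, r := range rules {
			if r.Namespace == ns && hostMatches(r, host) {
				byHost = append(byHost, r)
			}
		}
		if len(byHost) == 0 {
			continue
		}
		for _, r := range byHost {
			if selectorMatches(r, wl) {
				rr := r
				return &rr
			}
		}
		return nil // this namespace "won" on host, yet nothing applied
	}
	return nil
}

// resolveFixed applies the selector before deciding whether a namespace has a
// match, so an unrelated workload-scoped rule cannot hide a rule elsewhere.
func resolveFixed(rules []DestinationRule, wl Workload, host, svcNS string) *DestinationRule {
	for _, ns := range []string{wl.Namespace, svcNS} {
		for _, r := range rules {
			if r.Namespace == ns && hostMatches(r, host) && selectorMatches(r, wl) {
				rr := r
				return &rr
			}
		}
	}
	return nil
}

// findShadowing lists rules in the workload's namespace that match the host
// but not the workload: exactly the rules that trigger the reported shadowing.
func findShadowing(rules []DestinationRule, wl Workload, host string) []string {
	var names []string
	for _, r := range rules {
		if r.Namespace == wl.Namespace && hostMatches(r, host) && !selectorMatches(r, wl) {
			names = append(names, r.Name)
		}
	}
	return names
}

// Constructed sample data mirroring the resources posted in the issue.
var sampleRules = []DestinationRule{
	{Name: "echo", Namespace: "echo-server", Host: "echo", TLSMode: "ISTIO_MUTUAL"},
	{Name: "echo-foo", Namespace: "echo-client", Host: "*", TLSMode: "ISTIO_MUTUAL",
		Selector: map[string]string{"app.kubernetes.io/instance": "echo-foo", "app.kubernetes.io/name": "echo-foo"}},
}

var echoClient = Workload{Namespace: "echo-client", Labels: map[string]string{
	"app.kubernetes.io/instance": "echo-client", "app.kubernetes.io/name": "echo-client"}}

const echoHost = "echo.echo-server.svc.cluster.local"
const echoSvcNS = "echo-server"

func describe(r *DestinationRule) string {
	if r == nil {
		return "no DestinationRule applied (mTLS setting lost)"
	}
	return fmt.Sprintf("%s/%s tls=%s", r.Namespace, r.Name, r.TLSMode)
}

func main() {
	fmt.Println("reported: ", describe(resolveBuggy(sampleRules, echoClient, echoHost, echoSvcNS)))
	fmt.Println("expected: ", describe(resolveFixed(sampleRules, echoClient, echoHost, echoSvcNS)))
	fmt.Println("shadowing:", findShadowing(sampleRules, echoClient, echoHost))
}
```

Running it with the sample data prints the two outcomes side by side: the reported lookup yields no rule for echo-client, while the selector-first lookup returns echo-server/echo with ISTIO_MUTUAL, and the audit helper names echo-foo as the shadowing rule. Deleting the echo-foo rule from the sample (or giving the workload the echo-foo labels) makes both resolvers agree, which is the "works fine before the second rule" observation from the bug description.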