search

istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0
36.17k stars 7.79k forks source link

`DestinationRule` affects `Deployment`/`Pod` with unmatched `workloadSelector` #52691

Open bozaro opened 3 months ago

bozaro commented 3 months ago

Is this the right place to submit this?

Bug Description

I have two namespaces:

Both client and server use proxyless xDS setup with grpc-agent sidecar.

In echo-server namespace I have DestinationRule and PeerAuthentication with enabling mTLS for echo service.

In this configuration echo-client works fine.

After creating another DestinationRule in echo-client namespace with host * and workloadSelector for unrelated Deployment (with exactly same trafficPolicy) echo-client lost mTLS setting for echo.echo-server.svc.cluster.local service.

Version

$ istioctl version
istioctl version
client version: 1.22.3
control plane version: 1.20.2
data plane version: 1.20.2 (509 proxies)

$ kubectl version
Client Version: v1.30.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.11-eks-db838b0

Additional Information

Resources looks like:

---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: echo-server
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - appProtocol: grpc
    port: 8888
    protocol: TCP
    targetPort: 8888
  selector:
    service: echo-server
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: echo
  namespace: echo-server
spec:
  host: 'echo'
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    outlierDetection: {}
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: echo-foo
  namespace: echo-client
spec:
  host: '*'
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    outlierDetection: {}
    tls:
      mode: ISTIO_MUTUAL
  workloadSelector:
    matchLabels:
      app.kubernetes.io/instance: echo-foo
      app.kubernetes.io/name: echo-foo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: echo-client
    app.kubernetes.io/name: echo-client
  name: echo-client
  namespace: echo-client
spec:
  ...
howardjohn commented 3 months ago

Thanks for the report. This is definitely not looking correct

wulianglongrd commented 3 months ago

I can't reproduce this issue.

bozaro commented 3 months ago

The bug is that if there is a DestinationRule that matches the hostname in the current namespace (even if it does not match the workloadSelector), then the DestinationRule will not be searched in the namespace with the service: https://github.com/istio/istio/blob/a1ff4e10a8d39d51fe54af40cf4157043fce92ef/pilot/pkg/model/push_context.go#L1128-L1149

istio-policy-bot commented 1 week ago

🧭 This issue or pull request has been automatically marked as stale because it has not had activity from an Istio team member since 2024-08-23. It will be closed on 2024-12-06 unless an Istio team member takes action. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.