Closed apo-ger closed 4 months ago
Hi @apo-ger, thanks for opening this issue, I'm happy to collaborate with you on this, this requires a feature track doc, see mechanics in https://github.com/knative/community/blob/main/mechanics/FEATURE-TRACKS.md.
Hello @pierDipi, thank you for offering to help! Here is our first iteration on the feature track doc: https://docs.google.com/document/d/1Y9BukjzUxfl920KltVtH4L5gta0pHOt5NEsLqdgZNY4/edit?pli=1#heading=h.pl50sgewlr05
Feel free to take a look and let us know your thoughts regarding the proposed approach.
Thanks @apo-ger for creating the document, I left some comments there.
Hello @pierDipi! Thank you for the comments. I've included here and in the feature doc our latest findings.
We have validated that currently all three available KafkaChannel
implementations suffer from the same issue, they do not work with Istio
and strict mTLS
mode, as they use an externalName
service underneath to route events.
Knative Eventing KafkaChannel
: https://github.com/knative-sandbox/eventing-kafka-broker//control-plane/pkg/reconciler/channel/channel.go#L627-L657
Consolidated KafkaChannel
: https://github.com/knative-sandbox/eventing-kafka/pkg/channel/consolidated/reconciler/controller/kafkachannel.go#L495-L538
Distributed KafkaChannel
: https://github.com/knative-sandbox/eventing-kafka/pkg/channel/distributed/controller/kafkachannel/channel.go#L56-L159
We have seen the following path for delivering an event when using a MT channel-based
broker with KafkaChannels
underneath:
client/producer -> broker-ingress -> kafka-ch-receiver -> Kafka -> kafka-ch-dispatcher -> broker-filter -> subscriber/consumer
The communication between broker-ingress
and kafka-ch-receiver
breaks when strict mTLS
is enabled as the broker-ingress is trying to reach the receiver via an externalName
service
Produced Error when trying to hit the broker from a curl Pod with an Istio sidecar:
root@curl:/ ]$ curl -X POST -v -H "content-type: application/json" -H "ce-specversion: 1.0" \
-H "ce-source: my/curl/command" -H "ce-type: my.demo.event" -H "ce-id: 0815" \
-d '{"value":"Hello Knative"}' http://broker-ingress.knative-eventing.svc.cluster.local/kubeflow-user-example-com/default
> POST /kubeflow-user-example-com/default HTTP/1.1
> User-Agent: curl/7.35.0
> Host: broker-ingress.knative-eventing.svc.cluster.local
> Accept: */*
> content-type: application/json
> ce-specversion: 1.0
> ce-source: my/curl/command
> ce-type: my.demo.event
> ce-id: 0815
> Content-Length: 25
>
< HTTP/1.1 503 Service Unavailable
< allow: POST, OPTIONS
< date: Mon, 12 Dec 2022 17:29:17 GMT
< content-length: 0
< x-envoy-upstream-service-time: 31
< server: envoy
In addition, we found that externalName
services need to have port mappings configured in order to work properly with Istio
and strict mTLS
. See relative issues/PRs:
This PR has resolved this issue for the InMemoryChannel
implementation, but we need to do the same for the underlying externalName
services of a KafkaChannel
implementation.
externalName
services must have port mappings configured. We could extend the existing core channel reconcilers to add the appropriate port mappings.DestinationRule
)MESH_MODE
setting (off by default) to control wether we operate in a mesh or not. This setting can be enabled/disabled via a ConfigMap.This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen
. Mark the issue as
fresh by adding the comment /remove-lifecycle stale
.
/remove-lifecycle stale
We're running e2e tests for non channel components with istio in https://github.com/knative-sandbox/eventing-istio. We're missing some updates on the feature track based on the comments and discussions and then we could start implementing it
/triage accepted
I did an initial iteration for the implementation of this feature in https://github.com/knative-sandbox/eventing-istio/pull/16
@apo-ger I don't have access to the document anymore, can you please make it for public comment again?
It's useful for us to not lose our decision context using those feature track documents
hey @pierDipi, unfortunately @apo-ger and I no longer work at Arrikto. Most probably they have completely disabled/removed the initial gdrive we had use for this document.
Thankfully I have a latest copy of that document in my personal drive https://docs.google.com/document/d/1SFcFWblIfQE-KV05EKvI16E8goBOVs4SMqZ4YqIZs3A/edit?usp=sharing
The above document though is missing the comment history, but at least we still have the context
Thanks @kimwnasptd, I made a copy for the Knative drive workspace https://docs.google.com/document/d/1p4OdOUFaWw7g4xQKtJIR6ml8bBOqKJxw700xc2pX4Co/edit
Problem Currently, @kimwnasptd and I are trying to setup Knative Eventing with strict mTLS, as part of Kubeflow. The main issue we bumped into is the fact that someone needs to manually create DestinationRules/VirtualServices https://github.com/knative/eventing/pull/6283 https://github.com/istio/istio/issues/13193#issuecomment-482995169 https://github.com/istio/istio/issues/24886#issuecomment-648218564.
It could help adopters of Knative Eventing, that have a requirement for strict mTLS, if there would be an option in the Eventing Controller to create the required Istio resources.
Persona: Event Producers
Without strict mTLS we can't have any AuthorizationPolicies to control who can talk to the broker-ingress and filter https://github.com/knative/eventing/issues/6175.
Thus in a multi-user environment, like Kubeflow, everyone would be able to create events for all user namespaces.
Additional context (optional) We understand that Knative Eventing no-longer has a dependency on Istio (https://github.com/knative/eventing/issues/294).
But, this means that the logic of creating the necessary resources for Knative Eventing to work with mTLS falls down to end users. We believe the Eventing Controller should:
This way we'll avoid duplication of effort for adopters of Knative Eventing, where every one of us will need to rewrite this logic.
We would like to help in this effort, if you agree with our proposal.