Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(xds): auto reachable services based on MeshTrafficPermission #8125

Merged
merged 32 commits into from
Oct 27, 2023
Merged

feat(xds): auto reachable services based on MeshTrafficPermission #8125

merged 32 commits into from
Oct 27, 2023

Conversation

jakubdyszkiewicz
Copy link
Contributor

@jakubdyszkiewicz jakubdyszkiewicz commented Oct 24, 2023
edited
Loading

Checklist prior to review

This PR introduces auto reachable services based on MeshTrafficPermission described here #8084

I introduced a concept of reachable services graph which is just an interface in "core" xds_context package and default implementation that any service can reach any other service. Then in MTP plugin I created implementation based on MTP which is wired up in bootstrap. This way we avoid cyclic dependency and dependency on plugins, MTP, matching in xds_context.

At first, I created graph of service to service, but then we figured out that subset (MeshSubset / MeshServiceSubset) support is quite critical therefore the graph keeps list of rules for every service which can be evaluated by every DPP. This means that we support subsets fully in from section. In top level target ref it's impossible to support all subsets because client won't know which instance of the server it will reach. therefore we decided to support only predefined tags that we know are autogenerated and stable for all instances (which is k8s.kuma.io/*). We could have supported any common tag between instances but it would then require to call replaceSubsets function for every single service.

This is opt-in experimental feature.

It is not fully clear what is the impact on perf here. We will investigate this.

Existing reachable services takes precedence over the graph.

Todo as a follow-up

  • A way to inspect generated graph, possibly with inspect endpoints.
  • Link to relevant issue as well as docs and UI issues --
  • This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) and it will work on Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
  • Tests (Unit test, E2E tests, manual test on universal and k8s) --
    • Don't forget ci/ labels to run additional/fewer tests
  • Do you need to update UPGRADE.md? --
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label) --

jakubdyszkiewicz and others added 25 commits October 20, 2023 17:18
@jakubdyszkiewicz
reachable servies graph
769cf1b 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
graph
5a7282b 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
first step of refactor
ee29b07 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
change svc arg
4fb6a1d 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
move to rules in graph
77561f1 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
graph with config
46fe644 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
comments
1d0fdcc 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
make check
b0680ae 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
refactor addfrom
79e9b90 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
comments
15ab697 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
refactor to avoid direct dependency on plugins and matching in xds co…
93cecfd 
…ntext

Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
restore dependency on xds_context for matchers
133d4c4 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
restore placement of kube tags
2f07ed9 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
simplify names in pkg and add test for service candidates
aacd204 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
make check
e43d3b2 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@slonka
feat(reachableservices): add e2e test
f8c9346 
Signed-off-by: slonka <slonka@users.noreply.github.com>
@slonka
feat(reachableservices): parametrize
5b55020 
Signed-off-by: slonka <slonka@users.noreply.github.com>
@jakubdyszkiewicz
rename candidates
917c60f 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@slonka
feat(reachableservices): use kumactl to get inspect to get cluster info
455f92a 
Signed-off-by: slonka <slonka@users.noreply.github.com>
@slonka
feat(reachableservices): use CollectResponse
e6a90c6 
Signed-off-by: slonka <slonka@users.noreply.github.com>
@slonka
feat(reachableservices): use ExitCode
a45df0c 
Signed-off-by: slonka <slonka@users.noreply.github.com>
@jakubdyszkiewicz
Merge pull request #2 from slonka/rs-graph-e2e
013b6cb 
feat(xds): rs graph e2e
@jakubdyszkiewicz
make check
847af89 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
Merge remote-tracking branch 'upstream/master' into rs-graph
484bce9 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
make check
d4a268c 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz jakubdyszkiewicz mentioned this pull request Oct 25, 2023
Merged
5 tasks
@jakubdyszkiewicz
Merge remote-tracking branch 'upstream/master' into rs-graph
ece901c 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
make check
1782593 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz jakubdyszkiewicz marked this pull request as ready for review October 25, 2023 10:19
@jakubdyszkiewicz jakubdyszkiewicz requested a review from a team as a code owner October 25, 2023 10:19
@jakubdyszkiewicz jakubdyszkiewicz requested review from lobkovilya and lukidzi and removed request for a team October 25, 2023 10:19
@jakubdyszkiewicz
add support for zone ingress
73900e0 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
support cross mesh
9002c7a 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
handle subsets better
3067ce4 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
rename and add the test
0c33d19 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz
static reachable services takes precedence
31492be 
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
@jakubdyszkiewicz jakubdyszkiewicz merged commit ed1be22 into kumahq:master Oct 27, 2023
5 checks passed
@jakubdyszkiewicz jakubdyszkiewicz deleted the rs-graph branch October 27, 2023 12:23
This was referenced Oct 30, 2023
Closed
Closed
@slonka slonka mentioned this pull request Nov 6, 2023
Closed
@BrewTestBot BrewTestBot mentioned this pull request Nov 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slonka slonka slonka left review comments

@lobkovilya lobkovilya lobkovilya approved these changes

@lukidzi lukidzi Awaiting requested review from lukidzi lukidzi is a code owner automatically assigned from kumahq/kuma-maintainers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jakubdyszkiewicz @slonka @lobkovilya