Introduce option for Istio support #6596
Comments
|
Hi @apo-ger, thanks for opening this issue, I'm happy to collaborate with you on this, this requires a feature track doc, see mechanics in https://github.com/knative/community/blob/main/mechanics/FEATURE-TRACKS.md. |
|
Hello @pierDipi, thank you for offering to help! Here is our first iteration on the feature track doc: Feel free to take a look and let us know your thoughts regarding the proposed approach. |
|
Thanks @apo-ger for creating the document, I left some comments there. |
|
Hello @pierDipi! Thank you for the comments. I've included here and in the feature doc our latest findings. We have validated that currently all three available
First issueWe have seen the following path for delivering an event when using a The communication between Deployed resources
apiVersion: v1
kind: ConfigMap
metadata:
name: kafka-channel
namespace: knative-eventing
data:
channel-template-spec: |
apiVersion: messaging.knative.dev/v1beta1
kind: KafkaChannel
spec:
numPartitions: 3
replicationFactor: 1
apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
annotations:
eventing.knative.dev/broker.class: MTChannelBasedBroker
eventing.knative.dev/creator: kubernetes-admin
eventing.knative.dev/lastModifier: kubernetes-admin
creationTimestamp: "2022-12-22T15:54:33Z"
generation: 1
name: default
namespace: kubeflow-user-example-com
resourceVersion: "7417993"
uid: 3b554be4-7bbd-4345-9ebb-0e7073b361e8
spec:
config:
apiVersion: v1
kind: ConfigMap
name: kafka-channel
namespace: knative-eventing
status:
address:
url: http://broker-ingress.knative-eventing.svc.cluster.local/kubeflow-user-example-com/default
annotations:
knative.dev/channelAPIVersion: messaging.knative.dev/v1beta1
knative.dev/channelAddress: http://default-kne-trigger-kn-channel.kubeflow-user-example-com.svc.cluster.local
knative.dev/channelKind: KafkaChannel
knative.dev/channelName: default-kne-trigger
conditions:
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: Addressable
- lastTransitionTime: "2022-12-22T15:54:34Z"
message: No dead letter sink is configured.
reason: DeadLetterSinkNotConfigured
severity: Info
status: "True"
type: DeadLetterSinkResolved
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: FilterReady
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: IngressReady
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: Ready
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: TriggerChannelReady
observedGeneration: 1
apiVersion: messaging.knative.dev/v1beta1
kind: KafkaChannel
metadata:
annotations:
eventing.knative.dev/scope: cluster
messaging.knative.dev/subscribable: v1
creationTimestamp: "2022-12-22T15:54:33Z"
finalizers:
- kafkachannels.messaging.knative.dev
generation: 2
labels:
eventing.knative.dev/broker: default
eventing.knative.dev/brokerEverything: "true"
name: default-kne-trigger
namespace: kubeflow-user-example-com
ownerReferences:
- apiVersion: eventing.knative.dev/v1
blockOwnerDeletion: true
controller: true
kind: Broker
name: default
uid: 3b554be4-7bbd-4345-9ebb-0e7073b361e8
resourceVersion: "7418018"
uid: 4b8ab66a-2815-44de-96b8-4ad4c65ca101
spec:
numPartitions: 3
replicationFactor: 1
retentionDuration: PT168H
subscribers:
- generation: 1
replyUri: http://broker-ingress.knative-eventing.svc.cluster.local/kubeflow-user-example-com/default
subscriberUri: http://broker-filter.knative-eventing.svc.cluster.local/triggers/kubeflow-user-example-com/message-dumper-trigger/3ef7d7cc-681c-4676-a5f9-292e8b25599b
uid: 07931388-bca1-4a94-8d29-0b8103a65380
status:
address:
url: http://default-kne-trigger-kn-channel.kubeflow-user-example-com.svc.cluster.local
conditions:
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: Addressable
- lastTransitionTime: "2022-12-22T15:54:33Z"
reason: Config map knative-eventing/kafka-channel-channels-subscriptions updated
status: "True"
type: ConfigMapUpdated
- lastTransitionTime: "2022-12-22T15:54:33Z"
status: "True"
type: ConfigParsed
- lastTransitionTime: "2022-12-22T15:54:33Z"
status: "True"
type: DataPlaneAvailable
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: ProbeSucceeded
- lastTransitionTime: "2022-12-22T15:54:34Z"
status: "True"
type: Ready
- lastTransitionTime: "2022-12-22T15:54:33Z"
reason: Topic knative-messaging-kafka.kubeflow-user-example-com.default-kne-trigger
created
status: "True"
type: TopicReady
observedGeneration: 2
subscribers:
- observedGeneration: 1
ready: "True"
uid: 07931388-bca1-4a94-8d29-0b8103a65380
apiVersion: v1
kind: Service
metadata:
creationTimestamp: "2022-12-22T15:54:33Z"
labels:
messaging.knative.dev/role: kafka-channel
name: default-kne-trigger-kn-channel
namespace: kubeflow-user-example-com
ownerReferences:
- apiVersion: messaging.knative.dev/v1beta1
blockOwnerDeletion: true
controller: true
kind: KafkaChannel
name: default-kne-trigger
uid: 4b8ab66a-2815-44de-96b8-4ad4c65ca101
resourceVersion: "7417973"
uid: c7f2bea6-e688-4cd1-bf87-c03a23404c56
spec:
externalName: kafka-channel-ingress.knative-eventing.svc.cluster.local
sessionAffinity: None
type: ExternalName
status:
loadBalancer: {}Produced Error when trying to hit the broker from a curl Pod with an Istio sidecar: root@curl:/ ]$ curl -X POST -v -H "content-type: application/json" -H "ce-specversion: 1.0" \
-H "ce-source: my/curl/command" -H "ce-type: my.demo.event" -H "ce-id: 0815" \
-d '{"value":"Hello Knative"}' http://broker-ingress.knative-eventing.svc.cluster.local/kubeflow-user-example-com/default
> POST /kubeflow-user-example-com/default HTTP/1.1
> User-Agent: curl/7.35.0
> Host: broker-ingress.knative-eventing.svc.cluster.local
> Accept: */*
> content-type: application/json
> ce-specversion: 1.0
> ce-source: my/curl/command
> ce-type: my.demo.event
> ce-id: 0815
> Content-Length: 25
>
< HTTP/1.1 503 Service Unavailable
< allow: POST, OPTIONS
< date: Mon, 12 Dec 2022 17:29:17 GMT
< content-length: 0
< x-envoy-upstream-service-time: 31
< server: envoySecond issueIn addition, we found that
This PR has resolved this issue for the Solution Proposal
|
…6789) The reasoning as per the comment was that you cannot have istio sidecar when it needs to talk with the API Server but that is not true, pods can talk to the API Server even with istio sidecar injected. For example, I'm injecting a sidecar in eventing-istio for PingSource adapter or Kafka controller and they both work fine. Part of #6596 <!-- Please include the 'why' behind your changes if no issue exists --> ## Proposed Changes <!-- Please categorize your changes: - 🎁 Add new feature - 🐛 Fix bug - 🧹 Update or clean up current behavior - 🗑️ Remove feature or internal logic --> - Set sidecar.istio.io/inject to true for API Server Source adapters ### Pre-review Checklist <!-- If these boxes are not checked, you will be asked to complete these requirements or explain why they do not apply to your PR. --> - [ ] **At least 80% unit test coverage** - [ ] **E2E tests** for any new behavior - [ ] **Docs PR** for any user-facing impact - [ ] **Spec PR** for any new API feature - [ ] **Conformance test** for any change to the spec **Release Note** <!-- 📄 If this change has user-visible impact, write a release note in the block below. Include the string "action required" if additional action is required of users switching to the new release, for example in case of a breaking change. Write as if you are speaking to users, not other Knative contributors. If this change has no user-visible impact, no release note is needed. --> ```release-note Set sidecar.istio.io/inject to true for API Server Source adapter pods. ``` Signed-off-by: Pierangelo Di Pilato <[email protected]>
…native#6789) The reasoning as per the comment was that you cannot have istio sidecar when it needs to talk with the API Server but that is not true, pods can talk to the API Server even with istio sidecar injected. For example, I'm injecting a sidecar in eventing-istio for PingSource adapter or Kafka controller and they both work fine. Part of knative#6596 <!-- Please include the 'why' behind your changes if no issue exists --> ## Proposed Changes <!-- Please categorize your changes: - 🎁 Add new feature - 🐛 Fix bug - 🧹 Update or clean up current behavior - 🗑️ Remove feature or internal logic --> - Set sidecar.istio.io/inject to true for API Server Source adapters ### Pre-review Checklist <!-- If these boxes are not checked, you will be asked to complete these requirements or explain why they do not apply to your PR. --> - [ ] **At least 80% unit test coverage** - [ ] **E2E tests** for any new behavior - [ ] **Docs PR** for any user-facing impact - [ ] **Spec PR** for any new API feature - [ ] **Conformance test** for any change to the spec **Release Note** <!-- 📄 If this change has user-visible impact, write a release note in the block below. Include the string "action required" if additional action is required of users switching to the new release, for example in case of a breaking change. Write as if you are speaking to users, not other Knative contributors. If this change has no user-visible impact, no release note is needed. --> ```release-note Set sidecar.istio.io/inject to true for API Server Source adapter pods. ``` Signed-off-by: Pierangelo Di Pilato <[email protected]>
|
This issue is stale because it has been open for 90 days with no |
github-actions
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale We're running e2e tests for non channel components with istio in https://github.com/knative-sandbox/eventing-istio. |
knative-prow
bot
removed
the
lifecycle/stale
|
/triage accepted |
knative-prow
bot
added
the
triage/accepted
|
I did an initial iteration for the implementation of this feature in knative-extensions/eventing-istio#16 |
|
@apo-ger I don't have access to the document anymore, can you please make it for public comment again? It's useful for us to not lose our decision context using those feature track documents |
|
hey @pierDipi, unfortunately @apo-ger and I no longer work at Arrikto. Most probably they have completely disabled/removed the initial gdrive we had use for this document. Thankfully I have a latest copy of that document in my personal drive The above document though is missing the comment history, but at least we still have the context |
|
Thanks @kimwnasptd, I made a copy for the Knative drive workspace https://docs.google.com/document/d/1p4OdOUFaWw7g4xQKtJIR6ml8bBOqKJxw700xc2pX4Co/edit |
github-project-automation
bot
moved this from In Progress
to Done
in Eventing WG Roadmap
Problem
Currently, @kimwnasptd and I are trying to setup Knative Eventing with strict mTLS, as part of Kubeflow. The main issue we bumped into is the fact that someone needs to manually create DestinationRules/VirtualServices #6283 istio/istio#13193 (comment) istio/istio#24886 (comment).
It could help adopters of Knative Eventing, that have a requirement for strict mTLS, if there would be an option in the Eventing Controller to create the required Istio resources.
Persona:
Event Producers
Without strict mTLS we can't have any AuthorizationPolicies to control who can talk to the broker-ingress and filter #6175.
Thus in a multi-user environment, like Kubeflow, everyone would be able to create events for all user namespaces.
Additional context (optional)
We understand that Knative Eventing no-longer has a dependency on Istio (#294).
But, this means that the logic of creating the necessary resources for Knative Eventing to work with mTLS falls down to end users. We believe the Eventing Controller should:
This way we'll avoid duplication of effort for adopters of Knative Eventing, where every one of us will need to rewrite this logic.
We would like to help in this effort, if you agree with our proposal.
The text was updated successfully, but these errors were encountered: