Add analyzer for empty protocol and addresses in Service Entry#28664
Add analyzer for empty protocol and addresses in Service Entry#28664istio-testing merged 6 commits intoistio:masterfrom
Conversation
istio-policy-bot
added
area/networking
release-notes-none
google-cla
bot
added
the
cla: yes
istio-testing
added
size/L
|
Hi @zufardhiyaulhaq. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
istio-testing
added
ok-to-test
There was a problem hiding this comment.
What if Addresses is set but the Ports[*].Protocol is empty?
There was a problem hiding this comment.
if Addresses is set with Ports[*].Protocol is empty. It will not cause a cluster wide problem #27990 since we already have Addresses that match the traffic. CMIIW
There was a problem hiding this comment.
| description: "Addresses and Protocol is Empty in ServiceEntry." | |
| description: "Addresses or Protocol is empty in ServiceEntry." |
There was a problem hiding this comment.
I prefer with Addresses and Protocol is empty in ServiceEntry. since this analyzer match if Addresses and Protocol are empty.
There was a problem hiding this comment.
I think Addresses is optional but the user must set Protocol?
There was a problem hiding this comment.
miss documentation probably, please check @howardjohn comment #27990 (comment)
|
I get this lint error, should I change the struct to |
|
This should also be for |
can you explain the behaviour when we using TCP port in serviceentry? |
Yeah, basically the empty protocol means we set up listeners for TCP AND HTTP. The "tcp" part is what causes this issue of binding to all traffic on the port. So just TCP also has the same problem |
this only applies to ServiceEntry with empty |
|
@howardjohn should we create another code like |
|
I would use a single code to apply to anything that can cause this symptom. IMO, code should be based on the user impact (capture all traffic on port),not the cause (missing protocol vs tcp) |
istio-testing
added
the
needs-rebase
zufardhiyaulhaq
force-pushed
the
master
branch
from
4e09478 to
4b1f269
Compare
istio-testing
removed
the
needs-rebase
|
@howardjohn adding TCP check also. I am dividing into other code since I am following the current code that based on the cause |
zufardhiyaulhaq
requested review from
esnible,
howardjohn and
shamsher31
and removed request for
a team
|
Any update related to this folks? |
| - name: err | ||
| type: error | ||
|
|
||
| - name: "ServiceEntryMissingAddressesAndProtocol" |
There was a problem hiding this comment.
nit: Not sure we need two different messages for these - they are essentially identical
|
|
||
| if se.Addresses == nil { | ||
| for index, port := range se.Ports { | ||
| if port.Protocol == "TCP" { |
There was a problem hiding this comment.
I think you can combine this condition with the above function. So there will be 2 checks.
one with port.Protocol == "" and other with port.Protocol == "TCP" in one function?
There was a problem hiding this comment.
actually yes we can do that. do you have suggestions for the message in galley/pkg/config/analysis/msg/messages.yaml? actually, I am confused about how to create the message
cc @howardjohn
There was a problem hiding this comment.
@zufardhiyaulhaq To create a new message, edit messages.yaml. Then run go generate in the messages directory after setting $REPO_ROOT. I do this:
export REPO_ROOT=~/go/src/istio.io/istio
cd ~/go/src/istio.io/istio/galley/pkg/config/analysis/msg
go generate
There was a problem hiding this comment.
@esnible pardon me, not creating a new message. I mean the message format. currently, I am using two analyzer code (IST0134 and IST0135) to separate
- empty
Addressesand emptyProtocol - empty
AddresseswithProtocolTCP
@shamsher31 this is done
shamsher31
left a comment
shamsher31
left a comment
There was a problem hiding this comment.
Overall LGTM. I will let @esnible provide feedback on multiple messages.
|
can you review this PR @esnible? thanks |
|
Would it make sense to have a single warning? (I don’t know why empty protocol is allowed — our docs say protocol “MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.”) |
|
@esnible yes but we can still apply it directly. The behaviour with missing protocol is explained by @howardjohn in this thread #27990 (comment) I can refactor to match only protocol TCP without |
It is fine to keep this PR, with the check for empty Protocol, because it works. Combine the messages. |
|
/retest |
1 similar comment
|
/retest |
this is done @esnible |
|
should we add this rule to validationWebhook? |
7 participants
Issue related: #27990
Add warning analyzer for empty Protocol and Addresses in ServiceEntry object. Since if both empty, probably will cause a mesh wide error.
result:
[x] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[x] Does not have any changes that may affect Istio users.