diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index c1ff78b6d08d..9cb797e361f9 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa", + "image": "gcr.io/istio-testing/build-tools:release-1.23-d2ac9017a4c8dfb928bbfddd064833427afc0524", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/Makefile.core.mk b/Makefile.core.mk index ab107d312a3c..0029d98187e7 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -49,7 +49,7 @@ endif export VERSION # Base version of Istio image to use -BASE_VERSION ?= 1.23-2024-09-04T19-02-13 +BASE_VERSION ?= 1.23-2024-09-17T19-01-11 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release export GO111MODULE ?= on diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index 707827c206f8..3d9b53729a43 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -e6bbccc51a140216fb669986e89602881002553d +037289f69e8291490f4c780762ecb07986d9998a diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index ac6f72b016a7..3b317b0e663d 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa + IMAGE_VERSION=release-1.23-d2ac9017a4c8dfb928bbfddd064833427afc0524 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/go.mod b/go.mod index a61ed9ba511f..8c2bd70ce9f9 100644 --- a/go.mod +++ b/go.mod 
@@ -19,7 +19,7 @@ require ( github.com/containernetworking/plugins v1.5.0 github.com/coreos/go-oidc/v3 v3.10.0 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v26.1.4+incompatible + github.com/docker/cli v26.1.5+incompatible github.com/envoyproxy/go-control-plane v0.12.1-0.20240719165848-f888b4f71207 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 @@ -98,8 +98,8 @@ require ( gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.15.1 - istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 - istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 + istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7 + istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a k8s.io/api v0.30.1 k8s.io/apiextensions-apiserver v0.30.1 k8s.io/apimachinery v0.30.1 @@ -135,7 +135,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v26.1.4+incompatible // indirect + github.com/docker/docker v26.1.5+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.1 // indirect github.com/emicklei/go-restful/v3 v3.12.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect diff --git a/go.sum b/go.sum index fd6320327765..85cc85f40c8a 100644 --- a/go.sum +++ b/go.sum 
@@ -137,13 +137,13 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etly github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8= -github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v26.1.5+incompatible h1:NxXGSdz2N+Ibdaw330TDO3d/6/f7MvHuiMbuFaIQDTk= +github.com/docker/cli v26.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU= -github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g= +github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= 
@@ -1009,10 +1009,10 @@ helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 h1:utRdmZryJWw71X1flREUJFLk56QCl2JdVuP3xsvDcMI= -istio.io/api v1.23.1-0.20240906150629-ba126bb830f0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM= -istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 h1:/HbrtBiDEiTsQRrzkdcfNgKr+GUp/JFWc5U3ZL/QUmk= -istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43/go.mod h1:E08wpMtUulJk2tlWOCUVakjy1bKFxUNm22tM1R1QY0Y= +istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7 h1:c8RwLi4qSqCn36t5B2WFkwRDY+qPZ1XhlLMEIoJDCcs= +istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM= +istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a h1:MZyree5xnOHalv93KgXLX9hb3EINj8EgLp7ztjWObos= +istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a/go.mod h1:Lfa3anzx7/kCOpcAciR+JiRMj/SYuzDcbXQDjkThnLg= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= diff --git a/istio.deps b/istio.deps index 71f20d16bab2..7a0a62118b09 100644 --- a/istio.deps +++ b/istio.deps 
@@ -4,13 +4,13 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "6c72b2179f5a58988b920a55b0be8346de3f7b35" + "lastStableSHA": "cbd889517ed13455bf2d88facc5685d958eb54a6" }, { "_comment": "", "name": "ZTUNNEL_REPO_SHA", "repoName": "ztunnel", "file": "", - "lastStableSHA": "3ead5b81415936e1d3d7f4e81b0d87178817b289" + "lastStableSHA": "906d9c34eb40703fe07a9d14e1bd09da2e370f61" } ] diff --git a/manifests/charts/istio-cni/templates/daemonset.yaml b/manifests/charts/istio-cni/templates/daemonset.yaml index 9b667c40eb9a..cf0dab5ca18a 100644 --- a/manifests/charts/istio-cni/templates/daemonset.yaml +++ b/manifests/charts/istio-cni/templates/daemonset.yaml @@ -76,6 +76,10 @@ spec: {{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} {{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml index f4d363323b68..976568854e1a 100644 --- a/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml @@ -104,6 +104,9 @@ spec: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml index 0c9279a36e68..e7a618e5c19b 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml 
@@ -134,6 +134,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml index 88f7c05d3349..7d8d53a69e1c 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml index 6659c44a15f4..df10b4750f18 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml @@ -137,6 +137,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml index edf860c90b24..a95f8d7daffd 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml index edf860c90b24..a95f8d7daffd 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml index 52102caf3d9f..dc1171b45153 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml index d3339d13386e..533430da8942 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml index 41a1612cef68..90e79ca67a87 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml 
@@ -138,6 +138,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml index 1be186f0416d..b2e8c4423222 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test-distroless name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml index 38ae13d94808..fb11ff36cb6e 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml @@ -137,6 +137,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/model/cluster_local.go b/pilot/pkg/model/cluster_local.go index b31f05768217..b149ba6433ae 100644 --- a/pilot/pkg/model/cluster_local.go +++ b/pilot/pkg/model/cluster_local.go @@ -19,7 +19,6 @@ import ( "sync" "istio.io/istio/pkg/config/host" - "istio.io/istio/pkg/util/sets" ) var ( 
@@ -27,18 +26,22 @@ var (
 defaultClusterLocalServices = []string{"kubernetes.default.svc"}
 )
 
-// ClusterLocalHosts is a map of host names or wildcard patterns which should only
-// be made accessible from within the same cluster.
+// ClusterLocalHosts is a map of host names or wildcard patterns which indicate
+// whether a host be made accessible from within the same cluster or not.
 type ClusterLocalHosts struct {
- specific sets.Set[host.Name]
- wildcard sets.Set[host.Name]
+ specific map[host.Name]bool
+ wildcard map[host.Name]bool
 }
 
 // IsClusterLocal indicates whether the given host should be treated as a
 // cluster-local destination.
 func (c ClusterLocalHosts) IsClusterLocal(h host.Name) bool {
- _, _, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
- return ok
+ _, local, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
+ // Explicitly set clusterLocal to false if host is not found in clusterLocal settings
+ if !ok {
+ local = false
+ }
+ return local
 }
 
 // ClusterLocalProvider provides the cluster-local hosts.
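Review bot: The new struct comment ("whether a host be made accessible ... or not") is ungrammatical and does not state what a `false` entry means, which is the whole reason for moving from sets to `map[host.Name]bool`: a host mapped to `false` is an explicit exclusion that wins over a broader wildcard mapped to `true`, while a host that matches nothing is also non-local. I would replace the two comment lines with `// ClusterLocalHosts maps host names and wildcard patterns to whether traffic for them must stay within the local cluster. A false entry explicitly exempts a host from a broader cluster-local wildcard; hosts that match no entry are not cluster-local.` In IsClusterLocal the `if !ok { local = false }` branch only has an effect if MostSpecificHostMatch can return a non-zero value alongside ok == false; if it returns the zero value on a miss, as the `_, local, ok` shape suggests, the branch is purely defensive and its comment should say so rather than imply the value would otherwise be wrong.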
@@ -98,22 +101,15 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 
 // Collect the cluster-local hosts.
 hosts := ClusterLocalHosts{
- specific: make(map[host.Name]struct{}, 0),
- wildcard: make(map[host.Name]struct{}, 0),
+ specific: make(map[host.Name]bool),
+ wildcard: make(map[host.Name]bool),
 }
+
 for _, serviceSettings := range e.Mesh().ServiceSettings {
- if serviceSettings.GetSettings().GetClusterLocal() {
- for _, h := range serviceSettings.GetHosts() {
- hostname := host.Name(h)
- if hostname.IsWildCarded() {
- hosts.wildcard.Insert(hostname)
- } else {
- hosts.specific.Insert(hostname)
- }
- }
- } else {
- // Remove defaults if specified to be non-cluster-local.
- for _, h := range serviceSettings.GetHosts() {
+ isClusterLocal := serviceSettings.GetSettings().GetClusterLocal()
+ for _, h := range serviceSettings.GetHosts() {
+ // If clusterLocal false, check to see if we should remove a default clusterLocal host.
+ if !isClusterLocal {
 for i, defaultClusterLocalHost := range defaultClusterLocalHosts {
 if len(defaultClusterLocalHost) > 0 {
 if h == string(defaultClusterLocalHost) ||
@@ -126,15 +122,25 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 }
 }
 }
+
+ // Add hosts with their clusterLocal setting to sets.
+ for _, h := range serviceSettings.GetHosts() {
+ hostname := host.Name(h)
+ if hostname.IsWildCarded() {
+ hosts.wildcard[hostname] = isClusterLocal
+ } else {
+ hosts.specific[hostname] = isClusterLocal
+ }
+ }
 }
 
 // Add any remaining defaults to the end of the list.
 for _, defaultClusterLocalHost := range defaultClusterLocalHosts {
 if len(defaultClusterLocalHost) > 0 {
 if defaultClusterLocalHost.IsWildCarded() {
- hosts.wildcard.Insert(defaultClusterLocalHost)
+ hosts.wildcard[defaultClusterLocalHost] = true
 } else {
- hosts.specific.Insert(defaultClusterLocalHost)
+ hosts.specific[defaultClusterLocalHost] = true
 }
 }
 }
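Review bot: In the second loop, `hosts.wildcard[hostname] = isClusterLocal` and `hosts.specific[hostname] = isClusterLocal` overwrite whatever an earlier ServiceSettings entry stored for the same host, so when two entries list one host with opposite clusterLocal values the later entry silently wins; with the removed set-based code a host marked cluster-local by any entry stayed cluster-local, since the else branch only trimmed the defaults. Cluster-local is the setting that keeps a destination reachable only from within the cluster, so an unnoticed flip to `false` widens where that traffic may be routed, and nothing tells the operator that two entries disagreed. I would detect the conflict before assigning, e.g. `if prev, seen := hosts.specific[hostname]; seen && prev != isClusterLocal {` and emit a warning naming the host (and likewise for wildcard), or at minimum document on the MeshConfig field that the last matching ServiceSettings entry takes precedence. onMeshUpdated begins and ends outside this hunk.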
diff --git a/pilot/pkg/model/cluster_local_test.go b/pilot/pkg/model/cluster_local_test.go index 456e164b856c..ad76dbda3e8a 100644 --- a/pilot/pkg/model/cluster_local_test.go +++ b/pilot/pkg/model/cluster_local_test.go 
@@ -142,6 +142,123 @@ func TestIsClusterLocal(t *testing.T) { host: "s.ns3.svc.cluster.local", expected: false, }, + { + name: "global", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*", + }, + }, + }, + }, + host: "s.ns1.svc.cluster.local", + expected: true, + }, + { + name: "global with exclusion wildcard", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "*.ns1.svc.cluster.local", + }, + }, + }, + }, + host: "s.ns1.svc.cluster.local", + expected: false, + }, + { + name: "global with exclusion specific", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "service.ns1.svc.cluster.local", + }, + }, + }, + }, + host: "service.ns1.svc.cluster.local", + expected: false, + }, + { + name: "subdomain local with global", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*.cluster.local", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "*", + }, + }, + }, + }, + host: "echo.test.svc.cluster.local", + expected: true, + }, + { + name: "other domain non-local global", + m: &meshconfig.MeshConfig{ + ServiceSettings: 
[]*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*.cluster.local", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "*", + }, + }, + }, + }, + host: "otherdomain", + expected: false, + }, } for _, c := range cases { diff --git a/pkg/config/validation/agent/validation.go b/pkg/config/validation/agent/validation.go index ea21c4ff7384..2e52061c65cd 100644 --- a/pkg/config/validation/agent/validation.go +++ b/pkg/config/validation/agent/validation.go @@ -19,6 +19,7 @@ import ( "fmt" "net" "net/netip" + "regexp" "strconv" "strings" "time" @@ -43,7 +44,9 @@ const ( // nolint: revive connectTimeoutMax = time.Hour // nolint: revive - connectTimeoutMin = time.Millisecond + connectTimeoutMin = time.Millisecond + outboundHostPrefix = "outbound" + outboundHostNameFormat = "outbound_._._." ) var scope = log.RegisterScope("validation", "CRD validation debugging") 
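Review bot: The new cases cover a global wildcard with more specific exclusions and the reverse, but none lists the same host in two ServiceSettings entries with different ClusterLocal values, which is the one input whose result changed when the sets became `map[host.Name]bool` (later entries now overwrite earlier ones). A case such as `Hosts: []string{"*.ns1.svc.cluster.local"}` with `ClusterLocal: true` followed by an identical Hosts entry with `ClusterLocal: false`, asserting the expected outcome for `s.ns1.svc.cluster.local`, would pin the precedence rule so it cannot drift unnoticed. The enclosing TestIsClusterLocal begins before the hunk.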
@@ -673,6 +676,50 @@ func ValidateWildcardDomain(domain string) error {
 return nil
 }
 
+// ValidateWildcardDomainForVirtualServiceBoundToGateway checks that a domain is a valid FQDN, but also allows wildcard prefixes.
+// If it is an SNI domain, then it does a special validation where it allows a
+// which matches outbound_._._. format
+func ValidateWildcardDomainForVirtualServiceBoundToGateway(sni bool, domain string) error {
+ if err := CheckDNS1123Preconditions(domain); err != nil {
+ return err
+ }
+
+ // check if its an auto generated domain, with outbound_ as a prefix.
+ if sni && strings.HasPrefix(domain, outboundHostPrefix+"_") {
+ // example of a valid domain: outbound_.80_._.e2e.foobar.mesh
+ trafficDirectionSuffix, port, hostname, err := parseAutoGeneratedSNIDomain(domain)
+ if err != nil {
+ return err
+ }
+ if trafficDirectionSuffix != outboundHostPrefix {
+ return fmt.Errorf("domain name %q invalid (label %q invalid)", domain, trafficDirectionSuffix)
+ }
+ match, _ := regexp.MatchString("([0-9].*)", port)
+ if !match {
+ return fmt.Errorf("domain name %q invalid (label %q invalid). should follow %s format", domain, port, outboundHostNameFormat)
+ }
+ match, _ = regexp.MatchString("([a-zA-Z].*)", hostname)
+ if !match {
+ return fmt.Errorf("domain name %q invalid (label %q invalid). should follow %s format", domain, hostname, outboundHostNameFormat)
+ }
+ return nil
+ }
+ return ValidateWildcardDomain(domain)
+}
+
+// parseAutoGeneratedSNIDomain parses auto generated sni domains
+// which are generated when using AUTO_PASSTHROUGH mode in envoy
+func parseAutoGeneratedSNIDomain(domain string) (string, string, string, error) {
+ parts := strings.Split(domain, "_")
+ if len(parts) < 4 {
+ return "", "", "", fmt.Errorf("domain name %s invalid, should follow '%s' format", domain, outboundHostNameFormat)
+ }
+ trafficDirectionPrefix := parts[0]
+ port := strings.Trim(parts[1], ".")
+ hostname := strings.Trim(parts[3], ".")
+ return trafficDirectionPrefix, port, hostname, nil
+}
+
 // validate the trust domain format
 func ValidateTrustDomain(domain string) error {
 if len(domain) == 0 {
diff --git a/pkg/config/validation/agent/validation_test.go b/pkg/config/validation/agent/validation_test.go
index cee31bd50507..6c29432012d8 100755
--- a/pkg/config/validation/agent/validation_test.go
+++ b/pkg/config/validation/agent/validation_test.go
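Review bot: The two `regexp.MatchString` checks in ValidateWildcardDomainForVirtualServiceBoundToGateway accept far more than the `outbound_.80_._.e2e.foobar.mesh` shape the comment promises: `([0-9].*)` is unanchored, so any port label containing a digit anywhere (`8a`, `x1`) passes, and `([a-zA-Z].*)` passes any host part containing a single letter, so the host is never held to the DNS-label rules that `ValidateWildcardDomain` enforces on the non-SNI path (CheckDNS1123Preconditions above it only bounds the length, as far as the visible code shows). The patterns are also recompiled on every call and their error is discarded. Since this function is the admission gate for gateway-bound VirtualService hosts, I would parse the port with `strconv.Atoi` (already imported) and range-check it, run the host part through `ValidateWildcardDomain`, and have parseAutoGeneratedSNIDomain reject `len(parts) != 4` rather than `< 4`, so an underscore inside the host cannot be dropped by reading only `parts[3]`. The doc comment's second sentence is also missing its object ("it allows a / which matches"), and the helper returns a `trafficDirectionPrefix` that the caller names a suffix.

```go
	if sni && strings.HasPrefix(domain, outboundHostPrefix+"_") {
		// example of a valid domain: outbound_.80_._.e2e.foobar.mesh
		trafficDirectionSuffix, port, hostname, err := parseAutoGeneratedSNIDomain(domain)
		// … unchanged: err check and traffic-direction comparison …
		// Require a real port number, not merely a label that contains a digit.
		if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
			return fmt.Errorf("domain name %q invalid (label %q invalid). should follow %s format", domain, port, outboundHostNameFormat)
		}
		// The host part is an ordinary (possibly wildcard) domain; hold it to the same rules as any other host.
		if err := ValidateWildcardDomain(hostname); err != nil {
			return fmt.Errorf("domain name %q invalid (label %q invalid). should follow %s format", domain, hostname, outboundHostNameFormat)
		}
		return nil
	}
	// … unchanged: return ValidateWildcardDomain(domain) …

func parseAutoGeneratedSNIDomain(domain string) (string, string, string, error) {
	parts := strings.Split(domain, "_")
	// Exactly four parts: <direction>, <.port>, <.>, <.host>; more means an underscore inside the host.
	if len(parts) != 4 {
		return "", "", "", fmt.Errorf("domain name %s invalid, should follow '%s' format", domain, outboundHostNameFormat)
	}
	// … unchanged: trim and return the three labels …
}
```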
@@ -876,6 +876,79 @@ func TestValidateWildcardDomain(t *testing.T) { } } +func TestValidateWildcardDomainForVirtualServiceBoundToGateway(t *testing.T) { + tests := []struct { + name string + in string + sni bool + out string + }{ + {"empty", "", false, "empty"}, + {"too long", strings.Repeat("x", 256), false, "too long"}, + {"happy", strings.Repeat("x", 63), false, ""}, + {"wildcard", "*", false, ""}, + {"wildcard multi-segment", "*.bar.com", false, ""}, + {"wildcard single segment", "*foo", false, ""}, + {"wildcard prefix", "*foo.bar.com", false, ""}, + {"wildcard prefix dash", "*-foo.bar.com", false, ""}, + {"bad wildcard", "foo.*.com", false, "invalid"}, + {"bad wildcard", "foo*.bar.com", false, "invalid"}, + {"IP address", "1.1.1.1", false, "invalid"}, + {"SNI domain", "outbound_.80_._.e2e.foobar.mesh", true, ""}, + {"happy", "outbound.com", true, ""}, + {"invalid SNI domain", "neverbound_.80_._.e2e.foobar.mesh", true, "invalid"}, + {"invalid SNI domain", "outbound_.thisIsNotAPort_._.e2e.foobar.mesh", true, "invalid"}, + {"invalid SNI domain", "outbound_.80_._", true, "invalid"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := ValidateWildcardDomainForVirtualServiceBoundToGateway(tt.sni, tt.in) + if err == nil && tt.out != "" { + t.Fatalf("ValidateWildcardDomain(%v) = nil, wanted %q", tt.in, tt.out) + } else if err != nil && tt.out == "" { + t.Fatalf("ValidateWildcardDomain(%v) = %v, wanted nil", tt.in, err) + } else if err != nil && !strings.Contains(err.Error(), tt.out) { + t.Fatalf("ValidateWildcardDomain(%v) = %v, wanted %q", tt.in, err, tt.out) + } + }) + } +} + +func TestParseAutoGeneratedSNIDomain(t *testing.T) { + tests := []struct { + name string + in string + trafficDirectionSuffix string + port string + hostname string + err string + }{ + {"invalid", "foobar.com", "", "", "", "domain name foobar.com invalid, should follow '" + outboundHostNameFormat + "' format"}, + {"valid", "outbound_.80_._.e2e.foobar.mesh", 
"outbound", "80", "e2e.foobar.mesh", ""}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + trafficDirectionSuffix, port, hostname, err := parseAutoGeneratedSNIDomain(tt.in) + if err == nil && tt.err != "" { + t.Fatalf("parseOutboundSNIDomain(%v) = nil, wanted %q", tt.in, tt.err) + } else if err != nil && tt.err == "" { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted nil", tt.in, err) + } else if err != nil && !strings.Contains(err.Error(), tt.err) { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, err, tt.err) + } + if trafficDirectionSuffix != tt.trafficDirectionSuffix { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, trafficDirectionSuffix, tt.trafficDirectionSuffix) + } + if port != tt.port { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, port, tt.port) + } + if hostname != tt.hostname { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, hostname, tt.hostname) + } + }) + } +} + func TestValidateTrustDomain(t *testing.T) { tests := []struct { name string diff --git a/pkg/config/validation/validation.go b/pkg/config/validation/validation.go index 8830500777a2..fe0750c36094 100644 --- a/pkg/config/validation/validation.go +++ b/pkg/config/validation/validation.go @@ -1611,13 +1611,8 @@ var ValidateVirtualService = RegisterValidateFunc("ValidateVirtualService", appliesToMesh = true } else { errs = AppendValidation(errs, validateGatewayNames(virtualService.Gateways, gatewaySemantics)) - for _, gatewayName := range virtualService.Gateways { - if gatewayName == constants.IstioMeshGateway { - appliesToMesh = true - } else { - appliesToGateway = true - } - } + appliesToGateway = isGateway(virtualService) + appliesToMesh = !appliesToGateway } if !appliesToGateway { 
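Review bot: The negative SNI cases only use a port label with no digit at all (`thisIsNotAPort`), so they pass against the unanchored `([0-9].*)` check without proving the port is numeric; a case like `{"invalid SNI domain", "outbound_.8a_._.e2e.foobar.mesh", true, "invalid"}` and one with a malformed host part such as `outbound_.80_._.-bad..host` (which, as far as the visible checks go, is currently accepted) would pin the intended format. The Fatalf messages in both new tests name other functions (`ValidateWildcardDomain`, `parseOutboundSNIDomain`), which will mislead whoever reads a failure; print the function actually under test. The expectation field is called `trafficDirectionSuffix` here while parseAutoGeneratedSNIDomain returns a `trafficDirectionPrefix`; use one name.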
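Review bot: Replacing the per-gateway loop with `appliesToGateway = isGateway(virtualService)` changes the result for a VirtualService whose `gateways` list contains both `mesh` and a named gateway: the removed loop set both flags true, whereas isGateway returns false as soon as it sees `mesh`, so the resource is now validated as mesh-only and the checks guarded by `if !appliesToGateway` just after the hunk apply to it while its hosts lose the gateway-specific validation. That may be the intended, stricter reading, but neither the hunk nor the new test says so. Either keep the old semantics (`appliesToGateway` true when any non-mesh gateway is present) or add a comment on the assignment such as `// Any "mesh" entry makes the whole VirtualService mesh-bound for validation purposes.` ValidateVirtualService begins and ends outside this hunk.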
@@ -1639,7 +1634,13 @@ var ValidateVirtualService = RegisterValidateFunc("ValidateVirtualService",
 
 allHostsValid := true
 for _, virtualHost := range virtualService.Hosts {
- if err := agent.ValidateWildcardDomain(virtualHost); err != nil {
+ var err error
+ if appliesToGateway {
+ err = agent.ValidateWildcardDomainForVirtualServiceBoundToGateway(isSniHost(virtualService), virtualHost)
+ } else {
+ err = agent.ValidateWildcardDomain(virtualHost)
+ }
+ if err != nil {
 if !netutil.IsValidIPAddress(virtualHost) {
 errs = AppendValidation(errs, err)
 allHostsValid = false
@@ -1716,6 +1717,26 @@ func assignExactOrPrefix(exact, prefix string) string {
 return ""
 }
 
+func isSniHost(context *networking.VirtualService) bool {
+ for _, tls := range context.Tls {
+ for _, match := range tls.Match {
+ if len(match.SniHosts) > 0 {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func isGateway(context *networking.VirtualService) bool {
+ for _, gatewayName := range context.Gateways {
+ if gatewayName == constants.IstioMeshGateway {
+ return false
+ }
+ }
+ return true
+}
+
 // genMatchHTTPRoutes build the match rules into struct OverlappingMatchValidationForHTTPRoute
 // based on particular HTTPMatchRequest, according to comments on https://github.com/istio/istio/pull/32701
 // only support Match's port, method, authority, headers, query params and nonheaders for now.
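Review bot: isGateway returns true for a VirtualService with no `gateways` at all, because the loop is vacuous, yet the branch at the top of ValidateVirtualService that sets `appliesToMesh = true` (which appears to be exactly the no-gateways case) treats such a resource as mesh-bound; any caller that consults isGateway directly, such as validateSniHost further down, therefore gets the relaxed `outbound_` host format for a mesh-only VirtualService. Add `if len(context.Gateways) == 0 { return false }` at the top of the helper, and give it a doc comment since its name hides the rule, e.g. `// isGateway reports whether the VirtualService is bound only to named gateways; a "mesh" entry, or no gateways at all, means mesh.` Both helpers should also take `vs` rather than `context` as the receiver-like parameter name, since `context` is a stdlib package name that readers will mistake for a context.Context. Separately, isSniHost makes every entry in `Hosts` eligible for the relaxed format once any TLS route matches on SNI, not just the hosts that appear as SNI hosts; a comment stating that this is deliberate would help.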
@@ -2084,7 +2105,13 @@ func validateTLSMatch(match *networking.TLSMatchAttributes, context *networking.
 }
 
 func validateSniHost(sniHost string, context *networking.VirtualService) (errs Validation) {
- if err := agent.ValidateWildcardDomain(sniHost); err != nil {
+ var err error
+ if isGateway(context) {
+ err = agent.ValidateWildcardDomainForVirtualServiceBoundToGateway(true, sniHost)
+ } else {
+ err = agent.ValidateWildcardDomain(sniHost)
+ }
+ if err != nil {
 // Could also be an IP
 if netutil.IsValidIPAddress(sniHost) {
 errs = AppendValidation(errs, WrapWarning(fmt.Errorf("using an IP address (%q) goes against SNI spec and most clients do not support this", sniHost)))
diff --git a/pkg/config/validation/validation_test.go b/pkg/config/validation/validation_test.go
index 2da62a28a840..d06b2cae05ee 100644
--- a/pkg/config/validation/validation_test.go
+++ b/pkg/config/validation/validation_test.go
@@ -2023,6 +2023,26 @@ func TestValidateVirtualService(t *testing.T) {
 }},
 }},
 }, valid: true},
+ {name: "allow sni based domains", in: &networking.VirtualService{
+ Hosts: []string{"outbound_.15010_._.istiod.istio-system.svc.cluster.local"},
+ Gateways: []string{"ns1/gateway"},
+ Tls: []*networking.TLSRoute{
+ {
+ Match: []*networking.TLSMatchAttributes{
+ {
+ SniHosts: []string{"outbound_.15010_._.istiod.istio-system.svc.cluster.local"},
+ },
+ },
+ Route: []*networking.RouteDestination{
+ {
+ Destination: &networking.Destination{
+ Host: "istio.istio-system.svc.cluster.local",
+ },
+ },
+ },
+ },
+ },
+ }, valid: true},
 {name: "duplicate hosts", in: &networking.VirtualService{
 Hosts: []string{"*.foo.bar", "*.bar"},
 Http: []*networking.HTTPRoute{{
diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml
index 4a4abdeb1793..70008defb4ce 100644
--- a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml
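Review bot: The only new test for the relaxed host format is the positive "allow sni based domains" case bound to `ns1/gateway`; nothing asserts that the same `outbound_.15010_._.…` host and SNI host are rejected when the VirtualService is mesh-bound, which is the boundary the change is supposed to preserve. Add a copy of this case with `Gateways: []string{"mesh"}` expecting `valid: false`, and another with no `Gateways` at all: the latter would currently pass through validateSniHost, because isGateway returns true for an empty list, and so would document whether that is intended. TestValidateVirtualService begins and ends outside this hunk.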
+++ b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml 
@@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml 
@@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml 
@@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml 
@@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml b/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml b/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml b/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 
--- a/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/releasenotes/notes/48368.yaml b/releasenotes/notes/48368.yaml new file mode 100644 index 000000000000..59d87018a303 --- /dev/null +++ b/releasenotes/notes/48368.yaml @@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: installation +issue: +- 48368 +releaseNotes: + - | + **Fixed** kube-virt-related rules not being removed by istio-clean-iptables tool. diff --git a/releasenotes/notes/52367.yaml b/releasenotes/notes/52367.yaml new file mode 100644 index 000000000000..6b6bacc4ee5b --- /dev/null +++ b/releasenotes/notes/52367.yaml @@ -0,0 +1,7 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: traffic-management +issue: [] +releaseNotes: +- | + **Fixed** Support clusterLocal host exclusions for multi-cluster. diff --git a/releasenotes/notes/53184.yaml b/releasenotes/notes/53184.yaml new file mode 100644 index 000000000000..f21e3fefe425 --- /dev/null +++ b/releasenotes/notes/53184.yaml @@ -0,0 +1,16 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: telemetry + +# issue is a list of GitHub issues resolved in this note. +issue: [] + +docs: [] + +releaseNotes: +- | + **Fixed** Added the metrics port in the daemonset containers spec of the istio-cni chart. + +upgradeNotes: [] + +securityNotes: [] \ No newline at end of file diff --git a/releasenotes/notes/53351.yaml b/releasenotes/notes/53351.yaml new file mode 100644 index 000000000000..b4ff9aaf788f --- /dev/null +++ b/releasenotes/notes/53351.yaml 
@@ -0,0 +1,16 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: telemetry + +# issue is a list of GitHub issues resolved in this note. +issue: [] + +docs: [] + +releaseNotes: +- | + **Fixed** Added the metrics port in the kube-gateway containers spec of the istio-discovery chart. + +upgradeNotes: [] + +securityNotes: [] \ No newline at end of file diff --git a/samples/bookinfo/src/details/Dockerfile b/samples/bookinfo/src/details/Dockerfile index 25d784c44666..20acf9e73a9e 100644 --- a/samples/bookinfo/src/details/Dockerfile +++ b/samples/bookinfo/src/details/Dockerfile @@ -15,7 +15,7 @@ FROM ruby:3.3.0-slim WORKDIR /opt/microservices -COPY Gemfile /opt/microservices/ +COPY Gemfile Gemfile.lock /opt/microservices/ RUN bundle install COPY details.rb /opt/microservices/ diff --git a/samples/bookinfo/src/details/Gemfile.lock b/samples/bookinfo/src/details/Gemfile.lock index c6fc5ba24bea..c8c5704d22ee 100644 --- a/samples/bookinfo/src/details/Gemfile.lock +++ b/samples/bookinfo/src/details/Gemfile.lock @@ -1,7 +1,7 @@ GEM remote: https://rubygems.org/ specs: - webrick (1.8.1) + webrick (1.8.2) PLATFORMS aarch64-linux @@ -12,4 +12,4 @@ DEPENDENCIES webrick (~> 1.7) BUNDLED WITH - 2.5.10 + 2.5.3 diff --git a/samples/httpbin/httpbin-vault.yaml b/samples/httpbin/httpbin-vault.yaml index 0e5bb87e41e5..89cf73ff346e 100644 --- a/samples/httpbin/httpbin-vault.yaml +++ b/samples/httpbin/httpbin-vault.yaml @@ -53,6 +53,8 @@ spec: name: httpbin # Same as found in Dockerfile's CMD but using an unprivileged port command: + - pipenv + - run - gunicorn - -b - 0.0.0.0:8080 diff --git a/samples/httpbin/httpbin.yaml b/samples/httpbin/httpbin.yaml index cb64cf33b639..f0061801ef23 100644 --- a/samples/httpbin/httpbin.yaml +++ b/samples/httpbin/httpbin.yaml @@ -58,6 +58,8 @@ spec: name: httpbin # Same as found in Dockerfile's CMD but using an unprivileged port command: + - pipenv + - run - gunicorn - -b - 0.0.0.0:8080 
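Review bot: Copying Gemfile.lock into the image only pins the dependency set if bundler is told to honour the lock; the unchanged `RUN bundle install` on the next line will still re-resolve and rewrite the lock whenever Gemfile and Gemfile.lock disagree, so the built image can silently diverge from what was committed. Enable frozen mode so such a mismatch fails the build instead, e.g. `ENV BUNDLE_FROZEN=true` before the install line. The Gemfile.lock hunk that follows also moves `BUNDLED WITH` from 2.5.10 to 2.5.3, which reads as a downgrade and is worth a sentence in the commit message if it is intentional.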
diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go
index 86023a9a9b98..633bc04425ee 100644
--- a/tests/integration/pilot/ingress_test.go
+++ b/tests/integration/pilot/ingress_test.go
@@ -637,79 +637,6 @@ spec: }) }) - // TODO we could add istioctl as well, but the framework adds a bunch of stuff beyond just `istioctl install` - // that mess with certs, multicluster, etc - t.NewSubTest("helm").Run(func(t framework.TestContext) { - gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-helm", Inject: inject}) - d := filepath.Join(t.TempDir(), "gateway-values.yaml") - rev := "" - if t.Settings().Revisions.Default() != "" { - rev = t.Settings().Revisions.Default() - } - os.WriteFile(d, []byte(fmt.Sprintf(` -revision: %v -gateways: - istio-ingressgateway: - name: custom-gateway-helm - injectionTemplate: gateway - type: ClusterIP # LoadBalancer is slow and not necessary for this tests - autoscaleMax: 1 - resources: - requests: - cpu: 10m - memory: 40Mi - labels: - istio: custom-gateway-helm -`, rev)), 0o644) - cs := t.Clusters().Default().(*kubecluster.Cluster) - h := helm.New(cs.Filename()) - // Install ingress gateway chart - if err := h.InstallChart("ingress", filepath.Join(env.IstioSrc, "manifests/charts/gateways/istio-ingress"), gatewayNs.Name(), - d, helmtest.Timeout); err != nil { - t.Fatal(err) - } - retry.UntilSuccessOrFail(t, func() error { - _, err := kubetest.CheckPodsAreReady(kubetest.NewPodFetch(cs, gatewayNs.Name(), "istio=custom-gateway-helm")) - return err - }, retry.Timeout(time.Minute*2), retry.Delay(time.Millisecond*500)) - _ = t.ConfigIstio().YAML(gatewayNs.Name(), fmt.Sprintf(`apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: app -spec: - selector: - istio: custom-gateway-helm - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: app -spec: - hosts: - - "*" - gateways: - - app - http: - - route: - - destination: - host: %s - port: - number: 80 -`, apps.A.Config().ClusterLocalFQDN())).Apply(apply.NoCleanup) - apps.B[0].CallOrFail(t, echo.CallOptions{ - Port: 
echo.Port{ServicePort: 80}, - Scheme: scheme.HTTP, - Address: fmt.Sprintf("custom-gateway-helm.%s.svc.cluster.local", gatewayNs.Name()), - Check: check.OK(), - }) - }) t.NewSubTest("helm-simple").Run(func(t framework.TestContext) { gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-helm", Inject: inject}) d := filepath.Join(t.TempDir(), "gateway-values.yaml") @@ -717,7 +644,7 @@ spec: if t.Settings().Revisions.Default() != "" { rev = t.Settings().Revisions.Default() } - os.WriteFile(d, []byte(fmt.Sprintf(` + gatewayValues := fmt.Sprintf(` revision: %q service: type: ClusterIP # LoadBalancer is slow and not necessary for this tests @@ -727,7 +654,11 @@ resources: requests: cpu: 10m memory: 40Mi -`, rev)), 0o644) +`, rev) + if t.Settings().OpenShift { + gatewayValues += "\nplatform: openshift" + } + os.WriteFile(d, []byte(gatewayValues), 0o644) cs := t.Clusters().Default().(*kubecluster.Cluster) h := helm.New(cs.Filename()) // Install ingress gateway chart diff --git a/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml b/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml index 97ac361be8dc..d27c9d892f2c 100644 --- a/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml +++ b/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml @@ -12,10 +12,12 @@ spec: labels: app: external-forward-proxy spec: + {{ if not .OpenShift }} securityContext: runAsUser: 65534 runAsGroup: 65534 fsGroup: 65534 + {{ end }} containers: - name: external-forward-proxy image: envoyproxy/envoy:v1.21.0 diff --git a/tests/integration/pilot/tunneling_test.go b/tests/integration/pilot/tunneling_test.go index a50d601a27dc..4db0190e5f8e 100644 --- a/tests/integration/pilot/tunneling_test.go +++ b/tests/integration/pilot/tunneling_test.go 
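Review bot: The rewritten `os.WriteFile(d, []byte(gatewayValues), 0o644)` still discards its error, so if the values file cannot be written the Helm install that follows runs against a missing or partial file and the failure surfaces later with a less useful message; `if err := os.WriteFile(d, []byte(gatewayValues), 0o644); err != nil { t.Fatal(err) }` pins the failure to its cause. Building the OpenShift variant by appending `"\nplatform: openshift"` to the already formatted YAML works, but a placeholder in the template filled by the same `fmt.Sprintf` would keep all chart values in one place and avoid a second string-concatenation path. The enclosing helm-simple subtest starts before and ends after this hunk.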
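Review bot: The `{{ if not .OpenShift }}` guard drops the whole securityContext (runAsUser/runAsGroup/fsGroup 65534) on OpenShift without saying why, so a later reader cannot tell whether the missing identity is deliberate or an oversight to be "fixed" back. A one-line comment inside the guard would preserve the intent, e.g. `# securityContext omitted on OpenShift: the platform SCC assigns the pod's UID/GID (presumably why a fixed 65534 conflicts there)`. If the reason is different from the SCC conflict I am inferring here, the comment should state the actual one.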
@@ -112,7 +112,9 @@ func TestTunnelingOutboundTraffic(t *testing.T) {
 externalNs := apps.External.Namespace.Name()
 applyForwardProxyConfigMaps(ctx, externalNs)
- ctx.ConfigIstio().File(externalNs, "testdata/external-forward-proxy-deployment.yaml").ApplyOrFail(ctx)
+ ctx.ConfigIstio().EvalFile(externalNs, map[string]any{
+ "OpenShift": ctx.Settings().OpenShift,
+ }, "testdata/external-forward-proxy-deployment.yaml").ApplyOrFail(ctx)
 applyForwardProxyService(ctx, externalNs)
 externalForwardProxyIPs, err := i.PodIPsFor(ctx.Clusters().Default(), externalNs, "app=external-forward-proxy")
 if err != nil {
diff --git a/tools/istio-clean-iptables/pkg/cmd/cleanup.go b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
index 5a3c1a9c4ab5..680233b64064 100644
--- a/tools/istio-clean-iptables/pkg/cmd/cleanup.go
+++ b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
@@ -15,6 +15,10 @@ package cmd
 import (
+ "fmt"
+ "net/netip"
+ "os"
+
 "istio.io/istio/tools/istio-clean-iptables/pkg/config"
 "istio.io/istio/tools/istio-iptables/pkg/builder"
 common "istio.io/istio/tools/istio-iptables/pkg/capture"
@@ -37,6 +41,42 @@ type IptablesCleaner struct {
 ipt6V *dep.IptablesVersion
 }
+type NetworkRange struct {
+ IsWildcard bool
+ CIDRs []netip.Prefix
+ HasLoopBackIP bool
+}
+
+func separateV4V6(cidrList string) (NetworkRange, NetworkRange, error) {
+ if cidrList == "*" {
+ return NetworkRange{IsWildcard: true}, NetworkRange{IsWildcard: true}, nil
+ }
+ ipv6Ranges := NetworkRange{}
+ ipv4Ranges := NetworkRange{}
+ for _, ipRange := range types.Split(cidrList) {
+ ipp, err := netip.ParsePrefix(ipRange)
+ if err != nil {
+ _, err = fmt.Fprintf(os.Stderr, "Ignoring error for bug compatibility with istio-iptables: %s\n", err.Error())
+ if err != nil {
+ return ipv4Ranges, ipv6Ranges, err
+ }
+ continue
+ }
+ if ipp.Addr().Is4() {
+ ipv4Ranges.CIDRs = append(ipv4Ranges.CIDRs, ipp)
+ if ipp.Addr().IsLoopback() {
+ ipv4Ranges.HasLoopBackIP = true
+ }
+ } else {
+ ipv6Ranges.CIDRs = append(ipv6Ranges.CIDRs, ipp)
+ if ipp.Addr().IsLoopback() {
+ ipv6Ranges.HasLoopBackIP = true
+ }
+ }
+ }
+ return ipv4Ranges, ipv6Ranges, nil
+}
+
 func NewIptablesCleaner(cfg *config.Config, iptV, ipt6V *dep.IptablesVersion, ext dep.Dependencies) *IptablesCleaner {
 return &IptablesCleaner{
 ext: ext,
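Review bot: `NetworkRange` is exported and `separateV4V6` has a non-obvious contract, yet neither carries a doc comment; the return order (IPv4 first, IPv6 second), the meaning of `*` (both results wildcard with no CIDRs), and the fact that entries `netip.ParsePrefix` rejects are written to stderr and skipped rather than failing all need stating, since a typo in the configured range list silently means that range's rules are never cleaned up. A comment such as `// separateV4V6 splits the range list into its IPv4 and IPv6 prefixes (in that order); "*" marks both as wildcard, and unparseable entries are logged and dropped to match istio-iptables.` would cover it. Note that the only error this function can return is a failed write to stderr, which `cleanupKubeVirt` in the next hunk then treats as a reason to skip the whole cleanup, so that coupling deserves a sentence too. `HasLoopBackIP` is set here but not read anywhere in this diff; if nothing outside the diff consumes it, it could be dropped.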
@@ -85,6 +125,35 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.Iptable
 flushAndDeleteChains(ext, iptV, constants.NAT, chains)
 }
+func cleanupKubeVirt(cfg *config.Config, ext dep.Dependencies, iptV *dep.IptablesVersion, iptV6 *dep.IptablesVersion) {
+ cleanupFunc := func(iptVer *dep.IptablesVersion, rangeInclude NetworkRange) {
+ if rangeInclude.IsWildcard {
+ // Wildcard specified. Redirect all remaining outbound traffic to Envoy.
+ for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+ DeleteRule(ext, iptVer, constants.PREROUTING, constants.NAT, "-i", internalInterface, "-j", constants.ISTIOREDIRECT)
+ }
+ } else if len(rangeInclude.CIDRs) > 0 {
+ // User has specified a non-empty list of cidrs to be redirected to Envoy.
+ for _, cidr := range rangeInclude.CIDRs {
+ for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+ DeleteRule(ext, iptVer, constants.PREROUTING, constants.PREROUTING, constants.NAT, "-i", internalInterface,
+ "-d", cidr.String(), "-j", constants.ISTIOREDIRECT)
+ }
+ }
+ }
+ // cleanup short circuit
+ for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+ DeleteRule(ext, iptVer, constants.PREROUTING, constants.NAT, "-i", internalInterface, "-j", constants.RETURN)
+ }
+ }
+
+ ipv4RangesInclude, ipv6RangesInclude, err := separateV4V6(cfg.OutboundIPRangesInclude)
+ if err == nil {
+ cleanupFunc(iptV, ipv4RangesInclude)
+ cleanupFunc(iptV6, ipv6RangesInclude)
+ }
+}
+
 // cleanupDNSUDP removes any IPv4/v6 UDP rules.
 // TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
 // or create unique abstractions for them
@@ -116,6 +185,8 @@ func (c *IptablesCleaner) Run() {
 }()
 // clean v4/v6
+ // cleanup kube-virt-related jumps
+ cleanupKubeVirt(c.cfg, c.ext, c.iptV, c.ipt6V)
 // Remove chains (run once per v4/v6)
 removeOldChains(c.cfg, c.ext, c.iptV)
 removeOldChains(c.cfg, c.ext, c.ipt6V)
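Review bot: The three `DeleteRule` calls in cleanupFunc pass `constants.PREROUTING` before `constants.NAT`, and the CIDR branch passes `constants.PREROUTING` twice; the goldens added in this commit record the result as `iptables -t PREROUTING -D nat -i eth1 -j ISTIO_REDIRECT` and `iptables -t PREROUTING -D PREROUTING nat -i eth1 -d 10.0.0.0/8 -j ISTIO_REDIRECT`, while every pre-existing line in the same files has the shape `iptables -t nat -D PREROUTING ...`. iptables has no table named PREROUTING, so these deletes would be rejected at runtime and the KubeVirt redirect and RETURN rules this change exists to remove would stay in the nat table after cleanup, still diverting traffic on those interfaces. Assuming DeleteRule takes table then chain as the other output lines suggest, the calls should be `DeleteRule(ext, iptVer, constants.NAT, constants.PREROUTING, "-i", internalInterface, "-j", constants.ISTIOREDIRECT)`, `DeleteRule(ext, iptVer, constants.NAT, constants.PREROUTING, "-i", internalInterface, "-d", cidr.String(), "-j", constants.ISTIOREDIRECT)` and `DeleteRule(ext, iptVer, constants.NAT, constants.PREROUTING, "-i", internalInterface, "-j", constants.RETURN)`, and the two new golden files then need regenerating, since as committed they lock the wrong invocation in and the new cleanup_test.go cases pass by construction. Separately, `if err == nil` skips the entire KubeVirt cleanup without any log line when separateV4V6 fails, leaving an operator no trace that rules were left behind.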
diff --git a/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go b/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go
index 8544c8d46cef..73f20542978d 100644
--- a/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go
+++ b/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go
@@ -74,6 +74,20 @@ func TestIptables(t *testing.T) {
 cfg.OwnerGroupsExclude = "888,ftp"
 },
 },
+ {
+ "ipnets-with-kube-virt-interfaces",
+ func(cfg *config.Config) {
+ cfg.KubeVirtInterfaces = "eth1,eth2"
+ cfg.OutboundIPRangesInclude = "10.0.0.0/8"
+ },
+ },
+ {
+ "kube-virt-interfaces",
+ func(cfg *config.Config) {
+ cfg.KubeVirtInterfaces = "eth1,eth2"
+ cfg.OutboundIPRangesInclude = "*"
+ },
+ },
 {
 "inbound-interception-mode",
 func(cfg *config.Config) {
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden
new file mode 100644
index 000000000000..1ca3ff0fdc11
--- /dev/null
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden
@@ -0,0 +1,54 @@ +iptables -t PREROUTING -D PREROUTING nat -i eth1 -d 10.0.0.0/8 -j ISTIO_REDIRECT +iptables -t PREROUTING -D PREROUTING nat -i eth2 -d 10.0.0.0/8 -j ISTIO_REDIRECT +iptables -t PREROUTING -D nat -i eth1 -j RETURN +iptables -t PREROUTING -D nat -i eth2 -j RETURN +ip6tables -t PREROUTING -D nat -i eth1 -j RETURN +ip6tables -t PREROUTING -D nat -i eth2 -j RETURN +iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_INBOUND +iptables -t nat -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_INBOUND +iptables -t mangle -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_DIVERT +iptables -t mangle -X ISTIO_DIVERT +iptables -t mangle -F ISTIO_TPROXY +iptables -t mangle -X ISTIO_TPROXY +iptables -t nat -F ISTIO_REDIRECT +iptables -t nat -X ISTIO_REDIRECT +iptables -t nat -F ISTIO_IN_REDIRECT +iptables -t nat -X ISTIO_IN_REDIRECT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_INBOUND +ip6tables -t nat -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_INBOUND +ip6tables -t mangle -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_DIVERT +ip6tables -t mangle -X ISTIO_DIVERT +ip6tables -t mangle -F ISTIO_TPROXY +ip6tables -t mangle -X ISTIO_TPROXY +ip6tables -t nat -F ISTIO_REDIRECT +ip6tables -t nat -X ISTIO_REDIRECT +ip6tables -t nat -F ISTIO_IN_REDIRECT +ip6tables -t nat -X ISTIO_IN_REDIRECT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT +ip6tables -t nat -D OUTPUT -p udp -j 
ISTIO_OUTPUT +ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -F ISTIO_OUTPUT +iptables -t raw -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables-save +ip6tables-save \ No newline at end of file diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden new file mode 100644 index 000000000000..0215b6efc82e --- /dev/null +++ b/tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden 
@@ -0,0 +1,56 @@ +iptables -t PREROUTING -D nat -i eth1 -j ISTIO_REDIRECT +iptables -t PREROUTING -D nat -i eth2 -j ISTIO_REDIRECT +iptables -t PREROUTING -D nat -i eth1 -j RETURN +iptables -t PREROUTING -D nat -i eth2 -j RETURN +ip6tables -t PREROUTING -D nat -i eth1 -j ISTIO_REDIRECT +ip6tables -t PREROUTING -D nat -i eth2 -j ISTIO_REDIRECT +ip6tables -t PREROUTING -D nat -i eth1 -j RETURN +ip6tables -t PREROUTING -D nat -i eth2 -j RETURN +iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_INBOUND +iptables -t nat -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_INBOUND +iptables -t mangle -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_DIVERT +iptables -t mangle -X ISTIO_DIVERT +iptables -t mangle -F ISTIO_TPROXY +iptables -t mangle -X ISTIO_TPROXY +iptables -t nat -F ISTIO_REDIRECT +iptables -t nat -X ISTIO_REDIRECT +iptables -t nat -F ISTIO_IN_REDIRECT +iptables -t nat -X ISTIO_IN_REDIRECT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_INBOUND +ip6tables -t nat -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_INBOUND +ip6tables -t mangle -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_DIVERT +ip6tables -t mangle -X ISTIO_DIVERT +ip6tables -t mangle -F ISTIO_TPROXY +ip6tables -t mangle -X ISTIO_TPROXY +ip6tables -t nat -F ISTIO_REDIRECT +ip6tables -t nat -X ISTIO_REDIRECT +ip6tables -t nat -F ISTIO_IN_REDIRECT +ip6tables -t nat -X ISTIO_IN_REDIRECT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -D OUTPUT -p 
udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -F ISTIO_OUTPUT
+iptables -t raw -X ISTIO_OUTPUT
+iptables -t nat -F ISTIO_OUTPUT
+iptables -t nat -X ISTIO_OUTPUT
+iptables-save
+ip6tables-save
\ No newline at end of file
diff --git a/tools/istio-clean-iptables/pkg/config/config.go b/tools/istio-clean-iptables/pkg/config/config.go
index f11c8606b23e..192aaa68d9be 100644
--- a/tools/istio-clean-iptables/pkg/config/config.go
+++ b/tools/istio-clean-iptables/pkg/config/config.go
@@ -49,6 +49,8 @@ type Config struct {
 OwnerGroupsExclude string `json:"OUTBOUND_OWNER_GROUPS_EXCLUDE"`
 InboundInterceptionMode string `json:"INBOUND_INTERCEPTION_MODE"`
 InboundTProxyMark string `json:"INBOUND_TPROXY_MARK"`
+ OutboundIPRangesInclude string `json:"OUTBOUND_IPRANGES_INCLUDE"`
+ KubeVirtInterfaces string `json:"KUBE_VIRT_INTERFACES"`
 }
 func (c *Config) String() string {
@@ -69,6 +71,8 @@ func (c *Config) Print() {
 fmt.Printf("DNS_SERVERS=%s,%s\n", c.DNSServersV4, c.DNSServersV6)
 fmt.Printf("OUTBOUND_OWNER_GROUPS_INCLUDE=%s\n", c.OwnerGroupsInclude)
 fmt.Printf("OUTBOUND_OWNER_GROUPS_EXCLUDE=%s\n", c.OwnerGroupsExclude)
+ fmt.Printf("OUTBOUND_IP_RANGES_INCLUDE=%s\n", c.OutboundIPRangesInclude)
+ fmt.Printf("KUBE_VIRT_INTERFACES=%s\n", c.KubeVirtInterfaces)
 fmt.Println("")
 }
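Review bot: The new field's json tag is `OUTBOUND_IPRANGES_INCLUDE` while `Print` labels the same value `OUTBOUND_IP_RANGES_INCLUDE`, so the key an operator sets and the key echoed back in the printed config differ, which is misleading when comparing the cleanup tool's settings with what istio-iptables was run with. Use one spelling in both places, matching whichever key istio-iptables itself reads for this setting (I believe that is `OUTBOUND_IP_RANGES_INCLUDE`, but confirm against its config package). The Print hunk's closing lines run past the end of the visible diff.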