Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added ambient profile installation for istio #2822

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hansinikarunarathne can you help here? We should allow to have multiple yamls in a single file separated by "---"

Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
release: istio
name: cluster-local-gateway-service-account
namespace: istio-system
---

Check warning on line 13 in common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

13:1 [document-start] found forbidden document start "---"
apiVersion: apps/v1
kind: Deployment
metadata:
Expand Down Expand Up @@ -109,7 +109,7 @@
- name: ISTIO_META_WORKLOAD_NAME
value: cluster-local-gateway
- name: ISTIO_META_OWNER
value:
value:
kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
- name: ISTIO_META_MESH_ID
value: cluster.local
Expand Down Expand Up @@ -230,7 +230,7 @@
secret:
optional: true
secretName: istio-ingressgateway-ca-certs
---

Check warning on line 233 in common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

233:1 [document-start] found forbidden document start "---"
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
Expand All @@ -249,7 +249,7 @@
matchLabels:
app: cluster-local-gateway
istio: cluster-local-gateway
---

Check warning on line 252 in common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

252:1 [document-start] found forbidden document start "---"
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand All @@ -269,7 +269,7 @@
- get
- watch
- list
---

Check warning on line 272 in common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

272:1 [document-start] found forbidden document start "---"
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
Expand All @@ -287,7 +287,7 @@
subjects:
- kind: ServiceAccount
name: cluster-local-gateway-service-account
---

Check warning on line 290 in common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

290:1 [document-start] found forbidden document start "---"
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
Expand All @@ -314,7 +314,7 @@
apiVersion: apps/v1
kind: Deployment
name: cluster-local-gateway
---

Check warning on line 317 in common/istio-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

317:1 [document-start] found forbidden document start "---"
apiVersion: v1
kind: Service
metadata:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,4 @@ spec:
app: cluster-local-gateway
istio: cluster-local-gateway
rules:
- {}
- {}
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,4 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: cluster-local-gateway
namespace: istio-system
namespace: istio-system
1 change: 0 additions & 1 deletion common/istio-1-22/istio-crds/base/crd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -495,7 +495,7 @@
subresources:
status: {}

---

Check warning on line 498 in common/istio-1-22/istio-crds/base/crd.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

498:1 [document-start] found forbidden document start "---"
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand Down Expand Up @@ -5343,7 +5343,7 @@
subresources:
status: {}

---

Check warning on line 5346 in common/istio-1-22/istio-crds/base/crd.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

5346:1 [document-start] found forbidden document start "---"
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand Down Expand Up @@ -5653,7 +5653,7 @@
subresources:
status: {}

---

Check warning on line 5656 in common/istio-1-22/istio-crds/base/crd.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

5656:1 [document-start] found forbidden document start "---"
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand Down Expand Up @@ -6163,7 +6163,7 @@
subresources:
status: {}

---

Check warning on line 6166 in common/istio-1-22/istio-crds/base/crd.yaml

View workflow job for this annotation

GitHub Actions / format_YAML_files

6166:1 [document-start] found forbidden document start "---"
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand Down Expand Up @@ -13060,4 +13060,3 @@
storage: true
subresources:
status: {}

Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Penetration test enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010
# is not that problematic (only resource discovery). Other parts of the documentation also say| 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) |
# We have a secure network layer and only XDS is served.
# Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access".
# is not that problematic (only resource discovery). Other parts of the documentation also say| 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) |
# We have a secure network layer and only XDS is served.
# Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access".
# Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely.
apiVersion: apps/v1
kind: Deployment
Expand Down
4 changes: 2 additions & 2 deletions common/istio-1-22/istio-install/base/x-forwarded-host.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,8 @@ spec:
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.lua
typed_config:
name: envoy.filters.http.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ metadata:
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true"
rules:
- apiGroups:
- apiGroups:
- istio.io
- networking.istio.io
resources: ["*"]
Expand Down
82 changes: 41 additions & 41 deletions common/istio-1-22/profile-overlay.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,47 +8,47 @@ spec:
probes: 3
components:
ingressGateways:
# Cluster-local gateway for KFServing
- enabled: true
name: cluster-local-gateway
# https://github.com/istio/istio/issues/19263#issuecomment-615833092
label:
app: cluster-local-gateway
istio: cluster-local-gateway
k8s:
env:
- name: ISTIO_META_ROUTER_MODE
value: sni-dnat
hpaSpec:
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: cluster-local-gateway
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
service:
type: ClusterIP
ports:
- name: status-port
port: 15020
targetPort: 15020
- name: http2
port: 80
targetPort: 8080
# Cluster-local gateway for KFServing
- enabled: true
name: cluster-local-gateway
# https://github.com/istio/istio/issues/19263#issuecomment-615833092
label:
app: cluster-local-gateway
istio: cluster-local-gateway
k8s:
env:
- name: ISTIO_META_ROUTER_MODE
value: sni-dnat
hpaSpec:
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: cluster-local-gateway
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
service:
type: ClusterIP
ports:
- name: status-port
port: 15020
targetPort: 15020
- name: http2
port: 80
targetPort: 8080

# Disable EgressGateway
egressGateways:
Expand Down
1 change: 0 additions & 1 deletion common/istio-1-22/profile.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,4 +23,3 @@ spec:
global:
configValidation: true
istioNamespace: istio-system

95 changes: 95 additions & 0 deletions common/istio-ambient-1-22/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
# Istio

## Upgrade Istio Manifests

Istio ships with an installer called `istioctl`, which is a deployment /
debugging / configuration management tool for Istio all in one package.
In this section, we explain how to upgrade our istio kustomize packages
by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the
old version is `X1.Y1.Z1`:

1. Make a copy of the old istio manifests tree, which will become the
kustomization for the new Istio version:

$ export MANIFESTS_SRC=<path/to/manifests/repo>
$ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
$ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
$ cp -a $ISTIO_OLD $ISTIO_NEW

2. Download `istioctl` for version `X.Y.Z`:

$ ISTIO_VERSION="X.Y.Z"
$ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
$ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl

3. Use `istioctl` to generate an `IstioOperator` resource, the
CustomResource used to describe the Istio Control Plane:

$ cd $ISTIO_NEW
$ istioctl profile dump default > profile.yaml

---
**NOTE**

`istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
(`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default.

---

4. Generate manifests and add them to their respective packages. We
will generate manifests using `istioctl`, the
`profile.yaml` file from upstream and the
`profile-overlay.yaml` file that contains our desired
changes:

$ export PATH="$MANIFESTS_SRC/scripts:$PATH"
$ cd $ISTIO_NEW
$ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
$ ./split-istio-packages -f dump.yaml
$ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
$ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
$ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
$ rm dump.yaml

---
**NOTE**

`split-istio-packages` is a python script in the same folder as this file.
The `ruamel.yaml` version used is 0.16.12.

`--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically
detect default settings. Ensure you have a target cluster ready before running the above commands.
We set this flag because `istioctl manifest generate` generates manifest files with resources that are no
longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220

---

## Changes to Istio's upstream manifests

### Changes to the upstream IstioOperator profile

Changes to Istio's upstream profile `default` are the following:

- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59.
- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.

Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
file.

### Changes to the upstream manifests using kustomize

The Istio kustomizations make the following changes:

- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See:
- https://github.com/istio/istio/issues/12602
- https://github.com/istio/istio/issues/24000
- Add EnvoyFilter for adding an `X-Forwarded-For` header in requests passing through the Istio Ingressgateway, inside the `istio-install` kustomization.
- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway.
- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model).
- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions.
- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions.
- Configure TCP KeepAlives.
- Disable tracing as it causes DNS breakdown. See:
https://github.com/istio/istio/issues/29898
- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane
Loading
Loading