openservicemesh · shashankram · Jun 18, 2021 · Jun 14, 2021 · Jun 14, 2021
diff --git a/charts/osm/README.md b/charts/osm/README.md
@@ -97,6 +97,7 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry |
 | OpenServiceMesh.image.tag | string | `"v0.9.0"` | Container image tag |
 | OpenServiceMesh.imagePullSecrets | list | `[]` | `osm-controller` image pull secret |
+| OpenServiceMesh.inboundPortExclusionList | list | `[]` | Specifies a global list of ports to exclude from inbound traffic interception by the sidecar proxy. If specified, must be a list of positive integers. |
 | OpenServiceMesh.injector.podLabels | object | `{}` |  |
 | OpenServiceMesh.injector.replicaCount | int | `1` | Sidecar injector's replica count |
 | OpenServiceMesh.injector.resource | object | `{"limits":{"cpu":"0.5","memory":"64M"},"requests":{"cpu":"0.3","memory":"64M"}}` | Sidecar injector's container resource parameters |

diff --git a/charts/osm/crds/meshconfig.yaml b/charts/osm/crds/meshconfig.yaml
@@ -108,6 +108,13 @@ spec:
                         type: integer
                         minimum: 1
                         maximum: 65535
+                    inboundPortExclusionList:
+                      description: Global list of ports to exclude from inbound traffic interception by the sidecar proxy.
+                      type: array
+                      items:
+                        type: integer
+                        minimum: 1
+                        maximum: 65535
                     useHTTPSIngress:
                       description: Enable HTTPS ingress on the mesh
                       type: boolean

diff --git a/charts/osm/templates/preset-mesh-config.yaml b/charts/osm/templates/preset-mesh-config.yaml
@@ -15,6 +15,7 @@ spec:
     useHTTPSIngress: {{.Values.OpenServiceMesh.useHTTPSIngress}}
     enablePermissiveTrafficPolicyMode: {{.Values.OpenServiceMesh.enablePermissiveTrafficPolicy}}
     outboundPortExclusionList: {{.Values.OpenServiceMesh.outboundPortExclusionList}}
+    inboundPortExclusionList: {{.Values.OpenServiceMesh.inboundPortExclusionList}}
     outboundIPRangeExclusionList: {{.Values.OpenServiceMesh.outboundIPRangeExclusionList}}
   observability:
     enableDebugServer: {{.Values.OpenServiceMesh.enableDebugServer}}

diff --git a/charts/osm/values.schema.json b/charts/osm/values.schema.json
@@ -700,6 +700,23 @@
                         ]
                     ]
                 },
+                "inboundPortExclusionList": {
+                    "$id": "#/properties/OpenServiceMesh/properties/inboundPortExclusionList",
+                    "type": "array",
+                    "title": "The inboundPortExclusionList schema",
+                    "description": "Inbound port exluclusion list for sidecar traffic interception",
+                    "items": {
+                        "type": "integer",
+                        "minimum": 1,
+                        "maximum": 65535
+                    },
+                    "examples": [
+                        [
+                            6379,
+                            3315
+                        ]
+                    ]
+                },
                 "grafana": {
                     "$id": "#/properties/OpenServiceMesh/properties/grafana",
                     "type": "object",

diff --git a/charts/osm/values.yaml b/charts/osm/values.yaml
@@ -191,6 +191,10 @@ OpenServiceMesh:
   # If specified, must be a list of positive integers.
   outboundPortExclusionList: []
 
+  # -- Specifies a global list of ports to exclude from inbound traffic interception by the sidecar proxy.
+  # If specified, must be a list of positive integers.
+  inboundPortExclusionList: []
+
   #
   # -- OSM's sidecar injector parameters
   injector:

diff --git a/cmd/cli/namespace_ignore.go b/cmd/cli/namespace_ignore.go
@@ -11,6 +11,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
+
+	"github.com/openservicemesh/osm/pkg/constants"
 )
 
 const namespaceIgnoreDescription = `
@@ -21,8 +23,6 @@ The command will not remove previously injected sidecars on pods belonging
 to the given namespaces.
 `
 
-const ignoreLabel = "openservicemesh.io/ignore"
-
 type namespaceIgnoreCmd struct {
 	out        io.Writer
 	namespaces []string
@@ -77,7 +77,7 @@ func (cmd *namespaceIgnoreCmd) run() error {
 			"%s": "true"
 		}
 	}
-}`, ignoreLabel)
+}`, constants.IgnoreLabel)
 
 		_, err := cmd.clientSet.CoreV1().Namespaces().Patch(ctx, ns, types.StrategicMergePatchType, []byte(patch), metav1.PatchOptions{}, "")
 		if err != nil {

diff --git a/cmd/cli/namespace_list.go b/cmd/cli/namespace_list.go
@@ -84,7 +84,7 @@ func (l *namespaceListCmd) run() error {
 		if !ok {
 			sidecarInjectionEnabled = "-" // not set
 		}
-		if _, ignored := ns.Labels[ignoreLabel]; ignored {
+		if _, ignored := ns.Labels[constants.IgnoreLabel]; ignored {
 			sidecarInjectionEnabled = "disabled (ignored)"
 		}
 

diff --git a/cmd/cli/namespace_list_test.go b/cmd/cli/namespace_list_test.go
@@ -68,7 +68,7 @@ func TestNamespaceList(t *testing.T) {
 						Name: "ns",
 						Labels: map[string]string{
 							constants.OSMKubeResourceMonitorAnnotation: "my-mesh",
-							ignoreLabel: "any value",
+							constants.IgnoreLabel:                      "any value",
 						},
 						Annotations: map[string]string{
 							constants.SidecarInjectionAnnotation: "enabled",

diff --git a/cmd/cli/namespace_test.go b/cmd/cli/namespace_test.go
@@ -703,7 +703,7 @@ var _ = Describe("Running the namespace ignore command", func() {
 		It("should correctly add an ignore label to the namespace", func() {
 			ns, err := fakeClientSet.CoreV1().Namespaces().Get(context.TODO(), testNamespace, metav1.GetOptions{})
 			Expect(err).ToNot(HaveOccurred())
-			Expect(ns.Labels[ignoreLabel]).To(Equal("true"))
+			Expect(ns.Labels[constants.IgnoreLabel]).To(Equal("true"))
 		})
 	})
 
@@ -738,11 +738,11 @@ var _ = Describe("Running the namespace ignore command", func() {
 		It("should correctly add an ignore label to the namespaces", func() {
 			ns, err := fakeClientSet.CoreV1().Namespaces().Get(context.TODO(), testNamespace, metav1.GetOptions{})
 			Expect(err).ToNot(HaveOccurred())
-			Expect(ns.Labels[ignoreLabel]).To(Equal("true"))
+			Expect(ns.Labels[constants.IgnoreLabel]).To(Equal("true"))
 
 			ns2, err := fakeClientSet.CoreV1().Namespaces().Get(context.TODO(), testNamespace2, metav1.GetOptions{})
 			Expect(err).ToNot(HaveOccurred())
-			Expect(ns2.Labels[ignoreLabel]).To(Equal("true"))
+			Expect(ns2.Labels[constants.IgnoreLabel]).To(Equal("true"))
 		})
 	})
 })

diff --git a/docs/example/manifests/meshconfig/mesh-config.yaml b/docs/example/manifests/meshconfig/mesh-config.yaml
@@ -18,6 +18,7 @@ spec:
     enableDebugServer: true
     prometheusScraping: true
     outboundPortExclusionList: []
+    inboundPortExclusionList: []
     outboundIPRangeExclusionList: []
     tracing:
       enable: false

diff --git a/pkg/apis/config/v1alpha1/mesh_config.go b/pkg/apis/config/v1alpha1/mesh_config.go
@@ -72,6 +72,9 @@ type TrafficSpec struct {
 	// OutboundPortExclusionList defines a global list of ports to exclude from outbound traffic interception by the sidecar proxy.
 	OutboundPortExclusionList []int `json:"outboundPortExclusionList,omitempty"`
 
+	// InboundPortExclusionList defines a global list of ports to exclude from inbound traffic interception by the sidecar proxy.
+	InboundPortExclusionList []int `json:"inboundPortExclusionList,omitempty"`
+
 	// UseHTTPSIngress defines a boolean indicating if HTTPS Ingress is enabled globally in the mesh.
 	UseHTTPSIngress bool `json:"useHTTPSIngress,omitempty"`
 

diff --git a/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/configurator/methods.go b/pkg/configurator/methods.go
@@ -156,6 +156,11 @@ func (c *Client) GetOutboundPortExclusionList() []int {
 	return c.getMeshConfig().Spec.Traffic.OutboundPortExclusionList
 }
 
+// GetInboundPortExclusionList returns the list of ports (positive integers) to exclude from inbound sidecar interception
+func (c *Client) GetInboundPortExclusionList() []int {
+	return c.getMeshConfig().Spec.Traffic.InboundPortExclusionList
+}
+
 // IsPrivilegedInitContainer returns whether init containers should be privileged
 func (c *Client) IsPrivilegedInitContainer() bool {
 	return c.getMeshConfig().Spec.Sidecar.EnablePrivilegedInitContainer

diff --git a/pkg/configurator/methods_test.go b/pkg/configurator/methods_test.go
@@ -327,6 +327,21 @@ func TestCreateUpdateConfig(t *testing.T) {
 				assert.Equal([]int{7070, 6080}, cfg.GetOutboundPortExclusionList())
 			},
 		},
+		{
+			name:                  "GetIboundPortExclusionList",
+			initialMeshConfigData: &v1alpha1.MeshConfigSpec{},
+			checkCreate: func(assert *tassert.Assertions, cfg Configurator) {
+				assert.Nil(cfg.GetInboundPortExclusionList())
+			},
+			updatedMeshConfigData: &v1alpha1.MeshConfigSpec{
+				Traffic: v1alpha1.TrafficSpec{
+					InboundPortExclusionList: []int{7070, 6080},
+				},
+			},
+			checkUpdate: func(assert *tassert.Assertions, cfg Configurator) {
+				assert.Equal([]int{7070, 6080}, cfg.GetInboundPortExclusionList())
+			},
+		},
 		{
 			name: "IsPrivilegedInitContainer",
 			initialMeshConfigData: &v1alpha1.MeshConfigSpec{

diff --git a/pkg/configurator/mock_client_generated.go b/pkg/configurator/mock_client_generated.go
diff --git a/pkg/configurator/types.go b/pkg/configurator/types.go
@@ -81,6 +81,9 @@ type Configurator interface {
 	// GetOutboundPortExclusionList returns the list of ports to exclude from outbound sidecar interception
 	GetOutboundPortExclusionList() []int
 
+	// GetInboundPortExclusionList returns the list of ports to exclude from inbound sidecar interception
+	GetInboundPortExclusionList() []int
+
 	// IsPrivilegedInitContainer determines whether init containers should be privileged
 	IsPrivilegedInitContainer() bool
 

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -149,7 +149,7 @@ const (
 	OSMMeshConfig = "osm-mesh-config"
 )
 
-// Annotations used by the controller
+// Annotations used by the control plane
 const (
 	// SidecarInjectionAnnotation is the annotation used for sidecar injection
 	SidecarInjectionAnnotation = "openservicemesh.io/sidecar-injection"
@@ -158,6 +158,12 @@ const (
 	MetricsAnnotation = "openservicemesh.io/metrics"
 )
 
+// Labels used by the control plane
+const (
+	// IgnoreLabel is the label used to ignore a resource
+	IgnoreLabel = "openservicemesh.io/ignore"
+)
+
 // Annotations used for Metrics
 const (
 	// PrometheusScrapeAnnotation is the annotation used to configure prometheus scraping

diff --git a/pkg/ingress/client.go b/pkg/ingress/client.go
@@ -5,13 +5,17 @@ import (
 
 	networkingV1 "k8s.io/api/networking/v1"
 	networkingV1beta1 "k8s.io/api/networking/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/openservicemesh/osm/pkg/announcements"
 	"github.com/openservicemesh/osm/pkg/configurator"
+	"github.com/openservicemesh/osm/pkg/constants"
 	k8s "github.com/openservicemesh/osm/pkg/kubernetes"
 	"github.com/openservicemesh/osm/pkg/service"
 )
@@ -24,15 +28,21 @@ const (
 var candidateVersions = []string{networkingV1.SchemeGroupVersion.String(), networkingV1beta1.SchemeGroupVersion.String()}
 
 // NewIngressClient implements ingress.Monitor and creates the Kubernetes client to monitor Ingress resources.
-func NewIngressClient(kubeClient kubernetes.Interface, kubeController k8s.Controller, stop chan struct{}, cfg configurator.Configurator) (Monitor, error) {
+func NewIngressClient(kubeClient kubernetes.Interface, kubeController k8s.Controller, stop chan struct{}, _ configurator.Configurator) (Monitor, error) {
 	supportedIngressVersions, err := getSupportedIngressVersions(kubeClient.Discovery())
 	if err != nil {
 		log.Error().Err(err).Msgf("Error retrieving ingress API versions supported by k8s API server")
 		return nil, err
 	}
 
+	// Ignore ingresses that have the ignore label
+	ignoreLabel, _ := labels.NewRequirement(constants.IgnoreLabel, selection.DoesNotExist, nil)
+	option := informers.WithTweakListOptions(func(opt *metav1.ListOptions) {
+		opt.LabelSelector = ignoreLabel.String()
+	})
+
 	// Initialize the version specific ingress informers and caches
-	informerFactory := informers.NewSharedInformerFactory(kubeClient, k8s.DefaultKubeEventResyncInterval)
+	informerFactory := informers.NewSharedInformerFactoryWithOptions(kubeClient, k8s.DefaultKubeEventResyncInterval, option)
 	ingressEventTypes := k8s.EventTypes{
 		Add:    announcements.IngressAdded,
 		Update: announcements.IngressUpdated,
@@ -44,33 +54,33 @@ func NewIngressClient(kubeClient kubernetes.Interface, kubeController k8s.Contro
 		return kubeController.IsMonitoredNamespace(ns)
 	}
 
-	client := Client{
+	c := client{
 		cacheSynced:    make(chan interface{}),
 		kubeController: kubeController,
 	}
 
 	if v1Supported, ok := supportedIngressVersions[networkingV1.SchemeGroupVersion.String()]; ok && v1Supported {
-		client.informerV1 = informerFactory.Networking().V1().Ingresses().Informer()
-		client.cacheV1 = client.informerV1.GetStore()
-		client.informerV1.AddEventHandler(k8s.GetKubernetesEventHandlers("IngressV1", "Kubernetes", shouldObserve, ingressEventTypes))
+		c.informerV1 = informerFactory.Networking().V1().Ingresses().Informer()
+		c.cacheV1 = c.informerV1.GetStore()
+		c.informerV1.AddEventHandler(k8s.GetKubernetesEventHandlers("IngressV1", "Kubernetes", shouldObserve, ingressEventTypes))
 	}
 
 	if v1beta1Supported, ok := supportedIngressVersions[networkingV1beta1.SchemeGroupVersion.String()]; ok && v1beta1Supported {
-		client.informerV1beta1 = informerFactory.Networking().V1beta1().Ingresses().Informer()
-		client.cacheV1Beta1 = client.informerV1beta1.GetStore()
-		client.informerV1beta1.AddEventHandler(k8s.GetKubernetesEventHandlers("IngressV1beta1", "Kubernetes", shouldObserve, ingressEventTypes))
+		c.informerV1beta1 = informerFactory.Networking().V1beta1().Ingresses().Informer()
+		c.cacheV1Beta1 = c.informerV1beta1.GetStore()
+		c.informerV1beta1.AddEventHandler(k8s.GetKubernetesEventHandlers("IngressV1beta1", "Kubernetes", shouldObserve, ingressEventTypes))
 	}
 
-	if err := client.run(stop); err != nil {
+	if err := c.run(stop); err != nil {
 		log.Error().Err(err).Msg("Could not start Kubernetes Ingress client")
 		return nil, err
 	}
 
-	return client, nil
+	return c, nil
 }
 
 // run executes informer collection.
-func (c *Client) run(stop <-chan struct{}) error {
+func (c *client) run(stop <-chan struct{}) error {
 	log.Info().Msg("Ingress client started")
 
 	if c.informerV1 == nil && c.informerV1beta1 == nil {
@@ -107,7 +117,7 @@ func (c *Client) run(stop <-chan struct{}) error {
 }
 
 // GetIngressNetworkingV1beta1 returns the networking.k8s.io/v1beta1 ingress resources whose backends correspond to the service
-func (c Client) GetIngressNetworkingV1beta1(meshService service.MeshService) ([]*networkingV1beta1.Ingress, error) {
+func (c client) GetIngressNetworkingV1beta1(meshService service.MeshService) ([]*networkingV1beta1.Ingress, error) {
 	if c.cacheV1Beta1 == nil {
 		// The v1beta1 version is not served by the controller, return an empty list
 		return nil, nil
@@ -151,7 +161,7 @@ func (c Client) GetIngressNetworkingV1beta1(meshService service.MeshService) ([]
 }
 
 // GetIngressNetworkingV1 returns the networking.k8s.io/v1 ingress resources whose backends correspond to the service
-func (c Client) GetIngressNetworkingV1(meshService service.MeshService) ([]*networkingV1.Ingress, error) {
+func (c client) GetIngressNetworkingV1(meshService service.MeshService) ([]*networkingV1.Ingress, error) {
 	if c.cacheV1 == nil {
 		// The v1 version is not served by the controller, return an empty list
 		return nil, nil