Add controls around injected headers #2240
Conversation
howardjohn
added
the
release-notes-none
howardjohn
requested review from
ericvn,
linsun,
louiscryan,
nrjpoddar and
smawson
as code owners
istio-testing
added
the
size/S
|
cc @jacob-delgado @nrjpoddar @costinm @hzxuzhonghu @ramaraochavali you all probably have opinions here |
istio-testing
added
the
needs-rebase
|
cc @nrjpoddar any thoughts? |
|
This feels like it belongs to VirtualService for more fine grained control. |
I suppose you mean https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/#configuring-x-forwarded-client-cert-headers? There is some overlap for sure but I think it's useful to have config here. This is an on/off switch that applies to sidecar+gateway, then at gateway you can additionally control how it works if it's "on"?
|
Currently, for gateway XFCC is default ON IIRC. Are we going to preserve that behvaior? |
Yes. From the proto |
|
I am more concerned about the default behavior - I don't think users should start having to write configs to get correct and expected behavior.
I don't mind fine tuning this via API - but I don't think this is a MeshConfig/global option, obviously inside the mesh some Before adding a 1st class API - I would check what other proxy servers do about this, and how it would fit with the k8s gateway API. But I doubt a lot of users will ask for this if default behaviour is correct. |
|
Not sure we can really change the defaults due to backwards compatibility is the main concern |
|
Yes, backward compat is a concern in a lot of areas - we do need some
mechanism to migrate to the new behavior, but it doesn't have to be
a first class, long-term-support API, it's just intended for safe
transition.
My personal preference is to use the migration to the new K8S Gateway model
to fix all bad behaviors in Istio - this one, various things you
discussed in the doc on original dst, automatic mTLS verification, etc.
This can be done by creating a Gateway class mesh in a namespace
to 'opt-in' to the new behavior ( and replace user-driven namespace
annotation as well ).
We can also use an env variable ( injection and annotations makes it easy
to add this, and they are meant for this kind of migrations).
MeshConfig is problematic because it's global ( per-revision actually ),
and set on install/upgrade. Also once we add it there - will be hard
to take out.
…On Tue, Apr 26, 2022 at 10:27 AM John Howard ***@***.***> wrote:
Not sure we can really change the defaults due to backwards compatibility
is the main concern
—
Reply to this email directly, view it on GitHub
<#2240 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2RNEZDJ3LIPZFTOBGTVHARPVANCNFSM5N3ZZMHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@nrjpoddar for gateway, I think the correct default behavior is to filter out XFCC from incoming requests, unless gateway topology is used. And to generate XFCC if the gateway terminates mTLS. Gateway topology will determine if XFCC is forwarded or not, like Forwarded and other internal headers. I can't think any good reason to have a different behavior in a gateway. Working on a doc to formalize this (identity delegation), should have it for next week. |
This is actually largely my goal of this PR :-) I want to get to the point where someone turns on some option ("use new stuff", for a lack of a better name), we also turn all of this on. But I don't think we otherwise can just automatically do it because:
|
I think it is better to have to individual fields for the most common headers in the HeaderSpecifier that allows to enable/disable or set value for example server header can have a string and requestid can have an extension like UUID etc.... |
I do like making it future-proof but I also can't really see us making them configurable personally... those seem like pretty niche cases? |
howardjohn
force-pushed
the
mesh/stip-internal
branch
from
33249a1 to
5b2fb4b
Compare
istio-testing
removed
the
needs-rebase
|
message ProxyHeaders { I think a message like above would be more readable and help us expand later if needed instead of an enum. |
mesh/v1alpha1/proxy.proto
Outdated
| repeated HeaderSpecifier proxy_headers = 37; | ||
|
|
||
| enum HeaderSpecifier { | ||
| NO_HEADERS = 0; |
There was a problem hiding this comment.
That's strange - empty list means all, a list with NO_HEADERS means none ?
There was a problem hiding this comment.
agreed - may make sense to ask users to explicitly list the headers they want to remove from the default.
I mostly agree - but no "envoy" in the API please since it should be moved to the vendor-neutral K8S Gateway policy. Since ambient is L4 and doesn't add headers - would it make sense to just drop this PR, which is on ProxyConfig, and |
|
@linsun Can you take another look? I think this would be great if it makes it to 1.19. |
|
LGTM left a few clarification qs. Another q - how do I control if it is inbound or outbound? |
You don't. Most of the headers only apply in one direction and are documented in the comments. |
Thanks, I found only 1 place was not clear, otherwise it was clear. |
|
@howardjohn let me know when this is ready to be approved, didn't want to approve it if you have a few minor clarifications in mind. |
howardjohn
force-pushed
the
mesh/stip-internal
branch
from
d0a10a8 to
f419368
Compare
|
/cherrypick release-1.19 |
|
@howardjohn: new pull request created: #2902 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hello, i've just stumbled across this - because we've noticed envoy headers being sent to external services (MESH_EXTERNAL). I'm struggling to follow the PR to be honest... but in 1.19.1 this still is the case. Is there a way to stop this, without me adding |
|
@Stono The defaults have not changed, you have to manually change the default proxy config to get an effect. |
|
@howardjohn , I am not understanding how can the customer remove the "server: istio-envoy" from the response header. Can you please help in that? |
proxyHeaders:
server:
disabled: true |
This PR adds controls to which headers should be added to
requests/responses. This solves (most of)
istio/istio#17635, a common feature request.
A prototype is implemented in istio/istio#37215.
Open questions:
config
strange config like
[REQUEST_ID, REQUEST_ID]but that can justrejected