Multi-Istio deployments in same k8s cluster #31115

Closed
l8huang opened this issue Feb 26, 2021 · 3 comments
Labels
area/networking feature/Multi-control-plane issues related with multi-control-plane support in a cluster kind/enhancement lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while

Comments

@l8huang
Contributor

l8huang commented Feb 26, 2021

Describe the feature request

After issue #26679 was resolved, istiod can be configured to watch a subset of namespaces in a k8s cluster by using meshConfig.discoverySelectors. But for deploying multi-istio in a k8s cluster, there are still some gaps:

  • The namespace controller injects the ConfigMap istio-root-ca-cert into namespaces; it needs to be scoped to the namespaces which are part of the mesh managed by one Istio deployment, otherwise it would override the istio-root-ca-cert injected by another Istiod deployment.
  • The mutating/validating webhook should be configured to run on an object based on which Istio deployment manages its namespace.
  • The secrets controller currently watches all namespaces; it should also be configured to avoid triggering XDS pushes unnecessarily when a Secret doesn't belong to an Istio deployment. This is not mandatory, but better to have.

PR #29802 implemented a DiscoveryNamespacesFilter, which can be reused by the namespace controller and secrets controller, but it looks like a different set of namespace selectors should be defined, because "discovery - namespaces watched by Istio" and "namespaces in a mesh" are different concepts.

Per my understanding, another namespace selector ("meshNamespaceSelectors"?) in MeshConfig should be defined, and the items listed above should be modified accordingly. Please correct me if I misunderstand anything.

Describe alternatives you've considered

[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

[ ] Multi Cluster
[ ] Virtual Machine
[X] Multi Control Plane

Additional context

@istio-policy-bot istio-policy-bot added area/networking feature/Multi-control-plane issues related with multi-control-plane support in a cluster kind/enhancement labels Feb 26, 2021
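
An added illustration of the first gap in the request above (not code from Istio or from any participant in this thread): when the namespace selectors of two istiod deployments overlap, both namespace controllers write `istio-root-ca-cert` into the same namespace. The check below finds such overlaps offline; `ControlPlane`, `Conflicts` and the sample labels are hypothetical, and only equality-based `matchLabels` selectors are modelled.

```go
package main

import "fmt"

// ControlPlane is a hypothetical model of one istiod and its matchLabels selector.
type ControlPlane struct {
	Name        string
	MatchLabels map[string]string
}

// selects reports whether the namespace carries every selector label.
// An empty selector matches every namespace.
func (cp ControlPlane) selects(nsLabels map[string]string) bool {
	for k, want := range cp.MatchLabels {
		if got, ok := nsLabels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// Conflicts returns the namespaces selected by more than one control plane,
// i.e. where each istiod would overwrite the other's istio-root-ca-cert.
func Conflicts(namespaces map[string]map[string]string, cps []ControlPlane) map[string][]string {
	out := map[string][]string{}
	for ns, labels := range namespaces {
		var owners []string
		for _, cp := range cps {
			if cp.selects(labels) {
				owners = append(owners, cp.Name)
			}
		}
		if len(owners) > 1 {
			out[ns] = owners
		}
	}
	return out
}

// Constructed sample data, not taken from any real cluster.
var samplePlanes = []ControlPlane{
	{"istiod-a", map[string]string{"mesh": "a"}},
	{"istiod-b", map[string]string{"env": "prod"}},
}
var sampleNamespaces = map[string]map[string]string{
	"payments": {"mesh": "a", "env": "prod"}, // matches both selectors
	"orders":   {"mesh": "a", "env": "dev"},
	"batch":    {"env": "prod"},
}

func main() { fmt.Println(Conflicts(sampleNamespaces, samplePlanes)) }
```
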
@liamawhite
Member

I think you would also need to filter out Istio CRs to avoid cross-contamination, i.e., if I create a service entry with exportTo: ['*'] in a namespace not managed by a given mesh, it shouldn't appear in Envoys for that mesh. Having spoken to @harveyxia, #29802 doesn't ignore Istio resources created in a given namespace.

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Dec 27, 2021
@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label Jan 12, 2022
@hzxuzhonghu hzxuzhonghu reopened this Jan 12, 2022
@istio-policy-bot istio-policy-bot removed the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jan 12, 2022
@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jul 11, 2022
@istio-policy-bot

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-01-12. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@kfaseela
Member

FYI: #41198 has been merged

5 participants