Comments (4)
I wouldn't call it a bug; we haven't implemented source-based filtering. I would rule against env variables since those cannot be changed without a pod restart. You're folding service definition into pod definition, which is an OK practice, but not the common case.
Regarding eventual consistency - isn't that inherent to the distributed proxy mesh? All operations are asynchronous and we need feedback loops for good usability, where the remote agent reports back on the success or failure of the operation.
Regarding source-based filtering - so is the basic problem how do we enforce that "only service a v1 can talk to service b v1"? This is impossible with the current defaulting rule "a can talk to b". We need to revoke the default rule to begin with.
from pilot.
Let's say you want to apply that rule at the client-side by overriding the default rule. Each proxy instance carries a list of instances it belongs to (including service versions). Then it can match the source field against the list of instances and apply only if it matches. The missing piece is enumerating all service versions from the rules (since those are declared dynamically by rules) so we can attach the list of service versions to each proxy instance.
from pilot.
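The client-side matching described in the comment above, as an added sketch that is not part of the thread and not Pilot's code. `Labels`, `Rule`, `AttachVersions` and `Applicable` are hypothetical names, and the rule shape is a simplified assumption rather than Pilot's schema.

```go
package main

import (
	"fmt"
	"reflect"
)

// Labels selects a service version, e.g. app=a, version=v1.
type Labels map[string]string

// Rule is a hypothetical, simplified rule; a nil Source means any caller.
type Rule struct{ Name string; Source Labels }

// AttachVersions enumerates rule sources and keeps those the workload satisfies.
func AttachVersions(workload Labels, rules []Rule) []Labels {
	var attached []Labels
	for _, r := range rules {
		match := r.Source != nil
		for k, v := range r.Source {
			if got, ok := workload[k]; !ok || got != v {
				match = false
			}
		}
		if match {
			attached = append(attached, r.Source)
		}
	}
	return attached
}

// Applicable returns source-less rules plus rules whose source is attached.
func Applicable(attached []Labels, rules []Rule) []string {
	var names []string
	for _, r := range rules {
		ok := r.Source == nil
		for _, a := range attached {
			ok = ok || reflect.DeepEqual(a, r.Source)
		}
		if ok {
			names = append(names, r.Name)
		}
	}
	return names
}

func main() {
	rules := []Rule{{"default", nil}, {"a-v1-only", Labels{"app": "a", "version": "v1"}}} // constructed sample
	proxy := Labels{"app": "a", "version": "v1", "tier": "web"}
	fmt.Println(Applicable(AttachVersions(proxy, rules), rules))
}
```

The source-less `default` rule is still returned for every proxy here, which is the defaulting behaviour the first comment says would have to be revoked before a source restriction means anything.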
PR #225
from pilot.
Can I close this?
from pilot.