Limitation when applying TrafficPermission, FaultInjection and RateLimit on ZoneEgress

Open lobkovilya opened this issue 2 years ago • 18 comments

What happened?

Policies such as Fault Injections, Rate Limit, and Traffic Permissions support arbitrary tags in Destination, but we lose this information when placing policies in the map just by the Service's name. Example:

```yaml
type: ExternalService
mesh: default
name: es-v1
tags:
  kuma.io/service: my-external-service
  version: v1
---
type: ExternalService
mesh: default
name: es-v2
tags:
  kuma.io/service: my-external-service
  version: v2
---
type: FaultInjection
mesh: default
name: fi1
destinations:
- match:
   kuma.io/service: my-external-service
   version: v1
...
---
type: FaultInjection
mesh: default
name: fi2
destinations:
- match:
   kuma.io/service: my-external-service
   version: v2
...
```

Then we'll build a map: "my-external-service" -> ["fi1", "fi2"]. Later, we'll place fi1 and fi2 on all fault injection filter chains for my-external-service (in external_services_generator.go).

lobkovilya, Mar 15 '22 12:03
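The grouping problem described in the post above, as an added example that is not Kuma's code and not part of the original issue: it contrasts keying policies by `kuma.io/service` alone with matching the full destination selector, and lists the policies that end up on an endpoint they do not select. The names `Policy`, `byServiceName`, `matches` and `overApplied` are hypothetical, and the sample data is constructed from the resources in the issue.

```go
package main

import "fmt"

const serviceTag = "kuma.io/service"

// Policy is a simplified stand-in for FaultInjection, RateLimit or TrafficPermission.
type Policy struct{ Name string; Dest map[string]string }

// byServiceName reproduces the lossy grouping: only kuma.io/service is kept as the key.
func byServiceName(policies []Policy) map[string][]string {
	out := map[string][]string{}
	for _, p := range policies {
		out[p.Dest[serviceTag]] = append(out[p.Dest[serviceTag]], p.Name)
	}
	return out
}

// matches reports whether every selector tag equals the endpoint's tag ("*" = any).
func matches(selector, endpoint map[string]string) bool {
	for k, v := range selector {
		if got, ok := endpoint[k]; !ok || (v != "*" && v != got) {
			return false
		}
	}
	return true
}

// overApplied lists policies attached by service name whose full selector does not match.
func overApplied(policies []Policy, endpoint map[string]string) []string {
	var out []string
	for _, p := range policies {
		if p.Dest[serviceTag] == endpoint[serviceTag] && !matches(p.Dest, endpoint) {
			out = append(out, p.Name)
		}
	}
	return out
}

// Constructed sample data mirroring the resources in the issue.
var policies = []Policy{
	{Name: "fi1", Dest: map[string]string{serviceTag: "my-external-service", "version": "v1"}},
	{Name: "fi2", Dest: map[string]string{serviceTag: "my-external-service", "version": "v2"}},
}
var esV1 = map[string]string{serviceTag: "my-external-service", "version": "v1"}

func main() {
	fmt.Println(byServiceName(policies)["my-external-service"], overApplied(policies, esV1))
}
```

Running the same check over existing policies and ExternalService tags shows which selectors rely on tags other than `kuma.io/service` and are therefore affected by this limitation.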

Triage: We need to document this limitation. What's the behaviour with ExternalService without ZoneEgress? Should we just disallow ExternalService with arbitrary tags?

Seems like we need tags for metadata info so let's just document this limitation.

lahabana, Mar 15 '22 15:03

This issue was inactive for 30 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it promptly or attend the next triage meeting.

github-actions[bot], Apr 15 '22 08:04

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

github-actions[bot], Oct 17 '22 08:10

@lobkovilya is this still a limitation with new policies?

lahabana, Jan 16 '23 11:01

Yes, it's still a limitation. At this moment we can't apply the policy only to some subset of my-external-service (like version=v2) because all my-external-service endpoints are located in the same DNS cluster.

lobkovilya, Apr 14 '23 05:04

Is this something we want to fix? Should we just say there are no subsets of external services? You should be using a route if you want something like this.

lahabana, Oct 16 '23 15:10

> Is this something we want to fix? Should we just say there are no subsets of external services? You should be using a route if you want something like this.

Did anyone ask for this? If not, then I think we can just document. On the other hand, fixing this shouldn't be that big of a problem.

slonka, Apr 22 '24 10:04

I don't think it makes sense to fix this for old policies. Probably we should just make sure a similar use case works for new policies and the new external service.

lobkovilya, Apr 22 '24 14:04

Closing since MeshExternalService doesn't have tags on individual endpoints, so the problem doesn't exist.

lobkovilya, Aug 02 '24 14:08