CFP: Scope Clustermesh APIserver to only export Identities and Endpoints Fronted by Global Service

[krunaljain]

Cilium Feature Proposal

Is your proposed feature related to a problem?

Yes. The current Cilium Clustermesh implementation distributes all endpoints and identities across connected clusters. While this ensures full visibility, it introduces significant scalability challenges as the number of clusters, endpoints, and identities increases. In large-scale deployments, this results in high memory consumption and operational inefficiencies, limiting the ability to scale Clustermesh effectively.

Describe the feature you'd like

We propose introducing a new “scoped-export” mode for the Clustermesh API server. This mode restricts cross-cluster propagation to only those endpoints and identities that are fronted by global services. The goal is to reduce the volume of data shared across clusters while preserving essential service connectivity and policy enforcement for global services.

Key requirements include:

Maintain full cross-cluster visibility for endpoints and identities associated with global services.
Avoid propagating endpoints and identities not tied to global services.
Ensure backward compatibility with existing Clustermesh deployments.
Support dynamic updates based on service lifecycle events.

(Optional) Describe your proposed solution
Current proposal: cilium/design-cfps#74
Previous Design Document:

CFP-39876

[MrFreezeex]

Hii @krunaljain 👋, afaict the document you share isn't public, could you double check this?

Aside from that from a super high level question (but this might get answered in your doc): what happens when you want to have some network policies for consumer (ingress traffic) of a global service from other clusters?

[krunaljain]

@MrFreezeex Reattached the document. For the network policies, the endpoints and identities information associated with all resources fronted by global services would be exported as it is today. As the network policies work in the current OSS version, they should work even with the proposal for scoped export?

[MrFreezeex]

If you could send your proposal either with a pdf format/Google doc (with a public link where we could comment) or a PR to https://github.com/cilium/design-cfps that would be nicer, thanks!

Aside from that about my question: let's say you have my-svc which is a global in cluster 1 and 2, only cluster 2 contains backing pod. You have client pods in cluster1 that contact my-svc. You also want to have a network policy in cluster 2 whitelisting ingress traffic from those client pod in cluster1 to pods backing my-svc in cluster2. If in cluster2 you don't get identities from those client pod in cluster1 you can't do that.

What do you plan to do about this? Some extra annotation whitelisting those identities too in a way? That this is expected to not work in this mode? Something else?

[krunaljain]

@MrFreezeex Can you try to access the document now?

Thanks for clarifying your question. We intend to provide a custom annotation which allows customers to allowlist export of certain endpoints and its associated identities which are not fronted by global services. The clients would need to be annotated to make sure the associated identities are exported to remote clusters

[MrFreezeex]

Yes thanks! Will comment on the doc itself

[MrFreezeex]

Our discussion on the doc about annotation made me think about an alternative implementation:

Let's say we introduce two new annotations on Pods: (initial naming idea, can be changed btw) clustermesh.cilium.io/export-enabled & clustermesh.cilium.io/internal-export-enabled. If a user want to have the Pod be considered in the clustermesh (assuming a global feature flag is enabled too probably) he use the first annotation on Pod (probably through whatever he use to create pod such a Deployment/StatefulSet/...).

For marking Pod, as it's possible in kubernetes to add an annotation on a Pod dynamically that means we could have a controller who will watch for global Services and Pod and will control the presence of the second annotation/internal annotation on the Pod. If the pod match the selector of a global Service the annotation will be added else it will be removed (if the annotation is present).

For CiliumEndpoint we can just add the internal annotation if at least one of the two annotation are present in the existing controller managing CiliumEndpoint.

For CiliumIdentity, its existing controller would need to check if there is at least one pod (or CiliumEndpoint?) that is annotated with an export annotation and we can annotate the CiliumIdentity as a result of that check. The existing controller for CiliumIdentity already watch Pods so I don't think this would be a big change.

For CiliumEndpointSlice, we could globally mark an a CES as exported if one of its CEP is marked for export. If we do that without introducing any additional logic it would mean that we would be exporting some endpoints from a CES that are not necessary to be exported. To not have this problem we could modify the logic of CES creation so that Endpoint marked/not marked for export are grouped within the same object (similar logic on regular k8s EndpointSlice that are grouped with addres type). This optimization could probably be doable as a later step which will further optimize this new export mechanism.

On clustermesh side, the logic becomes really straightforward, CEP/CES/CiliumIdentity with an export enabled annotation are considered and the rest are ignored.

I'm not super familiar with most of these part of Cilium so I might have missed a few things and I believe there could be some alternatives to the proposed CiliumEndpointSlice logic that we could consider too. Also there are variations on how we consider pod marked, possibly we could not dynamically add this internal annotation if selected by a global service but start watching for global Services in the CiliumEndoint controller and do this logic without the additional annotaiton which could be less moving parts (for instance if the CiliumEndpoint is created before the annotation would be dynamically added on the Pod object) but slightly complexify the logic in this controller (also note that it won't add more request to the kube-apiserver as we already watch for Services in the agent anyway).

WDYT?

[krunaljain]

@MrFreezeex If we add annotation on a pod, we receive watch events on the pod when someone adds/removes annotations. Now for that Pod object, how do I find out the corresponding CiliumEndpoint, CiliumEndpointSlice and CiliumIdentity objects without querying the APIserver? This is the major issue for us to allowlist via pod annotations. We are looking to implement the functionality without setting additional set of watches/joins on the APIserver as that might be counter productive for this CFP. Hence, the CFP proposes service to service level connectivity.

[MrFreezeex]

@MrFreezeex If we add annotation on a pod, we receive watch events on the pod when someone adds/removes annotations. Now for that Pod object, how do I find out the corresponding CiliumEndpoint, CiliumEndpointSlice and CiliumIdentity objects without querying the APIserver? This is the major issue for us to allowlist via pod annotations. We are looking to implement the functionality without setting additional set of watches/joins on the APIserver as that might be counter productive for this CFP. Hence, the CFP proposes service to service level connectivity.

Sorry if that part wasn't clear, the existing CiliumEndpoint and CiliumIdentities controllers are already watching for pods so it would be just a matter of propagating this info with the existing resource/informers there in the same controllers/reconcilers that create/update them. And for CiliumEndpointSlice similarly but from CiliumEndpoint instead of Pods.

Even if we are not dynamically annotating pod like proposed here:

Also there are variations on how we consider pod marked, possibly we could not dynamically add this internal annotation if selected by a global service but start watching for global Services in the CiliumEndoint controller and do this logic without the additional annotaiton which could be less moving parts (for instance if the CiliumEndpoint is created before the annotation would be dynamically added on the Pod object) but slightly complexify the logic in this controller (also note that it won't add more request to the kube-apiserver as we already watch for Services in the agent anyway).

The agents already watch for Pods/Services so there would actually no new request to the apiserver being performed.

[krunaljain]

@MrFreezeex Thanks for the info. Can you link the CiliumEndpoint and CiliumIdentity controllers from the code that you referred to in your comment?