Support native sidecar by default#56428
Conversation
|
|
|
😊 Welcome @irenezhong2861! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
|
Hi @irenezhong2861. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
8d311f3 to
08c79ad
Compare
aa7d148 to
d39664b
Compare
manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
Outdated
Show resolved
Hide resolved
| {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} | ||
| {{ $nativeSidecar := .NativeSidecars }} | ||
| {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) }} | ||
| {{ $nativeSidecar = eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true" }} |
There was a problem hiding this comment.
Why is this duplicated in the injection template logic?
There was a problem hiding this comment.
Cleaned up this line. The injection-template is ran here, with params.nativeSidecar being passed in and read in injection-template.yaml via .NativeSidecars. The is to generate the template pod. Later on, the same annotation logic is used to generate the merged pod. Both places need code to overwrite the param.nativeSidecar value with the annotation value.
| Name: "node-1", | ||
| }, | ||
| Status: corev1.NodeStatus{ | ||
| NodeInfo: corev1.NodeSystemInfo{ |
There was a problem hiding this comment.
Can we get more of a range of kubelet versions?
There was a problem hiding this comment.
What about old kubelet versions? We should probably test that they have classic sidecars right?
There was a problem hiding this comment.
added test case below with old version and added golden files. The new test case has one 1.33 node and one 1.28 node so native sidecar will be off without needing to set any flags.
| } | ||
|
|
||
| var nodes kclient.Client[*corev1.Node] | ||
| if wh.nodes != nil { |
There was a problem hiding this comment.
Should probably log or something if this isn't initialized for some reason
pkg/kube/inject/webhook.go
Outdated
|
|
||
| minVersion := 29 | ||
| allNodesValid := false | ||
| for _, n := range nodes.List(metav1.NamespaceAll, klabels.Everything()) { |
There was a problem hiding this comment.
What happens if someone adds an older node to their k8s cluster? Talk through the process in a code comment.
There was a problem hiding this comment.
add comment around how older nodes will switch the native sidecar value to false since this checks versions of all nodes.
There was a problem hiding this comment.
this needs to take into account Kubernetes version of wait until the minimum supported version is GA. this would be about 3 years so a long wait.
If you look through the issue you'll see I had a WIP PR to do so that we could leverage.
edit: I skimmed quickly on my phone and I think I missed some logic, so I may be wrong - will look closer soon. Sorry!
pkg/kube/inject/webhook.go
Outdated
| return false | ||
| } | ||
|
|
||
| minVersion := 29 |
There was a problem hiding this comment.
should do 1.33 imo. we cannot GA a beta feature
There was a problem hiding this comment.
+1 to this - I missed it in my initial pass. There is also a bug in older versions that doesn't really affect Istio, but still shouldn't expose users to it by default if we can help it IMO
There was a problem hiding this comment.
in my initial PR I had a way for a user to say "automatically detect, minimum beta" as an opt-in to 1.29. but for default should be 1.33 IMO
There was a problem hiding this comment.
if the pod has a node name assigned explicitly (very rare) we can also probably check only that node. maybe niche though
There was a problem hiding this comment.
Updated the version to 1.33, with a branch to check if only the corresponding node if pod.Spec.nodeName is not empty. Currently have a log.warn if the the node name is set but the node can't be found, and not enabling native sidecar in that case, open to suggestions!
There was a problem hiding this comment.
With this kubelet version check though, I don't think we need to wait until 1.33 is the min supported k8s version. It handles the case of nodes on ineligible versions by not defaulting native side cars for them. We might not need a check like this at all once 1.33 is the min version and just enable all by default.
There was a problem hiding this comment.
Yes, once we get past the supported 1.33 version skew, we could remove a lot of these checks, though folks who are running LTS in a cloud provider need to keep them around
| Name: "node-1", | ||
| }, | ||
| Status: corev1.NodeStatus{ | ||
| NodeInfo: corev1.NodeSystemInfo{ |
There was a problem hiding this comment.
What about old kubelet versions? We should probably test that they have classic sidecars right?
b3cc938 to
74b4cce
Compare
|
/test integ-ambient-mc |
* remove finding of pods by IP * fix test * add feature flag and release note
a383473 to
76daf96
Compare
howardjohn
left a comment
There was a problem hiding this comment.
As a fast followup, can we make sure we turn this off in the compatbility profiles for the older versions?
opened #56903 to update compatibility profiles |
|
/cherry-pick release-1.27 |
|
@keithmattix: new pull request created: #56918 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
* upstream/master: set VERSION on master to 1.28 (istio#56902) Automator: update ztunnel@master in istio/istio@master (istio#56900) Move Alpha Gateway API Inference Extension support to master (istio#56845) Support native sidecar by default (istio#56428) feat: represent revision tags using services (istio#56851)
Please provide a description of this PR:
Enables native sidecar by default