Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support ip_families field in service #1161

Merged
merged 2 commits into from
Jun 24, 2024
Merged

Support ip_families field in service #1161

merged 2 commits into from
Jun 24, 2024

Conversation

howardjohn
Copy link
Member

@howardjohn howardjohn commented Jun 18, 2024
edited
Loading

Istio side istio/istio#51606

This implements the new ip_families field for services:

Add a new IPFamilies field to service. This is used for two things:

  1. DNS lookups for headless services MUST not return unsupported families. Without this field, it is impossible to know which workload IPs to filter
  2. When we select a workload IP after resolving a service, we must pick a supported family. This is possible to do without for non-headless services (by inferring from the VIPs field), but easier to be explicit.

Fixes #1152

@howardjohn howardjohn added the release-notes-none Indicates a PR that does not require release notes. label Jun 18, 2024
@istio-testing
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@istio-testing istio-testing added do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 18, 2024
@howardjohn howardjohn mentioned this pull request Jun 18, 2024
Merged
@howardjohn
Copy link
Member Author

/test all

@howardjohn howardjohn added the do-not-merge/hold Block automatic merging of a PR. label Jun 19, 2024
@howardjohn howardjohn marked this pull request as ready for review June 19, 2024 00:22
@howardjohn howardjohn requested a review from a team as a code owner June 19, 2024 00:22
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jun 19, 2024
hzxuzhonghu
hzxuzhonghu reviewed Jun 19, 2024
View reviewed changes
src/dns/server.rs Outdated
service
.endpoints
.iter()
.filter_map(|(_, ep)| match &ep.address {
Some(addr) => {
if let Some(false) = family.map(|f| f.accepts_ip(addr.address)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@howardjohn I am not quite understanding this, checking record_type has already filtered unmatched ipfamily.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

example is a user queries A for a service with IP family Ipv6. We need to move sure we do NOT return ipv4 addresses

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is a clientside defense against a server bug, it needs an error log.

(And a test, this is basically covering a scenario where a v4 is returned for an AAAA record, which is violently against the DNS spec)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not protection against a bug. Its perfectly valid for a client to send a A request for a service that is specified as IPv6 only, we just need to return no IPs.

Additionally ,there is a test that covers this exact scenario that I added alongside the PR.

(And a test, this is basically covering a scenario where a v4 is returned for an AAAA record, which is violently against the DNS spec)

No, I think there is a confusion. This is:

  • Client sends A request for Service X
  • Service X is IPv6 only, selects pods that are IPv4 AND IPv6
  • Before: we would return IPv4 address. Expected/with this PR: we do not respond

In no scenario are were (with or without this PR) sending IPv4 responses to AAAA or IPv6 responses to A

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That being said I think I can short-circuit this check to be at the service level instead of the pod level to give the same behavior.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, changed to a service level check. Should be more clear now hopefully

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LMK if that addresses the concerns

MorrisLaw
MorrisLaw reviewed Jun 19, 2024
View reviewed changes
src/dns/server.rs Show resolved Hide resolved
src/proxy/outbound.rs Outdated Show resolved Hide resolved
@howardjohn howardjohn removed the do-not-merge/hold Block automatic merging of a PR. label Jun 24, 2024
@istio-testing istio-testing merged commit 8458d66 into istio:master Jun 24, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MorrisLaw MorrisLaw MorrisLaw left review comments

@bleggett bleggett bleggett left review comments

@hzxuzhonghu hzxuzhonghu hzxuzhonghu approved these changes

Assignees
No one assigned
Labels
release-notes-none Indicates a PR that does not require release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

dualstack: DNS always returns both IP families regardless of service configuration
5 participants
@howardjohn @istio-testing @bleggett @MorrisLaw @hzxuzhonghu