Ask questionsMulti-Istio deployments in same k8s cluster

Describe the feature request

After issue #26679 resolved, istiod can be configured to watch a subset of namespaces in a k8s cluster by using meshConfig.discoverySelectors. But for deploying multi-istio in a k8s cluster, there are still some gaps:

  • namespace controller injects ConfigMap istio-root-ca-cert to namespaces, need to scoping it to the namespaces which are part of mesh managed by one Istio deployment, otherwise, it would override istio-root-ca-cert injected by another Istiod deployment.
  • mutating/validating webhook should be configured to run on an object based on which Istio deployment manages its namespace.
  • secrets controller watches all namespaces currently, it should also be configured to avoid trigger XDS push unnecessarily when a Secret doesn't belong to a Istio deployment. This is not mandatory, but better to have.

PR #29802 implemented a DiscoveryNamespacesFilter, which can be reused by namespace controller and secrets controller, but looks like a different set of namespace selectors should be defined, because "discovery - namespaces watched by Istio" and "namespaces in a mesh" are different concept.

Per my understanding, another namespace selector("meshNamespaceSelectors"?) in MeshConfig should be defined and items listed above should be modified accordingly. Please correct me if I misunderstand anything.

Describe alternatives you've considered

[ ] Docs [ ] Installation [X] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

[] Multi Cluster [ ] Virtual Machine [X] Multi Control Plane

Additional context


Answer questions liamawhite

I think you would also need to filter out Istio CRs to avoid cross-contamination. i.e. If I create a service entry with exportTo: ['*'] in a namespace not managed by a given mesh, it shouldn't appear in Envoys for that mesh. Having spoken to @harveyxia, #29802 doesn't ignore Istio resources created in a given namespace.

Liam White liamawhite @tetrateio Seattle, WA USA Software Engineer @tetrateio. @istio Maintainer.
Github User Rank List