Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add GOOGLE_INTERNAL_GSM_NAMESPACE and GOOGLE_INTERNAL_GSM_DEPLOYMENT to node metadata, #68

Closed
wants to merge 1 commit into from
Closed

Add GOOGLE_INTERNAL_GSM_NAMESPACE and GOOGLE_INTERNAL_GSM_DEPLOYMENT to node metadata, #68

wants to merge 1 commit into from

Conversation

karthikbox
Copy link

This will be used for apply authorization policies to deployments. Used only in CSM Gateway API cluster.

ejona86
ejona86 reviewed Sep 30, 2024
View reviewed changes
Copy link
Collaborator

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we don't want to use TRAFFIC_DIRECTOR_CLIENT_ENVIRONMENT ? gkeDeployment in particular is already plumbed through that. That is disabled currently, but there's some movement that seems may enable it. CC @arvindbr8

@karthikbox
Add GOOGLE_INTERNAL_GSM_NAMESPACE and GOOGLE_INTERNAL_GSM_DEPLOYMENT to
2e582d4 
node metadata.

This will be used for apply authorization policies to deployments.
Used only in CSM Gateway API cluster.
arvindbr8
arvindbr8 requested changes Oct 16, 2024
View reviewed changes
Copy link
Member

@arvindbr8 arvindbr8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please resolve ejona's [comment]? (#68 (review)). Karthik mentioned that these labels exists in Envoy.

main_test.go
vpcNetworkName: "thedefault",
ip: "10.9.8.7",
zone: "uscentral-5",
metadataLabels: map[string]string{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The functionality test for adding metadataLabels are already being tested. If you still would like to have another test that adds these exact labels, can we split them to another test?

main.go
@@ -48,6 +48,7 @@ var (
gkePodName = flag.String("gke-pod-name-experimental", "", "GKE pod name to use, instead of reading it from $HOSTNAME or /etc/hostname file. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
gkeNamespace = flag.String("gke-namespace-experimental", "", "GKE namespace to use. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
gkeLocation = flag.String("gke-location-experimental", "", "the location (region/zone) of the GKE cluster, instead of retrieving it from the metadata server. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
gkeDeployment = flag.String("gke-deployment-experimental", "", "GKE deployment to use. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Should we add more info to the usage text?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why "deployment"? What about bare pods, bare replica sets, and daemon sets? Are these not supported? Or is "deployment"? Or is this more abstract and not referring to the Kubernetes Deployment resource?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved offline.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this behavior could be possible by passing in the k,v to --node-metadata

./td-grpc-bootstrap --node-metadata GOOGLE_INTERNAL_GSM_NAMESPACE=foo --node-metadata GOOGLE_INTERNAL_GSM_DEPLOYMENT=bar

it's worth mentioning that setting this flag will overwrite the value passed to --node-metadata

@karthikbox
Copy link
Author

Is there a reason we don't want to use TRAFFIC_DIRECTOR_CLIENT_ENVIRONMENT ? gkeDeployment in particular is already plumbed through that. That is disabled currently, but there's some movement that seems may enable it. CC @arvindbr8

i did consider that however but we'd still have an inconsistency with envoy node metadata. currently, none of csm envoys set traffic_director_client_environment but they do set the GOOGLE_INTERNAL_GSM_NAMESPACE and GOOGLE_INTERNAL_GSM_DEPLOYMENT (there are other keys such as this in envoy at the top level in node metadata but i left them out as they're not needed at the moment). This logic is already baked into TD control plane and is used in google cloud 1n authz policy (preview) as well as other GA features (istio api for example) for applying the policy to workloads.

when i proposed TRAFFIC_DIRECTOR_CLIENT_ENVIRONMENT originally, it was only meant to make it easier for users to search control plane logs. not for applying policies on. there's no strong reason not to use this for policies as well but at this point its even more work to add this to envoy and teach TD to look for these nested labels. on the other hand, may be its good to keep these labels separate as they're used for different pruposes ?

overall, this is still a net positive. as we get 1n authz support for grpc clients (like envoys) but comes at a small cost of internal redundant info.

@arvindbr8 arvindbr8 requested a review from ejona86 October 23, 2024 13:05
@ejona86
Copy link
Collaborator

ejona86 commented Oct 23, 2024

I don't think I'm the right person to decide this. This seems like a CSM decision.

@arvindbr8 arvindbr8 assigned gnossen and unassigned ejona86 Oct 23, 2024
@arvindbr8
Copy link
Member

I think would be nice to also get @gnossen 's review here

gnossen
gnossen approved these changes Oct 29, 2024
View reviewed changes
Copy link
Contributor

@gnossen gnossen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved, conditional on adding to the help text for the new flag.

main.go
@@ -48,6 +48,7 @@ var (
gkePodName = flag.String("gke-pod-name-experimental", "", "GKE pod name to use, instead of reading it from $HOSTNAME or /etc/hostname file. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
gkeNamespace = flag.String("gke-namespace-experimental", "", "GKE namespace to use. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
gkeLocation = flag.String("gke-location-experimental", "", "the location (region/zone) of the GKE cluster, instead of retrieving it from the metadata server. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
gkeDeployment = flag.String("gke-deployment-experimental", "", "GKE deployment to use. This flag is EXPERIMENTAL and may be changed or removed in a later release.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved offline.

@arvindbr8
Copy link
Member

We found a faster approach by using the exiting flag --node-metadata to plumb these labels. @karthikbox - Closing this

@arvindbr8 arvindbr8 closed this Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arvindbr8 arvindbr8 arvindbr8 requested changes

@gnossen gnossen gnossen approved these changes

@ejona86 ejona86 Awaiting requested review from ejona86

Assignees

@gnossen gnossen

@karthikbox karthikbox

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@karthikbox @ejona86 @arvindbr8 @gnossen