add new phase to WasmPlugin #3143
extensions/v1alpha1/wasm.proto
@@ -414,6 +414,9 @@ enum PluginPhase { | |||
|
|||
// Insert plugin before Istio stats filters and after Istio authorization filters. | |||
STATS = 3; | |||
|
|||
// Insert plugin before Istio metadata filters, This will generally be at the start of the filter chain. | |||
METADATA_EXCHANGE = 4; |
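Review bot: The doc comment on `METADATA_EXCHANGE = 4` hedges the placement with "This will generally be at the start of the filter chain", so a reader cannot tell what ordering is guaranteed, whereas the `STATS` comment above it gives both a before and an after bound. Suggest stating the exact position relative to named filters, or saying outright that nothing precedes it, and fixing the comma splice in "filters, This will". If this phase does sit at the start of the chain, it runs ahead of the authorization filters named in the `STATS` comment, and the comment should say that a plugin placed here sees requests before those filters have run.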
I am not sure "METADATA_EXCHANGE" should be encoded in our API. The other 3 are logical universal phases of a proxy. MX is an Istio-specific internal implementation detail that will probably be changed.
cc @kyessenov
Do you mean with MDS, there's no more MX filter?
MX filter should not be assumed to exist forever, and moreover, the data it provides cannot be trusted.
Maybe it's better to configure MX filter not to strip the header instead?
sg
Rethinking this: is it still worth adding a new phase to enable users to insert a WasmPlugin at the start of the filter chain?
We deliberately tried to assign semantic meaning to each phase. I don't know what "initial" actually means.
Sorry, didn't realize there was open discussion here before merging. @zirain can you discuss with @kyessenov and make any needed changes/revert before 1.22 if needed?
The config should be about the intent, not the mechanics. If you can explain what "initial" is supposed to be used for, and rename it, that would be enough.
To further expand on this, what filters are run before the Istio authentication filters? From the issue, one would be the istio.metadata_exchange filter. What phase would include that filter and other filters that one would want to put their filter before? It sounds like calling that phase initial may not be the best. My read was that using Initial just meant that the filters would be put at the front of the line. I don't have a better name in mind.
I think maybe
IMO, AUTHN phase should cover most of the cases that need to run. I do not know what would be the use case for being the filter first? METADATA_EXCHANGE seems like a special case - maybe we should change the implementation of AUTHN Phase to insert before Metadata Exchange?
Something like iptables raw table? Allow any audit, any data preprocessing?
@hzxuzhonghu Isn't that authentication? If you want to check or assert some security property, that's authentication?
April 10 WG decision was to revert this change, and solve the metadata exchange UX issue here without adding a new WasmPlugin stage: https://docs.google.com/document/d/1wsa06GGiq1LEGwhkiPP0FKIZJqdAiue-VeBonWAzAyk/edit#heading=h.6fcb5py1h0hy
Can you explain how to do that?
@zirain Can you read the metadata from the filter state? The details for encoding in either the filter state or the header are subject to change, so either way it's not a fully supported configuration.
xref: istio/istio#50012
This will allow users to insert a WasmPlugin at the start of the filter chain.