istio
252 строки · 9.2 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package kube16import (18"fmt"19"strings"20corev1 "k8s.io/api/core/v1"22metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"23"sigs.k8s.io/gateway-api/apis/v1beta1"24"istio.io/api/annotation"26"istio.io/api/label"27"istio.io/istio/pilot/pkg/features"28"istio.io/istio/pilot/pkg/model"29"istio.io/istio/pilot/pkg/serviceregistry/provider"30"istio.io/istio/pkg/cluster"31"istio.io/istio/pkg/config/constants"32"istio.io/istio/pkg/config/host"33"istio.io/istio/pkg/config/kube"34"istio.io/istio/pkg/config/visibility"35"istio.io/istio/pkg/spiffe"36"istio.io/istio/pkg/util/sets"37)38func convertPort(port corev1.ServicePort) *model.Port {40return &model.Port{41Name: port.Name,42Port: int(port.Port),43Protocol: kube.ConvertProtocol(port.Port, port.Name, port.Protocol, port.AppProtocol),44}45}46func ConvertService(svc corev1.Service, domainSuffix string, clusterID cluster.ID) *model.Service {48addrs := []string{constants.UnspecifiedIP}49resolution := model.ClientSideLB50externalName := ""51nodeLocal := false52if svc.Spec.Type == corev1.ServiceTypeExternalName && svc.Spec.ExternalName != "" {54externalName = svc.Spec.ExternalName55if features.EnableExternalNameAlias {56resolution = model.Alias57} else {58resolution = model.DNSLB59}60}61if svc.Spec.InternalTrafficPolicy != nil && *svc.Spec.InternalTrafficPolicy == corev1.ServiceInternalTrafficPolicyLocal {62nodeLocal = true63}64if svc.Spec.ClusterIP == corev1.ClusterIPNone { // headless services should not be load balanced66resolution = model.Passthrough67} else if svc.Spec.ClusterIP != "" {68addrs[0] = svc.Spec.ClusterIP69if len(svc.Spec.ClusterIPs) > 1 {70addrs = svc.Spec.ClusterIPs71}72}73ports := make([]*model.Port, 0, len(svc.Spec.Ports))75for _, port := range svc.Spec.Ports {76ports = append(ports, convertPort(port))77}78var exportTo sets.Set[visibility.Instance]80serviceaccounts := make([]string, 0)81if svc.Annotations[annotation.AlphaCanonicalServiceAccounts.Name] != "" {82serviceaccounts = append(serviceaccounts, strings.Split(svc.Annotations[annotation.AlphaCanonicalServiceAccounts.Name], ",")...)83}84if svc.Annotations[annotation.AlphaKubernetesServiceAccounts.Name] != "" {85for _, ksa := range strings.Split(svc.Annotations[annotation.AlphaKubernetesServiceAccounts.Name], ",") {86serviceaccounts = append(serviceaccounts, kubeToIstioServiceAccount(ksa, svc.Namespace))87}88}89if svc.Annotations[annotation.NetworkingExportTo.Name] != "" {90namespaces := strings.Split(svc.Annotations[annotation.NetworkingExportTo.Name], ",")91exportTo = sets.NewWithLength[visibility.Instance](len(namespaces))92for _, ns := range namespaces {93exportTo.Insert(visibility.Instance(ns))94}95}96istioService := &model.Service{98Hostname: ServiceHostname(svc.Name, svc.Namespace, domainSuffix),99ClusterVIPs: model.AddressMap{100Addresses: map[cluster.ID][]string{101clusterID: addrs,102},103},104Ports: ports,105DefaultAddress: addrs[0],106ServiceAccounts: serviceaccounts,107MeshExternal: len(externalName) > 0,108Resolution: resolution,109CreationTime: svc.CreationTimestamp.Time,110ResourceVersion: svc.ResourceVersion,111Attributes: model.ServiceAttributes{112ServiceRegistry: provider.Kubernetes,113Name: svc.Name,114Namespace: svc.Namespace,115Labels: svc.Labels,116ExportTo: exportTo,117LabelSelectors: svc.Spec.Selector,118},119}120switch svc.Spec.Type {122case corev1.ServiceTypeNodePort:123if _, ok := svc.Annotations[annotation.TrafficNodeSelector.Name]; !ok {124// only do this for istio ingress-gateway services125break126}127// store the service port to node port mappings128portMap := make(map[uint32]uint32)129for _, p := range svc.Spec.Ports {130portMap[uint32(p.Port)] = uint32(p.NodePort)131}132istioService.Attributes.ClusterExternalPorts = map[cluster.ID]map[uint32]uint32{clusterID: portMap}133// address mappings will be done elsewhere134case corev1.ServiceTypeLoadBalancer:135if len(svc.Status.LoadBalancer.Ingress) > 0 {136var lbAddrs []string137for _, ingress := range svc.Status.LoadBalancer.Ingress {138if len(ingress.IP) > 0 {139lbAddrs = append(lbAddrs, ingress.IP)140} else if len(ingress.Hostname) > 0 {141// DO NOT resolve the DNS here. In environments like AWS, the ELB hostname142// does not have a repeatable DNS address and IPs resolved at an earlier point143// in time may not work. So, when we get just hostnames instead of IPs, we need144// to smartly switch from EDS to strict_dns rather than doing the naive thing of145// resolving the DNS name and hoping the resolution is one-time task.146lbAddrs = append(lbAddrs, ingress.Hostname)147}148}149if len(lbAddrs) > 0 {150if istioService.Attributes.ClusterExternalAddresses == nil {151istioService.Attributes.ClusterExternalAddresses = &model.AddressMap{}152}153istioService.Attributes.ClusterExternalAddresses.SetAddressesFor(clusterID, lbAddrs)154}155}156}157istioService.Attributes.Type = string(svc.Spec.Type)159istioService.Attributes.ExternalName = externalName160istioService.Attributes.NodeLocal = nodeLocal161if len(svc.Spec.ExternalIPs) > 0 {162if istioService.Attributes.ClusterExternalAddresses == nil {163istioService.Attributes.ClusterExternalAddresses = &model.AddressMap{}164}165istioService.Attributes.ClusterExternalAddresses.AddAddressesFor(clusterID, svc.Spec.ExternalIPs)166}167return istioService169}170func ExternalNameEndpoints(svc *model.Service) []*model.IstioEndpoint {172if svc.Attributes.ExternalName == "" {173return nil174}175out := make([]*model.IstioEndpoint, 0, len(svc.Ports))176discoverabilityPolicy := model.AlwaysDiscoverable178if features.EnableMCSServiceDiscovery {179// MCS spec does not allow export of external name services.180// See https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#exporting-services.181discoverabilityPolicy = model.DiscoverableFromSameCluster182}183for _, portEntry := range svc.Ports {184out = append(out, &model.IstioEndpoint{185Address: svc.Attributes.ExternalName,186EndpointPort: uint32(portEntry.Port),187ServicePortName: portEntry.Name,188Labels: svc.Attributes.Labels,189DiscoverabilityPolicy: discoverabilityPolicy,190})191}192return out193}194// ServiceHostname produces FQDN for a k8s service196func ServiceHostname(name, namespace, domainSuffix string) host.Name {197return host.Name(name + "." + namespace + "." + "svc" + "." + domainSuffix) // Format: "%s.%s.svc.%s"198}199// ServiceHostnameForKR calls ServiceHostname with the name and namespace of the given kubernetes resource.201func ServiceHostnameForKR(obj metav1.Object, domainSuffix string) host.Name {202return ServiceHostname(obj.GetName(), obj.GetNamespace(), domainSuffix)203}204// kubeToIstioServiceAccount converts a K8s service account to an Istio service account206func kubeToIstioServiceAccount(saname string, ns string) string {207return spiffe.MustGenSpiffeURI(ns, saname)208}209// SecureNamingSAN creates the secure naming used for SAN verification from pod metadata211func SecureNamingSAN(pod *corev1.Pod) string {212return spiffe.MustGenSpiffeURI(pod.Namespace, pod.Spec.ServiceAccountName)213}214// PodTLSMode returns the tls mode associated with the pod if pod has been injected with sidecar216func PodTLSMode(pod *corev1.Pod) string {217if pod == nil {218return model.DisabledTLSModeLabel219}220return model.GetTLSModeFromEndpointLabels(pod.Labels)221}222// IsAutoPassthrough determines if a listener should use auto passthrough mode. This is used for224// multi-network. In the Istio API, this is an explicit tls.Mode. However, this mode is not part of225// the gateway-api, and leaks implementation details. We already have an API to declare a Gateway as226// a multi-network gateway, so we will use this as a signal.227// A user who wishes to expose multi-network connectivity should create a listener named "tls-passthrough"228// with TLS.Mode Passthrough.229// For some backwards compatibility, we assume any listener with TLS specified and a port matching230// 15443 (or the label-override for gateway port) is auto-passthrough as well.231func IsAutoPassthrough(gwLabels map[string]string, l v1beta1.Listener) bool {232if l.TLS == nil {233return false234}235if hasListenerMode(l, constants.ListenerModeAutoPassthrough) {236return true237}238_, networkSet := gwLabels[label.TopologyNetwork.Name]239if !networkSet {240return false241}242expectedPort := "15443"243if port, f := gwLabels[label.NetworkingGatewayPort.Name]; f {244expectedPort = port245}246return fmt.Sprint(l.Port) == expectedPort247}248func hasListenerMode(l v1beta1.Listener, mode string) bool {250// TODO if we add a hybrid mode for detecting HBONE/passthrough, also check that here251return l.TLS != nil && l.TLS.Options != nil && string(l.TLS.Options[constants.ListenerModeOption]) == mode252}253