Merge tag '1.23.1' into tetratefips-release-1.23

Istio release 1.23.1
tetratelabs · Sep 11, 2024 · 00fe2cf · 00fe2cf
2 parents 67c9a86 + 64cfafb
commit 00fe2cf
Show file tree

Hide file tree

Showing 139 changed files with 3,638 additions and 653 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.23-b6cd73221e0f858a739ba0961891c309ab080cfc",
+  "image": "gcr.io/istio-testing/build-tools:release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.23-2024-08-08T19-01-38
+BASE_VERSION ?= 1.23-2024-09-04T19-02-13
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

diff --git a/cni/pkg/cmd/root.go b/cni/pkg/cmd/root.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -79,7 +80,7 @@ var rootCmd = &cobra.Command{
 
 		// Start UDS log server
 		udsLogger := udsLog.NewUDSLogger(log.GetOutputLevel())
-		if err = udsLogger.StartUDSLogServer(cfg.InstallConfig.LogUDSAddress, ctx.Done()); err != nil {
+		if err = udsLogger.StartUDSLogServer(filepath.Join(cfg.InstallConfig.CNIAgentRunDir, constants.LogUDSSocketName), ctx.Done()); err != nil {
 			log.Errorf("Failed to start up UDS Log Server: %v", err)
 			return
 		}
@@ -94,14 +95,16 @@ var rootCmd = &cobra.Command{
 
 			// node agent will spawn a goroutine and watch the K8S API for events,
 			// as well as listen for messages from the CNI binary.
-			log.Info("Starting ambient node agent with inpod redirect mode")
-			ambientAgent, err := nodeagent.NewServer(ctx, watchServerReady, cfg.InstallConfig.CNIEventAddress,
+			cniEventAddr := filepath.Join(cfg.InstallConfig.CNIAgentRunDir, constants.CNIEventSocketName)
+			log.Infof("Starting ambient node agent with inpod redirect mode on socket %s", cniEventAddr)
+			ambientAgent, err := nodeagent.NewServer(ctx, watchServerReady, cniEventAddr,
 				nodeagent.AmbientArgs{
-					SystemNamespace: nodeagent.SystemNamespace,
-					Revision:        nodeagent.Revision,
-					ServerSocket:    cfg.InstallConfig.ZtunnelUDSAddress,
-					DNSCapture:      cfg.InstallConfig.AmbientDNSCapture,
-					EnableIPv6:      cfg.InstallConfig.AmbientIPv6,
+					SystemNamespace:   nodeagent.SystemNamespace,
+					Revision:          nodeagent.Revision,
+					ServerSocket:      cfg.InstallConfig.ZtunnelUDSAddress,
+					DNSCapture:        cfg.InstallConfig.AmbientDNSCapture,
+					EnableIPv6:        cfg.InstallConfig.AmbientIPv6,
+					TPROXYRedirection: cfg.InstallConfig.AmbientTPROXYRedirection,
 				})
 			if err != nil {
 				return fmt.Errorf("failed to create ambient nodeagent service: %v", err)
@@ -165,24 +168,19 @@ func init() {
 		Manual:  "Istio CNI Plugin Installer",
 	}))
 
-	registerStringParameter(constants.CNINetDir, "/etc/cni/net.d", "Directory on the host where CNI network plugins are installed")
 	registerStringParameter(constants.CNIConfName, "", "Name of the CNI configuration file")
 	registerBooleanParameter(constants.ChainedCNIPlugin, true, "Whether to install CNI plugin as a chained or standalone")
 	registerStringParameter(constants.CNINetworkConfig, "", "CNI configuration template as a string")
 	registerStringParameter(constants.LogLevel, "warn", "Fallback value for log level in CNI config file, if not specified in helm template")
 
 	// Not configurable in CNI helm charts
 	registerStringParameter(constants.MountedCNINetDir, "/host/etc/cni/net.d", "Directory on the container where CNI networks are installed")
+	registerStringParameter(constants.CNIAgentRunDir, "/var/run/istio-cni", "Location of the node agent writable path on the node (used for sockets, etc)")
 	registerStringParameter(constants.CNINetworkConfigFile, "", "CNI config template as a file")
-	registerStringParameter(constants.KubeconfigFilename, "ZZZ-istio-cni-kubeconfig",
-		"Name of the kubeconfig file which CNI plugin will use when interacting with API server")
 	registerIntegerParameter(constants.KubeconfigMode, constants.DefaultKubeconfigMode, "File mode of the kubeconfig file")
 	registerStringParameter(constants.KubeCAFile, "", "CA file for kubeconfig. Defaults to the same as install-cni pod")
 	registerBooleanParameter(constants.SkipTLSVerify, false, "Whether to use insecure TLS in kubeconfig file")
 	registerIntegerParameter(constants.MonitoringPort, 15014, "HTTP port to serve prometheus metrics")
-	registerStringParameter(constants.LogUDSAddress, "/var/run/istio-cni/log.sock", "The UDS server address which CNI plugin will copy log output to")
-	registerStringParameter(constants.CNIEventAddress, "/var/run/istio-cni/pluginevent.sock",
-		"The UDS server address which CNI plugin will forward ambient pod creation events to")
 	registerStringParameter(constants.ZtunnelUDSAddress, "/var/run/ztunnel/ztunnel.sock", "The UDS server address which ztunnel will connect to")
 	registerBooleanParameter(constants.AmbientEnabled, false, "Whether ambient controller is enabled")
 	// Repair
@@ -240,17 +238,17 @@ func bindViper(name string) {
 }
 
 func constructConfig() (*config.Config, error) {
+	viper.SetDefault(constants.AmbientTPROXYRedirection, true)
 	installCfg := config.InstallConfig{
-		CNINetDir:        viper.GetString(constants.CNINetDir),
 		MountedCNINetDir: viper.GetString(constants.MountedCNINetDir),
 		CNIConfName:      viper.GetString(constants.CNIConfName),
 		ChainedCNIPlugin: viper.GetBool(constants.ChainedCNIPlugin),
+		CNIAgentRunDir:   viper.GetString(constants.CNIAgentRunDir),
 
 		// Whatever user has set (with --log_output_level) for 'cni-plugin', pass it down to the plugin. It will use this to determine
 		// what level to use for itself.
 		// This masks the fact we are doing this weird log-over-UDS to users, and allows them to configure it the same way.
 		PluginLogLevel:        istiolog.LevelToString(istiolog.FindScope(constants.CNIPluginLogScope).GetOutputLevel()),
-		KubeconfigFilename:    viper.GetString(constants.KubeconfigFilename),
 		KubeconfigMode:        viper.GetInt(constants.KubeconfigMode),
 		KubeCAFile:            viper.GetString(constants.KubeCAFile),
 		SkipTLSVerify:         viper.GetBool(constants.SkipTLSVerify),
@@ -263,15 +261,14 @@ func constructConfig() (*config.Config, error) {
 		CNIBinSourceDir:  constants.CNIBinDir,
 		CNIBinTargetDirs: []string{constants.HostCNIBinDir},
 		MonitoringPort:   viper.GetInt(constants.MonitoringPort),
-		LogUDSAddress:    viper.GetString(constants.LogUDSAddress),
-		CNIEventAddress:  viper.GetString(constants.CNIEventAddress),
 
 		ExcludeNamespaces: viper.GetString(constants.ExcludeNamespaces),
 		ZtunnelUDSAddress: viper.GetString(constants.ZtunnelUDSAddress),
 
-		AmbientEnabled:    viper.GetBool(constants.AmbientEnabled),
-		AmbientDNSCapture: viper.GetBool(constants.AmbientDNSCapture),
-		AmbientIPv6:       viper.GetBool(constants.AmbientIPv6),
+		AmbientEnabled:           viper.GetBool(constants.AmbientEnabled),
+		AmbientDNSCapture:        viper.GetBool(constants.AmbientDNSCapture),
+		AmbientIPv6:              viper.GetBool(constants.AmbientIPv6),
+		AmbientTPROXYRedirection: viper.GetBool(constants.AmbientTPROXYRedirection),
 	}
 
 	if len(installCfg.K8sNodeName) == 0 {

diff --git a/cni/pkg/config/config.go b/cni/pkg/config/config.go
@@ -26,10 +26,10 @@ type Config struct {
 
 // InstallConfig struct defines the Istio CNI installation options
 type InstallConfig struct {
-	// Location of the CNI config files in the host's filesystem
-	CNINetDir string
 	// Location of the CNI config files in the container's filesystem (mount location of the CNINetDir)
 	MountedCNINetDir string
+	// Location of the node agent writable path on the node (used for sockets, etc)
+	CNIAgentRunDir string
 	// Name of the CNI config file
 	CNIConfName string
 	// Whether to install CNI plugin as a chained or standalone
@@ -38,8 +38,6 @@ type InstallConfig struct {
 	// Logging level for the CNI plugin
 	// Since it runs out-of-process, it has to be separately configured
 	PluginLogLevel string
-	// Name of the kubeconfig file used by the CNI plugin
-	KubeconfigFilename string
 	// The file mode to set when creating the kubeconfig file
 	KubeconfigMode int
 	// CA file for kubeconfig
@@ -70,12 +68,6 @@ type InstallConfig struct {
 	// The HTTP port for monitoring
 	MonitoringPort int
 
-	// The UDS server address that CNI plugin will send log to.
-	LogUDSAddress string
-
-	// The watch server socket address that CNI plugin will forward CNI events to.
-	CNIEventAddress string
-
 	// The ztunnel server socket address that the ztunnel will connect to.
 	ZtunnelUDSAddress string
 
@@ -87,6 +79,9 @@ type InstallConfig struct {
 
 	// Whether ipv6 is enabled for ambient capture
 	AmbientIPv6 bool
+
+	// Feature flag to determined whether TPROXY is used for redirection.
+	AmbientTPROXYRedirection bool
 }
 
 // RepairConfig struct defines the Istio CNI race repair configuration
@@ -124,13 +119,12 @@ type RepairConfig struct {
 
 func (c InstallConfig) String() string {
 	var b strings.Builder
-	b.WriteString("CNINetDir: " + c.CNINetDir + "\n")
 	b.WriteString("MountedCNINetDir: " + c.MountedCNINetDir + "\n")
 	b.WriteString("CNIConfName: " + c.CNIConfName + "\n")
 	b.WriteString("ChainedCNIPlugin: " + fmt.Sprint(c.ChainedCNIPlugin) + "\n")
+	b.WriteString("CNIAgentRunDir: " + fmt.Sprint(c.CNIAgentRunDir) + "\n")
 
 	b.WriteString("PluginLogLevel: " + c.PluginLogLevel + "\n")
-	b.WriteString("KubeconfigFilename: " + c.KubeconfigFilename + "\n")
 	b.WriteString("KubeconfigMode: " + fmt.Sprintf("%#o", c.KubeconfigMode) + "\n")
 	b.WriteString("KubeCAFile: " + c.KubeCAFile + "\n")
 	b.WriteString("SkipTLSVerify: " + fmt.Sprint(c.SkipTLSVerify) + "\n")
@@ -145,13 +139,12 @@ func (c InstallConfig) String() string {
 	b.WriteString("CNIBinTargetDirs: " + strings.Join(c.CNIBinTargetDirs, ",") + "\n")
 
 	b.WriteString("MonitoringPort: " + fmt.Sprint(c.MonitoringPort) + "\n")
-	b.WriteString("LogUDSAddress: " + fmt.Sprint(c.LogUDSAddress) + "\n")
-	b.WriteString("CNIEventAddress: " + fmt.Sprint(c.CNIEventAddress) + "\n")
 	b.WriteString("ZtunnelUDSAddress: " + fmt.Sprint(c.ZtunnelUDSAddress) + "\n")
 
 	b.WriteString("AmbientEnabled: " + fmt.Sprint(c.AmbientEnabled) + "\n")
 	b.WriteString("AmbientDNSCapture: " + fmt.Sprint(c.AmbientDNSCapture) + "\n")
 	b.WriteString("AmbientIPv6: " + fmt.Sprint(c.AmbientIPv6) + "\n")
+	b.WriteString("AmbientRedirectTPROXY: " + fmt.Sprint(c.AmbientTPROXYRedirection) + "\n")
 
 	return b.String()
 }

diff --git a/cni/pkg/constants/constants.go b/cni/pkg/constants/constants.go
@@ -17,25 +17,25 @@ package constants
 // Command line arguments
 const (
 	// Install
-	MountedCNINetDir     = "mounted-cni-net-dir"
-	CNINetDir            = "cni-net-dir"
-	CNIConfName          = "cni-conf-name"
-	ChainedCNIPlugin     = "chained-cni-plugin"
-	CNINetworkConfigFile = "cni-network-config-file"
-	CNINetworkConfig     = "cni-network-config"
-	LogLevel             = "log-level"
-	KubeconfigFilename   = "kubecfg-file-name"
-	KubeconfigMode       = "kubeconfig-mode"
-	KubeCAFile           = "kube-ca-file"
-	SkipTLSVerify        = "skip-tls-verify"
-	MonitoringPort       = "monitoring-port"
-	LogUDSAddress        = "log-uds-address"
-	ZtunnelUDSAddress    = "ztunnel-uds-address"
-	CNIEventAddress      = "cni-event-address"
-	ExcludeNamespaces    = "exclude-namespaces"
-	AmbientEnabled       = "ambient-enabled"
-	AmbientDNSCapture    = "ambient-dns-capture"
-	AmbientIPv6          = "ambient-ipv6"
+	MountedCNINetDir         = "mounted-cni-net-dir"
+	CNIConfName              = "cni-conf-name"
+	ChainedCNIPlugin         = "chained-cni-plugin"
+	CNINetworkConfigFile     = "cni-network-config-file"
+	CNINetworkConfig         = "cni-network-config"
+	LogLevel                 = "log-level"
+	KubeconfigMode           = "kubeconfig-mode"
+	KubeCAFile               = "kube-ca-file"
+	SkipTLSVerify            = "skip-tls-verify"
+	MonitoringPort           = "monitoring-port"
+	LogUDSSocket             = "log-uds-socket"
+	ZtunnelUDSAddress        = "ztunnel-uds-address"
+	CNIEventSocket           = "cni-event-address"
+	CNIAgentRunDir           = "cni-agent-run-dir"
+	ExcludeNamespaces        = "exclude-namespaces"
+	AmbientEnabled           = "ambient-enabled"
+	AmbientDNSCapture        = "ambient-dns-capture"
+	AmbientIPv6              = "ambient-ipv6"
+	AmbientTPROXYRedirection = "ambient-tproxy-redirection"
 
 	// Repair
 	RepairEnabled            = "repair-enabled"
@@ -60,7 +60,9 @@ const (
 	CNIPluginLogScope     = "cni-plugin"
 	CNIAddEventPath       = "/cmdadd"
 	UDSLogPath            = "/log"
-
+	CNIEventSocketName    = "pluginevent.sock"
+	LogUDSSocketName      = "log.sock"
+	CNIPluginKubeconfName = "istio-cni-kubeconfig"
 	// K8s liveness and readiness endpoints
 	LivenessEndpoint   = "/healthz"
 	ReadinessEndpoint  = "/readyz"

diff --git a/cni/pkg/install/cniconfig.go b/cni/pkg/install/cniconfig.go
@@ -33,14 +33,10 @@ import (
 
 func createCNIConfigFile(ctx context.Context, cfg *config.InstallConfig) (string, error) {
 	pluginConfig := plugin.Config{
-		PluginLogLevel:  cfg.PluginLogLevel,
-		LogUDSAddress:   cfg.LogUDSAddress,
-		CNIEventAddress: cfg.CNIEventAddress,
-		AmbientEnabled:  cfg.AmbientEnabled,
-		Kubernetes: plugin.Kubernetes{
-			Kubeconfig:        filepath.Join(cfg.CNINetDir, cfg.KubeconfigFilename),
-			ExcludeNamespaces: strings.Split(cfg.ExcludeNamespaces, ","),
-		},
+		PluginLogLevel:    cfg.PluginLogLevel,
+		CNIAgentRunDir:    cfg.CNIAgentRunDir,
+		AmbientEnabled:    cfg.AmbientEnabled,
+		ExcludeNamespaces: strings.Split(cfg.ExcludeNamespaces, ","),
 	}
 
 	pluginConfig.Name = "istio-cni"

diff --git a/cni/pkg/install/cniconfig_test.go b/cni/pkg/install/cniconfig_test.go
@@ -447,17 +447,17 @@ func TestCreateCNIConfigFile(t *testing.T) {
 
 	for _, c := range cases {
 		cfgFile := config.InstallConfig{
-			CNIConfName:        c.specifiedConfName,
-			ChainedCNIPlugin:   c.chainedCNIPlugin,
-			PluginLogLevel:     "debug",
-			KubeconfigFilename: kubeconfigFilename,
+			CNIConfName:      c.specifiedConfName,
+			ChainedCNIPlugin: c.chainedCNIPlugin,
+			PluginLogLevel:   "debug",
+			CNIAgentRunDir:   kubeconfigFilename,
 		}
 
 		cfg := config.InstallConfig{
-			CNIConfName:        c.specifiedConfName,
-			ChainedCNIPlugin:   c.chainedCNIPlugin,
-			PluginLogLevel:     "debug",
-			KubeconfigFilename: kubeconfigFilename,
+			CNIConfName:      c.specifiedConfName,
+			ChainedCNIPlugin: c.chainedCNIPlugin,
+			PluginLogLevel:   "debug",
+			CNIAgentRunDir:   kubeconfigFilename,
 		}
 		test := func(cfg config.InstallConfig) func(t *testing.T) {
 			return func(t *testing.T) {

diff --git a/cni/pkg/install/install.go b/cni/pkg/install/install.go
@@ -22,6 +22,7 @@ import (
 	"sync/atomic"
 
 	"istio.io/istio/cni/pkg/config"
+	"istio.io/istio/cni/pkg/constants"
 	"istio.io/istio/cni/pkg/scopes"
 	"istio.io/istio/cni/pkg/util"
 	"istio.io/istio/pkg/file"
@@ -41,7 +42,7 @@ type Installer struct {
 func NewInstaller(cfg *config.InstallConfig, isReady *atomic.Value) *Installer {
 	return &Installer{
 		cfg:                cfg,
-		kubeconfigFilepath: filepath.Join(cfg.MountedCNINetDir, cfg.KubeconfigFilename),
+		kubeconfigFilepath: filepath.Join(cfg.CNIAgentRunDir, constants.CNIPluginKubeconfName),
 		isReady:            isReady,
 	}
 }
@@ -56,10 +57,12 @@ func (in *Installer) installAll(ctx context.Context) (sets.String, error) {
 		return copiedFiles, fmt.Errorf("copy binaries: %v", err)
 	}
 
-	// Install kubeconfig (if needed) - we write/update this in the shared node CNI netdir,
-	// which may be watched by other CNIs, and so we don't want to trigger writes to this file
-	// unless it's missing or the contents are not what we expect.
-	if err := maybeWriteKubeConfigFile(in.cfg); err != nil {
+	// Write kubeconfig with our current service account token as the contents, to the Istio agent rundir.
+	// We do not write this to the common/shared CNI config dir, because it's not CNI config, we do not
+	// need to watch it, and writing non-shared stuff to that location creates churn for other node agents.
+	// Only our plugin consumes this kubeconfig, and it resides in our owned rundir on the host node,
+	// so we are good to simply write it out if our watched svcacct token changes.
+	if err := writeKubeConfigFile(in.cfg); err != nil {
 		cniInstalls.With(resultLabel.Value(resultCreateKubeConfigFailure)).Increment()
 		return copiedFiles, fmt.Errorf("write kubeconfig: %v", err)
 	}

diff --git a/cni/pkg/install/kubeconfig.go b/cni/pkg/install/kubeconfig.go
@@ -25,6 +25,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"istio.io/istio/cni/pkg/config"
+	"istio.io/istio/cni/pkg/constants"
 	"istio.io/istio/pilot/pkg/model"
 	"istio.io/istio/pkg/file"
 )
@@ -124,40 +125,20 @@ func createKubeConfig(cfg *config.InstallConfig) (kubeconfig, error) {
 	}, nil
 }
 
-// maybeWriteKubeConfigFile will validate the existing kubeConfig file, and rewrite/replace it if required.
-func maybeWriteKubeConfigFile(cfg *config.InstallConfig) error {
+// writeKubeConfigFile will rewrite/replace the kubeconfig used by the CNI plugin.
+// We are the only consumers of this file and it resides in our owned rundir on the host node,
+// so we are good to simply write it out if our watched svcacct token changes.
+func writeKubeConfigFile(cfg *config.InstallConfig) error {
 	kc, err := createKubeConfig(cfg)
 	if err != nil {
 		return err
 	}
 
-	if err := checkExistingKubeConfigFile(cfg, kc); err != nil {
-		installLog.Info("kubeconfig either does not exist or is out of date, writing a new one")
-		kubeconfigFilepath := filepath.Join(cfg.MountedCNINetDir, cfg.KubeconfigFilename)
-		if err := file.AtomicWrite(kubeconfigFilepath, []byte(kc.Full), os.FileMode(cfg.KubeconfigMode)); err != nil {
-			return err
-		}
-		installLog.Infof("wrote kubeconfig file %s with: \n%+v", kubeconfigFilepath, kc.Redacted)
-	}
-	return nil
-}
-
-// checkExistingKubeConfigFile returns an error if no kubeconfig exists at the configured path,
-// or if a kubeconfig exists there, but differs from the current config.
-// In any case, an error indicates the file must be (re)written, and no error means no action need be taken
-func checkExistingKubeConfigFile(cfg *config.InstallConfig, expectedKC kubeconfig) error {
-	kubeconfigFilepath := filepath.Join(cfg.MountedCNINetDir, cfg.KubeconfigFilename)
-
-	existingKC, err := os.ReadFile(kubeconfigFilepath)
-	if err != nil {
-		installLog.Debugf("no preexisting kubeconfig at %s, assuming we need to create one", kubeconfigFilepath)
+	kubeconfigFilepath := filepath.Join(cfg.CNIAgentRunDir, constants.CNIPluginKubeconfName)
+	if err := file.AtomicWrite(kubeconfigFilepath, []byte(kc.Full), os.FileMode(cfg.KubeconfigMode)); err != nil {
+		installLog.Debugf("error writing kubeconfig: %w", err)
 		return err
 	}
-
-	if expectedKC.Full == string(existingKC) {
-		installLog.Debugf("preexisting kubeconfig %s is an exact match for expected, no need to update", kubeconfigFilepath)
-		return nil
-	}
-
-	return fmt.Errorf("kubeconfig on disk differs from expected, assuming we need to rewrite it")
+	installLog.Infof("wrote kubeconfig file %s with: \n%+v", kubeconfigFilepath, kc.Redacted)
+	return nil
 }