Merge tag '1.22.6' into tetratefips-release-1.22

Istio release 1.22.6

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.22-2024-09-04T19-02-08
+BASE_VERSION ?= 1.22-2024-09-17T19-00-54
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

istio.deps

@@ -4,7 +4,7 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "f190ab5d663a808ed8e4fea58eba4447cd51f2a7"
+    "lastStableSHA": "59080172cb101a90727fb6fbf829bf514d63cb53"
   },
   {
     "_comment": "",

pilot/pkg/model/cluster_local.go

@@ -19,26 +19,29 @@ import (
 	"sync"
 
 	"istio.io/istio/pkg/config/host"
-	"istio.io/istio/pkg/util/sets"
 )
 
 var (
 	defaultClusterLocalNamespaces = []string{"kube-system"}
 	defaultClusterLocalServices   = []string{"kubernetes.default.svc"}
 )
 
-// ClusterLocalHosts is a map of host names or wildcard patterns which should only
-// be made accessible from within the same cluster.
+// ClusterLocalHosts is a map of host names or wildcard patterns which indicate
+// whether a host be made accessible from within the same cluster or not.
 type ClusterLocalHosts struct {
-	specific sets.Set[host.Name]
-	wildcard sets.Set[host.Name]
+	specific map[host.Name]bool
+	wildcard map[host.Name]bool
 }
 
 // IsClusterLocal indicates whether the given host should be treated as a
 // cluster-local destination.
 func (c ClusterLocalHosts) IsClusterLocal(h host.Name) bool {
-	_, _, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
-	return ok
+	_, local, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
+	// Explicitly set clusterLocal to false if host is not found in clusterLocal settings
+	if !ok {
+		local = false
+	}
+	return local
 }
 
 // ClusterLocalProvider provides the cluster-local hosts.
@@ -98,22 +101,15 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 
 	// Collect the cluster-local hosts.
 	hosts := ClusterLocalHosts{
-		specific: make(map[host.Name]struct{}, 0),
-		wildcard: make(map[host.Name]struct{}, 0),
+		specific: make(map[host.Name]bool),
+		wildcard: make(map[host.Name]bool),
 	}
+
 	for _, serviceSettings := range e.Mesh().ServiceSettings {
-		if serviceSettings.GetSettings().GetClusterLocal() {
-			for _, h := range serviceSettings.GetHosts() {
-				hostname := host.Name(h)
-				if hostname.IsWildCarded() {
-					hosts.wildcard.Insert(hostname)
-				} else {
-					hosts.specific.Insert(hostname)
-				}
-			}
-		} else {
-			// Remove defaults if specified to be non-cluster-local.
-			for _, h := range serviceSettings.GetHosts() {
+		isClusterLocal := serviceSettings.GetSettings().GetClusterLocal()
+		for _, h := range serviceSettings.GetHosts() {
+			// If clusterLocal false, check to see if we should remove a default clusterLocal host.
+			if !isClusterLocal {
 				for i, defaultClusterLocalHost := range defaultClusterLocalHosts {
 					if len(defaultClusterLocalHost) > 0 {
 						if h == string(defaultClusterLocalHost) ||
@@ -126,15 +122,25 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 				}
 			}
 		}
+
+		// Add hosts with their clusterLocal setting to sets.
+		for _, h := range serviceSettings.GetHosts() {
+			hostname := host.Name(h)
+			if hostname.IsWildCarded() {
+				hosts.wildcard[hostname] = isClusterLocal
+			} else {
+				hosts.specific[hostname] = isClusterLocal
+			}
+		}
 	}
 
 	// Add any remaining defaults to the end of the list.
 	for _, defaultClusterLocalHost := range defaultClusterLocalHosts {
 		if len(defaultClusterLocalHost) > 0 {
 			if defaultClusterLocalHost.IsWildCarded() {
-				hosts.wildcard.Insert(defaultClusterLocalHost)
+				hosts.wildcard[defaultClusterLocalHost] = true
 			} else {
-				hosts.specific.Insert(defaultClusterLocalHost)
+				hosts.specific[defaultClusterLocalHost] = true
 			}
 		}
 	}

pilot/pkg/model/cluster_local_test.go

@@ -142,6 +142,123 @@ func TestIsClusterLocal(t *testing.T) {
 			host:     "s.ns3.svc.cluster.local",
 			expected: false,
 		},
+		{
+			name: "global",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+				},
+			},
+			host:     "s.ns1.svc.cluster.local",
+			expected: true,
+		},
+		{
+			name: "global with exclusion wildcard",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"*.ns1.svc.cluster.local",
+						},
+					},
+				},
+			},
+			host:     "s.ns1.svc.cluster.local",
+			expected: false,
+		},
+		{
+			name: "global with exclusion specific",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"service.ns1.svc.cluster.local",
+						},
+					},
+				},
+			},
+			host:     "service.ns1.svc.cluster.local",
+			expected: false,
+		},
+		{
+			name: "subdomain local with global",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*.cluster.local",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+				},
+			},
+			host:     "echo.test.svc.cluster.local",
+			expected: true,
+		},
+		{
+			name: "other domain non-local global",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*.cluster.local",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+				},
+			},
+			host:     "otherdomain",
+			expected: false,
+		},
 	}
 
 	for _, c := range cases {

releasenotes/notes/48368.yaml

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: installation
+issue:
+- 48368
+releaseNotes:
+  - |
+    **Fixed** kube-virt-related rules not being removed by istio-clean-iptables tool.

releasenotes/notes/52367.yaml

@@ -0,0 +1,7 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue: []
+releaseNotes:
+- |
+  **Fixed** Support clusterLocal host exclusions for multi-cluster.

samples/httpbin/httpbin-vault.yaml

@@ -53,6 +53,8 @@ spec:
         name: httpbin
         # Same as found in Dockerfile's CMD but using an unprivileged port
         command:
+        - pipenv
+        - run
         - gunicorn
         - -b
         - 0.0.0.0:8080

samples/httpbin/httpbin.yaml

@@ -58,6 +58,8 @@ spec:
         name: httpbin
         # Same as found in Dockerfile's CMD but using an unprivileged port
         command:
+        - pipenv
+        - run
         - gunicorn
         - -b
         - 0.0.0.0:8080

tools/istio-clean-iptables/pkg/cmd/cleanup.go

@@ -15,6 +15,10 @@
 package cmd
 
 import (
+	"fmt"
+	"net/netip"
+	"os"
+
 	"istio.io/istio/tools/istio-clean-iptables/pkg/config"
 	"istio.io/istio/tools/istio-iptables/pkg/builder"
 	common "istio.io/istio/tools/istio-iptables/pkg/capture"
@@ -37,6 +41,42 @@ type IptablesCleaner struct {
 	ipt6V *dep.IptablesVersion
 }
 
+type NetworkRange struct {
+	IsWildcard    bool
+	CIDRs         []netip.Prefix
+	HasLoopBackIP bool
+}
+
+func separateV4V6(cidrList string) (NetworkRange, NetworkRange, error) {
+	if cidrList == "*" {
+		return NetworkRange{IsWildcard: true}, NetworkRange{IsWildcard: true}, nil
+	}
+	ipv6Ranges := NetworkRange{}
+	ipv4Ranges := NetworkRange{}
+	for _, ipRange := range types.Split(cidrList) {
+		ipp, err := netip.ParsePrefix(ipRange)
+		if err != nil {
+			_, err = fmt.Fprintf(os.Stderr, "Ignoring error for bug compatibility with istio-iptables: %s\n", err.Error())
+			if err != nil {
+				return ipv4Ranges, ipv6Ranges, err
+			}
+			continue
+		}
+		if ipp.Addr().Is4() {
+			ipv4Ranges.CIDRs = append(ipv4Ranges.CIDRs, ipp)
+			if ipp.Addr().IsLoopback() {
+				ipv4Ranges.HasLoopBackIP = true
+			}
+		} else {
+			ipv6Ranges.CIDRs = append(ipv6Ranges.CIDRs, ipp)
+			if ipp.Addr().IsLoopback() {
+				ipv6Ranges.HasLoopBackIP = true
+			}
+		}
+	}
+	return ipv4Ranges, ipv6Ranges, nil
+}
+
 func NewIptablesCleaner(cfg *config.Config, iptV, ipt6V *dep.IptablesVersion, ext dep.Dependencies) *IptablesCleaner {
 	return &IptablesCleaner{
 		ext:   ext,
@@ -85,6 +125,35 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.Iptable
 	flushAndDeleteChains(ext, iptV, constants.NAT, chains)
 }
 
+func cleanupKubeVirt(cfg *config.Config, ext dep.Dependencies, iptV *dep.IptablesVersion, iptV6 *dep.IptablesVersion) {
+	cleanupFunc := func(iptVer *dep.IptablesVersion, rangeInclude NetworkRange) {
+		if rangeInclude.IsWildcard {
+			// Wildcard specified. Redirect all remaining outbound traffic to Envoy.
+			for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+				DeleteRule(ext, iptVer, constants.PREROUTING, constants.NAT, "-i", internalInterface, "-j", constants.ISTIOREDIRECT)
+			}
+		} else if len(rangeInclude.CIDRs) > 0 {
+			// User has specified a non-empty list of cidrs to be redirected to Envoy.
+			for _, cidr := range rangeInclude.CIDRs {
+				for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+					DeleteRule(ext, iptVer, constants.PREROUTING, constants.PREROUTING, constants.NAT, "-i", internalInterface,
+						"-d", cidr.String(), "-j", constants.ISTIOREDIRECT)
+				}
+			}
+		}
+		// cleanup short circuit
+		for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+			DeleteRule(ext, iptVer, constants.PREROUTING, constants.NAT, "-i", internalInterface, "-j", constants.RETURN)
+		}
+	}
+
+	ipv4RangesInclude, ipv6RangesInclude, err := separateV4V6(cfg.OutboundIPRangesInclude)
+	if err == nil {
+		cleanupFunc(iptV, ipv4RangesInclude)
+		cleanupFunc(iptV6, ipv6RangesInclude)
+	}
+}
+
 // cleanupDNSUDP removes any IPv4/v6 UDP rules.
 // TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
 // or create unique abstractions for them
@@ -105,6 +174,8 @@ func (c *IptablesCleaner) Run() {
 	}()
 
 	// clean v4/v6
+	// cleanup kube-virt-related jumps
+	cleanupKubeVirt(c.cfg, c.ext, c.iptV, c.ipt6V)
 	// Remove chains (run once per v4/v6)
 	removeOldChains(c.cfg, c.ext, c.iptV)
 	removeOldChains(c.cfg, c.ext, c.ipt6V)

tools/istio-clean-iptables/pkg/cmd/cleanup_test.go

@@ -74,6 +74,20 @@ func TestIptables(t *testing.T) {
 				cfg.OwnerGroupsExclude = "888,ftp"
 			},
 		},
+		{
+			"ipnets-with-kube-virt-interfaces",
+			func(cfg *config.Config) {
+				cfg.KubeVirtInterfaces = "eth1,eth2"
+				cfg.OutboundIPRangesInclude = "10.0.0.0/8"
+			},
+		},
+		{
+			"kube-virt-interfaces",
+			func(cfg *config.Config) {
+				cfg.KubeVirtInterfaces = "eth1,eth2"
+				cfg.OutboundIPRangesInclude = "*"
+			},
+		},
 		{
 			"inbound-interception-mode",
 			func(cfg *config.Config) {