Commit c4291e1

sidecar: fix misleading docs (#3308)
Stop saying we "block" or "allow" traffic; it's not true.
1 parent 1708641 commit c4291e1

3 files changed

+32
-15
lines changed

networking/v1alpha3/sidecar.pb.go

Lines changed: 11 additions & 5 deletions
Some generated files are not rendered by default.

networking/v1alpha3/sidecar.pb.html

Lines changed: 10 additions & 5 deletions
Some generated files are not rendered by default.

networking/v1alpha3/sidecar.proto

Lines changed: 11 additions & 5 deletions
@@ -32,9 +32,15 @@ import "networking/v1alpha3/virtual_service.proto";
3232
// well as accept traffic on all the ports associated with the
3333
// workload. The `Sidecar` configuration provides a way to fine tune the set of
3434
// ports, protocols that the proxy will accept when forwarding traffic to
35-
// and from the workload. In addition, it is possible to restrict the set
36-
// of services that the proxy can reach when forwarding outbound traffic
37-
// from workload instances.
35+
// and from the workload.
36+
//
37+
// One the common usages of `Sidecar` is to limit the set of configuration for outbound traffic.
38+
// This configuration scoping, among [other options](/docs/ops/configuration/mesh/configuration-scoping/), is useful to prune
39+
// out unneeded configuration, to improve scalability of the mesh.
40+
// A common misunderstanding is that restricting the configuration amounts to *blocking* the traffic.
41+
// If requests are sent to destinations not included in the scoping, the traffic will be treated as
42+
// [unmatched traffic](docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic), which is often still allowed.
43+
// The sidecar is not able to enforce an outbound traffic restriction (see [Egress Gateways](/docs/tasks/traffic-management/egress/egress-gateway/) for how to achieve this).
3844
//
3945
// Services and configuration in a mesh are organized into one or more
4046
// namespaces (e.g., a Kubernetes namespace or a CF org/space). A `Sidecar`
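Review bot: The unmatched-traffic link on new line 42 is written as `docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic` without the leading slash that the other two links in this paragraph carry (`/docs/ops/configuration/mesh/configuration-scoping/` and `/docs/tasks/traffic-management/egress/egress-gateway/`), so it will resolve relative to the current page rather than the site root; add the leading `/`. New line 37 reads "One the common usages" and is missing "of". Since the paragraph exists to stop readers treating `Sidecar` scoping as an egress control, "which is often still allowed" would serve them better if it said what decides whether unmatched traffic is allowed, so an operator knows which setting to check.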
@@ -65,7 +71,7 @@ import "networking/v1alpha3/virtual_service.proto";
6571
//
6672
// The example below declares a global default `Sidecar` configuration
6773
// in the root namespace called `istio-config`, that configures
68-
// sidecars in all namespaces to allow egress traffic only to other
74+
// sidecars in all namespaces to configure egress traffic only to other
6975
// workloads in the same namespace as well as to services in the
7076
// `istio-system` namespace.
7177
//
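Review bot: On new line 74 the replacement leaves the sentence reading "configures sidecars in all namespaces to configure egress traffic only to other workloads", which doubles the verb and, with "only" kept, still reads as a traffic restriction. Wording such as "scopes the egress configuration of sidecars in all namespaces to other workloads in the same namespace as well as to services in the `istio-system` namespace" would agree with the new introductory paragraph, which says scoping does not block anything.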
@@ -84,7 +90,7 @@ import "networking/v1alpha3/virtual_service.proto";
8490
//
8591
// The example below declares a `Sidecar` configuration in the
8692
// `prod-us1` namespace that overrides the global default defined
87-
// above, and configures the sidecars in the namespace to allow egress
93+
// above, and configures the sidecars in the namespace to configure egress
8894
// traffic to public services in the `prod-us1`, `prod-apis`, and the
8995
// `istio-system` namespaces.
9096
//
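Review bot: New line 93 has the same doubled verb, "configures the sidecars in the namespace to configure egress traffic to public services"; drop the second verb, for example "and scopes the egress configuration of the sidecars in the namespace to public services in the `prod-us1`, `prod-apis`, and the `istio-system` namespaces". A reader who lands on this example without reading the top of the file still has nothing here telling them that requests to other namespaces are not blocked, so a short pointer back to the unmatched-traffic paragraph would help.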
