Skip to content

Commit ed1ed75

Browse files
authored
OSSM-6615 Make sure IOR ignores services without selectors (#1022) (#1029)
* OSSM-6615 Make sure IOR ignores services without selectors IOR finds a matching service for a pod by checking each service's label selector. However, this also matches services with an empty selector, which is wrong. These services should be ignored by IOR since an empty label selector indicates that the service endpoints are managed externally and not that the service should match all pods. * Add test * Increase timeout The previous timeout was only 3s, which caused the retry.UntilSuccessOrFail to fail on the first attempt instead of allowing the retry to be performed.
1 parent 96d8b3a commit ed1ed75

File tree

3 files changed

+28
-9
lines changed

3 files changed

+28
-9
lines changed

pilot/pkg/config/kube/ior/controller.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -289,6 +289,11 @@ func (r *routeController) findService(gateway *networking.Gateway) (*types.Names
289289
podLabels := labels.Set(pod.ObjectMeta.Labels)
290290
// Look for a service whose selector matches the pod labels
291291
for _, service := range services {
292+
if len(service.Spec.Selector) == 0 {
293+
// an empty label selector does not mean that the service should match all pods, but that the
294+
// service endpoints are managed externally; IOR should therefore ignore this service
295+
continue
296+
}
292297
svcSelector := labels.SelectorFromSet(service.Spec.Selector)
293298

294299
iorLog.Debugf("matching service selector %s against %s", svcSelector.String(), podLabels)

pilot/pkg/config/kube/ior/ior_test.go

Lines changed: 20 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -255,6 +255,9 @@ func TestCreate(t *testing.T) {
255255
defer func() { close(stop) }()
256256
store, k8sClient, routerClient := initClients(t, stop)
257257

258+
// create unrelated service with an empty selector to confirm that IOR is not picking it up
259+
createService(t, k8sClient.GetActualClient(), controlPlaneNs, "service-with-empty-selector", nil)
260+
258261
createIngressGateway(t, k8sClient.GetActualClient(), controlPlaneNs, map[string]string{"istio": "ingressgateway"})
259262

260263
for i, c := range cases {
@@ -324,6 +327,11 @@ func validateRoutes(t *testing.T, hosts []string, list *[]*routeapiv1.Route, gat
324327
t.Fatal("Route's host wrongly not set to wildcard.")
325328
}
326329

330+
// check service
331+
if route.Spec.To.Name != "gw-service" {
332+
t.Fatalf("Route points to wrong service: %s", route.Spec.To.Name)
333+
}
334+
327335
// TLS
328336
if tls {
329337
if route.Spec.TLS.InsecureEdgeTerminationPolicy != routeapiv1.InsecureEdgeTerminationPolicyRedirect {
@@ -530,29 +538,35 @@ func findRouteByHost(list *[]*routeapiv1.Route, host string) *routeapiv1.Route {
530538

531539
func createIngressGateway(t *testing.T, client kube.Client, ns string, labels map[string]string) {
532540
t.Helper()
533-
createPod(t, client, ns, labels)
534-
createService(t, client, ns, labels)
541+
createPod(t, client, ns, "gw-pod", labels)
542+
createService(t, client, ns, "gw-service", labels)
535543
}
536544

537-
func createPod(t *testing.T, client kube.Client, ns string, labels map[string]string) {
545+
func createPod(t *testing.T, client kube.Client, ns, name string, labels map[string]string) {
538546
t.Helper()
539547

540548
_, err := client.Kube().CoreV1().Pods(ns).Create(context.TODO(), &k8sioapicorev1.Pod{
541549
ObjectMeta: metav1.ObjectMeta{
542-
Labels: labels,
550+
Name: name,
551+
Namespace: ns,
552+
Labels: labels,
543553
},
544554
}, metav1.CreateOptions{})
545555
if err != nil {
546556
t.Fatal(err)
547557
}
548558
}
549559

550-
func createService(t *testing.T, client kube.Client, ns string, labels map[string]string) {
560+
func createService(t *testing.T, client kube.Client, ns, name string, selector map[string]string) {
551561
t.Helper()
552562

553563
_, err := client.Kube().CoreV1().Services(ns).Create(context.TODO(), &k8sioapicorev1.Service{
564+
ObjectMeta: metav1.ObjectMeta{
565+
Name: name,
566+
Namespace: ns,
567+
},
554568
Spec: k8sioapicorev1.ServiceSpec{
555-
Selector: labels,
569+
Selector: selector,
556570
},
557571
}, metav1.CreateOptions{})
558572
if err != nil {

tests/integration/servicemesh/managingroutes/main_test.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -248,14 +248,14 @@ func applyGatewayOrFail(ctx framework.TestContext, ns, name string, labels map[s
248248
// retry because of flaky validation webhook
249249
retry.UntilSuccessOrFail(ctx, func() error {
250250
return ctx.ConfigIstio().EvalFile(ns, map[string]interface{}{"hosts": hosts, "name": name, "labels": labels}, gatewayTmpl).Apply()
251-
}, retry.Timeout(3*time.Second))
251+
}, retry.Timeout(15*time.Second))
252252
}
253253

254254
func deleteGatewayOrFail(ctx framework.TestContext, ns, name string, labels map[string]string, hosts ...string) {
255255
// retry because of flaky validation webhook
256256
retry.UntilSuccessOrFail(ctx, func() error {
257257
return ctx.ConfigIstio().EvalFile(ns, map[string]interface{}{"hosts": hosts, "name": name, "labels": labels}, gatewayTmpl).Delete()
258-
}, retry.Timeout(3*time.Second))
258+
}, retry.Timeout(15*time.Second))
259259
}
260260

261261
func applyVirtualServiceOrFail(ctx framework.TestContext, ns, gatewayNs, gatewayName, virtualServiceName string) {
@@ -266,5 +266,5 @@ func applyVirtualServiceOrFail(ctx framework.TestContext, ns, gatewayNs, gateway
266266
}
267267
retry.UntilSuccessOrFail(ctx, func() error {
268268
return ctx.ConfigIstio().EvalFile(ns, values, virtualSvcTmpl).Apply()
269-
}, retry.Timeout(3*time.Second))
269+
}, retry.Timeout(15*time.Second))
270270
}

0 commit comments

Comments
 (0)