For more information, see the following resources:

About Istio sidecar proxy config

Istio uses the Sidecar resource to configure the sidecar proxy of your workloads. This configuration includes the ports, protocols, and services that the proxy uses for inbound and outbound communication. By default, each sidecar has the configuration details for every workload in the service mesh.

In large environments, each sidecar’s configuration can become very large, leading to high memory usage. Such memory pressure, in turn, can slow down performance. To avoid performance impact, you can trim the proxy configuration to include only the workloads that your service needs. For example, you might see reductions from 1-2GB per configuration to 20MB.

In your Gloo Mesh TrimProxyConfigPolicy resource, you select workloads and their corresponding allowed destinations within the same Gloo workspace. Then, the Istio sidecar of the workloads keeps only the configuration of those allowed destinations instead of all the destinations in the Istio service mesh. If you apply multiple trim proxy config policies to the same workload, all of the selected destinations are allowed.

Before you begin

  1. Complete the multicluster getting started guide to set up the following testing environment.

    • Three clusters along with environment variables for the clusters and their Kubernetes contexts.
    • The Gloo meshctl CLI, along with other CLI tools such as kubectl and istioctl.
    • The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
    • Istio installed in the workload clusters.
    • A simple Gloo workspace setup.
  2. Install Bookinfo and other sample apps.

  3. Optional: To trim all proxy configs in the workspace by default, you can enable the trimAllProxyConfig setting as shown in the workspace settings guide. Note that you do not need to enable the serviceIsolation.trimProxyConfig setting. Instead, you add back the destinations into the sidecar proxy config by using the policy in this guide.

Configure trim proxy config policies

You can apply a trim proxy config policy at the workload level. For more information, see Applying policies.

The following example policy trims the sidecar proxy config for the productpage workload, removing the config for all destinations except the reviews app.

  apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews

Review the following table to understand this configuration. For more information, see the API docs.

SettingDescription
applyToWorkloadsConfigure which workloads to apply the policy to by using labels. Workloads can be apps that have injected sidecars, such as deployments or stateful sets, or standalone proxies, such as gateways. If omitted, the policy applies to all workloads in the workspace. For example, if you omit this value and select only the ratings destination, then all of the sidecar proxies are configured only with the ratings endpoint and no other endpoint. You might use this method of omission to build a zero-trust architecture.
includedDestinationsFor the workloads that this policy applies to, select which destinations to include. When Gloo trims the sidecar proxy of the workloads, these destinations are kept in the configuration. You can select destinations by Kubernetes label. Destinations can be a Kubernetes service, VirtualDestination, or ExternalService. To select all destinations, specify {}. If omitted or if the selection does not match any destination, no destinations are selected and the sidecar proxy configurations of the workloads are not trimmed. The destinations must be within the same workspace as the policy, or imported to the workspace.

Verify trim proxy config policies

  1. Check the proxy configuration of one of your workloads, such as productpage.

      istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')

    In the output CLUSTER column, note the endpoints for all the services in the mesh, such as ratings and both reviews services.

      ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||ratings.bookinfo.svc.cluster.local
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local

  2. Apply the trim proxy config policy that you previously reviewed.

      kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF
apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews
EOF

  3. Check the proxy configuration of productpage again.

      istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')

    In the output, note that now, only the endpoint for the destinations that you selected in the policy is configured, reviews.

      ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local

Cleanup

You can optionally remove the resources that you set up as part of this guide.
  kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete TrimProxyConfigPolicy trim-1