Trim proxy config policy
Trim proxy configuration by using the TrimProxyConfigPolicy resource.
For more information, see the following resources:
- Overview of proxy trimming, including information about enabling workspace-level proxy trimming.
- TrimProxyConfig policy API docs.
If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.
About Istio sidecar proxy config
Istio uses the Sidecar resource to configure the sidecar proxy of your workloads. This configuration includes the ports, protocols, and services that the proxy uses for inbound and outbound communication. By default, each sidecar has the configuration details for every workload in the service mesh.
In large environments, each sidecar’s configuration can become very large, leading to high memory usage. Such memory pressure, in turn, can slow down performance. To avoid performance impact, you can trim the proxy configuration to include only the workloads that your service needs. For example, you might see reductions from 1-2GB per configuration to 20MB.
In your Gloo Mesh TrimProxyConfigPolicy resource, you select workloads and their corresponding allowed destinations within the same Gloo workspace. Then, the Istio sidecar of the workloads keeps only the configuration of those allowed destinations instead of all the destinations in the Istio service mesh. If you apply multiple trim proxy config policies to the same workload, all of the selected destinations are allowed.
The Sidecar resource cannot be applied to any gateway pods, such as the east-west or ingress gateways. For full control over the destinations that the gateways can talk to, create a workspace for each gateway pod and import the resources the gateway must have access to.
Before you begin
This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started guide. If you have different names, make sure to update the sample configuration files in this guide.
Complete the multicluster getting started guide to set up the following testing environment.
- Three clusters along with environment variables for the clusters and their Kubernetes contexts.
- The Gloo meshctl CLI, along with other CLI tools such as kubectl and istioctl.
- The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
- Istio installed in the workload clusters.
- A simple Gloo workspace setup.
- Install Bookinfo and other sample apps.
Optional: To trim all proxy configs in the workspace by default, you can enable the trimAllProxyConfig setting as shown in the workspace settings guide. Note that you do not need to enable the serviceIsolation.trimProxyConfig setting. Instead, you add back the destinations into the sidecar proxy config by using the policy in this guide.
Configure trim proxy config policies
You can apply a trim proxy config policy at the workload level. For more information, see Applying policies.
You can trim the Istio sidecar proxies for standard Kubernetes workloads, such as Deployments, DaemonSets, and StatefulSets. Proxy trimming is not supported for workloads from other tooling providers’ custom resource definitions (CRDs), such as DeploymentConfigs in OpenShift.
The following example policy trims the sidecar proxy config for the productpage workload, removing the config for all destinations except the reviews app.
```yaml
apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews
```
Review the following table to understand this configuration. For more information, see the API docs.
Setting | Description |
---|---|
applyToWorkloads | Configure which workloads to apply the policy to by using labels. Workloads can be apps that have injected sidecars, such as deployments or stateful sets, or standalone proxies, such as gateways. If omitted, the policy applies to all workloads in the workspace. For example, if you omit this value and select only the ratings destination, then all of the sidecar proxies are configured only with the ratings endpoint and no other endpoint. You might use this method of omission to build a zero-trust architecture. |
includedDestinations | For the workloads that this policy applies to, select which destinations to include. When Gloo trims the sidecar proxy of the workloads, these destinations are kept in the configuration. You can select destinations by Kubernetes label. Destinations can be a Kubernetes service, VirtualDestination, or ExternalService. To select all destinations, specify {}. If omitted or if the selection does not match any destination, no destinations are selected and the sidecar proxy configurations of the workloads are not trimmed. The destinations must be within the same workspace as the policy, or imported to the workspace. |
Verify trim proxy config policies
Check the proxy configuration of one of your workloads, such as productpage.
```shell
istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
```
In the output CLUSTER column, note the endpoints for all the services in the mesh, such as ratings and both reviews services.
```
ENDPOINT           STATUS   OUTLIER CHECK  CLUSTER
10.xxx.x.xx:9080   HEALTHY  OK             outbound|9080||ratings.bookinfo.svc.cluster.local
10.xxx.x.xx:9080   HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080   HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
```
Apply the trim proxy config policy that you previously reviewed.
```shell
kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF
apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews
EOF
```
Check the proxy configuration of productpage again.
```shell
istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
```
In the output, note that now only the endpoints for the destination that you selected in the policy, reviews, are configured.
```
ENDPOINT           STATUS   OUTLIER CHECK  CLUSTER
10.xxx.x.xx:9080   HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080   HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
```
If you notice config for more destinations, check that the serviceIsolation.trimProxyConfig field in the workspace settings is disabled. Proxy trimming is additive, so when both the workspace-level and policy-level settings are enabled, the sidecar proxy gets config for both levels.
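When you verify many workloads, or a workload that several trim policies apply to, the comparison in the previous steps can be scripted. The following added example (not Gloo Mesh or Istio project code) parses the CLUSTER column of the istioctl proxy-config endpoints output shown above and reports the destinations that no policy's includedDestinations allows. The endpoint output is constructed, policies are given as Python dicts that mirror the YAML, and, as in Bookinfo, each destination's app label is assumed to equal its service name.

```python
from typing import Iterable, Optional

# Constructed `istioctl proxy-config endpoints` output for productpage before
# trimming (addresses are made up; column widths do not matter to the parser).
BEFORE = """\
ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
10.244.1.10:9080  HEALTHY  OK             outbound|9080||ratings.bookinfo.svc.cluster.local
10.244.1.11:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.244.2.12:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
"""
# The same proxy after trim-1 is applied: only the reviews endpoints remain.
AFTER = "\n".join(row for row in BEFORE.splitlines() if "ratings" not in row) + "\n"

def trim_policy(*apps: str) -> dict:
    """Dict mirror of a TrimProxyConfigPolicy whose includedDestinations select
    the given app labels; with no apps it emits the `{}` selector (keep all)."""
    dests = [{"selector": {"labels": {"app": a}}} for a in apps] or [{}]
    return {"kind": "TrimProxyConfigPolicy",
            "spec": {"applyToWorkloads": [{"selector": {"labels": {"app": "productpage"}}}],
                     "config": {"includedDestinations": dests}}}

def allowed_apps(policies: Iterable[dict]) -> Optional[set]:
    """Union of the app labels kept by every policy on the workload. None means
    there is nothing to verify: a policy keeps all destinations, or none selects any."""
    apps: set = set()
    for pol in policies:
        for dest in pol["spec"].get("config", {}).get("includedDestinations") or []:
            labels = dest.get("selector", {}).get("labels") or {}
            if not labels:
                return None  # `{}` selector: every destination stays configured
            if "app" in labels:
                apps.add(labels["app"])
    return apps or None

def outbound_services(output: str) -> set:
    """Service names from the CLUSTER column: outbound|9080||reviews.bookinfo... -> reviews."""
    names = set()
    for line in output.splitlines()[1:]:  # skip the header row
        cluster = line.split()[-1] if line.strip() else ""
        if cluster.startswith("outbound|"):
            names.add(cluster.rsplit("|", 1)[-1].split(".", 1)[0])
    return names

def unexpected_destinations(output: str, policies: Iterable[dict]) -> Optional[list]:
    """Services still configured that no policy allows. [] means the trim took
    effect; None means the policies impose no limit to check against."""
    allowed = allowed_apps(policies)
    return None if allowed is None else sorted(outbound_services(output) - allowed)
```

A non-empty result after the policy is applied is the cue to check the workspace-level serviceIsolation.trimProxyConfig setting described above, because workspace-level and policy-level trimming are additive.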
Cleanup
You can optionally remove the resources that you set up as part of this guide.
```shell
kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete TrimProxyConfigPolicy trim-1
```