Trim proxy config
Trim the number of destinations in the Istio sidecar proxy configuration for your workloads to avoid memory pressure issues. For more information, see the API docs.
If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.
About Istio sidecar proxy config
Istio uses the `Sidecar` resource to configure the sidecar proxy of your workloads. This configuration includes the ports, protocols, and services that the proxy uses for inbound and outbound communication. By default, each sidecar has the configuration details for every workload in the service mesh.
In large environments, each sidecar's configuration can become very large, leading to high memory usage. Such memory pressure, in turn, can slow down performance. To avoid performance impact, you can trim the proxy configuration to include only the workloads that your service needs. For example, you might see reductions from 1-2GB per configuration to 20MB.
In your Gloo Mesh `TrimProxyConfigPolicy`, you select workloads and their corresponding allowed destinations within the same Gloo workspace. Then, the Istio sidecar of the workloads keeps only the configuration of those allowed destinations instead of all the destinations in the Istio service mesh. If you apply multiple trim proxy config policies to the same workload, all of the selected destinations are allowed.
Before you begin
- Complete the multicluster getting started guide to set up the following testing environment.
  - Three clusters along with environment variables for the clusters and their Kubernetes contexts.
  - The Gloo Platform CLI, `meshctl`, along with other CLI tools such as `kubectl` and `istioctl`.
  - The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
  - Istio installed in the workload clusters.
  - A simple Gloo workspace setup.
- Install Bookinfo and other sample apps.
- As the workspace administrator, consider trimming all proxy configuration by default in the workspace setting.
Configure trim proxy config policies
You can apply a trim proxy config policy at the workload level. For more information, see Applying policies.
Review the following sample configuration files.
```yaml
apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
    - selector:
        labels:
          app: productpage
  config:
    includedDestinations:
      - selector:
          labels:
            app: reviews
```
Review the following table to understand this configuration. For more information, see the API docs.
| Setting | Description |
|---|---|
| `applyToWorkloads` | Configure which workloads to apply the policy to by using labels. Workloads can be apps that have injected sidecars, such as deployments or stateful sets, or standalone proxies, such as gateways. If omitted, the policy applies to all workloads in the workspace. For example, if you omit this value and select only the ratings destination, then all of the sidecar proxies are configured only with the ratings endpoint and no other endpoint. You might use this method of omission to build a zero-trust architecture. |
| `includedDestinations` | For the workloads that this policy applies to, select which destinations to include. When Gloo trims the sidecar proxy of the workloads, these destinations are kept in the configuration. You can select destinations by Kubernetes label. Destinations can be a Kubernetes service, VirtualDestination, or ExternalService. To select all destinations, specify `{}`. If omitted or if the selection does not match any destination, no destinations are selected and the sidecar proxy configurations of the workloads are not trimmed. The destinations must be within the same workspace as the policy, or imported to the workspace. |
Verify trim proxy config policies
- Optional: If you previously trimmed the proxy in your workspace settings, you can disable the `options.serviceIsolation.trimProxyConfig` setting.
- Check the proxy configuration of one of your workloads, such as `productpage`.

  ```sh
  istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
  ```

  In the output CLUSTER column, note the endpoints for all the services in the mesh, such as `ratings` and both `reviews` services.

  ```
  ENDPOINT           STATUS    OUTLIER CHECK   CLUSTER
  10.xxx.x.xx:9080   HEALTHY   OK              outbound|9080||ratings.bookinfo.svc.cluster.local
  10.xxx.x.xx:9080   HEALTHY   OK              outbound|9080||reviews.bookinfo.svc.cluster.local
  10.xxx.x.xx:9080   HEALTHY   OK              outbound|9080||reviews.bookinfo.svc.cluster.local
  ```

- Apply the trim proxy config policy that you previously reviewed.

  ```sh
  kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF
  apiVersion: resilience.policy.gloo.solo.io/v2
  kind: TrimProxyConfigPolicy
  metadata:
    annotations:
      cluster.solo.io/cluster: ""
    name: trim-1
    namespace: bookinfo
  spec:
    applyToWorkloads:
      - selector:
          labels:
            app: productpage
    config:
      includedDestinations:
        - selector:
            labels:
              app: reviews
  EOF
  ```
- Check the proxy configuration of `productpage` again.

  ```sh
  istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
  ```

  In the output, note that now only the endpoints for the destination that you selected in the policy, `reviews`, are configured.

  ```
  ENDPOINT           STATUS    OUTLIER CHECK   CLUSTER
  10.xxx.x.xx:9080   HEALTHY   OK              outbound|9080||reviews.bookinfo.svc.cluster.local
  10.xxx.x.xx:9080   HEALTHY   OK              outbound|9080||reviews.bookinfo.svc.cluster.local
  ```

- Optional: Clean up the resources that you created.

  ```sh
  kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete TrimProxyConfigPolicy trim-1
  ```
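To automate the manual check in the steps above, the following added shell script (not part of the Gloo documentation) scans `istioctl proxy-config endpoints` output and reports any outbound cluster whose host is not in the allowed destination list. It assumes the destinations are plain Kubernetes services named `<service>.<namespace>` and uses the sample output from the steps above as constructed input.

```shell
#!/usr/bin/env bash
# Added example, not from the Gloo docs: check that a sidecar's endpoint
# config only contains the destinations a TrimProxyConfigPolicy allows.
# Assumption: destinations are plain Kubernetes services, which Istio names
# outbound|<port>|<subset>|<service>.<namespace>.svc.cluster.local.

# check_trimmed_endpoints ALLOWED...
# Reads `istioctl proxy-config endpoints` output on stdin. Each ALLOWED is a
# "<service>.<namespace>" host. Prints every outbound CLUSTER entry whose host
# is not allowed (once each) and returns 1 if any was found, otherwise 0.
check_trimmed_endpoints() {
  awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                  # header row
    index($NF, "outbound|") == 1 {                    # CLUSTER is the last column
      split($NF, p, "|")                              # outbound|port|subset|host
      host = p[4]
      sub(/\.svc\.cluster\.local$/, "", host)
      if (!(host in ok) && !seen[$NF]++) { print $NF; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed samples: the before/after output shown in the steps above.
SAMPLE_BEFORE_TRIM='ENDPOINT STATUS OUTLIER CHECK CLUSTER
10.xxx.x.xx:9080 HEALTHY OK outbound|9080||ratings.bookinfo.svc.cluster.local
10.xxx.x.xx:9080 HEALTHY OK outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080 HEALTHY OK outbound|9080||reviews.bookinfo.svc.cluster.local'
SAMPLE_AFTER_TRIM='ENDPOINT STATUS OUTLIER CHECK CLUSTER
10.xxx.x.xx:9080 HEALTHY OK outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080 HEALTHY OK outbound|9080||reviews.bookinfo.svc.cluster.local'

# Demo on the constructed samples. Against a live cluster, pipe in the
# istioctl command from the verification steps instead of printf.
printf '%s\n' "$SAMPLE_BEFORE_TRIM" | check_trimmed_endpoints reviews.bookinfo \
  || echo "untrimmed destinations found (expected before the policy is applied)"
printf '%s\n' "$SAMPLE_AFTER_TRIM" | check_trimmed_endpoints reviews.bookinfo \
  && echo "only allowed destinations present"
```

Because multiple trim policies on one workload are unioned, pass every destination allowed by every matching policy as separate arguments.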