Navigation :

Trim proxy config

Trim the number of destinations in the Istio sidecar proxy configuration for your workloads to avoid memory pressure issues. For more information, see the API docs.

If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.

About Istio sidecar proxy config

Istio uses the Sidecar resource to configure the sidecar proxy of your workloads. This configuration includes the ports, protocols, and services that the proxy uses for inbound and outbound communication. By default, each sidecar has the configuration details for every workload in the service mesh.

In large environments, each sidecar's configuration can become very large, leading to high memory usage. Such memory pressure, in turn, can slow down performance. To avoid performance impact, you can trim the proxy configuration to include only the workloads that your service needs. For example, you might see reductions from 1-2GB per configuration to 20MB.

In your Gloo Mesh TrimProxyConfig policy, you select workloads and their corresponding allowed destinations within the same Gloo workspace. Then, the Istio sidecar of the workloads keeps only the configuration of those allowed destinations instead of all the destinations in the Istio service mesh. If you apply multiple trim proxy config policies to the same workload, all of the selected destinations are allowed.

The Sidecar resource cannot be applied to any gateway pods, such as the east-west or ingress gateways. For full control over the destinations that the gateways can talk to, create a workspace for each gateway pod and import the resources the gateway must have access to.

For more information about your options for proxy trimming, see Workspace configuration.

Before you begin

This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.

Complete the multicluster getting started guide to set up the following testing environment.
- Three clusters along with environment variables for the clusters and their Kubernetes contexts.
- The Gloo Platform CLI, meshctl, along with other CLI tools such as kubectl and istioctl.
- The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
- Istio installed in the workload clusters.
- A simple Gloo workspace setup.
Install Bookinfo and other sample apps.
As the workspace administrator, consider trimming all proxy configuration by default in the workspace setting.

Configure trim proxy config policies

You can apply a trim proxy config policy at the workload level. For more information, see Applying policies.

Review the following sample configuration files.

apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews

Review the following table to understand this configuration. For more information, see the API docs.

Setting Description

applyToWorkloads Configure which workloads to apply the policy to by using labels. Workloads can be apps that have injected sidecars, such as deployments or stateful sets, or standalone proxies, such as gateways. If omitted, the policy applies to all workloads in the workspace. For example, if you omit this value and select only the ratings destination, then all of the sidecar proxies are configured only with the ratings endpoint and no other endpoint. You might use this method of omission to build a zero-trust architecture.

includedDestinations For the workloads that this policy applies to, select which destinations to include. When Gloo trims the sidecar proxy of the workloads, these destinations are kept in the configuration. You can select destinations by Kubernetes label. Destinations can be a Kubernetes service, VirtualDestination, or ExternalService. To select all destinations, specify {}. If omitted or if the selection does not match any destination, no destinations are selected and the sidecar proxy configurations of the workloads are not trimmed. The destinations must be within the same workspace as the policy, or imported to the workspace.

Setting	Description
`applyToWorkloads`	Configure which workloads to apply the policy to by using labels. Workloads can be apps that have injected sidecars, such as deployments or stateful sets, or standalone proxies, such as gateways. If omitted, the policy applies to all workloads in the workspace. For example, if you omit this value and select only the `ratings` destination, then all of the sidecar proxies are configured only with the `ratings` endpoint and no other endpoint. You might use this method of omission to build a zero-trust architecture.
`includedDestinations`	For the workloads that this policy applies to, select which destinations to include. When Gloo trims the sidecar proxy of the workloads, these destinations are kept in the configuration. You can select destinations by Kubernetes label. Destinations can be a Kubernetes service, VirtualDestination, or ExternalService. To select all destinations, specify `{}`. If omitted or if the selection does not match any destination, no destinations are selected and the sidecar proxy configurations of the workloads are not trimmed. The destinations must be within the same workspace as the policy, or imported to the workspace.

Verify trim proxy config policies

Optional: If you previously trimmed the proxy in your workspace settings, you can disable the options.serviceIsolation.trimProxyConfig setting.

Check the proxy configuration of one of your workloads, such as productpage.

istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')

In the output CLUSTER column, note the endpoints for all the services in the mesh, such as ratings and both reviews services.

ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||ratings.bookinfo.svc.cluster.local
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local

Apply the trim proxy config policy that you previously reviewed.

kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF
apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews
EOF

Check the proxy configuration of productpage again.

istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')

In the output, note that now, only the endpoint for the destinations that you selected in the policy is configured, reviews.

ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local

Optional: Clean up the resources that you created.

kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete TrimProxyConfigPolicy trim-1