Trim proxy config policy

Trim the number of destinations in the Istio sidecar proxy configuration for your workloads to avoid memory pressure issues. In this guide, you trim proxy configuration by using the TrimProxyConfigPolicy resource.

If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.

About Istio sidecar proxy config

Istio uses the Sidecar resource to configure the sidecar proxy of your workloads. This configuration includes the ports, protocols, and services that the proxy uses for inbound and outbound communication. By default, each sidecar has the configuration details for every workload in the service mesh.

In large environments, each sidecar's configuration can become very large, leading to high memory usage. Such memory pressure, in turn, can slow down performance. To avoid performance impact, you can trim the proxy configuration to include only the workloads that your service needs. For example, you might see reductions from 1-2GB per configuration to 20MB.

In your Gloo Mesh TrimProxyConfigPolicy resource, you select workloads and their corresponding allowed destinations within the same Gloo workspace. Then, the Istio sidecar of the workloads keeps only the configuration of those allowed destinations instead of all the destinations in the Istio service mesh. If you apply multiple trim proxy config policies to the same workload, all of the selected destinations are allowed.

The Sidecar resource cannot be applied to any gateway pods, such as the east-west or ingress gateways. For full control over the destinations that the gateways can talk to, create a workspace for each gateway pod and import the resources the gateway must have access to.

Before you begin

This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started guide. If you have different names, make sure to update the sample configuration files in this guide.
  1. Complete the multicluster getting started guide to set up the following testing environment.
    • Three clusters along with environment variables for the clusters and their Kubernetes contexts.
    • The Gloo Platform CLI, meshctl, along with other CLI tools such as kubectl and istioctl.
    • The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
    • Istio installed in the workload clusters.
    • A simple Gloo workspace setup.
  2. Install Bookinfo and other sample apps.
  3. Optional: To trim all proxy configs in the workspace by default, you can enable the trimAllProxyConfig setting as shown in the workspace settings guide. Note that you do not need to enable the serviceIsolation.trimProxyConfig setting. Instead, you add back the destinations into the sidecar proxy config by using the policy in this guide.

Configure trim proxy config policies

You can apply a trim proxy config policy at the workload level. For more information, see Applying policies.

The following example policy trims the sidecar proxy config for the productpage workload, removing the config for all destinations except the reviews app.

apiVersion: resilience.policy.gloo.solo.io/v2
kind: TrimProxyConfigPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: trim-1
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: productpage
  config:
    includedDestinations:
    - selector:
        labels:
          app: reviews

Review the following table to understand this configuration. For more information, see the API docs.

Setting: applyToWorkloads
Description: Configure which workloads to apply the policy to by using labels. Workloads can be apps that have injected sidecars, such as deployments or stateful sets, or standalone proxies, such as gateways. If omitted, the policy applies to all workloads in the workspace. For example, if you omit this value and select only the ratings destination, then all of the sidecar proxies are configured only with the ratings endpoint and no other endpoint. You might use this method of omission to build a zero-trust architecture.

Setting: includedDestinations
Description: For the workloads that this policy applies to, select which destinations to include. When Gloo trims the sidecar proxy of the workloads, these destinations are kept in the configuration. You can select destinations by Kubernetes label. Destinations can be a Kubernetes service, VirtualDestination, or ExternalService. To select all destinations, specify {}. If omitted or if the selection does not match any destination, no destinations are selected and the sidecar proxy configurations of the workloads are not trimmed. The destinations must be within the same workspace as the policy, or imported to the workspace.

Verify trim proxy config policies

  1. Check the proxy configuration of one of your workloads, such as productpage.

    istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
    

    In the output CLUSTER column, note the endpoints for all the services in the mesh, such as ratings and both reviews services.

    ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
    10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||ratings.bookinfo.svc.cluster.local
    10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
    10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local      
    
  2. Apply the trim proxy config policy that you previously reviewed.

    kubectl apply --context ${REMOTE_CONTEXT1} -f - << EOF
    apiVersion: resilience.policy.gloo.solo.io/v2
    kind: TrimProxyConfigPolicy
    metadata:
      annotations:
        cluster.solo.io/cluster: ""
      name: trim-1
      namespace: bookinfo
    spec:
      applyToWorkloads:
      - selector:
          labels:
            app: productpage
      config:
        includedDestinations:
        - selector:
            labels:
              app: reviews
    EOF
    
  3. Check the proxy configuration of productpage again.

    istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
    

    In the output, note that only the endpoints for the destination that you selected in the policy, reviews, are still configured.

    ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
    10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
    10.xxx.x.xx:9080  HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local 
    

    If you notice config for more destinations, check that the serviceIsolation.trimProxyConfig field in the workspace settings is disabled. Proxy trimming is additive, so when both the workspace-level and policy-level settings are enabled, the sidecar proxy gets config for both levels.

  4. Optional: Clean up the resources that you created.

    kubectl --context $REMOTE_CONTEXT1 -n bookinfo delete TrimProxyConfigPolicy trim-1
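The selection rules from the settings table and the verification steps above can be checked offline. The following script is an added example, not Gloo Mesh code: it models how a set of TrimProxyConfigPolicy specs resolves to allowed destinations for a workload (omitted applyToWorkloads, {} selector, union across policies), parses constructed istioctl proxy-config endpoints output, and reports destinations that the policies did not allow. It assumes Bookinfo-style destinations where each service name equals its app label.

```python
import re
# Constructed Bookinfo-style destinations: service name -> labels (assumes one
# Kubernetes service per app label, all in the bookinfo namespace).
DESTINATIONS = {n: {"app": n} for n in ("productpage", "details", "reviews", "ratings")}
# The trim-1 policy from this page, reduced to its spec fields.
TRIM_1 = {"applyToWorkloads": [{"selector": {"labels": {"app": "productpage"}}}],
          "config": {"includedDestinations": [{"selector": {"labels": {"app": "reviews"}}}]}}
# Constructed `istioctl proxy-config endpoints` output in the format shown above.
UNTRIMMED_OUTPUT = """\
ENDPOINT          STATUS   OUTLIER CHECK  CLUSTER
10.0.1.11:9080    HEALTHY  OK             outbound|9080||ratings.bookinfo.svc.cluster.local
10.0.1.12:9080    HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
10.0.1.13:9080    HEALTHY  OK             outbound|9080||reviews.bookinfo.svc.cluster.local
"""

def _matches(selector_labels, labels):
    # Label-selector semantics: every selector key must be present with the same
    # value, so an empty selector ({}) matches everything.
    return all(labels.get(k) == v for k, v in selector_labels.items())

def allowed_destinations(policies, workload_labels, destinations=DESTINATIONS):
    """Destinations the workload's sidecar keeps, or None when no policy selected
    any destination for it (the proxy is then not trimmed). Rules from the table:
    omitted applyToWorkloads = every workload, {} = every destination, union."""
    kept = set()
    for pol in policies:
        workloads = pol.get("applyToWorkloads")
        if workloads is not None and not any(
                _matches(w.get("selector", {}).get("labels", {}), workload_labels)
                for w in workloads):
            continue  # this policy does not select the workload
        for dest in pol.get("config", {}).get("includedDestinations", []):
            sel = dest.get("selector", {}).get("labels", {})
            kept.update(n for n, lbl in destinations.items() if _matches(sel, lbl))
    return kept or None

_CLUSTER = re.compile(r"^outbound\|\d+\|\|([^.|\s]+)\.")

def parse_endpoint_services(output):
    """Service names from the CLUSTER column (first hostname label); the header
    and non-outbound rows do not match the pattern and are skipped."""
    found = set()
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and (m := _CLUSTER.match(cols[-1])):
            found.add(m.group(1))
    return found

def unexpected_services(output, allowed):
    """Services still in the proxy config that the policies did not allow."""
    return set() if allowed is None else parse_endpoint_services(output) - allowed
```

Run unexpected_services on the real istioctl output for productpage after applying trim-1; a non-empty result points at the additive workspace-level trimAllProxyConfig or serviceIsolation.trimProxyConfig setting described in the verification steps.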