Trim proxy in workspace settings
Enable proxy trimming in the workspace settings along with service isolation.
For more information, see the following resources:
- Overview of proxy trimming, including information about fine-grained, workload-level proxy trimming via the
TrimProxyConfigPolicyresource. - Overview of workspace settings.
- Workspace settings API docs.
Trim proxy config settings on a workspace cannot be applied to a gateway pod, such as the east-west or ingress gateways. For full control over the destinations that the gateways can talk to, create a separate workspace for each gateway pod and import the resources the gateway must have access to.
Before you begin
This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.
Complete the multicluster getting started guide to set up the following testing environment.
- Three clusters along with environment variables for the clusters and their Kubernetes contexts.
- The Gloo
meshctlCLI, along with other CLI tools such askubectlandistioctl. - The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
- Istio installed in the workload clusters.
- A simple Gloo workspace setup.
- Install Bookinfo and other sample apps.
Trim proxy in the workspace settings
You can enable proxy trimming for all workloads within a workspace by configuring the workspace settings. Then, you can add back in workloads on a workspace basis or by workload with the TrimProxyConfigPolicy resource.
Check the proxy configuration of one of your Istio workloads, such as
productpagein thebookinfonamespace. In the output, notice that the configuration includes the details for all services within the mesh, even though your Bookinfo apps might not need to communicate with these services.istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')Example output:
ENDPOINT STATUS OUTLIER CHECK CLUSTER 10.0.xx.xx:8081 HEALTHY OK outbound|8081||gloo-mesh-ui.gloo-mesh.svc.cluster.local 10.0.xx.xxx:6379 HEALTHY OK outbound|6379||redis.gloo-mesh.svc.cluster.local 10.0.xx.xxx:9090 HEALTHY OK outbound|80||prometheus-server.gloo-mesh.svc.cluster.local 10.0.xx.xxx:80 HEALTHY OK outbound|8000||httpbin.default.svc.cluster.local 10.0.xx.xx:443 HEALTHY OK outbound|443||kubernetes.default.svc.cluster.local 10.0.xx.xx:8080 HEALTHY OK outbound|80||istio-ingressgateway.gloo-mesh-gateways.svc.cluster.local 10.0.xx.x:5000 HEALTHY OK outbound|5000||helloworld.helloworld.svc.cluster.local 10.0.xx.xxx:9091 HEALTHY OK outbound|9091||gloo-mesh-mgmt-server-admin.gloo-mesh.svc.cluster.local 10.0.xx.xx:6379 HEALTHY OK outbound|6379||gloo-mesh-redis.gloo-mesh.svc.cluster.local 10.0.xx.xxx:9080 HEALTHY OK outbound|80||reviews.global ...Get your workspace settings for the workspaces that you want to trim proxies in.
- List the available workspace settings.
kubectl get workspacesettings -A - Get the configuration file for each workspace settings that you want to modify, such as a global or bookinfo-specific workspace settings.
kubectl get workspacesettings <workspacesettings> -n <namespace> -o yaml
- List the available workspace settings.
Trim all of the Istio sidecar proxies in your workspace by enabling the
trimAllProxyConfigsetting.apiVersion: admin.gloo.solo.io/v2 kind: WorkspaceSettings metadata: labels: app.kubernetes.io/managed-by: Helm name: default namespace: gloo-mesh spec: options: federation: enabled: false serviceIsolation: enabled: false trimAllProxyConfig: trueCheck the proxy configuration of the
productpageapp again. In the output, notice that the configuration no longer includes the details of any service in the mesh.istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')Add destinations back into the proxy config, either by enabling the
serviceIsolation.trimProxyConfigsetting at the workspace level to add in all destinations within the workspace or by selecting specific destinations in aTrimProxyConfigPolicy. For more information, see Options for proxy trimmingWorkspace-wide trim proxy setting: The destinations within the workspace (including imported destinations) are added back into the sidecar proxy config. You might use this option if you need proxy trimming at only the workspace level, such as if you have many workspaces with fine-grained import and export rules. However, this approach is not as flexible as the
TrimProxyConfigPolicyresource and requires you to enable service isolation.apiVersion: admin.gloo.solo.io/v2 kind: WorkspaceSettings metadata: labels: app.kubernetes.io/managed-by: Helm name: default namespace: gloo-mesh spec: options: trimAllProxyConfig: true federation: enabled: false serviceIsolation: enabled: true trimProxyConfig: true # scope discovery to services within or imported to the workspaceSpecific destinations by using a policy: The destinations that the policy selects are allowed back into the sidecar proxy config. For more information, see the trim proxy config policy guide.
Verify that the Istio sidecar proxy config has the destinations that you allowed. You can check the endpoints or the Istio
Sidecarcustom resource configuration.The examples show the output for adding back in destinations at the workspace level. Notice that your workspace might include destinations that the Bookinfo apps do not need to communicate with these services. In such case, you can use theTrimProxyConfigPolicyresource instead of theserviceIsolation.trimProxyConfigworkspace settings.Optional: Disable proxy trimming by restoring the original workspace settings.
apiVersion: admin.gloo.solo.io/v2 kind: WorkspaceSettings metadata: labels: app.kubernetes.io/managed-by: Helm name: default namespace: gloo-mesh spec: options: trimAllProxyConfig: false federation: enabled: false serviceIsolation: enabled: false trimProxyConfig: false