For more information, see the following resources:

Before you begin

  1. Complete the multicluster getting started guide to set up the following testing environment.

    • Three clusters along with environment variables for the clusters and their Kubernetes contexts.
    • The Gloo meshctl CLI, along with other CLI tools such as kubectl and istioctl.
    • The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
    • Istio installed in the workload clusters.
    • A simple Gloo workspace setup.
  2. Install Bookinfo and other sample apps.

Trim proxy in the workspace settings

You can enable proxy trimming for all workloads within a workspace by configuring the workspace settings. Then, you can add workloads back in either for the whole workspace or for individual workloads with the TrimProxyConfigPolicy resource.

  1. Check the proxy configuration of one of your Istio workloads, such as productpage in the bookinfo namespace. In the output, notice that the configuration includes the details for all services within the mesh, even though your Bookinfo apps might not need to communicate with these services.

      istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
      

    Example output:

      ENDPOINT                                                STATUS      OUTLIER CHECK     CLUSTER
      10.0.xx.xx:8081                                         HEALTHY     OK                outbound|8081||gloo-mesh-ui.gloo-mesh.svc.cluster.local
      10.0.xx.xxx:6379                                        HEALTHY     OK                outbound|6379||redis.gloo-mesh.svc.cluster.local
      10.0.xx.xxx:9090                                        HEALTHY     OK                outbound|80||prometheus-server.gloo-mesh.svc.cluster.local
      10.0.xx.xxx:80                                          HEALTHY     OK                outbound|8000||httpbin.default.svc.cluster.local
      10.0.xx.xx:443                                          HEALTHY     OK                outbound|443||kubernetes.default.svc.cluster.local
      10.0.xx.xx:8080                                         HEALTHY     OK                outbound|80||istio-ingressgateway.gloo-mesh-gateways.svc.cluster.local
      10.0.xx.x:5000                                          HEALTHY     OK                outbound|5000||helloworld.helloworld.svc.cluster.local
      10.0.xx.xxx:9091                                        HEALTHY     OK                outbound|9091||gloo-mesh-mgmt-server-admin.gloo-mesh.svc.cluster.local
      10.0.xx.xx:6379                                         HEALTHY     OK                outbound|6379||gloo-mesh-redis.gloo-mesh.svc.cluster.local
      10.0.xx.xxx:9080                                        HEALTHY     OK                outbound|80||reviews.global
      ...
      
  2. Get your workspace settings for the workspaces that you want to trim proxies in.

    1. List the available workspace settings.
        kubectl get workspacesettings -A
        
    2. Get the configuration file for each workspace settings resource that you want to modify, such as a global or bookinfo-specific workspace settings resource.
        kubectl get workspacesettings <workspacesettings> -n <namespace> -o yaml
        
  3. Trim all of the Istio sidecar proxies in your workspace by enabling the trimAllProxyConfig setting.

       apiVersion: admin.gloo.solo.io/v2
       kind: WorkspaceSettings
       metadata:
         labels:
           app.kubernetes.io/managed-by: Helm
         name: default
         namespace: gloo-mesh
       spec:
         options:
           federation:
             enabled: false
           serviceIsolation:
             enabled: false
           trimAllProxyConfig: true
       
  4. Check the proxy configuration of the productpage app again. In the output, notice that the configuration no longer includes the details of any service in the mesh.

      istioctl proxy-config endpoints --context ${REMOTE_CONTEXT1} -n bookinfo $(kubectl get pod --context ${REMOTE_CONTEXT1} -l app=productpage -A -o jsonpath='{.items[0].metadata.name}')
      
  5. Add destinations back into the proxy config, either by enabling the serviceIsolation.trimProxyConfig setting at the workspace level to add in all destinations within the workspace or by selecting specific destinations in a TrimProxyConfigPolicy. For more information, see Options for proxy trimming.

    • Workspace-wide trim proxy setting: The destinations within the workspace (including imported destinations) are added back into the sidecar proxy config. You might use this option if you need proxy trimming at only the workspace level, such as if you have many workspaces with fine-grained import and export rules. However, this approach is not as flexible as the TrimProxyConfigPolicy resource and requires you to enable service isolation.

        apiVersion: admin.gloo.solo.io/v2
        kind: WorkspaceSettings
        metadata:
          labels:
            app.kubernetes.io/managed-by: Helm
          name: default
          namespace: gloo-mesh
        spec:
          options:
            trimAllProxyConfig: true
            federation:
              enabled: false
            serviceIsolation:
              enabled: true
              trimProxyConfig: true # scope discovery to services within or imported to the workspace
        
    • Specific destinations by using a policy: The destinations that the policy selects are allowed back into the sidecar proxy config. For more information, see the trim proxy config policy guide.

  6. Verify that the Istio sidecar proxy config has the destinations that you allowed. You can check the endpoints or the Istio Sidecar custom resource configuration.

  7. Optional: Disable proxy trimming by restoring the original workspace settings.

      apiVersion: admin.gloo.solo.io/v2
      kind: WorkspaceSettings
      metadata:
        labels:
          app.kubernetes.io/managed-by: Helm
        name: default
        namespace: gloo-mesh
      spec:
        options:
          trimAllProxyConfig: false
          federation:
            enabled: false
          serviceIsolation:
            enabled: false
            trimProxyConfig: false
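
For the verification in step 6, one way to check the endpoints is to compare the outbound destinations in the `istioctl proxy-config endpoints` table against the list of destinations you meant to allow. The script below is an added example, not part of the Gloo documentation; the function names, the sample rows, and the bookinfo hostnames in the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sidecar's endpoint table against an allowlist of destinations.

# Constructed sample in the format of the `istioctl proxy-config endpoints` output above.
sample_endpoints() {
cat <<'EOF'
ENDPOINT           STATUS      OUTLIER CHECK     CLUSTER
10.0.0.11:9080     HEALTHY     OK                outbound|9080||reviews.bookinfo.svc.cluster.local
10.0.0.12:9080     HEALTHY     OK                outbound|9080||details.bookinfo.svc.cluster.local
10.0.0.13:6379     HEALTHY     OK                outbound|6379||redis.gloo-mesh.svc.cluster.local
127.0.0.1:15000    HEALTHY     OK                prometheus_stats
EOF
}

# Read an endpoints table on stdin; print each distinct outbound destination host.
# CLUSTER values have the form direction|port|subset|host.
outbound_hosts() {
  awk 'NR > 1 { n = split($NF, f, "|"); if (n == 4 && f[1] == "outbound") print f[4] }' | sort -u
}

# Usage: <endpoints table> | unexpected_hosts ALLOWED_HOST...
# Prints every outbound host that is not on the allowlist; no output means the trim holds.
unexpected_hosts() {
  allowed=$(printf '%s\n' "$@")
  outbound_hosts | while read -r host; do
    printf '%s\n' "$allowed" | grep -qxF -- "$host" || printf '%s\n' "$host"
  done
}

# Demo on the constructed sample: only the redis host is outside the allowlist.
sample_endpoints | unexpected_hosts \
  reviews.bookinfo.svc.cluster.local \
  details.bookinfo.svc.cluster.local
```

Against a live cluster, pipe the istioctl command from step 1 into `unexpected_hosts` in place of `sample_endpoints`.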