Serving: Allow service to service calls in Knative service mesh

Created on 22 Jun 2018 · 8Comments · Source: knative/serving

Expected Behavior

A configuration/service cannot call another configuration/service without using the public domain today (calling to x-00001-service is not sufficient because 1. these names change, 2. it skips activator and if a revision is scaled to 0, it doesn't come back up) . We want to be able to call other configuration/services within the cluster without the need to use the public domain.

arenetworking kinbug

Source

mdemirhan

Most helpful comment

You will need to install a cluster-local-gateway using https://knative.dev/docs/install/installing-istio/#updating-your-install-to-use-cluster-local-gateway . However you will need to add this line --set global.mtls.auto=false since currently there is an error in the doc

tcnghia on 20 Dec 2019

👍2

All 8 comments

A configuration/service cannot call another configuration/service without using the public domain today

Ideally, I'd also like to be able to call a knative configuration/service from an arbitrary non-knative Pod running in the same k8s cluster. Hopefully this doesn't really require extra effort to support if I'm willing to ensure my non-knative Pod includes the istio-proxy sidecar, but I just wanted to explicitly call out the use case so you can decide if it's in scope or not for this tracking issue.

enisoc on 23 Jun 2018

@enisoc a Knative service is now can be addressed by <service>.<ns>.svc.cluster.local. I think that suffice for our purpose here?

Remaining issue is supporting a short name version which is tracked in a different bug.

tcnghia on 17 Jul 2018

I've tried calling a knative service from both another knative service's pod and a regular pod but it's not working for me.

$ kubectl get service
NAME                          TYPE           CLUSTER-IP       EXTERNAL-IP                                            PORT(S)             AGE
kubernetes                    ClusterIP      10.96.0.1        <none>                                                 443/TCP             15h
mini-test                     LoadBalancer   10.104.240.63    <pending>                                              80:32339/TCP        3h28m
minikube-test                 ExternalName   <none>           cluster-local-gateway.istio-system.svc.cluster.local   <none>              3m30s
minikube-test-wkzms           ClusterIP      10.106.25.9      <none>                                                 80/TCP              3m58s
minikube-test-wkzms-metrics   ClusterIP      10.98.212.238    <none>                                                 9090/TCP,9091/TCP   4m4s
minikube-test-wkzms-private   ClusterIP      10.106.234.157   <none>                                                 80/TCP,8022/TCP     4m1s

minikube-test here is a knative service and mini-test is a regular service. if I sh into either one's pod, this is what I expect to work but it doesn't even have a DNS record:

/ # nslookup minikube-test
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'minikube-test': Name does not resolve

Similarly:

/ # nslookup minikube-test.default.svc.cluster.local
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'minikube-test.default.svc.cluster.local': Name does not resolve
/ # nslookup minikube-test.default.example.com
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'minikube-test.default.example.com': Name does not resolve

The only ones that can be resolved are those services with revision tag, which change and skip activator, same issues talked about at start.

/ # nslookup minikube-test-wkzms
nslookup: can't resolve '(null)': Name does not resolve

Name:      minikube-test-wkzms
Address 1: 10.106.25.9 minikube-test-wkzms.default.svc.cluster.local

/ # nslookup minikube-test-wkzms-metrics
nslookup: can't resolve '(null)': Name does not resolve

Name:      minikube-test-wkzms-metrics
Address 1: 10.98.212.238 minikube-test-wkzms-metrics.default.svc.cluster.local

/ # nslookup minikube-test-wkzms-private
nslookup: can't resolve '(null)': Name does not resolve

Name:      minikube-test-wkzms-private
Address 1: 10.106.234.157 minikube-test-wkzms-private.default.svc.cluster.local

/ # nslookup cluster-local-gateway.istio-system.svc.cluster.local
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'cluster-local-gateway.istio-system.svc.cluster.local': Name does not resolve

Oh, and only minikube-test-wkzms-private works which is strange, calling minikube-test-wkzms returns a Error getting active endpoint: revision.serving.knative.dev "" not found.

How am I supposed to accomplish this from inside the cluster @tcnghia ?

xphoniex on 20 Dec 2019

@xphoniex Do you have a service named 'cluster-local-gateway' in the namespace 'istio-system'?

tcnghia on 20 Dec 2019

No, I only have istio-ingressgateway and istio-pilot. Has this got anything to do with my istio installation?

xphoniex on 20 Dec 2019

tcnghia on 20 Dec 2019

👍2

(the error in the doc is tracked here, if you are interested https://github.com/knative/serving/issues/6254#issuecomment-567785377)

tcnghia on 20 Dec 2019

Thank you @tcnghia

I went back to the installation guide and found the part I'd missed. It was kind of hidden.

By the way I had no issue with my cluster-local-gateway, works just fine out of the box.

xphoniex on 20 Dec 2019

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Set per revision headers in Cluster Ingress

vagababov · 3Comments

Activator leaks metrics publicly

scothis · 3Comments

latestRevision routes may point to older revisions if latestCreated is not ready

greghaynes · 4Comments

kbuffer rename breaks updating

mattmoor · 5Comments

Support wildcard certificate for Auto TLS feature

ZhiminXiang · 3Comments