Serving: cluster-local visibility not working when using tags

Created on 1 Oct 2019  路  20Comments  路  Source: knative/serving

In what area(s)?

/area networking

What version of Knative?

0.9.x

Expected Behavior

I set a service label:

kubectl label ksvc hello-springboot serving.knative.dev/visibility=cluster-local

The service should not be publicly available.

Actual Behavior

But the service is still publicly accessible.

Steps to Reproduce the Problem

kubectl label ksvc YOUR_SERVICE serving.knative.dev/visibility=cluster-local

Try to access the service publicly.

arenetworking kinbug
Source
picture jamesward

All 20 comments

cc @tcnghia

dgerd picture dgerd on 1 Oct 2019

@jamesward can you please show how your Service looks? If it is related to tag/subRoute I think it is fixed here https://github.com/knative/serving/pull/5655 .

tcnghia picture tcnghia on 1 Oct 2019

cc @andrew-su

tcnghia picture tcnghia on 1 Oct 2019

yeah, this does seem to only be a problem when there are tags. So probably related to #5655

jamesward picture jamesward on 2 Oct 2019

/close

#5655 fixed this issue.

tcnghia picture tcnghia on 2 Oct 2019

@tcnghia: Closing this issue.

In response to this:

/close

5655 fixed this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

knative-prow-robot picture knative-prow-robot on 2 Oct 2019

I'm using 0.10.0 and still seeing the service accessible publicly.

status:
  address:
    url: http://hello-springboot.default.svc.cluster.local
  conditions:
  - lastTransitionTime: "2019-10-29T19:02:39Z"
    status: "True"
    type: ConfigurationsReady
  - lastTransitionTime: "2019-10-29T19:03:50Z"
    status: "True"
    type: Ready
  - lastTransitionTime: "2019-10-29T19:03:50Z"
    status: "True"
    type: RoutesReady
  latestCreatedRevisionName: hello-springboot-97qjk
  latestReadyRevisionName: hello-springboot-97qjk
  observedGeneration: 6
  traffic:
  - latestRevision: false
    percent: 80
    revisionName: hello-springboot-jrjw4
    tag: current
    url: http://current-hello-springboot.default.svc.cluster.local
  - latestRevision: true
    percent: 20
    revisionName: hello-springboot-97qjk
    tag: latest
    url: http://latest-hello-springboot.default.svc.cluster.local
  url: http://hello-springboot.default.svc.cluster.local

$ curl -v http://hello-springboot.default.$IP_ADDRESS.nip.io
* Rebuilt URL to: http://hello-springboot.default.35.223.5.46.nip.io/
*   Trying 35.223.5.46...
* TCP_NODELAY set
* Connected to hello-springboot.default.35.223.5.46.nip.io (35.223.5.46) port 80 (#0)
> GET / HTTP/1.1
> Host: hello-springboot.default.35.223.5.46.nip.io
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-length: 37
< content-type: text/plain;charset=UTF-8
< date: Tue, 29 Oct 2019 19:10:01 GMT
< x-envoy-upstream-service-time: 6
< server: istio-envoy
<
* Curl_http_done: called premature == 0
* Connection #0 to host hello-springboot.default.35.223.5.46.nip.io left intact
hello, world - hello-springboot-jrjw4
jamesward picture jamesward on 29 Oct 2019
👍1

/assign @andrew-su

tcnghia picture tcnghia on 30 Oct 2019

/assign @shashwathi

shashwathi picture shashwathi on 1 Nov 2019

Hi @jamesward

I could not reproduce this issue on 0.10.0 release. I tried the following steps

  1. Deploy the below service 
apiVersion: serving.knative.dev/v1alpha1 # Current version of Knative
kind: Service
metadata:
  name: helloworld-go # The name of the app
  namespace: default # The namespace the app will use
spec:
  template:
    spec:
      containers:
        - image: gcr.io/knative-samples/helloworld-go # The URL to the image of the app
          env:
            - name: TARGET # The environment variable printed out by the sample app
              value: "Go Sample v1"
  1. Connect to service curl EXTERNAL_IP -H"Host:helloworld-go.default.EXTERNAL_IP.xip.io" -v
* Rebuilt URL to: EXTERNAL_IP/
*   Trying EXTERNAL_IP...
* TCP_NODELAY set
* Connected to EXTERNAL_IP (EXTERNAL_IP) port 80 (#0)
> GET / HTTP/1.1
> Host:helloworld-go.default.EXTERNAL_IP.xip.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-length: 20
< content-type: text/plain; charset=utf-8
< date: Fri, 01 Nov 2019 18:09:05 GMT
< x-envoy-upstream-service-time: 7915
< server: istio-envoy
<
Hello Go Sample v1!
* Connection #0 to host EXTERNAL_IP left intact
  1. Status of knative service object 
  status:
    address:
      url: http://helloworld-go.default.svc.cluster.local
    conditions:
    - lastTransitionTime: "2019-11-01T17:44:00Z"
      status: "True"
      type: ConfigurationsReady
    - lastTransitionTime: "2019-11-01T18:08:22Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-11-01T18:08:22Z"
      status: "True"
      type: RoutesReady
    latestCreatedRevisionName: helloworld-go-llcsq
    latestReadyRevisionName: helloworld-go-llcsq
    observedGeneration: 1
    traffic:
    - latestRevision: true
      percent: 100
      revisionName: helloworld-go-llcsq
    url: http://helloworld-go.default.EXTERNAL_IP.xip.io

  1. Updated cluster-local label using kubectl label ksvc helloworld-go serving.knative.dev/visibility=cluster-local

  2. connect via curl 

curl EXTERNAL_IP -H"Host:helloworld-go.default.svc.cluster.local" -vv
* Rebuilt URL to: EXTERNAL_IP/
*   Trying EXTERNAL_IP...
* TCP_NODELAY set
* Connected to EXTERNAL_IP (EXTERNAL_IP) port 80 (#0)
> GET / HTTP/1.1
> Host:helloworld-go.default.svc.cluster.local
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< date: Fri, 01 Nov 2019 18:08:45 GMT
< server: istio-envoy
< content-length: 0
<
* Connection #0 to host EXTERNAL_IP left intact
  1. Status of knative service
  status:
    address:
      url: http://helloworld-go.default.svc.cluster.local
    conditions:
    - lastTransitionTime: "2019-11-01T17:44:00Z"
      status: "True"
      type: ConfigurationsReady
    - lastTransitionTime: "2019-11-01T18:17:32Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-11-01T18:17:32Z"
      status: "True"
      type: RoutesReady
    latestCreatedRevisionName: helloworld-go-llcsq
    latestReadyRevisionName: helloworld-go-llcsq
    observedGeneration: 1
    traffic:
    - latestRevision: true
      percent: 100
      revisionName: helloworld-go-llcsq
    url: http://helloworld-go.default.svc.cluster.local

Am I missing any steps here?

shashwathi picture shashwathi on 1 Nov 2019

To see this exhibited you need to have a traffic split in place.

jamesward picture jamesward on 2 Nov 2019
👍1

I tried with traffic split as well but still not able to reproduce.

  1. Following is the knative service definition
---
apiVersion: serving.knative.dev/v1alpha1 # Current version of Knative
kind: Service
metadata:
  name: helloworld-go # The name of the app
  namespace: default # The namespace the app will use
spec:
  traffic:
  - tag: current
    percent: 50
    revisionName: helloworld-go-b4mp8
  - tag: latest
    latestRevision: true
    percent: 50
  1. Route status 
  status:
    address:
      url: http://helloworld-go.default.svc.cluster.local
    conditions:
    - lastTransitionTime: "2019-11-04T21:32:28Z"
      status: "True"
      type: ConfigurationsReady
    - lastTransitionTime: "2019-11-04T21:48:09Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-11-04T21:48:09Z"
      status: "True"
      type: RoutesReady
    latestCreatedRevisionName: helloworld-go-jhhp6
    latestReadyRevisionName: helloworld-go-jhhp6
    observedGeneration: 3
    traffic:
    - latestRevision: false
      percent: 50
      revisionName: helloworld-go-b4mp8
      tag: current
      url: http://current-helloworld-go.default.EXTERNAL_IP.xip.io
    - latestRevision: true
      percent: 50
      revisionName: helloworld-go-jhhp6
      tag: latest
      url: http://latest-helloworld-go.default.EXTERNAL_IP.xip.io
    url: http://helloworld-go.default.EXTERNAL_IP.xip.io
  1. All the below requests to individual routes and overall route returned 200 response.

curl http://EXTERNAL_IP -H"Host:helloworld-go.default.EXTERNAL_IP.xip.io" -vv
curl http://latest-helloworld-go.default.EXTERNAL_IP.xip.io -vv
curl http://current-helloworld-go.default.EXTERNAL_IP.xip.io -vv

  1. Updated label 
 status:
    address:
      url: http://helloworld-go.default.svc.cluster.local
    conditions:
    - lastTransitionTime: "2019-11-04T21:32:28Z"
      status: "True"
      type: ConfigurationsReady
    - lastTransitionTime: "2019-11-04T21:40:49Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-11-04T21:40:49Z"
      status: "True"
      type: RoutesReady
    latestCreatedRevisionName: helloworld-go-jhhp6
    latestReadyRevisionName: helloworld-go-jhhp6
    observedGeneration: 3
    traffic:
    - latestRevision: false
      percent: 50
      revisionName: helloworld-go-b4mp8
      tag: current
      url: http://current-helloworld-go.default.svc.cluster.local
    - latestRevision: true
      percent: 50
      revisionName: helloworld-go-jhhp6
      tag: latest
      url: http://latest-helloworld-go.default.svc.cluster.local
    url: http://helloworld-go.default.svc.cluster.local
  1. connecting to overall route and individual route
curl http://EXTERNAL_IP -H"Host:helloworld-go.default.svc.cluster" -vv
* Rebuilt URL to: http://EXTERNAL_IP/
*   Trying EXTERNAL_IP...
* TCP_NODELAY set
* Connected to EXTERNAL_IP (EXTERNAL_IP) port 80 (#0)
> GET / HTTP/1.1
> Host:helloworld-go.default.svc.cluster.local
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< date: Mon, 04 Nov 2019 21:41:41 GMT
< server: istio-envoy
< content-length: 0
<
* Connection #0 to host EXTERNAL_IP left intact

curl http://EXTERNAL_IP -H"Host:latest-helloworld-go.default.svc.cluster.local" -vv`

* Rebuilt URL to: http://EXTERNAL_IP/
*   TryingEXTERNAL_IP...
* TCP_NODELAY set
* Connected to EXTERNAL_IP (EXTERNAL_IP) port 80 (#0)
> GET / HTTP/1.1
> Host:latest-helloworld-go.default.svc.cluster.local
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< date: Mon, 04 Nov 2019 21:41:56 GMT
< server: istio-envoy
< content-length: 0
<
* Connection #0 to host EXTERNAL_IP left intact

@jamesward : Can you paste the output of virtualservices ?

shashwathi picture shashwathi on 5 Nov 2019

Thanks for looking into this further. What about:
curl http://helloworld-go.default.EXTERNAL_IP.xip.io -vv
or
curl http://latest-helloworld-go.default.EXTERNAL_IP.xip.io -vv

Will get the virtualservices output in a bit (sorry, on a plane).

jamesward picture jamesward on 7 Nov 2019

@jamesward can you please paste the output of the VirtualService? thanks

tcnghia picture tcnghia on 26 Nov 2019

/close
Should be fixed.

vagababov picture vagababov on 10 Dec 2019

@vagababov: Closing this issue.

In response to this:

/close
Should be fixed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

knative-prow-robot picture knative-prow-robot on 10 Dec 2019

Thanks! I'll give it a try when the next release lands.

jamesward picture jamesward on 10 Dec 2019

@jamesward release landed today, can you please give that a try?

tcnghia picture tcnghia on 11 Dec 2019

So far I've been unable to reproduce this on Knative 0.11.0 with Istio 1.4.2.

jamesward picture jamesward on 16 Dec 2019
🎉1

Thanks!

vagababov picture vagababov on 17 Dec 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mattmoor picture mattmoor  路  7Comments
ahmetb picture ahmetb  路  5Comments
vtereso picture vtereso  路  5Comments
mattmoor picture mattmoor  路  5Comments
ysjjovo picture ysjjovo  路  5Comments