-
Notifications
You must be signed in to change notification settings - Fork 102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cluster.local
cannot be used as a pointer to the local trust domain
#1260
Comments
Istio in general supports one trust domain per control-plane instance. We have a magic alias such that Ambient supports one trust domain in the dataplane ATM. We could make it support the magic alias the control plane does, but there are a lot of (existing) problems that does not solve. The trust domain alias in sidecars solves only one problem, really - to let you delay updating your Auth policies if you change your trust domain, which I do not think is very valuable or even something we should encourage - your Auth policies should explictly declare the principals you want, in all cases. But you don't even need the magic alias to do that - Auth policies themselves can already do everything the magic alias allows for, by adding multiple principals to your Auth policies explicitly - which is better anyway, since AuthPolicies are supposed to be declarative, and having a secret switch to allow unlisted principals to pass the policy is Not Great. If you want to have 2 trust domains but only actually use 1 of them, you don't actually need or want 2 trust domains - relying on the alias is bad practice IMO and we shouldn't encourage people to create or configure trust domains they do not intend to use. Aliases are a semi-hack IMO. Istio doesn't really support multiple trust domains within a single control-plane instance, and the use of the alias for migrations is redundant with existing AuthPolicy capabilities - they really don't do anything useful, and break the declarative model of AuthPolicies. I actually think we should just deprecate the use of trust domain aliases entirely in this doc and tell people to explicitly add the principals they want to their AuthPolicies if they wish to migrate between trust domains, which works just fine for this (likely extremely rare) activity and doesn't break the policy model or require weird controlplane logic. Suggest the following:
None of that requires any ambient changes, and would be better for sidecars too, so that's my pref here - added to the next WG tho for discussion. |
When using sidecars, with istio installations that have a custom trust domain, for example
old-td
.Then both principals trust domains
old-td
and orcluster.local
are valid to be used in the Authorization policyHowever, that is not the case in ambient (ztunnel), you have to use only the custom trust domain i.e.
old-td
The docs recommend using
cluster.local
as a best practice (that might be an outdated suggestion, fwiw). However, this means that all customers that were usingcluster.local
as a pointer to the local trust domain, would be impacted when migrating workloads from sidecars into ambient, which would catch them by surprise.The text was updated successfully, but these errors were encountered: