DOCS-2334: Docs for L7 rearchitecture with Envoy as sidecar containers #1714
Conversation
✅ Deploy Preview succeeded!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
ctauchen
changed the title
| @@ -24,7 +24,7 @@ Historically, web application firewalls (WAFs) were deployed at the edge of your | |||
|
|
|||
| ### About {{prodname}} WAF | |||
|
|
|||
| WAF is deployed in your cluster along with Envoy DaemonSet. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard | |||
| WAF is deployed in your cluster with Envoy as a sidecar container on your pods. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard | |||
There was a problem hiding this comment.
There seems to be a difference between the old and new concerning services vs deployments. With sidecars, it looks like you need to annotate deployments rather than services.
Is it fair to guess that we should review all instances of 'service' and consider replacing with 'deployment'?
There was a problem hiding this comment.
We can swap from:
{{prodname}} proxies selected service traffic through Envoy,
to:
{{prodname}} proxies all traffic through Envoy sidecar,
There was a problem hiding this comment.
Yes, we need to change service to deployment where it is talking about the enable of the feature.
There was a problem hiding this comment.
@ctauchen yes that's right. In this case I think the sentence can be
"WAF is deployed in your cluster with Envoy as a sidecar container on your pods. {{prodname}} proxies traffic for the selected pods through Envoy, checking HTTP requests using the industry-standard..."
There was a problem hiding this comment.
Got it, changing service to deployment throughout.
There was a problem hiding this comment.
@peterkellydev @radixo The deployment/service question is more complex than I'd realized, particularly with the WAF doc. We have examples using services, a note talking about how you shouldn't apply WAF to system services, and so on.
I'm thinking that we may need someone who knows what they're doing here (not me) to look through and mark the s/service/deployment locations in the doc.
By my naive understanding, we shouldn't be talking about services much at all, now that we've switched the WAF delivery mechanism to deployments exclusively. What relevance do services have on this page?
|
|
||
| **Limitations** | ||
| * L7 logging is not compatible with a service mesh such as Istio. |
There was a problem hiding this comment.
@peterkellydev In my notes I've got this limitation for all L7 features. In our current docs, it's mentioned only for ALP. I've added to all three, but let me know if I've got that wrong.
There was a problem hiding this comment.
Yes adding to all 3 is good.
There was a problem hiding this comment.
Thanks for confirming. Leaving these as they are.
There was a problem hiding this comment.
@radixo @peterkellydev I've drafted changes as discussed. This changes the docs to be sidecar-only. Please pay special attention to limitations -- I suspect some remain that apply only to daemonset mode.
You can disregard formatting changes -- I'll see that that all gets sorted in my final review.
| * Application layer policy is not compatible with a service mesh such as Istio. | ||
| * Application layer policy can restrict only _ingress_ traffic. | ||
| It can not restrict egress traffic. | ||
| * Support for L7 attributes is limited to HTTP method and URL exact/prefix path. |
There was a problem hiding this comment.
I'm not sure these two bullets about attributes and protocols are limitations - they're just what the feature currently supports. I know they're pre-existing as limitations so it's fine to leave them I guess, I just think the section is less about what the feature supports / was implemented so far vs. things like platform limitations etc
There was a problem hiding this comment.
Limitations are loosely defined, but I'd characterize them as anything that describes a functionality that a user might reasonably expect the product to have, but that the product doesn't have. Whether and how we call those out is a judgement call. I'll leave this for now, as you suggest, but we can certainly reconsider these.
| * Host-networked client pods | ||
| * TLS traffic | ||
| * [LoadBalancer services](https://Kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) | ||
| * Egress gateways |
There was a problem hiding this comment.
Egress Gateway is no longer a limitation in the new mode.
There was a problem hiding this comment.
Line removed, thanks.
|
|
||
| ```bash | ||
| kubectl annotate svc <service-name> -n <service-namespace> projectcalico.org/l7-logging- | ||
| kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1waf"}]' |
There was a problem hiding this comment.
@radixo does this look right for the disable command for WAF?
There was a problem hiding this comment.
Actually it is, the bad thing I left behind were the unnecessary spaces on the left, you can trim them. But about the ~1 string, is how you can scape the / on json paths.
There was a problem hiding this comment.
Will remove leading spaces and leave the rest as is.
| **Limitations** | ||
| * L7 logging is not compatible with a service mesh such as Istio. | ||
| * L7 log collection is not supported for host-networked client pods. | ||
| * When selecting and deselecting traffic for L7 log collection, active connections may be disrupted. |
There was a problem hiding this comment.
This is true for all 3 L7 features too. Although pods will be recycled and rolled out after being selected for L7, there can be existing HTTP connections that get dropped and reconnected. So we haven't changed that, it was true in old model and new model. But it is true for all L7 docs and not just this one. (I wish we had a single doc :) )
There was a problem hiding this comment.
Ok, adding this to all L7 pages. Fits better as a note.
| @@ -24,7 +24,7 @@ Historically, web application firewalls (WAFs) were deployed at the edge of your | |||
|
|
|||
| ### About {{prodname}} WAF | |||
|
|
|||
| WAF is deployed in your cluster along with Envoy DaemonSet. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard | |||
| WAF is deployed in your cluster with Envoy as a sidecar container on your pods. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard | |||
There was a problem hiding this comment.
We can swap from:
{{prodname}} proxies selected service traffic through Envoy,
to:
{{prodname}} proxies all traffic through Envoy sidecar,
| @@ -24,7 +24,7 @@ Historically, web application firewalls (WAFs) were deployed at the edge of your | |||
|
|
|||
| ### About {{prodname}} WAF | |||
|
|
|||
| WAF is deployed in your cluster along with Envoy DaemonSet. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard | |||
| WAF is deployed in your cluster with Envoy as a sidecar container on your pods. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard | |||
There was a problem hiding this comment.
Yes, we need to change service to deployment where it is talking about the enable of the feature.
| ```bash | ||
| kubectl apply -f - <<EOF |
There was a problem hiding this comment.
| ```bash | |
| kubectl apply -f - <<EOF | |
| ```yaml |
There was a problem hiding this comment.
Got it. I'll un-kubectl all of these EOF to discourage overwriting existing CRDs.
| @@ -115,32 +97,43 @@ kind: ApplicationLayer | |||
| metadata: | |||
| name: tigera-secure | |||
| spec: | |||
| webApplicationFirewall: Enabled | |||
| sidecarInjection: Enabled | |||
| EOF | |||
| kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/release/kubernetes-manifests.yaml | ||
| ``` | ||
|
|
||
| ## Apply WAF to services |
There was a problem hiding this comment.
| ## Apply WAF to services | |
| ## Apply WAF to deployments |
|
|
||
| ```bash | ||
| kubectl annotate svc <service-name> -n <service-namespace> projectcalico.org/l7-logging- | ||
| kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1waf"}]' |
There was a problem hiding this comment.
Actually it is, the bad thing I left behind were the unnecessary spaces on the left, you can trim them. But about the ~1 string, is how you can scape the / on json paths.
|
|
||
| ```bash | ||
| kubectl annotate svc <service-name> -n <service-namespace> projectcalico.org/l7-logging- | ||
| kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1waf"}]' |
There was a problem hiding this comment.
| kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1waf"}]' | |
| kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1waf"}]' |
This PR is a continuation of #1648, which is now closed.