How to apply Istio DestinationRule across the mesh?
An interesting question came up today in Istio Slack where someone asked if and how one can apply DestinationRules globally to all workloads inside the cluster. The short answer is yes, and this article will explain how to do it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ?
  namespace: ?
spec:
  host: ?
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    outlierDetection:
      consecutive5xxErrors: 10
      interval: 2m
      baseEjectionTime: 10m
```
Istio looks up configuration in a root namespace (configurable through the `rootNamespace` field in the global mesh options). So let's say we're running a workload in `ns1`; when processing the configuration, Istio looks in `ns1` first, and if there's no configuration there, it will look in the root namespace. If not explicitly set, the root namespace defaults to `istio-system`. The answer to the first question is that we must deploy the resource to the `istio-system` namespace.

The `host` field in the DestinationRule expects the name of a service that exists in the service registry - for example, `product-page` or `product-page.svc.cluster.local`. Note that using a fully qualified name is the preferred way to address the service, so you can avoid misinterpretation and know precisely which service the rule applies to.

The `host` field also accepts a wildcard prefix (`*`) in the service name. Therefore, to apply a destination rule globally, we could use the notation `*.cluster.local` or just leave the `host` field off altogether.

Note: If you're using a different trust domain (configurable through the `trustDomain` field in the global mesh settings), replace `cluster.local` with your trust domain.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: global-dr
  namespace: istio-system
spec:
  # Note we don't specify the `host` field at all.
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    outlierDetection:
      consecutive5xxErrors: 15
      interval: 2m
      baseEjectionTime: 10m
```
We can use the `istioctl pc cluster` command to check the settings are applied globally to all Envoy clusters in the mesh:

```shell
istioctl pc cluster deploy/httpbin.httpbin -o yaml | grep -B3 consecutive5xx
```

```yaml
  name: outbound|8000||httpbin.httpbin.svc.cluster.local
  outlierDetection:
    baseEjectionTime: 900s
    consecutive5xx: 15
--
  name: outbound|80||istio-ingressgateway.istio-system.svc.cluster.local
  outlierDetection:
    baseEjectionTime: 900s
    consecutive5xx: 15
--
  name: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local
  outlierDetection:
    baseEjectionTime: 900s
    consecutive5xx: 15
...
```
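One way to turn that eyeball check into a repeatable gate is the following added example (my code, not the article's). It reads the JSON form of the same command and reports every outbound service cluster that lacks the expected outlier-detection settings, so a cluster that silently never received the global rule shows up as `missing`. It assumes that `istioctl pc cluster <pod> -o json` prints a JSON list of Envoy `Cluster` objects (a `name` plus an optional `outlierDetection` object carrying Envoy's `consecutive5xx`, `interval` and `baseEjectionTime` fields), that the expected values are those of the global rule above, and that the script is saved as `audit_dr.py` (a hypothetical file name); the sample clusters embedded in it are constructed.

```python
import json
import sys

# What the global DestinationRule should have produced, in the seconds-based
# form Envoy reports (consecutive5xxErrors: 15, interval: 2m, baseEjectionTime: 10m).
EXPECTED = {"consecutive5xx": 15, "interval": "120s", "baseEjectionTime": "600s"}

# Constructed sample standing in for `istioctl pc cluster <pod> -o json` output:
# one compliant cluster, one with a different threshold, one with no policy at
# all, plus inbound/passthrough clusters that a DestinationRule never touches.
SAMPLE_CLUSTERS = json.dumps([
    {"name": "outbound|8000||httpbin.httpbin.svc.cluster.local",
     "outlierDetection": {"consecutive5xx": 15, "interval": "120s",
                          "baseEjectionTime": "600s"}},
    {"name": "outbound|80||sleep.default.svc.cluster.local",
     "outlierDetection": {"consecutive5xx": 25, "interval": "120s",
                          "baseEjectionTime": "600s"}},
    {"name": "outbound|9080||reviews.default.svc.cluster.local"},
    {"name": "inbound|8000||"},
    {"name": "PassthroughCluster"},
])


def is_outbound_service_cluster(name):
    """True for Envoy clusters named outbound|<port>|<subset>|<host> with a host set."""
    parts = name.split("|")
    return len(parts) == 4 and parts[0] == "outbound" and parts[3] != ""


def audit_outlier_detection(clusters_json, expected=EXPECTED):
    """Classify each outbound service cluster as ok, mismatch or missing.

    Returns {"ok": [names], "mismatch": {name: {field: (got, want)}}, "missing": [names]}.
    """
    report = {"ok": [], "mismatch": {}, "missing": []}
    for cluster in json.loads(clusters_json):
        name = cluster.get("name", "")
        if not is_outbound_service_cluster(name):
            continue
        od = cluster.get("outlierDetection")
        if od is None:
            report["missing"].append(name)
            continue
        diffs = {field: (od.get(field), want)
                 for field, want in expected.items() if od.get(field) != want}
        if diffs:
            report["mismatch"][name] = diffs
        else:
            report["ok"].append(name)
    return report


def main():
    # Feed real data in with:
    #   istioctl pc cluster deploy/httpbin.httpbin -o json | python3 audit_dr.py
    # With no piped input, the constructed sample is audited instead.
    data = SAMPLE_CLUSTERS if sys.stdin.isatty() else sys.stdin.read()
    report = audit_outlier_detection(data)
    for name in report["ok"]:
        print("ok       ", name)
    for name, diffs in report["mismatch"].items():
        print("mismatch ", name, diffs)
    for name in report["missing"]:
        print("missing  ", name)
    # A non-zero exit lets the script act as a gate in a rollout pipeline.
    return 1 if report["mismatch"] or report["missing"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against one proxy per namespace you care about; a `mismatch` is expected where a more specific DestinationRule intentionally overrides the global one, while a `missing` outbound cluster means the global policy never reached that destination.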
A DestinationRule can also be scoped to specific workloads by adding a `workloadSelector` and specifying the labels. Note that having a mesh or namespace destination rule together with the `workloadSelector` isn't going to work. You'll have to specify the exact host name.

Note: I've tried setting the host to `*.cluster.local`, exporting the destination rule to the current namespace only (`default` and `exportTo` set to `.`), however, the outlier detection (for example) was still applied to workloads outside of the `default` namespace and the workload selector labels were also ignored. Make sure you check the configuration is applied correctly or per your expectations.
For example, the following DestinationRule applies only to the `v1` versions of the workloads:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: default
spec:
  host: "sleep.default.svc.cluster.local"
  workloadSelector:
    matchLabels:
      version: v1
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    outlierDetection:
      consecutive5xxErrors: 15
      interval: 2m
      baseEjectionTime: 10m
```
How about merging multiple DestinationRules?
To merge DestinationRules, set the `PILOT_ENABLE_DESTINATION_RULE_INHERITANCE` environment variable to `true` when installing Istio. By default, the destination rule inheritance is turned off.

Note: You can pass the environment variables in when installing Istio:

```shell
istioctl install --set values.pilot.env.PILOT_ENABLE_DESTINATION_RULE_INHERITANCE=true
```
Assume the global DestinationRule is deployed in the `istio-system` namespace:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: global-dr
  namespace: istio-system
spec:
  # Note we don't specify the `host` field at all.
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    outlierDetection:
      consecutive5xxErrors: 15
      interval: 2m
      baseEjectionTime: 10m
```
Then we create a second DestinationRule that only sets `consecutive5xxErrors` to `25` for the `sleep` host:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: default
spec:
  host: "sleep.default.svc.cluster.local"
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 25
```
If we run the `istioctl pc cluster` command, we'll see that the `sleep` workload inherited the settings from the global DestinationRule that got merged with the local DestinationRule where we changed the `consecutive5xxErrors` value:

```yaml
...
      name: httpbin
      namespace: default
  name: outbound|8000||httpbin.default.svc.cluster.local
  outlierDetection:
    baseEjectionTime: 600s
    consecutive5xx: 15
    enforcingConsecutive5xx: 100
    enforcingSuccessRate: 0
    interval: 120s
  transportSocketMatches:
  - match:
--
...
      name: sleep
      namespace: default
  name: outbound|80||sleep.default.svc.cluster.local
  outlierDetection:
    baseEjectionTime: 600s
    consecutive5xx: 25
    enforcingConsecutive5xx: 100
    enforcingSuccessRate: 0
    interval: 120s
  transportSocketMatches:
  - match:
...
```
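The merged result above can be reasoned about as a field-level merge, which the following added example spells out (my illustration, not Istio's implementation). It assumes the precedence mesh-level rule, then namespace-level, then service-level, where a more specific rule overrides only the fields it actually sets, and it reproduces the two-level case shown above: `sleep` ends up with `consecutive5xx: 25` while keeping the global `interval` and `baseEjectionTime`. The duration conversion mimics how `2m` and `10m` appear as `120s` and `600s` in the Envoy output. Going beyond the article, the three-level function and the constructed `NAMESPACE_POLICY` show where a namespace-level rule would sit in that order.

```python
import re

# Istio duration units as written in DestinationRule fields; Envoy reports seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600}


def istio_duration_to_envoy(value):
    """Convert an Istio duration such as '2m' or '10m' to Envoy's '120s'/'600s' form."""
    match = re.fullmatch(r"(\d+)([smh])", value)
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return f"{int(match.group(1)) * _UNITS[match.group(2)]}s"


def deep_merge(base, override):
    """Return base with override applied; nested mappings merge, other values are replaced.

    Neither input is mutated, so the original rules can be inspected afterwards.
    """
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def effective_traffic_policy(mesh=None, namespace=None, service=None):
    """Assumed inheritance order: mesh-level < namespace-level < service-level."""
    policy = {}
    for level in (mesh, namespace, service):
        if level:
            policy = deep_merge(policy, level)
    return policy


def envoy_outlier_detection(policy):
    """Project the Istio outlierDetection block onto the field names Envoy shows."""
    od = policy.get("outlierDetection", {})
    return {
        "consecutive5xx": od.get("consecutive5xxErrors"),
        "interval": istio_duration_to_envoy(od["interval"]) if "interval" in od else None,
        "baseEjectionTime": (istio_duration_to_envoy(od["baseEjectionTime"])
                             if "baseEjectionTime" in od else None),
    }


# trafficPolicy of global-dr in istio-system, as in the article.
MESH_POLICY = {
    "loadBalancer": {"simple": "LEAST_REQUEST"},
    "outlierDetection": {"consecutive5xxErrors": 15, "interval": "2m", "baseEjectionTime": "10m"},
}
# trafficPolicy of sleep-dr in default, which overrides a single field.
SLEEP_POLICY = {"outlierDetection": {"consecutive5xxErrors": 25}}
# Constructed namespace-level rule (not in the article) to show the middle tier.
NAMESPACE_POLICY = {"outlierDetection": {"interval": "1m"}}


def sleep_effective():
    """The two-level case from the article: global rule plus sleep-dr."""
    return effective_traffic_policy(mesh=MESH_POLICY, service=SLEEP_POLICY)


def sleep_effective_with_namespace_rule():
    """Three levels: a namespace rule changes interval, sleep-dr still wins on the threshold."""
    return effective_traffic_policy(mesh=MESH_POLICY, namespace=NAMESPACE_POLICY,
                                    service=SLEEP_POLICY)


if __name__ == "__main__":
    print(envoy_outlier_detection(sleep_effective()))
    print(envoy_outlier_detection(sleep_effective_with_namespace_rule()))
```

Comparing `envoy_outlier_detection(...)` for a service against the `istioctl pc cluster` output is a quick way to confirm that inheritance is actually enabled: with `PILOT_ENABLE_DESTINATION_RULE_INHERITANCE` off, the service-level rule alone applies and the inherited `interval` and `baseEjectionTime` would be absent from the Envoy cluster.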