feat: istio native sidecars

pepr.ts

@@ -7,7 +7,6 @@ import { PeprModule } from "pepr";
 
 import cfg from "./package.json";
 
-import { istio } from "./src/pepr/istio";
 import { Component, setupLogger } from "./src/pepr/logger";
 import { operator } from "./src/pepr/operator";
 import { setupAuthserviceSecret } from "./src/pepr/operator/controllers/keycloak/authservice/config";
@@ -31,9 +30,6 @@ const log = setupLogger(Component.STARTUP);
     // UDS Core Policies
     policies,
 
-    // Istio service mesh
-    istio,
-
     // Prometheus monitoring stack
     prometheus,
 

src/istio/values/values.yaml

@@ -18,3 +18,4 @@ meshConfig:
 pilot:
   env:
     PILOT_JWT_ENABLE_REMOTE_JWKS: hybrid
+    ENABLE_NATIVE_SIDECARS: true

src/pepr/operator/controllers/istio/injection.ts

@@ -13,6 +13,7 @@ const log = setupLogger(Component.OPERATOR_ISTIO);
 
 const injectionLabel = "istio-injection";
 const injectionAnnotation = "uds.dev/original-istio-injection";
+const nativeIstioAnnotation = "uds.dev/native-istio-sidecars";
 
 /**
  * Syncs the package namespace istio-injection label and adds a label for the package name
@@ -29,40 +30,60 @@ export async function enableInjection(pkg: UDSPackage) {
   const originalInjectionLabel = labels[injectionLabel];
   const annotations = sourceNS.metadata?.annotations || {};
   const pkgKey = `uds.dev/pkg-${pkg.metadata.name}`;
+  const hasMigrationAnnotation = annotations[nativeIstioAnnotation] === "true";
 
   // Mark the original namespace injection setting for if all packages are removed
   if (!annotations[injectionAnnotation]) {
     annotations[injectionAnnotation] = originalInjectionLabel || "non-existent";
   }
 
-  // Ensure the namespace is configured
-  if (!annotations[pkgKey] || originalInjectionLabel !== "enabled") {
-    // Ensure Istio injection is enabled
+  let shouldRestartPods = false;
+
+  // Ensure native Istio migration annotation is present
+  if (!hasMigrationAnnotation) {
+    annotations[nativeIstioAnnotation] = "true";
+    log.info(`Adding native Istio migration annotation to namespace ${pkg.metadata.namespace}.`);
+    shouldRestartPods = true; // Pods need restarting for migration
+  }
+
+  // Ensure Istio injection is enabled
+  if (originalInjectionLabel !== "enabled") {
     labels[injectionLabel] = "enabled";
+    log.info(`Enabling Istio injection for namespace ${pkg.metadata.namespace}.`);
+    shouldRestartPods = true; // Pods need restarting due to label change
+  }
 
-    // Add the package annotation
+  // Ensure package-specific annotation is updated
+  if (annotations[pkgKey] !== "true") {
     annotations[pkgKey] = "true";
-
-    // Apply the updated Namespace
-    log.debug(`Updating namespace ${pkg.metadata.namespace} with istio injection label`);
-    await K8s(kind.Namespace).Apply(
-      {
-        metadata: {
-          name: pkg.metadata.namespace,
-          labels,
-          annotations,
-        },
-      },
-      { force: true },
+    log.info(
+      `Updating package-specific annotation for ${pkg.metadata.name} in namespace ${pkg.metadata.namespace}.`,
     );
+  }
 
-    // Kill the pods if we changed the value of the istio-injection label
-    if (originalInjectionLabel !== labels[injectionLabel]) {
-      log.debug(
-        `Attempting pod restart in ${pkg.metadata.namespace} based on istio injection label change`,
-      );
-      await killPods(pkg.metadata.namespace, true);
-    }
+  // Apply namespace updates if there are changes
+  const updatedNamespace = {
+    metadata: {
+      name: pkg.metadata.namespace,
+      labels,
+      annotations,
+    },
+  };
+
+  if (
+    JSON.stringify(sourceNS.metadata?.labels) !== JSON.stringify(labels) ||
+    JSON.stringify(sourceNS.metadata?.annotations) !== JSON.stringify(annotations)
+  ) {
+    log.debug(`Applying updates to namespace ${pkg.metadata.namespace}.`);
+    await K8s(kind.Namespace).Apply(updatedNamespace, { force: true });
+  } else {
+    log.debug(`No namespace updates needed for ${pkg.metadata.namespace}.`);
+  }
+
+  // Restart pods if required
+  if (shouldRestartPods) {
+    log.debug(`Restarting pods in ${pkg.metadata.namespace} due to configuration changes.`);
+    await killPods(pkg.metadata.namespace, true);
   }
 }
 
@@ -119,8 +140,8 @@ export async function cleanupNamespace(pkg: UDSPackage) {
 /**
  * Forces deletion of pods with the incorrect istio sidecar state
  *
- * @param ns
- * @param enableInjection
+ * @param ns The namespace to target
+ * @param enableInjection Whether injection is being enabled
  */
 async function killPods(ns: string, enableInjection: boolean) {
   // Get all pods in the namespace
@@ -135,7 +156,8 @@ async function killPods(ns: string, enableInjection: boolean) {
       continue;
     }
 
-    const foundSidecar = pod.spec?.containers?.find(c => c.name === "istio-proxy");
+    // note that this is `initContainers` now because that is how native sidecar works
+    const foundSidecar = pod.spec?.initContainers?.find(c => c.name === "istio-proxy");
 
     // If enabling injection, ignore pods that already have the istio sidecar
     if (enableInjection && foundSidecar) {

src/pepr/policies/common.ts

@@ -70,19 +70,17 @@ export function isIstioInitContainer(
   container?: V1Container,
 ) {
   // Check for the sidecar.istio.io/status annotation
-  const hasAnnotation = request.HasAnnotation("sidecar.istio.io/status");
-  if (!hasAnnotation) {
+  if (!request.HasAnnotation("sidecar.istio.io/status")) {
     return false;
   }
 
-  // Check for what looks like an istio sidecar
-  const possibleSidecar = request.Raw.spec?.containers?.find(
-    c =>
-      c.name === "istio-proxy" &&
-      c.ports?.find(p => p.name === "http-envoy-prom") &&
-      c.args?.includes("proxy"),
+  // Check for an Istio proxy in initContainers
+  const hasInitContainerSidecar = request.Raw.spec?.initContainers?.some(
+    c => c.name === "istio-proxy" && c.args?.includes("proxy"),
   );
-  if (!possibleSidecar) {
+
+  // Exit if no Istio proxy is found in initContainers
+  if (!hasInitContainerSidecar) {
     return false;
   }
 

src/pepr/policies/security.spec.ts

@@ -413,7 +413,7 @@ describe("security policies", () => {
     );
   });
 
-  it("should restrict capabilities.add", async () => {
+  it("should restrict capabilities.add for non-istio-init containers", async () => {
     const expected = (e: Error) =>
       expect(e).toMatchObject({
         ok: false,
@@ -425,7 +425,7 @@ describe("security policies", () => {
       });
 
     return Promise.all([
-      // Check for capabilities.add
+      // Check for capabilities.add with a regular container, which should fail
       K8s(kind.Pod)
         .Apply({
           metadata: {
@@ -439,7 +439,7 @@ describe("security policies", () => {
                 image: "127.0.0.1/fake",
                 securityContext: {
                   capabilities: {
-                    add: ["NET_ADMIN"],
+                    add: ["NET_ADMIN"], // This should trigger a failure since `NET_ADMIN` is not authorized for non-istio-init
                   },
                 },
               },