Support clusters running Istio (#493)

* Support clusters running Istio
metalbear-co · Oct 5, 2022 · 28856de · 28856de
1 parent ee7d864
commit 28856de
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 
 ### Fixed
 - `getaddrinfo` now uses [`trust-dns-resolver`](https://docs.rs/trust-dns-resolver/latest/trust_dns_resolver/) when resolving DNS (previously it would do a `getaddrinfo` call in mirrord-agent that could result in incompatibility between the mirrored pod and the user environments).
+- Support clusters running Istio. Closes [[#485](https://github.com/metalbear-co/mirrord/issues/485)].
 
 ## 3.0.11-alpha
 

diff --git a/mirrord-agent/src/steal.rs b/mirrord-agent/src/steal.rs
@@ -144,18 +144,21 @@ where
 
 enum IPTableFormatter {
     Normal,
-    Linkerd,
+    Mesh,
 }
 
 impl IPTableFormatter {
+    const MESH_OUTPUTS: [&'static str; 2] = ["-j PROXY_INIT_OUTPUT", "-j ISTIO_OUTPUT"];
+
     fn detect<IPT: IPTables>(ipt: &IPT) -> Result<Self> {
         let output = ipt.list_rules("OUTPUT")?;
 
-        if output
-            .iter()
-            .any(|rule| rule.contains("-j PROXY_INIT_OUTPUT"))
-        {
-            Ok(IPTableFormatter::Linkerd)
+        if output.iter().any(|rule| {
+            IPTableFormatter::MESH_OUTPUTS
+                .iter()
+                .any(|mesh_output| rule.contains(mesh_output))
+        }) {
+            Ok(IPTableFormatter::Mesh)
         } else {
             Ok(IPTableFormatter::Normal)
         }
@@ -164,7 +167,7 @@ impl IPTableFormatter {
     fn entrypoint(&self) -> &str {
         match self {
             IPTableFormatter::Normal => "PREROUTING",
-            IPTableFormatter::Linkerd => "OUTPUT",
+            IPTableFormatter::Mesh => "OUTPUT",
         }
     }
 
@@ -176,7 +179,9 @@ impl IPTableFormatter {
 
         match self {
             IPTableFormatter::Normal => redirect_rule,
-            IPTableFormatter::Linkerd => format!("-o lo {}", redirect_rule),
+            IPTableFormatter::Mesh => {
+                format!("-o lo {}", redirect_rule)
+            }
         }
     }
 }

diff --git a/mirrord-layer/src/pod_api.rs b/mirrord-layer/src/pod_api.rs
@@ -309,12 +309,23 @@ async fn create_job_pod_agent(
                     "name": mirrord_agent_job_name,
                     "labels": {
                         "app": "mirrord"
+                    },
+                    "annotations":
+                    {
+                        "sidecar.istio.io/inject": "false"
                     }
                 },
                 "spec": {
                 "ttlSecondsAfterFinished": config.agent.ttl,
 
                     "template": {
+                        "metadata": {
+                            "annotations":
+                            {
+                                "sidecar.istio.io/inject": "false"
+                            }
+                        },
+
                 "spec": {
                     "hostPID": true,
                     "nodeName": runtime_data.node_name,