serving: cluster-local visibility not working when using tags

In what area(s)?

/area networking

What version of Knative?

0.9.x

Expected Behavior

I set a service label:

kubectl label ksvc hello-springboot serving.knative.dev/visibility=cluster-local

The service should not be publicly available.

Actual Behavior

But the service is still publicly accessible.

Steps to Reproduce the Problem

kubectl label ksvc YOUR_SERVICE serving.knative.dev/visibility=cluster-local

Try to access the service publicly.

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 20 (13 by maintainers)

Most upvoted comments

So far I’ve been unable to reproduce this on Knative 0.11.0 with Istio 1.4.2.

+1
jamesward on Dec 16, 2019

To see this exhibited you need to have a traffic split in place.

+1
jamesward on Nov 2, 2019

I’m using 0.10.0 and still seeing the service accessible publicly.

status:
  address:
    url: http://hello-springboot.default.svc.cluster.local
  conditions:
  - lastTransitionTime: "2019-10-29T19:02:39Z"
    status: "True"
    type: ConfigurationsReady
  - lastTransitionTime: "2019-10-29T19:03:50Z"
    status: "True"
    type: Ready
  - lastTransitionTime: "2019-10-29T19:03:50Z"
    status: "True"
    type: RoutesReady
  latestCreatedRevisionName: hello-springboot-97qjk
  latestReadyRevisionName: hello-springboot-97qjk
  observedGeneration: 6
  traffic:
  - latestRevision: false
    percent: 80
    revisionName: hello-springboot-jrjw4
    tag: current
    url: http://current-hello-springboot.default.svc.cluster.local
  - latestRevision: true
    percent: 20
    revisionName: hello-springboot-97qjk
    tag: latest
    url: http://latest-hello-springboot.default.svc.cluster.local
  url: http://hello-springboot.default.svc.cluster.local

$ curl -v http://hello-springboot.default.$IP_ADDRESS.nip.io
* Rebuilt URL to: http://hello-springboot.default.35.223.5.46.nip.io/
*   Trying 35.223.5.46...
* TCP_NODELAY set
* Connected to hello-springboot.default.35.223.5.46.nip.io (35.223.5.46) port 80 (#0)
> GET / HTTP/1.1
> Host: hello-springboot.default.35.223.5.46.nip.io
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-length: 37
< content-type: text/plain;charset=UTF-8
< date: Tue, 29 Oct 2019 19:10:01 GMT
< x-envoy-upstream-service-time: 6
< server: istio-envoy
<
* Curl_http_done: called premature == 0
* Connection #0 to host hello-springboot.default.35.223.5.46.nip.io left intact
hello, world - hello-springboot-jrjw4
+1
jamesward on Oct 29, 2019
Read more comments on GitHub
← serving: Brief 404 errors after creating a route.
serving: conformance shouldn't depend on scale-to-zero  →