-
Bug
-
Resolution: Obsolete
-
Undefined
-
None
-
OSSM 2.4.0
-
False
-
None
-
False
-
-
When traffic is forbidden (status code 403) the istio-proxy logs invalid json. The following are not valid JSON values:
"request_duration": -
"response_tx_duration": -
"upstream_service_time": -
The whole line with "403" status code is below:
{ "authority": "channel-dtljyccs-kn-channel.tenant-1.svc.cluster.local", "bytes_received": 0, "bytes_sent": 19, "downstream_local_address": "10.131.2.30:8080", "downstream_peer_cert_v_end": "2023-09-27T07:44:45.000Z", "downstream_peer_cert_v_start": "2023-09-26T07:42:45.000Z", "downstream_remote_address": "10.130.2.25:59824", "downstream_tls_cipher": "TLS_AES_256_GCM_SHA384", "downstream_tls_version": "TLSv1.3", "duration": 0, "hostname": "kafka-channel-receiver-5d8f99847b-7wg9c", "istio_policy_status": "-", "method": "POST", "path": "/", "protocol": "HTTP/1.1", "request_duration": -, "request_id": "b10439d3-b182-44d7-a3bc-8f2a4693f023", "requested_server_name": "outbound_.80_._.channel-dtljyccs-kn-channel.tenant-1.svc.cluster.local", "response_code": "403", "response_duration": 0, "response_tx_duration": -, "response_flags": "-", "route_name": "-", "start_time": "2023-09-26T07:48:51.990Z", "upstream_cluster": "inbound|8080||", "upstream_host": "-", "upstream_local_address": "-", "upstream_service_time": -, "upstream_transport_failure_reason": "-", "user_agent": "Go-http-client/1.1", "x_forwarded_for": "-" }
When the traffic is allowed (response code 2xx), the values are correct:
"request_duration": 0
"response_tx_duration": 0
"upstream_service_time": 43
The whole log line is below:
{ "authority": "sink-ownrghca.serverless-tests.svc.cluster.local", "bytes_received": 7, "bytes_sent": 0, "downstream_local_address": "10.131.2.18:8012", "downstream_peer_cert_v_end": "2023-09-27T06:10:54.000Z", "downstream_peer_cert_v_start": "2023-09-26T06:08:54.000Z", "downstream_remote_address": "10.131.2.20:52160", "downstream_tls_cipher": "TLS_AES_256_GCM_SHA384", "downstream_tls_version": "TLSv1.3", "duration": 44, "hostname": "activator-69b7f975bb-f9bgw", "istio_policy_status": "-", "method": "POST", "path": "/", "protocol": "HTTP/1.1", "request_duration": 0, "request_id": "7ce67058-221c-4423-84a8-9edb5d075d62", "requested_server_name": "outbound_.80_._.sink-ownrghca-00001.serverless-tests.svc.cluster.local", "response_code": "202", "response_duration": 44, "response_tx_duration": 0, "response_flags": "-", "route_name": "default", "start_time": "2023-09-26T06:18:25.480Z", "upstream_cluster": "inbound|8012||", "upstream_host": "10.131.2.18:8012", "upstream_local_address": "127.0.0.6:45081", "upstream_service_time": 43, "upstream_transport_failure_reason": "-", "user_agent": "Go-http-client/1.1", "x_forwarded_for": "-" }
I understand that there are no good values for the respective fields when the traffic is forbidden but valid JSON should still be returned.
There are a few options:
- set value 0 (in this case the response code is 403 so it should be clear that the value 0 is not a real value)
- do not return the specific fields in the JSON if there are no valid values for them
- set value to math.MaxInt (the value is 9223372036854775807)