Ben Leggett

Results: 364 comments by Ben Leggett

> :-1: > > It is 100% unacceptable for us to take a working, running sidecar and suddenly stop capturing traffic. That is a critical CVE. Yes, it is also...

> There is one important limitation to mention about the code that verifies if the current state is "compatible" with the desired iptables. The implemented code verifies exact rule/chain matches...

> Yes, upgrade is the place where the limitation will show up, and it is a bummer... To be clear, I am not very worried about this limitation, changing the...

> We only want to accept the tradeoff when istio-init spuriously restarts, not if it failed previously. For any other case I think we need a "no tradeoffs" solution... >...

> @bleggett my concern is our contract is "We will initialize iptables at pod startup". We do this through CNI or init-containers. > > Kubernetes has a ~bug (maybe they...

> 2024-03-20 22:11:11.144 Error: UpdatePluginCacheTask::run: XDMP-WRONGHOST: Host 5726652083699477130(ml-cluster-0.ml-cluster.ml.svc.cluster.local) thinks it is really host 4934967208587200779(ml-cluster-1.ml-cluster.ml.svc.cluster.local). How is the app making the determination that there's a mismatch? Is it doing its own...

> > Generally LGTM but is `k8s.v1.cni.cncf.io/networks` _actually_ multus-specific? It seems to be general purpose and often used _with_ multus but I see it mentioned in other contexts such as:...

Even if we have a different top-level key, having both `pilot.cni.enabled` and `components.cni.enabled`, where they are entirely disjoint in use and function, is a chart smell. In charts, `components.cni.enabled` means...

For the chart to which the flag is scoped, the flag controls nothing but init container injection. We don't actually do global flag scoping, but the flag only makes sense...