Ben Leggett

Broader topic: in general, if we are making the claim that ambient is compatible with multiple CNIs, I think we need actual integration tests that run the ambient suite (or...

I actually think this is probably not directly related to ambient, and looks to be a problem with the existing sidecar detect-and-repair in Cilium. https://github.com/istio/istio/pull/49207 fixes a bug where `detect...

> can we remove that function? i don't think inpod mode needs it anymore? Inpod doesn't use any of these codepaths at all, this is isolated to sidecar repair (which...

Yep, the recommended way to do this is (and which we need to add to the docs) is to _unlabel_ namespaces/pods first (which should remove the redirection and iptables rules),...

> The previous bad parts of sidecar mode should not be left as a legacy. Agree, I think we can do better. > We can use istioctl to differentiate whether...

A further issue around upgrades is how the CNI agent could tell the difference between "being shut down for _upgrade_" and "being shut down for _uninstall_", for pods that are...

> > A further issue around upgrades is how the CNI agent could tell the difference between "being shut down for _upgrade_" and "being shut down for _uninstall_", for pods...

See also https://github.com/istio/istio/issues/49067

> I don't know that its explicitly "not implemented", I think its a bug. We would need to find the root cause before we fix. > > Note https://github.com/istio/istio/pull/48253/files changes...

@Str33tWalk3r and @tomahkvt please try installing Istio/the Istio CNI component with `--set values.cni.ambient.dnsCapture=true` e.g. https://github.com/bleggett/istio/blob/master/manifests/charts/istio-cni/values.yaml#L59 This is currently required for resolving ServiceEntries and other things within pods, but it is...