Ben Leggett

Results: 347 comments by Ben Leggett

> @kfaseela @bleggett I think before merging this we need to wait on `1.24.0-rc.0` Helm chart to be published - even if we can get the go.mod Istio tag to...

@nshankar13 can you rebase this against `master` now that https://github.com/istio/istio.io/pull/15898 is in?

My $0.02 is that

- `cni.dev/valid-attachments` is a better name anyway
- We don't have meaningful back compat concerns at this point for this feature

So tweaking the spec and...

Our users have encountered this (We believe) in Istio ambient as well

- https://github.com/istio/istio/issues/53105
- https://github.com/istio/istio/discussions/52893#discussioncomment-10866286

We SNAT kubelet health probes to link-local addresses, and if [POD_SECURITY_GROUP_ENFORCING_MODE=strict](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md#pod_security_group_enforcing_mode-v1110) (current default) those...

> When `POD_SECURITY_GROUP_ENFORCING_MODE` is set to strict, we either ignore link-local addresses or provide an option to ignore `link-local` addresses. This can address the issue here.

Yes, I notice that...

Actually, `vpc-cni` simply doesn't route link-local traffic correctly _at all_ in SGPP strict mode, no matter the contents of the SG - so this is still a bug with no...

> I think istio non ambient is doing its own attestation. That's the main user of it I know of. If the istio non ambient support could work with the...

@arndt-s

1. when you say "FD of workload" - what specific "part" of the workload does the FD refer to, in your examples? What _kind_ of FD is the proxy...

> [@bleggett](https://github.com/bleggett) if I understand your question correctly with the file descriptor of a network socket it's the process that initiated the connection in the first place (outgoing request).

Yeah...

> I have no clue why we put them in the pure helm charts, but they are used for sure in `istioctl install` which uses them for pruning.

Yeah -...