Ben Leggett
> > IIRC Cilium already supports supplying a template /etc/cni/net.d conflist during install. So (Op. 1) can already probably work. > > I think this is just a bool, so...
> > Every user that provisions their own nodes can do that today with Istio, or any number of other things, correct? Either you have the capability to provision nodes...
Related (port exclusions, etc): https://github.com/istio/istio/issues/43700 Configurable port capture exclusion is already something we support, and will probably have to support in ambient. It's unclear if we need much beyond that...
> @howardjohn @bleggett I wonder if we should instead switch to file delivery of certificates to Envoy instead of SDS because it's consistent with Kubernetes direction [kubernetes/enhancements#4318](https://github.com/kubernetes/enhancements/pull/4318). The existing providers...
Someone else mentioned to me they had issues with `k3d/k3s` specifically as well, using `flannel` - I'll take a look at that. We have integ tests that validate calico with...
Ah perfect. Thank you for digging. That tracks. Microk8s and minikube also use nonstandard cniConf/BinDirs. We already have some platform notes for those two here: https://istio.io/latest/docs/ops/ambient/install/platform-prerequisites/ but not one for...
> I run Istio ambient mode on k3s cluster (amd64) using Calico. It works fine. The commands are: > > ``` > curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn \ > INSTALL_K3S_EXEC='--flannel-backend=none...
> My original example was a k3s cluster with an external CNI (calico), so I don't think the k3s-specific CNI dir was the issue. I do **not** disable `network-policy` at...
From the logs, `istio-cni` can't run the iptables binary it ships with there, which means what you are seeing isn't related to calico. If it can't run the `iptables` binary,...
Okay, I'll try to repro on my end. This smells like a quirk of your specific underlying platform + k3s. One more thing to check - do you have access...