Ben Leggett
> File mounted certificates are coming to K8s core ([kubernetes/enhancements#4317](https://github.com/kubernetes/enhancements/issues/4317)) in 1.30, so it seems like it ought to be a viable option?
>
> The issue was about serverless...
Weirdly, that override is defined as a `global` in the Helm profile (which is wrong, it's only referenced in `ztunnel`).
You can also set `ztunnel.seLinuxOptions` directly, if you don't want the whole openshift profile: https://github.com/istio/istio/blob/master/manifests/charts/ztunnel/values.yaml#L96 we just need `spc_t` on ztunnel under `selinux`.
See also: https://github.com/istio/istio/discussions/51588#discussioncomment-9796772

Some CNIs block link-local IPs, some allow them through implicitly. We test Calico in our CI, so out of the box it should be fine.
This is likely calico-ebpf just blocking link-local packets entering/exiting the pod, which makes it semi-related to https://github.com/istio/istio/issues/52208#issuecomment-2256507080

If there's a config to tell calico to ignore link-local packets (or just...
Might be worth raising an issue with them.

1. It seems odd/a bug in their BPF progs that with _no_ policy in place, ingress would be allowed but egress would...
> Is that link-local address assigned to any local interface? Nope.
> I think Istio's expectation is that conntrack will pick up the link-local IP and reverse the SNAT and deliver the packet to the host. This does not happen and...
If we wanted to get wild, we could also have this make `istioctl analyze` warn you if you try to use any `sidecar.istio.io` labels - not including the CRDs probably...
Yep - the main thing is to get our integ tests running with dualstack (e.g. https://github.com/istio/istio/pull/51872 for ambient). Once they are we will be as confident as we can reasonably...