Ben Leggett

> I donot think we should deprecate a experimental featire flag but make it default. AFAIK most people in China just deplyed a ipv4 cluster Correct. If someone wants an...

> I think it makes sense to remove the dualstack flag because a lot of the code that was originally gated behind it is now always being executed. However, adding...

> Remove `EnableDualStack ` doenot mean eliminating the bugs around it. The bugs are around multi addresses changes. > > > Want IPv4 only? > > -> ipv6=false > >...

The root cause is likely the same as https://github.com/istio/istio/issues/52765 and would need a similar fix. https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md#pod_security_group_enforcing_mode-v1110 > inbound/outbound traffic from another pod on the same host or another service on...

See also https://github.com/aws/amazon-vpc-cni-k8s/issues/2797 which I think is the issue we are impacted by here.

(for anyone who finds this) more details for what exact EKS config is required to hit this added here: https://github.com/istio/istio.io/pull/15785 It is also worth noting that using AWS SecurityGroups to...

> **Please provide a description of this PR:** Allow serving Istio mTLS and user TLS on the same port if PeerAuthentication is permissive. See [RFC](https://docs.google.com/document/d/13ciYV5H85rOc_EH1LcuoVyCFxFu_n4SpNq1luvHmRmA/edit#heading=h.xw1gqgyqs5b). > > Fixes #51768 Depends...

> we are using the umbrella ambient chart. so if there is a race condition, it may be due to that Very likely, we don't test, document or support the...

[no-zt-conn.log](https://github.com/user-attachments/files/17740842/no-zt-conn.log) I can see this too, even with `istioctl`/no Helm - simply restarting `istio-cni` breaks something, even though we have `acked` a ztunnel connection and don't record a disconnection, when...

@rwong2888 Just merged a fix (I suspect) for this in https://github.com/istio/istio/pull/54565 - I'm backporting this to 1.24 so it should be in the next point release, as well as 1.25