Ben Leggett
> > excludeIPRanges: 10.51.160.0/19,10.51.128.0/19
> > DNS server is 10.51.192.10.
> > I am almost certain this is the same as #53949. Basically now the UDP respects the excludes

Yep,...
This has already been fixed/improved in the 1.25 docs with the `gke` platform profile. We really need a specific "here is how to generate templates from the charts" page, which...
https://github.com/istio/istio.io/pull/16057
> Thanks @bleggett Please push a PR

Done, thanks!
> What I had envisioned is a matchExpression on namespace+pod labels, just like webhooks (and a few Istio features like DiscoverySelectors, and some other things we have been discussing). i...
Actually - unrelated to the API discussion, I am reminded that https://github.com/istio/istio/issues/49009 is effectively a blocker for this. Since we do not unhook pods on `istio-cni` uninstall or upgrade (we...
Closing this for now, the selector-based API discussed here will likely be repurposed/employed for an iteration on the DNS exclusion stuff, in order to address concerns people had in the...
> @bleggett now that #49009 is closed, can AutoEnroll proceed safely?

Yeah, closing that resolved my concerns with this (and a few other longstanding issues to boot) - it will...
> For dedicated, it's less clear (and not yet solved, hence why it's WIP). I think we should just add a new config like DEDICATED_WORKLOAD=some-ns/some-workload-name or whatever. xref https://github.com/istio/ztunnel/issues/1198
> * Should we validate the IP address at all? Is there a case where some arbitrary external traffic hits our outbound listener somehow that we were protected against before...