Ben Leggett
@JingmingGuo please add release notes - thanks. This makes sense to me (and the TODO clearly implies a gap), but I don't have a ton of context.
> I think it's a good change but pretty risky - can you confirm the result by getting an iptables-save on a real pod ( the golden files are pretty...
> > > with this one rule
> > > -A OUTPUT -p udp -j ISTIO_OUTPUT
> > > I am not sure i can get what really it fix...
> https://prow.istio.io/view/gs/istio-prow/logs/integ-cni_istio_postsubmit/1788646342856282112
>
> (should we be testing CNI from 1.11 "N-1"? Probably not)

Didn't know we had a test for this. We should have this for `ambient` as well,...
> @bleggett mind reviewing? postsubmit is broken without this

Thought I had, apparently not.
Okay I didn't realize this would kill about 2K LOC. +1 then.
This is an extremely old version of linux/iptables (1.4 is from 2012), and centos7 is ~1 month away from EOL. It might be because the container iptables binary and the...
I can't repro this in a centos7 Docker image, with iptables `1.4.21`:
```
[root@d48fd0199421 /]# iptables -t nat -N ISTIO_OUTPUT
[root@d48fd0199421 /]# iptables -t nat -A ISTIO_OUTPUT -p tcp -m...
```
> Thanks @escoffier! Seems we should document this as a limitation for centOS 7 under https://istio.io/latest/docs/ambient/install/platform-prerequisites/? PR would be welcome!

No, we need to update https://istio.io/latest/docs/setup/platform-setup/prerequisites/#kernel-module-requirements-on-cluster-nodes as @howardjohn mentioned. Also,...
Doc PR: https://github.com/istio/istio.io/pull/15121