Dave Protasowski
/lifecycle frozen /triage accepted It looks like there's a Kubernetes API to perform eviction since 1.22+ ([link](https://kubernetes.io/docs/concepts/scheduling-eviction/api-eviction/)) - it would be worth exploring the possibility of the autoscaler using this API...
> This foremost requires scanning all the pods to find the ones to scale down. Which is pretty expensive and hence even for metric sampling we do not do that....
> @dprotaso Just following up on this. Let me know if this might be a bug or I'm missing something.

@JonKusz we would still be scraping the Revision's ClusterIP -...
> Just following up on the topic here. Is it possible to have mTLS without Istio with an Ingress with Queue Proxy as Sidecar? Is it possible to use mTLS...
> I cannot use service mesh because of fips and compliance issues

Can you elaborate on this? Why don't service meshes help in this case?
Looks like Istio lets you use bring your own CA - https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/
> What is the configuration to make contour envoy pass through tls.

This isn't possible - and if it were I don't think Knative would work - as we expect...
You can't manipulate request headers when doing passthrough. We have an internal data plane contract between components to support features like activation. I would pursue bringing your own CA to...
> We intercept the probes on the primary container (as determined by specifying one containerPort, rather than zero) to enable the queue-proxy and activator to probe for initial readiness at...
To elaborate a bit more - even if we complete #1 since our sidecar is unable to perform exec probes we should probably fall back on #2 - and have...