John Howard
> is significantly better than `principal: k8s:namespace:sa` Setting aside what is a better UX, which is a higher opinionated topic... I functionally don't think we can do this. The contract...
To be super clear -- the use case I am trying to solve is this: https://istio.io/latest/blog/2022/get-started-ambient/#l4-authorization-policies. The **vast** majority of policies are of this form, and it's such a huge...
> We can make it easier by allowing the user to specify just a namespace - hard to make it easier than that. This is already supported in the API...
I'd check out https://istio.io/latest/blog/2020/dns-proxy/. tl;dr without DNS proxying on, Istio cannot distinguish these at the TCP level
I got the same on Linux + k3d:

```
$ k get nodes -owide
NAME                       STATUS   ROLES                  AGE     VERSION        INTERNAL-IP   EXTERNAL-IP   OS-IMAGE   KERNEL-VERSION   CONTAINER-RUNTIME
k3d-wasm-cluster-server-0  Ready    control-plane,master   6m40s   v1.27.8+k3s2   172.19.0.2...
```
Working (kind):

```
# ipset list
Name: istio-inpod-probes-v4
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 801
References: 1
Number of entries: 5
Members:...
```
Go ipset:

```
sendto(3, [ {nlmsg_len=76, nlmsg_type=NFNL_SUBSYS_IPSET
```
I also looked into the error messages to see if the Go library was missing error context from the kernel. It's not; the ipset CLI just parses IPSET_ERR_COMMENT ('4112') into...
Comparing the ipset from the working vs not working, I also notice the broken one has `Revision:5` on the ipset. The working has `Revision:0`. I don't know where this comes...
One thing I don't get... how does the container image/version impact this?? We should just be going `istio-cni Go code --> kernel` I thought