John Howard
I am not sure why we would bother with the taint if we have the init container anyways
Ok so two distinct modes, then. Just to clarify, taint is not just documentation. There is an Istio-side implementation required, and there are complexities I cannot discuss publicly (for a...
> Why would these not work on ztunnel restart?

IMO: Denying all traffic is ok (but obviously should be avoided where possible). Traffic bypassing ztunnel entirely is not So not...

> Is there a chance that node agent can validate the rule and then delay the application start

The race is that the node agent hasn't even started yet
A really really bad idea that might be possible... in the CNI flow, at some point the pod IP is written to the pod spec. We could add a hook...
There is no pilot-agent running anywhere in ambient
On drain envoy should be sending connection:close header. Is it not happening or is Prometheus ignoring it?
debug logs can answer that
Ok was wondering if the failure makes it not send `close`; it does appear correct in my test:
```
/ $curl 10.244.0.12:808 -v;echo
* Trying 10.244.0.12:808...
* Connected to 10.244.0.12...
```
Yeah which is actually expected probably, prometheus is expected to call during shutdown. I wonder if the timing out the checks to open connections and prometheus scrape interval is aligning...