Keith Mattix II

icon indicating an email [email protected]

icon company @microsoft icon location Dallas, TX icon location Istio @ Microsoft

Results 442 comments of Keith Mattix II

Impossible to parse stat tags with clusters containing `.` in the name

We were able to get past this in Istio via a combination of alt_stat_name and the %UPSTREAM_CLUSTER_RAW% stream formatter 👍🏾

Add ambient mode caveats

I agree with Steven: lack of service discovery config sent to a sidecar is NOT a security boundary. exportTo on its own doesn't even limit calling the service from a...

CNI can miss file removals in edge cases

Not stale

Sidecar -> Ztunnel doesn't translate `ISTIO_MUTUAL` to HBONE

How is istiod supposed to know whether a particular destination hostname is ambient or not?

1.24.1 tracking issue

@leosarra Oh nice; that would be great! /cc @jaellio

1.24.1 tracking issue

Actually, I think @jaellio already has a PR somewhere; maybe they look ~the same?

Ambient: leaked pod in snapshot, leading to ztunnel failing to startup

> We ensure the pod UID is in the snapshot as a first concern on Add, and only remove it on an explicit informer pod Remove - an Add failure...

istio-cni: failed to remove pod from mesh

Are you running with seLinux configured by any chance?

istio-cni: failed to remove pod from mesh

This is super helpful, thanks for sharing! Yeah it looks like AppArmor doesn't want istio-cni to have access to that directory despite it having CAP_SYS_PTRACE capabilities

istio-cni: failed to remove pod from mesh

Can you try setting the appArmor profile to Unconfined? https://kubernetes.io/docs/tutorials/security/apparmor/#securing-a-pod /cc @howardjohn