Laurent Demailly
See also https://istio.io/docs/setup/kubernetes/mesh-expansion.html
@louiscryan fortio reports the exact number of sockets it had to open; if connections get closed in the middle, the number reported is not equal to the input -c connections...
yes, the goal of that init container and option is to capture (or not capture) envoy crashes, if any; https://github.com/istio/istio/issues/3064 is tracking to confirm if it does work (on ci...
there are libc differences we have to be careful about, but if the master envoy is using alpine and working well, that sounds like a good idea (at least for...
PR is welcome if you have a pressing need for it :-)
moving for the oncall to reply
I don't know that this has been solved (the crosslinked issue had to do with using nginx, not specifically about GKE + istio-ingress (now gateway) preserving client IP) - @andraxylia ?
you can check the mesh expansion - it does VM registration in k8s api server which lets the istio CA and the auth node agent fetch the certs for the...
NET_ADMIN is the one we really want, the full privileged was said to be necessary in some environment (which git blame may be able to track)
just to recap, only 1 init container runs with NET_CAP_ADMIN during initialization, not at all 'every user workload on the cluster runs a privileged'