wpbeckwith

OK, coming back to this issue, I've upgraded to the latest release, 1.22.3 and with the cilium settings of ``` bpf: masquerade: false ``` I see the following in the...

Here's the log for the istio-cni-node pods that has the ``` # I disabled ambient for the gitea namesapce 2024-08-08T18:52:54.899135Z info cni-agent Namespace gitea is disabled from ambient mesh 2024-08-08T18:52:54.899749Z...

@bleggett Ok, this is validated in our env that setting `bpf.masquerade=false` does allow the readiness/liveness probes to work for our example deployment. However, the gitea helm chart install still fails....

Here's the ztunnel logs from adding the gitea namespace to the ambient. ``` ztunnel-nczwd 2024-08-10T15:08:50.035645Z info inpod::statemanager pod WorkloadUid("31359d33-70b3-4823-b2c5-26ae61d929a4") received netns, starting proxy ztunnel-nczwd 2024-08-10T15:08:50.035742Z info proxy::inbound listener established address=:15008...

I tried installing a dev build with ``` TAG=$(curl https://storage.googleapis.com/istio-build/dev/latest) wget https://storage.googleapis.com/istio-build/dev/$TAG/istioctl-$TAG-osx.tar.gz tar -xvf istioctl-$TAG-osx.tar.gz ./istioctl version client version: 1.24-alpha.29db22a758f8612e26658e870f820b06d56a8ef8 control plane version: 1.22.3 data plane version: 1.22.3 (9 proxies)...

I was shocked to discover that gitea actually installs 3 NetPols. Once I added port 15008 to the ingress for each then they all have continued in a ready state....