Describe the feature request
In ambient, we create custom ISTIO_XXX prefixed chains for our custom iptables rules, and only put our custom rules in these prefixed chains. This makes cleanup and upgrade simpler (the main table/chain has one jump to our custom chain, so we can remove the jump and the prefixed chains safely), and is the only pattern we should follow for Istio-specific iptables rules, no matter the context (sidecar or node).
In sidecar, we are still slamming a bunch of rules into the main table/chain, e.g. many of the sidecar DNS rules are just in OUTPUT and should be in a custom chain named ISTIO_OUTPUT or similar:
istio/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden, line 24 at commit 5789705
Sidecar rule creation should be tweaked to create and insert all rules into custom chains, like ambient does.
We have considered adding a WARN nag to rules cleanup that will flag any non-jump rules in main tables: #50328 (comment) - a PR to fix this issue should eliminate all outstanding WARNs.
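The check such a WARN nag would perform, written here as an added Go example (not code from istio-iptables): it scans iptables-save text and flags every rule appended to a built-in chain whose target is not an ISTIO_-prefixed chain, which is exactly the kind of rule that plain jump-and-chain cleanup cannot remove. The sample ruleset, its ports and the hypothetical ISTIO_* chain names are constructed assumptions, not copied from the golden file.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed sample in iptables-save format (an assumption, not the golden file):
// nat OUTPUT holds one jump into ISTIO_OUTPUT plus DNS rules placed directly in it.
const sampleSave = `*nat
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 15053
-A ISTIO_OUTPUT -o lo -j RETURN
COMMIT
`
// Built-in chains that should carry nothing but jumps into ISTIO_* chains.
var builtinChains = map[string]bool{
	"PREROUTING": true, "INPUT": true, "FORWARD": true, "OUTPUT": true, "POSTROUTING": true,
}
// Finding is a rule in a built-in chain that is not an ISTIO_* jump, so cleanup
// cannot remove it just by deleting the jump and the custom chain.
type Finding struct{ Table, Chain, Rule string }

// FindNonJumpRules scans iptables-save text and reports every "-A <builtin>"
// rule whose target is not an ISTIO_-prefixed chain.
func FindNonJumpRules(save string) []Finding {
	var out []Finding
	table, sc := "", bufio.NewScanner(strings.NewReader(save))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		switch {
		case strings.HasPrefix(line, "*"):
			table = line[1:] // table header such as *nat
		case len(f) > 2 && f[0] == "-A" && builtinChains[f[1]] && !istioJump(f[2:]):
			out = append(out, Finding{Table: table, Chain: f[1], Rule: line})
		}
	}
	return out
}

// istioJump is true when the rule's target (-j or -g) is an ISTIO_* chain.
func istioJump(args []string) bool {
	for i := 0; i+1 < len(args); i++ {
		if args[i] == "-j" || args[i] == "-g" {
			return strings.HasPrefix(args[i+1], "ISTIO_")
		}
	}
	return false
}
```

Run against the sample, it reports the two UDP/53 rules sitting in nat OUTPUT and nothing for the jump or for rules inside ISTIO_OUTPUT; feeding it real `iptables-save` output gives the list a cleanup WARN would print.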
Describe alternatives you've considered
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[x] Dual Stack
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context