sidecar iptables - istio-specific rules should only be inserted into custom chains #50532
Labels
Comments
13 tasks
|
I am adding a |
bleggett
added
the
good first issue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature request
In ambient, we create custom
ISTIO_XXXprefixed chains for our custom iptables rules, and only put our custom rules in these prefixed chains.This makes cleanup and upgrade simpler (main table/chain has one jump to our custom chain, we can remove the drop and the prefixed chains safely), and is the only pattern we should follow for Istio-specific iptables rules, no matter the context (sidecar or node).
In sidecar, we are still slamming a bunch of rules into the main table/chain, e.g: many of the sidecar DNS rules are just in OUTPUT and should be in a custom chain named ISTIO_OUTPUT or similar:
istio/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
Line 24 in 5789705
Sidecar rule creation should be tweaked to create and insert all rules into custom chains, like ambient does.
We have considered adding a WARN nag to rules cleanup that will flag any non-jump rules in main tables: #50328 (comment) - a PR to fix this issue should eliminate all outstanding WARNs.
Describe alternatives you've considered
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[x] Dual Stack
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context
The text was updated successfully, but these errors were encountered: