Add ambient mode caveats

networking/v1alpha3/service_entry.proto

@@ -464,6 +464,9 @@ message ServiceEntry {
   // 1. subjectAltNames: In addition to verifying the SANs of the
   //    service accounts associated with the pods of the service, the
   //    SANs specified here will also be verified.
+  //
+  // **NOTE 3:** Ambient mode does not support wildcard hostsnames.
+  //
   // +kubebuilder:validation:MinItems=1
   // +kubebuilder:validation:MaxItems=256
   // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
@@ -595,6 +598,9 @@ message ServiceEntry {
   // For a Kubernetes Service, the equivalent effect can be achieved by setting
   // the annotation "networking.istio.io/exportTo" to a comma-separated list
   // of namespace names.
+  //
+  // **Note:** Ambient mode does not support this field. Service entries will
+  // be exported to all namespaces.
   repeated string export_to = 7;
 
   // If specified, the proxy will verify that the server certificate's

networking/v1alpha3/sidecar.proto

@@ -21,8 +21,9 @@ syntax = "proto3";
 // $aliases: [/docs/reference/config/networking/v1alpha3/sidecar]
 
 // `Sidecar` describes the configuration of the sidecar proxy that mediates
-// inbound and outbound communication to the workload instance it is attached to. By
-// default, Istio will program all sidecar proxies in the mesh with the
+// inbound and outbound communication to the workload instance it is attached to.
+// `Sidecar` only applies to Sidecar mode.
+// By default, Istio will program all sidecar proxies in the mesh with the
 // necessary configuration required to reach every workload instance in the mesh, as
 // well as accept traffic on all the ports associated with the
 // workload. The `Sidecar` configuration provides a way to fine tune the set of

networking/v1alpha3/virtual_service.proto

@@ -818,6 +818,8 @@ message HTTPMatchRequest {
   //
   // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
   // VirtualService applies to.
+  //
+  // **Note:** Ambient mode does not support this field.
   map<string, string> source_labels = 7;
 
   // Names of gateways where the rule should be applied. Gateway names
@@ -859,6 +861,8 @@ message HTTPMatchRequest {
   //
   // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
   // VirtualService applies to.
+  //
+  // **Note:** Ambient mode does not support this field.
   string source_namespace = 13;
 
   // The human readable prefix to use when emitting statistics for this route.
@@ -990,6 +994,8 @@ message L4MatchAttributes {
   //
   // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
   // VirtualService applies to.
+  //
+  // **Note:** Ambient mode does not support this field.
   map<string, string> source_labels = 4;
 
   // Names of gateways where the rule should be applied. Gateway names
@@ -1003,6 +1009,8 @@ message L4MatchAttributes {
   //
   // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
   // VirtualService applies to.
+  //
+  // **Note:** Ambient mode does not support this field.
   string source_namespace = 6;
 }
 
@@ -1034,6 +1042,8 @@ message TLSMatchAttributes {
   //
   // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
   // VirtualService applies to.
+  //
+  // **Note:** Ambient mode does not support this field.
   map<string, string> source_labels = 5;
 
   // Names of gateways where the rule should be applied. Gateway names
@@ -1047,6 +1057,8 @@ message TLSMatchAttributes {
   //
   // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
   // VirtualService applies to.
+  //
+  // **Note:** Ambient mode does not support this field.
   string source_namespace = 7;
 }