Merged
34 commits
429b2cc
Feat: Migrated to Istio 1.26.1 and merged istio and istio cni
madmecodes Jun 2, 2025
b1ffa69
update: unit tests error duplicate CRD fix
madmecodes Jun 3, 2025
f469eec
TEST: standard istio as patch
madmecodes Jun 3, 2025
d470cd6
update: fix istio install Cluster Specific
madmecodes Jun 3, 2025
975fe33
update: readme and standard to insecure naming convention
madmecodes Jun 3, 2025
5b7e93c
update: istio cni and non cni tested
madmecodes Jun 3, 2025
fe5b32a
update readme switch
madmecodes Jun 3, 2025
f8c2d3b
update: Synch script updated acc. to new structure
madmecodes Jun 3, 2025
71d6943
update kserve readme
madmecodes Jun 3, 2025
06080c1
update: renamed istio-1-26 to istio only
madmecodes Jun 3, 2025
8404060
Update README.md
juliusvonkohout Jun 3, 2025
c37efbf
Apply suggestions from code review
juliusvonkohout Jun 3, 2025
44230f4
Update kustomization.yaml
juliusvonkohout Jun 3, 2025
3844f43
Delete common/istio/istio-install/overlays/insecure/install-insecure.…
juliusvonkohout Jun 3, 2025
dddb033
Delete common/istio/istio-install/overlays/insecure/patches directory
juliusvonkohout Jun 3, 2025
d56e54f
Update kustomization.yaml
juliusvonkohout Jun 3, 2025
8d89832
Update README.md
juliusvonkohout Jun 3, 2025
073098a
Update README.md
juliusvonkohout Jun 3, 2025
cbfa44d
feat: add minimal insecure overlay for Istio CNI Patches sidecar inje…
madmecodes Jun 7, 2025
b7af4f8
TEST: standard istio as patch
madmecodes Jun 10, 2025
7ab891a
update: CNI and insecure pipeline gh action workflow added
madmecodes Jun 13, 2025
fee6a65
update: istio validation and kustomisation insecure
madmecodes Jun 13, 2025
c04fe0c
update: verbose kustomisation because the insecure overlay was failin…
madmecodes Jun 17, 2025
82fbdc4
fix: yq to grep for tests
madmecodes Jun 17, 2025
7d830f6
fix: single quote
madmecodes Jun 17, 2025
e16e9b2
Delete scripts/trivy_scan.py
juliusvonkohout Jun 17, 2025
4fcf756
Update trivy_scan.py
juliusvonkohout Jun 17, 2025
1e4ac35
Update istio_validation.yaml
juliusvonkohout Jun 17, 2025
dffec6c
Update: pss updated
madmecodes Jun 17, 2025
e91a3d7
update: multi-tenancy fix
madmecodes Jun 17, 2025
26cde01
update: added PSS in remaining ns
madmecodes Jun 17, 2025
1ab6a58
update: added auth policy test for insecure istio
madmecodes Jun 17, 2025
37c0335
update: PSS baseline check for CNI only not for insecure non-cni
madmecodes Jun 17, 2025
c090f49
fix: kserve filing tests
madmecodes Jun 17, 2025
Why is this needed? I think the profile controller creates it by default.

@@ -0,0 +1,13 @@
---

Check warning on line 1 in common/istio/istio-install/overlays/insecure/allow-namespace-traffic.yaml (GitHub Actions / format_YAML_files): 1:1 [document-start] found forbidden document start "---"
# Allow traffic within kubeflow-user-example-com namespace for testing, do we need it here or shall i add just in GHA worklow, since its just for the test?
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-test-namespace-traffic
namespace: kubeflow-user-example-com
spec:
action: ALLOW
rules:
- from:
- source:
namespaces: ["kubeflow-user-example-com"]
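
Review bot: the file's own comment calls this AuthorizationPolicy test-only, yet it is placed in the insecure overlay with a hardcoded `namespace: kubeflow-user-example-com`, so every install of the overlay would ship it; moving it into the GitHub Actions workflow that needs it (the option the comment itself raises) keeps the overlay minimal. As written the policy has no `selector` and the rule has no `to` clause, so it allows all traffic from any workload in that namespace to every workload in it; if the file stays, replace the open question in the comment with a statement of that intent. The leading `---` on line 1 is what the format_YAML_files check flags as a forbidden document start and should be dropped.
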
@juliusvonkohout (Member), Jun 3, 2025

Please redo this from scratch. It should only patch out the CNI enablement in the sidecar. Nothing else. More than 30 lines in total is probably not the right way. Especially more than 20.000 lines. We don't want to maintain this many lines.

@juliusvonkohout (Member), Jun 9, 2025

What did you do with

        - name: EXTERNAL_ISTIOD
          value: "false"
        - name: PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY
          value: "true"
        - name: PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION
          value: "true"
        - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
          value: "true"

Why did you add this? Why is it needed to disable istio-cni?

Where is the simple inline delete patch for the daemonset?

@@ -5,6 +5,7 @@ resources:
- ../oauth2-proxy
- ../../../istio-namespace/base
- namespaces-pss-privileged.yaml
- allow-namespace-traffic.yaml

patches:
- path: configmap-patch.yaml
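
Review bot: the added `- allow-namespace-traffic.yaml` entry under `resources` pulls a policy scoped to `kubeflow-user-example-com` into every build of this kustomization, and the visible entries do not make clear that the namespace exists at that point; if it only appears once a profile is created, applying this on a fresh cluster can fail on the missing namespace. Either apply the policy from the test workflow after the namespace exists, or document the ordering requirement next to the entry.
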