Results 1 - 10 of 18 for heading (0.19 sec)
architecture/ambient/ztunnel.md
This only applies to selector-based policies; namespaced and global policies can be handled without needing to list them out in the Workload API.

## Redirection

As ztunnel aims to transparently encrypt and route users' traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods. This is a security-critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.
Plain Text - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Thu Apr 25 22:35:16 GMT 2024 - 16.6K bytes - Viewed (0) -
cni/pkg/iptables/iptables.go
    "-i", "lo", "-j", "ACCEPT")
    // CLI: -A ISTIO_PRERT -p tcp -m tcp --dport <INPORT> -m mark ! --mark 0x539/0xfff -j TPROXY --on-port <INPORT> --on-ip 127.0.0.1 --tproxy-mark 0x111/0xfff
    //
    // DESC: Anything heading to <INPORT> that does not have the mark, TPROXY to ztunnel inbound port <INPORT>
    iptablesBuilder.AppendRule(
        iptableslog.UndefinedCommand, ChainInpodPrerouting, iptablesconstants.MANGLE,
        "-p", "tcp", "-m", "tcp",
Go - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Tue May 07 19:54:50 GMT 2024 - 19.7K bytes - Viewed (0) -
cni/pkg/ipset/nldeps_linux.go
        }
        return nil
    }

    // Alpine and some distros struggle with this - ipset CLI utilities support this, but
    // the kernel can be out of sync with the CLI utility, leading to errors like:
    //
    // ipset v7.10: Argument `comment' is supported in the kernel module of the set type hash:ip
    // starting from the revision 3 and you have installed revision 1 only.
    // Your kernel is behind your ipset utility.
Go - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Tue Apr 30 22:24:38 GMT 2024 - 3.9K bytes - Viewed (0) -
manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
        verbs: ["update", "patch"]
      - apiGroups: ["gateway.networking.k8s.io"]
        resources: ["gatewayclasses"]
        verbs: ["create", "update", "patch", "delete"]
      # Needed for multicluster secret reading, possibly ingress certs in the future
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get", "watch", "list"]
      # Used for MCS serviceexport management
      - apiGroups: ["{{ $mcsAPIGroup }}"]
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri Apr 12 16:44:32 GMT 2024 - 5.7K bytes - Viewed (0) -
cni/pkg/nodeagent/informers.go
    // test flakes with the fake kube client in `pkg/kube/client.go` -
    // because we are using `List()` in the handler, without this requeue,
    // the fake client will sometimes drop pod events leading to test flakes.
    //
    // WaitForCacheSync *helps*, but does not entirely fix this problem
    s.namespaces = kclient.New[*corev1.Namespace](kubeClient)
Go - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri May 03 19:29:42 GMT 2024 - 9.6K bytes - Viewed (0) -
operator/cmd/mesh/testdata/manifest-generate/data-snapshot.tar.gz
`Deployment.spec.selector` labels must match. If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: ```yaml app: istio-gateway istio: gateway # the release name with leading istio- prefix stripped ``` If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels `foo=bar,istio=ingressgateway`: ```yaml name: my-custom-gateway...
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Wed Jan 10 05:10:03 GMT 2024 - 198.1K bytes - Viewed (1) -
manifests/charts/istiod-remote/templates/clusterrole.yaml
        verbs: ["update", "patch"]
      - apiGroups: ["gateway.networking.k8s.io"]
        resources: ["gatewayclasses"]
        verbs: ["create", "update", "patch", "delete"]
      # Needed for multicluster secret reading, possibly ingress certs in the future
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get", "watch", "list"]
      # Used for MCS serviceexport management
      - apiGroups: ["{{ $mcsAPIGroup }}"]
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri Apr 12 16:44:32 GMT 2024 - 5.8K bytes - Viewed (0) -
common-protos/k8s.io/api/networking/v1alpha1/generated.proto
    // An IP address can be represented in different formats, to guarantee the uniqueness of the IP,
    // the name of the object is the IP address in canonical format, four decimal digits separated
    // by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6.
    // Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1
    // Invalid: 10.01.2.3 or 2001:db8:0:0:0::1
    message IPAddress {
Plain Text - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Mon Mar 11 18:43:24 GMT 2024 - 6K bytes - Viewed (0) -
cni/pkg/nodeagent/ztunnelserver.go
        fd := int(wl.Netns.Fd())
        log.Infof("Sending local pod %s ztunnel", uid)
        resp, err = conn.sendMsgAndWaitForAck(&zdsapi.WorkloadRequest{
            Payload: &zdsapi.WorkloadRequest_Add{
                Add: &zdsapi.AddWorkload{
                    Uid:          uid,
                    WorkloadInfo: wl.Workload,
                },
            },
        }, &fd)
    } else {
        log.Infof("netns not available for local pod %s. sending keep to ztunnel", uid)
Go - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri Apr 12 21:47:31 GMT 2024 - 12.4K bytes - Viewed (0) -
common-protos/k8s.io/api/core/v1/generated.proto
    // for when the pod needs a feature only available to the host user namespace, such as
    // loading a kernel module with CAP_SYS_MODULE.
    // When set to false, a new userns is created for the pod. Setting false is useful for
    // mitigating container breakout vulnerabilities even allowing users to run their
    // containers as root without actually having root privileges on the host.
Plain Text - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Mon Mar 11 18:43:24 GMT 2024 - 255.8K bytes - Viewed (0)