istio / 37057.yaml
50 lines · 2.2 KB

apiVersion: release-notes/v2
kind: feature
area: traffic-management

# issue is a list of GitHub issues resolved in this note.
# If issue is not in the current repo, specify its full URL instead.
issue:
- 37057

# releaseNotes is a markdown listing of any user facing changes. This will appear in the
# release notes.
releaseNotes:
- |
  **Added** new configuration options to `istio-iptables` and `istio-clean-iptables`
  for including/excluding certain user groups from interception of the outgoing traffic
  generated by them.

  This feature is intended primarily for use on VMs, where system administrators need
  to restrain interception of the outgoing traffic down to a few applications instead
  of intercepting all outgoing traffic.

  By default, as before, Istio Sidecar will intercept outgoing traffic from all processes,
  no matter what user groups they are running under.

  To change this behavior, system administrators can now use 2 new environment variables
  supported by `istio-iptables` and `istio-clean-iptables` - `ISTIO_OUTBOUND_OWNER_GROUPS`
  and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE`.

  `ISTIO_OUTBOUND_OWNER_GROUPS` - is a comma separated list of groups whose outgoing traffic
  should be redirected to Envoy (sidecar).
  A group can be specified either by name or by a numeric GID.
  The wildcard character `*` can be used to configure redirection of traffic from all groups
  (default).

  `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` - is a comma separated list of groups whose outgoing
  traffic should be excluded from redirection to Envoy (sidecar).
  A group can be specified either by name or by a numeric GID.
  Only applies when traffic from all groups (i.e. `*`) is being redirected to Envoy (sidecar).

  `ISTIO_OUTBOUND_OWNER_GROUPS` and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` are mutually
  exclusive, use only one of them.

  E.g.,

  * `ISTIO_OUTBOUND_OWNER_GROUPS=101,java` instructs to intercept outgoing traffic only from
    those processes that run under one of the user groups `101` (by `GID`) or `java` (by name).

  * `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202` instructs to intercept outgoing traffic
    from all processes except for those that run under one of the user groups `202` (by `GID`)
    or `root` (by name).
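
The selection rules described in this note, as an added Go example that is not code from the Istio repository: it treats an empty or `*` include list as "all groups" and rejects an explicit include list combined with an exclude list. `Policy`, `ParsePolicy` and `Redirected` are hypothetical names, and matching a process by a single group (GID or name, both passed as strings) is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Policy is a hypothetical model of the two variables (not Istio's own type).
type Policy struct{ Include, Exclude []string }

// split breaks a comma separated value into entries, dropping empty ones.
func split(v string) []string {
	return strings.FieldsFunc(v, func(r rune) bool { return r == ',' || r == ' ' })
}

func (p Policy) all() bool { return len(p.Include) == 1 && p.Include[0] == "*" }

// ParsePolicy applies the documented default (`*`) and refuses an explicit
// include list that is combined with an exclude list.
func ParsePolicy(include, exclude string) (Policy, error) {
	p := Policy{split(include), split(exclude)}
	if len(p.Include) == 0 {
		p.Include = []string{"*"}
	}
	if !p.all() && len(p.Exclude) > 0 {
		return Policy{}, errors.New("set only one of ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE")
	}
	return p, nil
}

// Redirected reports whether a process in group (gid, name) is sent to Envoy.
func (p Policy) Redirected(gid, name string) bool {
	match := func(list []string) bool {
		for _, g := range list {
			if g == gid || g == name {
				return true
			}
		}
		return false
	}
	if p.all() {
		return !match(p.Exclude) // exclude list only matters under `*`
	}
	return match(p.Include)
}

func main() {
	p, err := ParsePolicy("101,java", "") // first example from the note
	fmt.Println(p.Redirected("101", "app"), p.Redirected("0", "root"), err)
}
```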
