apiVersion: release-notes/v2
kind: feature
area: traffic-management

# issue is a list of GitHub issues resolved in this note.
# If issue is not in the current repo, specify its full URL instead.
issue:
- 37057

# releaseNotes is a markdown listing of any user facing changes. This will appear in the
# release notes.
releaseNotes:
- |
  **Added** new configuration options to `istio-iptables` and `istio-clean-iptables`
  for including/excluding certain user groups from interception of the outgoing traffic
  generated by them.

  This feature is intended primarily for use on VMs, where system administrators need
  to restrict interception of outgoing traffic to a few applications instead
  of intercepting all outgoing traffic.

  By default, as before, Istio Sidecar will intercept outgoing traffic from all processes,
  no matter what user groups they are running under.

  To change this behavior, system administrators can now use two new environment variables
  supported by `istio-iptables` and `istio-clean-iptables` - `ISTIO_OUTBOUND_OWNER_GROUPS`
  and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE`.

  `ISTIO_OUTBOUND_OWNER_GROUPS` - is a comma separated list of groups whose outgoing traffic
  should be redirected to Envoy (sidecar).
  A group can be specified either by name or by a numeric GID.
  The wildcard character `*` can be used to configure redirection of traffic from all groups
  (default).

  `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` - is a comma separated list of groups whose outgoing
  traffic should be excluded from redirection to Envoy (sidecar).
  A group can be specified either by name or by a numeric GID.
  Only applies when `ISTIO_OUTBOUND_OWNER_GROUPS` is left at its default (`*`), i.e. when
  traffic from all groups is being redirected to Envoy (sidecar).

  `ISTIO_OUTBOUND_OWNER_GROUPS` and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` are mutually
  exclusive, use only one of them.

  E.g.,

  * `ISTIO_OUTBOUND_OWNER_GROUPS=101,java` instructs to intercept outgoing traffic only from
    those processes that run under one of the user groups `101` (by `GID`) or `java` (by name).

  * `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202` instructs to intercept outgoing traffic
    from all processes except for those that run under one of the user groups `202` (by `GID`)
    or `root` (by name).
51