Fix a couple of typos in Ambient docs (#16178)

* iptables rules for ztunnel ingress processing match on the destination
  port, and not the source port as was previously described.
* the NetworkPolicy example was incorrect in the document describing how
  to update policies to accommodate HBONE traffic (policy was missing a
  name and app port number was not the same in both versions).

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Antonin Bas 2025-01-17 06:53:55 -08:00 committed by GitHub
parent 20facb1863
commit 3fa011fb90
GPG Key ID: B5690EEEBB952194
2 changed files with 12 additions and 8 deletions


@ -129,4 +129,4 @@ COMMIT
COMMIT
{{< /text >}}
The command output shows that additional Istio-specific chains are added to the NAT and Mangle tables in netfilter/iptables within the application pod's network namespace. All TCP traffic coming into the pod is redirected to the ztunnel proxy for ingress processing. If the traffic is plaintext (source port != 15008), it will be redirected to the in-pod ztunnel plaintext listening port 15006. If the traffic is HBONE (source port == 15008), it will be redirected to the in-pod ztunnel HBONE listening port 15008. Any TCP traffic leaving the pod is redirected to ztunnel's port 15001 for egress processing, before being sent out by ztunnel using HBONE encapsulation.
The command output shows that additional Istio-specific chains are added to the NAT and Mangle tables in netfilter/iptables within the application pod's network namespace. All TCP traffic coming into the pod is redirected to the ztunnel proxy for ingress processing. If the traffic is plaintext (destination port != 15008), it will be redirected to the in-pod ztunnel plaintext listening port 15006. If the traffic is HBONE (destination port == 15008), it will be redirected to the in-pod ztunnel HBONE listening port 15008. Any TCP traffic leaving the pod is redirected to ztunnel's port 15001 for egress processing, before being sent out by ztunnel using HBONE encapsulation.
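Review bot: the sentence still leaves "destination port" ambiguous, because the same sentence names 15008 both as the matched port and as the port the traffic is redirected to; say explicitly that the match is on the packet's original destination port as it enters the pod's network namespace, before the REDIRECT rewrites it, for example "If the traffic's original destination port is not 15008 (plaintext), it is redirected to ... 15006. If its original destination port is 15008 (HBONE), it is redirected to ... 15008." That keeps the corrected source/destination fix and also makes clear why HBONE traffic appears to land on the port it already targeted.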


@ -23,14 +23,16 @@ For example, the following `NetworkPolicy` will block incoming {{< gloss >}}HBON
{{< text syntax=yaml snip_id=none >}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: my-app-allow-ingress-web
spec:
ingress:
- ports:
- port: 9090
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: my-app
ingress:
- ports:
- port: 8080
protocol: TCP
{{< /text >}}
and should be changed to
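Review bot: indentation is not preserved in this rendering, so verify in the file that `name: my-app-allow-ingress-web` sits under `metadata:`, `matchLabels:` under `podSelector:`, and `protocol: TCP` is aligned with `port: 8080`; without that the example will not parse as the intended NetworkPolicy. Moving the `ingress` block after `podSelector` and changing 9090 to 8080 here does resolve the mismatch with the second example that the commit message describes.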
@ -38,16 +40,18 @@ and should be changed to
{{< text syntax=yaml snip_id=none >}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: my-app-allow-ingress-web
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: my-app
ingress:
- ports:
- port: 8080
protocol: TCP
- port: 15008
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: my-app
{{< /text >}}
if `my-app` is added to the ambient mesh.
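Review bot: the added `port: 15008` entry has no `from` selector, which is consistent with the existing `port: 8080` entry, but readers who start from a policy that does restrict `from` on the application port will likely copy this as-is; a sentence after the example saying that any `from` restriction on the application port must be mirrored on the 15008 rule, because the NetworkPolicy only sees the outer HBONE connection and not the application port inside it, would make the guidance safe to generalize.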