add notes about traffic addressing for waypoint proxies (#15609)

Signed-off-by: ilrudie <ian.rudie@solo.io>
2024-08-26 16:09:44 -04:00 · 2024-08-26 16:09:44 -04:00 · e3bb560d2b
parent 1064a1e1f4
commit e3bb560d2b
1 changed files with 9 additions and 1 deletions
--- a/content/en/docs/ambient/usage/waypoint/index.md
+++ b/content/en/docs/ambient/usage/waypoint/index.md
@ -107,10 +107,14 @@ The `--for` parameter to `istioctl waypoint apply` can be used to change the [tr
 | `waypoint-for` value | Traffic type |
 | -------------------- | ------------ |
 | `service`            | Kubernetes services |
-| `workload`           | Pod or VM IPs |
+| `workload`           | Pod IPs or VM IPs |
 | `all`                | Both service and workload traffic |
 | `none`               | No traffic (useful for testing) |

+{{< tip >}}
+Traffic type concerns the original addressing. To-service traffic does not become to-workload once the service is resolved to a pod by the service mesh.
+{{< /tip >}}
+
 ## Use a waypoint proxy {#useawaypoint}

 When a waypoint proxy is deployed, it is not used by any resources until you explicitly configure those resources to use it.
@ -185,6 +189,10 @@ pod/reviews-v2-5b667bcbf8-spnnh labeled

 Any requests from pods in the ambient mesh to the `reviews-v2` pod IP will now be routed through the `reviews-v2-pod-waypoint` waypoint for L7 processing and policy enforcement.

+{{< tip >}}
+The original addressing of the traffic is used to determine if a service or workload waypoint should be used. Traffic which is addressed to a service, even though ultimately this would be resolved to a pod IP, is always treated by the ambient mesh as to-service and would use a service-attached waypoint. Workload-attached waypoints are only used when the client addresses traffic to the pod itself.
+{{< /tip >}}
+
 ### Cleaning up

 You can remove all waypoints from a namespace by doing the following: