istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/37057.yaml (about)

apiVersion: release-notes/v2
kind: feature
area: traffic-management

# issue is a list of GitHub issues resolved in this note.
# If issue is not in the current repo, specify its full URL instead.
issue:
- 37057

# releaseNotes is a markdown listing of any user facing changes. This will appear in the
# release notes.
releaseNotes:
- |
  **Added** new configuration options to `istio-iptables` and `istio-clean-iptables`
  for including or excluding certain user groups from interception of the outgoing traffic
  generated by their processes.

  This feature is intended primarily for use on VMs, where system administrators need
  to restrict interception of outgoing traffic to a few applications instead
  of intercepting all outgoing traffic.

  By default, as before, the Istio sidecar intercepts outgoing traffic from all processes,
  no matter what user groups they are running under.

  To change this behavior, system administrators can now use two new environment variables
  supported by `istio-iptables` and `istio-clean-iptables`: `ISTIO_OUTBOUND_OWNER_GROUPS`
  and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE`.

  `ISTIO_OUTBOUND_OWNER_GROUPS` is a comma-separated list of groups whose outgoing traffic
  should be redirected to Envoy (sidecar).
  A group can be specified either by name or by a numeric GID.
  The wildcard character `*` can be used to configure redirection of traffic from all groups
  (default).

  `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` is a comma-separated list of groups whose outgoing
  traffic should be excluded from redirection to Envoy (sidecar).
  A group can be specified either by name or by a numeric GID.
  It only applies when traffic from all groups (i.e. `*`) is being redirected to Envoy (sidecar).

  `ISTIO_OUTBOUND_OWNER_GROUPS` and `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE` are mutually
  exclusive; use only one of them.

  E.g.,

  * `ISTIO_OUTBOUND_OWNER_GROUPS=101,java` instructs Istio to intercept outgoing traffic only from
    those processes that run under one of the user groups `101` (by `GID`) or `java` (by name).

  * `ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202` instructs Istio to intercept outgoing traffic
    from all processes except for those that run under one of the user groups `202` (by `GID`)
    or `root` (by name).
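The selection semantics described in the note, as an added example that is not part of the release note or of Istio's own code: it models how the two variables combine, the `*` default, the mutual-exclusion rule, and the shape of iptables owner-match rules that express the result. The chain names `ISTIO_OUTPUT` and `ISTIO_REDIRECT` and the exact rule shapes are assumptions, not Istio's actual output.

```python
# Added illustration (not Istio's own code) of the owner-group semantics described
# above: which processes' outgoing traffic reaches the sidecar, and the shape of
# iptables owner-match rules that express it. Chain names are assumptions.
from dataclasses import dataclass

ISTIO_OUTPUT = "ISTIO_OUTPUT"      # assumed nat chain hooked into OUTPUT
ISTIO_REDIRECT = "ISTIO_REDIRECT"  # assumed chain that redirects to Envoy


@dataclass(frozen=True)
class OwnerGroupFilter:
    values: tuple  # group names or numeric GIDs, exactly as the operator wrote them
    except_: bool  # True: values are excluded; False: only values are included


def parse_owner_groups(include="*", exclude=""):
    """Combine the two variables; the default (include '*', no exclude) redirects all."""
    inc = [g.strip() for g in include.split(",") if g.strip()] or ["*"]
    exc = [g.strip() for g in exclude.split(",") if g.strip()]
    if inc == ["*"]:
        # Exclusions only take effect when traffic from all groups is redirected.
        return OwnerGroupFilter(tuple(exc), True)
    if exc:
        raise ValueError("ISTIO_OUTBOUND_OWNER_GROUPS and "
                         "ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE are mutually exclusive")
    return OwnerGroupFilter(tuple(inc), False)


def is_redirected(f, group):
    """Would traffic from a process running under `group` (name or GID string) be
    redirected? Tokens are compared verbatim; a name and its GID are not unified."""
    matched = group in f.values
    return not matched if f.except_ else matched


def owner_group_rules(f):
    """iptables argument strings expressing the filter, for inspection only.
    `--gid-owner` accepts a group name or a numeric GID, so tokens pass through."""
    rules = []
    if f.except_:
        for g in f.values:  # excluded groups leave the chain before redirection
            rules.append(f"-t nat -A {ISTIO_OUTPUT} -m owner --gid-owner {g} -j RETURN")
        rules.append(f"-t nat -A {ISTIO_OUTPUT} -j {ISTIO_REDIRECT}")
    else:
        for g in f.values:  # only the listed groups are redirected
            rules.append(f"-t nat -A {ISTIO_OUTPUT} -m owner --gid-owner {g} -j {ISTIO_REDIRECT}")
        rules.append(f"-t nat -A {ISTIO_OUTPUT} -j RETURN")
    return rules
```

Running `owner_group_rules(parse_owner_groups("*", "root,202"))` reproduces the second example from the note: two `RETURN` rules for `root` and `202`, then an unconditional redirect for everything else.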