istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/ssh-iptables.yaml

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management
issue:
- 35733
releaseNotes:
- |
  **Fixed** an issue causing mTLS errors for traffic on port 22, by including port 22 in iptables by default.

upgradeNotes:
- title: Port 22 iptables capture changes
  content: |
    In previous versions, port 22 was excluded from iptables capture. This mitigated the risk of getting locked out
    of a VM when using Istio on VMs. This configuration was hardcoded into the iptables logic, meaning there was no
    way to capture traffic on port 22.

    The iptables logic no longer special-cases port 22. Instead, the `istioctl x workload entry configure`
    command automatically configures `ISTIO_LOCAL_EXCLUDE_PORTS` to include port 22. This means that VM users will
    continue to have port 22 excluded, while Kubernetes users will now have port 22 included.

    If this behavior is undesirable, the port can be explicitly opted out in Kubernetes with the `traffic.sidecar.istio.io/excludeInboundPorts` annotation.