From 3cb4721ad224b1a1bc225b82942aeedf8fb94307 Mon Sep 17 00:00:00 2001 From: Keith Mattix II Date: Mon, 4 Aug 2025 21:33:39 +0000 Subject: [PATCH 1/4] Add note about istio-cni security Signed-off-by: Keith Mattix II --- content/en/docs/ops/deployment/security-model/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/en/docs/ops/deployment/security-model/index.md b/content/en/docs/ops/deployment/security-model/index.md index 5f5dbdca58f99..f53cf0ba7c0c1 100644 --- a/content/en/docs/ops/deployment/security-model/index.md +++ b/content/en/docs/ops/deployment/security-model/index.md @@ -40,6 +40,10 @@ The implications of this are discussed [below](#node-compromise). Because this consolidates the elevated privileges required to setup networking into a single pod, rather than *every* pod, this option is generally recommended. +##### Ambient Mode + +In ambient mode, the Istio CNI plugin (and the associated node agent) manages mesh enrollment for pods living on its node. Due to limitations in the Kubernetes API, it is not currently possible for the CNI plugin or its node agent to prevent pods from being scheduled on the node before the CNI plugin is installed and configured. In these rare cases (e.g. on node restart or new node scale out), it is possible that a pod that is labeled for mesh enrollment may come up before the CNI's traffic redirection rules are applied, meaning that policies won't be enforced until after the CNI comes up and that pod is restarted. The Istio community is working with the upstream Kubernetes community to address this limitation, but in the meantime, you can [configure an initcontainer](TODO) enabled [owned CNI mode](TODO) to mitigate these race conditions. + ### Sidecar Proxies Istio may [optionally](/docs/overview/dataplane-modes/) deploy a sidecar proxy next to an application. From cd0a1d59169fbba13f4b11ac954ed90fdbf68ec6 Mon Sep 17 00:00:00 2001 
From: Keith Mattix II Date: Thu, 7 Aug 2025 22:46:45 +0000 Subject: [PATCH 2/4] Remove references to initcontainer Signed-off-by: Keith Mattix II --- content/en/docs/ops/deployment/security-model/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/deployment/security-model/index.md b/content/en/docs/ops/deployment/security-model/index.md index f53cf0ba7c0c1..fd8b59b7804a5 100644 --- a/content/en/docs/ops/deployment/security-model/index.md +++ b/content/en/docs/ops/deployment/security-model/index.md 
@@ -42,7 +42,7 @@ this option is generally recommended. ##### Ambient Mode -In ambient mode, the Istio CNI plugin (and the associated node agent) manages mesh enrollment for pods living on its node. Due to limitations in the Kubernetes API, it is not currently possible for the CNI plugin or its node agent to prevent pods from being scheduled on the node before the CNI plugin is installed and configured. In these rare cases (e.g. on node restart or new node scale out), it is possible that a pod that is labeled for mesh enrollment may come up before the CNI's traffic redirection rules are applied, meaning that policies won't be enforced until after the CNI comes up and that pod is restarted. The Istio community is working with the upstream Kubernetes community to address this limitation, but in the meantime, you can [configure an initcontainer](TODO) enabled [owned CNI mode](TODO) to mitigate these race conditions. +In ambient mode, the Istio CNI plugin (and the associated node agent) manages mesh enrollment for pods living on its node. Due to limitations in the Kubernetes API, it is not currently possible for the CNI plugin or its node agent to prevent pods from being scheduled on the node before the CNI plugin is installed and configured. This can occur even if using node cordons + taints as described [in our upgrade documentation](/docs/ambient/upgrade/helm#cni-node-agent). In these rare cases (e.g. on node restart or new node scale out), it is possible that a pod that is labeled for mesh enrollment may come up before the CNI's traffic redirection rules are applied, meaning that policies won't be enforced until after the CNI comes up and that pod is restarted. 
The Istio community is working with [various](https://github.com/containernetworking/cni/pull/1052) [upstream](https://github.com/kubernetes/kubernetes/issues/130594) communities to address this limitation, but in the meantime, you can enable [owned CNI mode](https://github.com/jaellio/istio/blob/master/releasenotes/notes/55968.yaml) to mitigate these race conditions. ### Sidecar Proxies From 0313630a7da8323445b85dff6ef1e505a5f7c2ad Mon Sep 17 00:00:00 2001 From: Keith Mattix II Date: Sat, 9 Aug 2025 00:15:35 +0000 Subject: [PATCH 3/4] Fix lint Signed-off-by: Keith Mattix II --- content/en/docs/ops/deployment/security-model/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/deployment/security-model/index.md b/content/en/docs/ops/deployment/security-model/index.md index fd8b59b7804a5..ab22cb328a448 100644 --- a/content/en/docs/ops/deployment/security-model/index.md +++ b/content/en/docs/ops/deployment/security-model/index.md 
@@ -40,7 +40,7 @@ The implications of this are discussed [below](#node-compromise). Because this consolidates the elevated privileges required to setup networking into a single pod, rather than *every* pod, this option is generally recommended. -##### Ambient Mode +#### Ambient Mode In ambient mode, the Istio CNI plugin (and the associated node agent) manages mesh enrollment for pods living on its node. Due to limitations in the Kubernetes API, it is not currently possible for the CNI plugin or its node agent to prevent pods from being scheduled on the node before the CNI plugin is installed and configured. This can occur even if using node cordons + taints as described [in our upgrade documentation](/docs/ambient/upgrade/helm#cni-node-agent). In these rare cases (e.g. on node restart or new node scale out), it is possible that a pod that is labeled for mesh enrollment may come up before the CNI's traffic redirection rules are applied, meaning that policies won't be enforced until after the CNI comes up and that pod is restarted. The Istio community is working with [various](https://github.com/containernetworking/cni/pull/1052) [upstream](https://github.com/kubernetes/kubernetes/issues/130594) communities to address this limitation, but in the meantime, you can enable [owned CNI mode](https://github.com/jaellio/istio/blob/master/releasenotes/notes/55968.yaml) to mitigate these race conditions. From 0ccbb9f4a6f74ab1059676c618cb42e82e100377 Mon Sep 17 00:00:00 2001 From: Keith Mattix II Date: Mon, 11 Aug 2025 11:41:27 -0500 Subject: [PATCH 4/4] Update content/en/docs/ops/deployment/security-model/index.md Co-authored-by: Craig Box --- content/en/docs/ops/deployment/security-model/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/deployment/security-model/index.md b/content/en/docs/ops/deployment/security-model/index.md index ab22cb328a448..a434f0c04550f 100644 --- a/content/en/docs/ops/deployment/security-model/index.md 
+++ b/content/en/docs/ops/deployment/security-model/index.md @@ -40,7 +40,7 @@ The implications of this are discussed [below](#node-compromise). Because this consolidates the elevated privileges required to setup networking into a single pod, rather than *every* pod, this option is generally recommended. -#### Ambient Mode +#### Ambient mode In ambient mode, the Istio CNI plugin (and the associated node agent) manages mesh enrollment for pods living on its node. Due to limitations in the Kubernetes API, it is not currently possible for the CNI plugin or its node agent to prevent pods from being scheduled on the node before the CNI plugin is installed and configured. This can occur even if using node cordons + taints as described [in our upgrade documentation](/docs/ambient/upgrade/helm#cni-node-agent). In these rare cases (e.g. on node restart or new node scale out), it is possible that a pod that is labeled for mesh enrollment may come up before the CNI's traffic redirection rules are applied, meaning that policies won't be enforced until after the CNI comes up and that pod is restarted. The Istio community is working with [various](https://github.com/containernetworking/cni/pull/1052) [upstream](https://github.com/kubernetes/kubernetes/issues/130594) communities to address this limitation, but in the meantime, you can enable [owned CNI mode](https://github.com/jaellio/istio/blob/master/releasenotes/notes/55968.yaml) to mitigate these race conditions.
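Review bot: the paragraph added in the first hunk ([PATCH 1/4]) ships two placeholder link targets, `[configure an initcontainer](TODO)` and `[owned CNI mode](TODO)`, which would render as broken links on the published security-model page; fill them in or drop the links before merging. In the same paragraph, "policies won't be enforced" is the security-relevant statement and deserves one more clause: because the CNI's traffic redirection rules are not yet applied, the affected pod's traffic is not going through the mesh at all, so both inbound and outbound authorization policies that target that pod are bypassed until it is restarted. Spelling that out tells an operator what exposure the race actually creates rather than leaving it implied.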
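Review bot: in the second hunk ([PATCH 2/4]) the "owned CNI mode" link points at a personal fork on a moving branch (`https://github.com/jaellio/istio/blob/master/releasenotes/notes/55968.yaml`), which is fragile for a documentation page and not an authoritative reference; link the feature's page in the upstream istio/istio repository or the docs section that describes it instead. The same sentence says owned CNI mode will "mitigate these race conditions" without saying whether it closes the window or only narrows it; since the preceding sentences explain that cordons and taints are not sufficient either, a reader needs to know what residual risk remains after enabling it. Minor style point: "node cordons + taints" reads better as "node cordons and taints" in prose.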
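Review bot: the heading-level change in the third hunk ([PATCH 3/4]), `#####` to `####`, is the right fix, since the section sits under a `###`-level heading (the next sibling is `### Sidecar Proxies`) and `#####` skipped a level; the commit message "Fix lint" could say that explicitly so the history records why the level changed.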
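Review bot: the fourth hunk ([PATCH 4/4]) changes the heading to sentence case, `#### Ambient mode`, while the neighbouring heading visible in the context is title case, `### Sidecar Proxies`; either convention is fine, but the two should agree on this page, so either keep the original casing or update the sibling heading in the same change.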