Merge pull request #534 from openshift-service-mesh-bot/none-master-merge_upstream_istio_master-6253864e

Automator: merge upstream changes to openshift-service-mesh/istio@master

Author: openshift-merge-bot[bot]

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-4d8a6668b6d46b3becc35f9b24467f841bbb020a",
+  "image": "gcr.io/istio-testing/build-tools:master-8dcf63149d5bdaa83d1407a121098e8e8d1626dd",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= master-2025-10-01T19-01-35
+BASE_VERSION ?= master-2025-11-06T19-00-48
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

cni/pkg/install/install.go

@@ -304,7 +304,7 @@ func checkValidCNIConfig(ctx context.Context, cfg *config.InstallConfig, cniConf
 	// first call of checkValidCNIConfig and we will return an error so the cni config file can be
 	// created or rewritten
 	if defaultCNIConfigFilepath != cniConfigFilepath {
-		log.Infof("cniConfigFilePath mismatch: expected %s but found %s", defaultCNIConfigFilepath, cniConfigFilepath)
+		log.Debugf("cniConfigFilePath mismatch: expected %s but found %s", defaultCNIConfigFilepath, cniConfigFilepath)
 		if len(cfg.CNIConfName) > 0 || !cfg.ChainedCNIPlugin {
 			// Install was run with overridden CNI config file so don't error out on preempt check
 			// Likely the only use for this is testing the script

cni/pkg/ipset/nldeps_unspecified.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 // Copyright Istio Authors
 //

cni/pkg/iptables/iptables_unspecified.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 // Copyright Istio Authors
 //

cni/pkg/nftables/nftables.go

@@ -224,7 +224,7 @@ func (cfg *NftablesConfigurator) AppendInpodRules(podOverrides config.PodLevelOv
 
 		// CLI: nft add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip6 saddr
 		// fd16:9254:7127:1337:ffff:ffff:ffff:ffff counter accept
-		cfg.ruleBuilder.AppendRule(IstioPreroutingChain, AmbientNatTable,
+		cfg.ruleBuilder.AppendV6RuleIfSupported(IstioPreroutingChain, AmbientNatTable,
 			"meta l4proto tcp",
 			"ip6 saddr", cfg.cfg.HostProbeV6SNATAddress.String(), Counter,
 			"accept",
@@ -240,7 +240,7 @@ func (cfg *NftablesConfigurator) AppendInpodRules(podOverrides config.PodLevelOv
 	)
 
 	// CLI: nft add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr fd16:9254:7127:1337:ffff:ffff:ffff:ffff counter accept
-	cfg.ruleBuilder.AppendRule(IstioOutputChain, AmbientNatTable,
+	cfg.ruleBuilder.AppendV6RuleIfSupported(IstioOutputChain, AmbientNatTable,
 		"meta l4proto tcp",
 		"ip6 daddr", cfg.cfg.HostProbeV6SNATAddress.String(), Counter,
 		"accept",
@@ -259,7 +259,7 @@ func (cfg *NftablesConfigurator) AppendInpodRules(podOverrides config.PodLevelOv
 			"redirect to", ":"+fmt.Sprint(config.ZtunnelInboundPlaintextPort),
 		)
 
-		cfg.ruleBuilder.AppendRule(IstioPreroutingChain, AmbientNatTable,
+		cfg.ruleBuilder.AppendV6RuleIfSupported(IstioPreroutingChain, AmbientNatTable,
 			"ip6 daddr", "!=", "::1/128",
 			"tcp dport", "!=", fmt.Sprint(config.ZtunnelInboundPort),
 			"mark and 0xfff", "!=", fmt.Sprintf("0x%x", config.InpodMark), Counter,
@@ -301,7 +301,7 @@ func (cfg *NftablesConfigurator) AppendInpodRules(podOverrides config.PodLevelOv
 		)
 
 		// CLI: nft add rule inet istio-ambient-nat istio-output ip6 daddr != ::1/128 tcp dport 53 mark and 0xfff != 0x539 counter redirect to :15053
-		cfg.ruleBuilder.AppendRule(
+		cfg.ruleBuilder.AppendV6RuleIfSupported(
 			IstioOutputChain, AmbientNatTable,
 			"ip6 daddr", "!=", "::1/128",
 			"tcp dport", "53",
@@ -356,7 +356,7 @@ func (cfg *NftablesConfigurator) AppendInpodRules(podOverrides config.PodLevelOv
 	)
 
 	// CLI: nft add rule inet istio-ambient-nat istio-output oifname "lo" ip6 daddr != ::1/128 counter accept
-	cfg.ruleBuilder.AppendRule(
+	cfg.ruleBuilder.AppendV6RuleIfSupported(
 		IstioOutputChain, AmbientNatTable,
 		"oifname", "lo",
 		"ip6 daddr",
@@ -377,7 +377,7 @@ func (cfg *NftablesConfigurator) AppendInpodRules(podOverrides config.PodLevelOv
 		"redirect to", ":"+fmt.Sprintf("%d", config.ZtunnelOutboundPort),
 	)
 
-	cfg.ruleBuilder.AppendRule(
+	cfg.ruleBuilder.AppendV6RuleIfSupported(
 		IstioOutputChain, AmbientNatTable,
 		"meta l4proto tcp",
 		"ip6 daddr",
@@ -473,7 +473,7 @@ func (cfg *NftablesConfigurator) CreateHostRulesForHealthChecks() error {
 		"ip", "daddr", fmt.Sprintf("@%s-v4", config.ProbeIPSet), Counter, "snat", "to", cfg.cfg.HostProbeSNATAddress.String())
 
 	// For V6 we have to use a different set and a different SNAT IP
-	cfg.ruleBuilder.AppendRule(PostroutingChain, AmbientNatTable, "meta l4proto tcp", "skuid", kubeletUID,
+	cfg.ruleBuilder.AppendV6RuleIfSupported(PostroutingChain, AmbientNatTable, "meta l4proto tcp", "skuid", kubeletUID,
 		"ip6", "daddr", fmt.Sprintf("@%s-v6", config.ProbeIPSet), Counter, "snat", "to", cfg.cfg.HostProbeV6SNATAddress.String())
 
 	return util.RunAsHost(func() error {

cni/pkg/nftables/testdata/default.golden

@@ -7,19 +7,13 @@ add chain inet istio-ambient-nat istio-output
 add rule inet istio-ambient-nat output jump istio-output
 add rule inet istio-ambient-nat prerouting jump istio-prerouting
 add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip saddr 169.254.7.127 counter accept
-add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip6 saddr e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 counter accept
 add rule inet istio-ambient-nat istio-output meta l4proto tcp ip daddr 169.254.7.127 counter accept
-add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 counter accept
 add rule inet istio-ambient-nat istio-prerouting ip daddr != 127.0.0.1/32 tcp dport != 15008 mark and 0xfff  != 0x539 counter redirect to :15006
-add rule inet istio-ambient-nat istio-prerouting ip6 daddr != ::1/128 tcp dport != 15008 mark and 0xfff != 0x539 counter redirect to :15006
 add rule inet istio-ambient-nat istio-output oifname != lo mark and 0xfff != 0x539 udp dport 53 counter redirect to :15053
 add rule inet istio-ambient-nat istio-output ip daddr != 127.0.0.1/32 tcp dport 53 mark and 0xfff != 0x539 counter redirect to :15053
-add rule inet istio-ambient-nat istio-output ip6 daddr != ::1/128 tcp dport 53 mark and 0xfff != 0x539 counter redirect to :15053
 add rule inet istio-ambient-nat istio-output meta l4proto tcp mark and 0xfff == 0x111 counter accept
 add rule inet istio-ambient-nat istio-output oifname lo ip daddr != 127.0.0.1/32 counter accept
-add rule inet istio-ambient-nat istio-output oifname lo ip6 daddr != ::1/128 counter accept
 add rule inet istio-ambient-nat istio-output meta l4proto tcp ip daddr != 127.0.0.1/32 mark and 0xfff != 0x539 counter redirect to :15001
-add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr != ::1/128 mark and 0xfff != 0x539 counter redirect to :15001
 add table inet istio-ambient-mangle
 flush table inet istio-ambient-mangle
 add chain inet istio-ambient-mangle prerouting { type filter hook prerouting priority -150 ; }

cni/pkg/nftables/testdata/dns_pod_disabled_and_on_globally.golden

@@ -7,16 +7,11 @@ add chain inet istio-ambient-nat istio-output
 add rule inet istio-ambient-nat output jump istio-output
 add rule inet istio-ambient-nat prerouting jump istio-prerouting
 add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip saddr 169.254.7.127 counter accept
-add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip6 saddr e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 counter accept
 add rule inet istio-ambient-nat istio-output meta l4proto tcp ip daddr 169.254.7.127 counter accept
-add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 counter accept
 add rule inet istio-ambient-nat istio-prerouting ip daddr != 127.0.0.1/32 tcp dport != 15008 mark and 0xfff  != 0x539 counter redirect to :15006
-add rule inet istio-ambient-nat istio-prerouting ip6 daddr != ::1/128 tcp dport != 15008 mark and 0xfff != 0x539 counter redirect to :15006
 add rule inet istio-ambient-nat istio-output meta l4proto tcp mark and 0xfff == 0x111 counter accept
 add rule inet istio-ambient-nat istio-output oifname lo ip daddr != 127.0.0.1/32 counter accept
-add rule inet istio-ambient-nat istio-output oifname lo ip6 daddr != ::1/128 counter accept
 add rule inet istio-ambient-nat istio-output meta l4proto tcp ip daddr != 127.0.0.1/32 mark and 0xfff != 0x539 counter redirect to :15001
-add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr != ::1/128 mark and 0xfff != 0x539 counter redirect to :15001
 add table inet istio-ambient-mangle
 flush table inet istio-ambient-mangle
 add chain inet istio-ambient-mangle prerouting { type filter hook prerouting priority -150 ; }

cni/pkg/nftables/testdata/dns_pod_enabled_and_off_globally.golden

@@ -7,19 +7,13 @@ add chain inet istio-ambient-nat istio-output
 add rule inet istio-ambient-nat output jump istio-output
 add rule inet istio-ambient-nat prerouting jump istio-prerouting
 add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip saddr 169.254.7.127 counter accept
-add rule inet istio-ambient-nat istio-prerouting meta l4proto tcp ip6 saddr e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 counter accept
 add rule inet istio-ambient-nat istio-output meta l4proto tcp ip daddr 169.254.7.127 counter accept
-add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 counter accept
 add rule inet istio-ambient-nat istio-prerouting ip daddr != 127.0.0.1/32 tcp dport != 15008 mark and 0xfff  != 0x539 counter redirect to :15006
-add rule inet istio-ambient-nat istio-prerouting ip6 daddr != ::1/128 tcp dport != 15008 mark and 0xfff != 0x539 counter redirect to :15006
 add rule inet istio-ambient-nat istio-output oifname != lo mark and 0xfff != 0x539 udp dport 53 counter redirect to :15053
 add rule inet istio-ambient-nat istio-output ip daddr != 127.0.0.1/32 tcp dport 53 mark and 0xfff != 0x539 counter redirect to :15053
-add rule inet istio-ambient-nat istio-output ip6 daddr != ::1/128 tcp dport 53 mark and 0xfff != 0x539 counter redirect to :15053
 add rule inet istio-ambient-nat istio-output meta l4proto tcp mark and 0xfff == 0x111 counter accept
 add rule inet istio-ambient-nat istio-output oifname lo ip daddr != 127.0.0.1/32 counter accept
-add rule inet istio-ambient-nat istio-output oifname lo ip6 daddr != ::1/128 counter accept
 add rule inet istio-ambient-nat istio-output meta l4proto tcp ip daddr != 127.0.0.1/32 mark and 0xfff != 0x539 counter redirect to :15001
-add rule inet istio-ambient-nat istio-output meta l4proto tcp ip6 daddr != ::1/128 mark and 0xfff != 0x539 counter redirect to :15001
 add table inet istio-ambient-mangle
 flush table inet istio-ambient-mangle
 add chain inet istio-ambient-mangle prerouting { type filter hook prerouting priority -150 ; }

cni/pkg/nftables/testdata/hostprobe.golden

@@ -2,4 +2,3 @@ add table inet istio-ambient-nat
 flush table inet istio-ambient-nat
 add chain inet istio-ambient-nat postrouting { type nat hook postrouting priority 100 ; }
 add rule inet istio-ambient-nat postrouting meta l4proto tcp skuid 1000 ip daddr @istio-inpod-probes-v4 counter snat to 169.254.7.127
-add rule inet istio-ambient-nat postrouting meta l4proto tcp skuid 1000 ip6 daddr @istio-inpod-probes-v6 counter snat to e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164