Update PeerAuthentication docs #3184
overall LGTM
// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. | ||
// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) | ||
// Because of this, `DISABLE` mode is not supported. | ||
// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible. |
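Review bot: The line "Because of this, `DISABLE` mode is not supported" does not say what happens when a policy that sets `DISABLE` is applied to an ambient workload (rejected, ignored, or treated as another mode). Add a sentence stating the resulting behaviour, so a reader who carries such a policy over from sidecar mode knows what to expect. The `STRICT` sentence would also be clearer if it said which connections count as "bypassing the mesh".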
could we say this api does not apply to ambient mode
It does apply to ambient mode though, just not with `DISABLE` mode, AIUI. @keithmattix
Sorry I missed this. This is correct
rebased and hopefully ready for proper merging
@howardjohn for formal approval
Given we seem to have decided to keep `PeerAuthentication` around in ambient mode, update the docs to remove the warning, and add the caveat you can't `DISABLE` mTLS any more. (This may or may not be the project's decision.)