diff --git a/annotation/annotations.gen.go b/annotation/annotations.gen.go index 013bce6e67..a6980a6deb 100644 --- a/annotation/annotations.gen.go +++ b/annotation/annotations.gen.go @@ -125,6 +125,19 @@ This is intended to be used when enrolling a workload that only receives traffic }, } + AmbientDnsCapture = Instance { + Name: "ambient.istio.io/dns-capture", + Description: `When specified on a "Pod" enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient. +Note that setting this to "false" will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies. +`, + FeatureStatus: Alpha, + Hidden: true, + Deprecated: false, + Resources: []ResourceTypes{ + Pod, + }, + } + AmbientRedirection = Instance { Name: "ambient.istio.io/redirection", Description: `Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode. @@ -896,6 +909,7 @@ func AllResourceAnnotations() []*Instance { &AlphaCanonicalServiceAccounts, &AlphaKubernetesServiceAccounts, &AmbientBypassInboundCapture, + &AmbientDnsCapture, &AmbientRedirection, &AmbientWaypointInboundBinding, &GalleyAnalyzeSuppress, diff --git a/annotation/annotations.yaml b/annotation/annotations.yaml index 9450450c5f..48c58cc56e 100644 --- a/annotation/annotations.yaml +++ b/annotation/annotations.yaml @@ -582,3 +582,13 @@ annotations: hidden: false resources: - Pod + + - name: ambient.istio.io/dns-capture + featureStatus: Alpha + description: | + When specified on a `Pod` enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient. + Note that setting this to `false` will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies. + deprecated: false + hidden: true + resources: + - Pod 
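Review bot: The description added for `ambient.istio.io/dns-capture` in annotation/annotations.yaml names only the `false` case and does not say which values are accepted or what happens when the annotation is absent or unparseable. Because opting out takes the Pod's DNS off the proxy path and, by the text's own admission, breaks ServiceEntries and egress waypoints, I would state the default and the accepted values explicitly, for example `Accepted values are "true" and "false"; when unset, DNS traffic is captured.` (wording to be confirmed against the implementation, which is not part of this diff). The release note in releasenotes/notes/3361.yaml documents a different key, `ambient.istio.io/bypass-dns-capture`, with the opposite polarity, so an operator following it would set an annotation this registry does not define; the two should agree on name and meaning. The same description text is repeated in the generated annotation/annotations.gen.go and should follow from regenerating once the YAML is settled.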
diff --git a/releasenotes/notes/3361.yaml b/releasenotes/notes/3361.yaml
new file mode 100644
index 0000000000..3923c5d35d
--- /dev/null
+++ b/releasenotes/notes/3361.yaml
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+- 49829
+releaseNotes:
+- |
+ **Added** `ambient.istio.io/bypass-dns-capture` annotation. When specified on a `Pod` enrolled in ambient mesh, DNS traffic (TCP and UDP on port 53) will not be captured or proxied. This will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.