
fix(istio): BPF-compatible egress rules for ztunnel and istiod policies#4632

Open
electricjesus wants to merge 2 commits into tigera:master from electricjesus:seth/fix-istio-bpf-ambient-policies

Conversation

@electricjesus (Member) commented Apr 6, 2026

Description

Bug fix: When BPF dataplane is enabled with Istio ambient mode, CTLB must be disabled. Without CTLB and kube-proxy, the operator-managed calico-system tier policies for ztunnel and istiod block cross-node communication:

  • ztunnel policy: The service-based egress selector for istiod doesn't resolve correctly for cross-node traffic without CTLB
  • istiod policy: No egress rule allows return traffic (SYN-ACKs) to ztunnel pods on remote nodes

This causes 4/5 ztunnel pods to fail with XDS client connection error connecting to istiod.calico-system.svc:15012 — only the one co-located with istiod works.

Fix: Add pod-selector-based egress rules (conditioned on BPFEnabled()) to both policies:

  • ztunnel: allow egress to k8s-app == 'istiod' pods directly
  • istiod: allow egress to k8s-app == 'ztunnel' pods

Testing:

  • Added render unit tests verifying rules appear when BPF is enabled and are absent otherwise
  • Manually verified on a CaliEnt BPF+ambient cluster (5 nodes, gcp-kubeadm) — all 5 ztunnel pods reach Ready with this fix

Components affected: Istio component renderer (pkg/render/istio/istio.go)

Related issues: CORE-12597

Related PRs:

Release Note

Fix Istio ambient mode on BPF dataplane: add pod-selector-based egress rules to the ztunnel and istiod calico-system tier policies so that cross-node ztunnel-to-istiod communication works when connect-time load balancing (CTLB) is disabled.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

…licies

When BPF dataplane is enabled, CTLB (connect-time load balancing) must
be disabled for Istio ambient mode compatibility. Without CTLB and
kube-proxy, the service-based egress selector in the ztunnel policy
doesn't resolve correctly for cross-node traffic, and istiod's egress
policy doesn't allow return traffic to remote ztunnel pods.

This causes all ztunnel pods except the one co-located with istiod to
fail with "XDS client connection error connecting to istiod" because
the calico-system default-deny blocks the unmatched traffic.

Fix by adding pod-selector-based egress rules (conditioned on BPF mode)
so that:
- ztunnel can reach istiod pods directly by pod IP (not just via
  service selector)
- istiod can send return traffic to ztunnel pods on remote nodes

Verify that when BPF dataplane is enabled, the ztunnel and istiod
policies include pod-selector-based egress rules for cross-node
communication. Also verify these rules are absent when BPF is not
enabled.
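The description and commit messages above explain the shape of the fix: keep the service-based egress rule, and append a pod-selector egress rule only when the BPF dataplane is in use, for both the ztunnel and the istiod policy. The following is an added example, not code from this PR or from tigera/operator, that sketches that conditional rendering and prints the resulting calico-system tier policy as the projectcalico.org/v3 YAML a practitioner would see with kubectl. It uses small local stand-ins for the projectcalico v3 Rule/EntityRule/ServiceMatch types so it runs with the standard library alone; the baseline service rule, the istiod port 15012, the calico-system namespace for both workloads, and the function names are assumptions taken from the PR text, not from the operator's istio.go renderer.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the projectcalico v3 Rule / EntityRule / ServiceMatch
// types (assumption: the real renderer uses the types from
// github.com/projectcalico/api; these structs carry only the fields the
// example needs so it runs with the standard library alone).
type ServiceMatch struct {
	Name      string
	Namespace string
}

type EntityRule struct {
	Selector string
	Services *ServiceMatch
	Ports    []uint16
}

type Rule struct {
	Action      string
	Protocol    string
	Destination EntityRule
}

// ztunnelEgressRules mirrors the shape of the fix: the service-based rule is
// always present, and a pod-selector rule is appended only when the BPF
// dataplane (with CTLB disabled) is in use. The baseline service rule and
// port 15012 are assumptions taken from the PR text, not the operator source.
func ztunnelEgressRules(bpfEnabled bool) []Rule {
	rules := []Rule{{
		Action:      "Allow",
		Protocol:    "TCP",
		Destination: EntityRule{Services: &ServiceMatch{Name: "istiod", Namespace: "calico-system"}},
	}}
	if bpfEnabled {
		rules = append(rules, Rule{
			Action:      "Allow",
			Protocol:    "TCP",
			Destination: EntityRule{Selector: "k8s-app == 'istiod'", Ports: []uint16{15012}},
		})
	}
	return rules
}

// istiodEgressRules adds the reverse direction the PR describes: istiod must
// be allowed to send to ztunnel pods on remote nodes when BPF is enabled.
// Any other istiod egress rules the operator renders are omitted here.
func istiodEgressRules(bpfEnabled bool) []Rule {
	var rules []Rule
	if bpfEnabled {
		rules = append(rules, Rule{
			Action:      "Allow",
			Protocol:    "TCP",
			Destination: EntityRule{Selector: "k8s-app == 'ztunnel'"},
		})
	}
	return rules
}

// hasPodSelectorEgress is the check a render unit test would make: is there
// an egress rule whose destination is the given pod selector?
func hasPodSelectorEgress(rules []Rule, selector string) bool {
	for _, r := range rules {
		if r.Destination.Selector == selector {
			return true
		}
	}
	return false
}

// renderPolicyYAML writes the rules as a namespaced projectcalico.org/v3
// NetworkPolicy in the calico-system tier. A bare destination selector with no
// namespaceSelector matches pods in the policy's own namespace, which is why
// the example assumes istiod and ztunnel both live in calico-system.
func renderPolicyYAML(name, podSelector string, rules []Rule) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: projectcalico.org/v3\nkind: NetworkPolicy\nmetadata:\n  name: %s\n  namespace: calico-system\nspec:\n  tier: calico-system\n  selector: %s\n  types:\n  - Egress\n  egress:\n", name, podSelector)
	for _, r := range rules {
		fmt.Fprintf(&b, "  - action: %s\n    protocol: %s\n    destination:\n", r.Action, r.Protocol)
		if r.Destination.Services != nil {
			// A services match cannot be combined with selector or ports in Calico.
			fmt.Fprintf(&b, "      services:\n        name: %s\n        namespace: %s\n", r.Destination.Services.Name, r.Destination.Services.Namespace)
		}
		if r.Destination.Selector != "" {
			fmt.Fprintf(&b, "      selector: %s\n", r.Destination.Selector)
		}
		if len(r.Destination.Ports) > 0 {
			b.WriteString("      ports:\n")
			for _, p := range r.Destination.Ports {
				fmt.Fprintf(&b, "      - %d\n", p)
			}
		}
	}
	return b.String()
}

func main() {
	// Render the ztunnel policy both ways so the BPF-only rule is visible.
	for _, bpf := range []bool{false, true} {
		fmt.Printf("# bpfEnabled=%v\n%s---\n", bpf, renderPolicyYAML("ztunnel", "k8s-app == 'ztunnel'", ztunnelEgressRules(bpf)))
	}
}
```

Running it prints the ztunnel policy twice; only the bpfEnabled=true rendering carries the second egress rule with `selector: k8s-app == 'istiod'` and port 15012, which is the difference the PR's render unit tests assert on. Calico does not allow `services` to be combined with `selector` or `ports` in one destination, so the fix has to be a second rule rather than an extension of the service-based one.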
@electricjesus electricjesus marked this pull request as ready for review April 6, 2026 15:14
@electricjesus electricjesus requested a review from a team as a code owner April 6, 2026 15:14