Upgrade istio-cni to v.1.23.2

Signed-off-by: Tarek Abouzeid <[email protected]>

.github/workflows/kserve_cni_test.yaml

@@ -4,7 +4,7 @@ on:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/kserve_cni_test.yaml
-    - common/istio-cni-1-22/**
+    - common/istio-cni-1-23/**
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
     - tests/gh-actions/install_knative-cni.sh

.github/workflows/pss_test.yaml

@@ -50,7 +50,7 @@ jobs:
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Multi Tenancy
       run: ./tests/gh-actions/install_multi_tenancy.sh

README.md

@@ -65,7 +65,7 @@ used from the different projects of Kubeflow:
 
 | Component | Local Manifests Path | Upstream Revision |
 | - | - | - |
-| Istio | common/istio-1-22 | [1.22.1](https://github.com/istio/istio/releases/tag/1.22.1) |
+| Istio | common/istio-1-22 | [1.23.2](https://github.com/istio/istio/releases/tag/1.23.2) |
 | Knative | common/knative/knative-serving <br /> common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4) <br /> [v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) |
 | Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) |
 

common/istio-cni-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml → common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml

@@ -109,8 +109,7 @@ spec:
         - name: ISTIO_META_WORKLOAD_NAME
           value: cluster-local-gateway
         - name: ISTIO_META_OWNER
-          value: 
-            kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
         - name: ISTIO_META_MESH_ID
           value: cluster.local
         - name: TRUST_DOMAIN
@@ -123,7 +122,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-        image: docker.io/istio/proxyv2:1.22.1
+        image: docker.io/istio/proxyv2:1.23.2
         name: istio-proxy
         ports:
         - containerPort: 15020

common/istio-cni-1-22/istio-install/base/install.yaml → common/istio-cni-1-23/istio-install/base/install.yaml

@@ -263,6 +263,16 @@ rules:
   - patch
   - create
   - delete
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - serviceentries/status
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -453,6 +463,7 @@ metadata:
     istio.io/rev: default
     k8s-app: istio-cni-repair
     operator.istio.io/component: Cni
+    release: istio
   name: istio-cni-repair-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -522,7 +533,6 @@ metadata:
   name: istio-validator-istio-system
 webhooks:
 - admissionReviewVersions:
-  - v1beta1
   - v1
   clientConfig:
     service:
@@ -580,12 +590,20 @@ metadata:
 ---
 apiVersion: v1
 data:
-  cni_network_config: "{\n  \"cniVersion\": \"0.3.1\",\n  \"name\": \"istio-cni\"\
-    ,\n  \"type\": \"istio-cni\",\n  \"log_level\": \"debug\",\n  \"log_uds_address\"\
-    : \"__LOG_UDS_ADDRESS__\",\n  \n  \"cni_event_address\": \"__CNI_EVENT_ADDRESS__\"\
-    ,\n  \"kubernetes\": {\n      \"kubeconfig\": \"__KUBECONFIG_FILEPATH__\",\n \
-    \     \"cni_bin_dir\": \"/opt/cni/bin\",\n      \"exclude_namespaces\": [ \"kube-system\"\
-    \ ]\n  }\n}"
+  AMBIENT_DNS_CAPTURE: 'false'
+  AMBIENT_ENABLED: 'false'
+  AMBIENT_IPV6: 'true'
+  CHAINED_CNI_PLUGIN: 'true'
+  CNI_NET_DIR: /etc/cni/net.d
+  CURRENT_AGENT_VERSION: 1.23.2
+  EXCLUDED_NAMESPACES: kube-system
+  REPAIR_BROKEN_POD_LABEL_KEY: cni.istio.io/uninitialized
+  REPAIR_BROKEN_POD_LABEL_VALUE: 'true'
+  REPAIR_DELETE_PODS: 'false'
+  REPAIR_ENABLED: 'true'
+  REPAIR_INIT_CONTAINER_NAME: istio-validation
+  REPAIR_LABEL_PODS: 'false'
+  REPAIR_REPAIR_PODS: 'true'
 kind: ConfigMap
 metadata:
   labels:
@@ -828,6 +846,9 @@ data:
           {{- if .Values.global.logAsJson }}
             - --log_as_json
           {{- end }}
+          {{- if .Values.global.proxy.outlierLogPath }}
+            - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+          {{- end}}
           {{- if .Values.global.proxy.lifecycle }}
             lifecycle:
               {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
@@ -1169,12 +1190,16 @@ data:
           }
         spec:
           securityContext:
+          {{- if .Values.gateways.securityContext }}
+            {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+          {{- else }}
             sysctls:
             - name: net.ipv4.ip_unprivileged_port_start
               value: "0"
+          {{- end }}
           containers:
           - name: istio-proxy
-          {{- if contains "/" .Values.global.proxy.image }}
+          {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
             image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
           {{- else }}
             image: "{{ .ProxyImage }}"
@@ -1992,10 +2017,17 @@ data:
                 securityContext:
                   privileged: false
                   runAsGroup: 1337
-                  runAsUser: 0
+                  runAsUser: 1337
+                  allowPrivilegeEscalation: false
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
                   capabilities:
                     drop:
                     - ALL
+        {{- if .Values.gateways.seccompProfile }}
+                  seccompProfile:
+        {{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+        {{- end }}
                 volumeMounts:
                 - name: workload-socket
                   mountPath: /var/run/secrets/workload-spiffe-uds
@@ -2068,6 +2100,7 @@ data:
             name: "{{.Name}}"
             uid: "{{.UID}}"
         spec:
+          ipFamilyPolicy: PreferDualStack
           ports:
           {{- range $key, $val := .Ports }}
           - name: {{ $val.Name | quote }}
@@ -2153,12 +2186,17 @@ data:
                     "istio.io/gateway-name" .Name
                   ) | nindent 8 }}
             spec:
-              {{- if ge .KubeVersion 122 }}
-              {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
               securityContext:
+              {{- if .Values.gateways.securityContext }}
+                {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+              {{- else }}
                 sysctls:
                 - name: net.ipv4.ip_unprivileged_port_start
                   value: "0"
+              {{- if .Values.gateways.seccompProfile }}
+                seccompProfile:
+              {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+              {{- end }}
               {{- end }}
               serviceAccountName: {{.ServiceAccount | quote}}
               containers:
@@ -2174,8 +2212,6 @@ data:
                 {{- end }}
                 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
                 securityContext:
-                {{- if ge .KubeVersion 122 }}
-                  # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
                   capabilities:
                     drop:
                     - ALL
@@ -2185,18 +2221,6 @@ data:
                   runAsUser: {{ .ProxyUID | default "1337" }}
                   runAsGroup: {{ .ProxyGID | default "1337" }}
                   runAsNonRoot: true
-                {{- else }}
-                  capabilities:
-                    drop:
-                    - ALL
-                    add:
-                    - NET_BIND_SERVICE
-                  runAsUser: 0
-                  runAsGroup: 1337
-                  runAsNonRoot: false
-                  allowPrivilegeEscalation: true
-                  readOnlyRootFilesystem: true
-                {{- end }}
                 ports:
                 - containerPort: 15021
                   name: status-port
@@ -2437,6 +2461,10 @@ data:
         ---
   values: |-
     {
+      "gateways": {
+        "seccompProfile": {},
+        "securityContext": {}
+      },
       "global": {
         "autoscalingv2API": true,
         "caAddress": "",
@@ -2491,6 +2519,7 @@ data:
           "includeInboundPorts": "*",
           "includeOutboundPorts": "",
           "logLevel": "warning",
+          "outlierLogPath": "",
           "privileged": false,
           "readinessFailureThreshold": 4,
           "readinessInitialDelaySeconds": 0,
@@ -2524,7 +2553,7 @@ data:
         "sts": {
           "servicePort": 0
         },
-        "tag": "1.22.1",
+        "tag": "1.23.2",
         "variant": ""
       },
       "istio_cni": {
@@ -2572,7 +2601,6 @@ metadata:
   name: istio-sidecar-injector
 webhooks:
 - admissionReviewVersions:
-  - v1beta1
   - v1
   clientConfig:
     service:
@@ -2608,7 +2636,6 @@ webhooks:
     - pods
   sideEffects: None
 - admissionReviewVersions:
-  - v1beta1
   - v1
   clientConfig:
     service:
@@ -2646,7 +2673,6 @@ webhooks:
     - pods
   sideEffects: None
 - admissionReviewVersions:
-  - v1beta1
   - v1
   clientConfig:
     service:
@@ -2680,7 +2706,6 @@ webhooks:
     - pods
   sideEffects: None
 - admissionReviewVersions:
-  - v1beta1
   - v1
   clientConfig:
     service:
@@ -2745,48 +2770,23 @@ spec:
     spec:
       containers:
       - args:
-        - --log_output_level=default:info,cni:info
+        - --log_output_level=info
         command:
         - install-cni
         env:
-        - name: CNI_NETWORK_CONFIG
-          valueFrom:
-            configMapKeyRef:
-              key: cni_network_config
-              name: istio-cni-config
-        - name: CNI_NET_DIR
-          value: /etc/cni/net.d
-        - name: CHAINED_CNI_PLUGIN
-          value: 'true'
-        - name: REPAIR_ENABLED
-          value: 'true'
         - name: REPAIR_NODE_NAME
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-        - name: REPAIR_LABEL_PODS
-          value: 'false'
-        - name: REPAIR_DELETE_PODS
-          value: 'false'
-        - name: REPAIR_REPAIR_PODS
-          value: 'true'
         - name: REPAIR_RUN_AS_DAEMON
           value: 'true'
         - name: REPAIR_SIDECAR_ANNOTATION
           value: sidecar.istio.io/status
-        - name: REPAIR_INIT_CONTAINER_NAME
-          value: istio-validation
-        - name: REPAIR_BROKEN_POD_LABEL_KEY
-          value: cni.istio.io/uninitialized
-        - name: REPAIR_BROKEN_POD_LABEL_VALUE
-          value: 'true'
         - name: NODE_NAME
           valueFrom:
             fieldRef:
               apiVersion: v1
               fieldPath: spec.nodeName
-        - name: LOG_LEVEL
-          value: debug
         - name: GOMEMLIMIT
           valueFrom:
             resourceFieldRef:
@@ -2795,7 +2795,18 @@ spec:
           valueFrom:
             resourceFieldRef:
               resource: limits.cpu
-        image: docker.io/istio/install-cni:1.22.1
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        envFrom:
+        - configMapRef:
+            name: istio-cni-config
+        image: docker.io/istio/install-cni:1.23.2
         name: install-cni
         readinessProbe:
           httpGet:
@@ -2958,8 +2969,7 @@ spec:
         - name: ISTIO_META_WORKLOAD_NAME
           value: istio-ingressgateway
         - name: ISTIO_META_OWNER
-          value: 
-            kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
+          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
         - name: ISTIO_META_MESH_ID
           value: cluster.local
         - name: TRUST_DOMAIN
@@ -2972,7 +2982,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-        image: docker.io/istio/proxyv2:1.22.1
+        image: docker.io/istio/proxyv2:1.23.2
         name: istio-proxy
         ports:
         - containerPort: 15021
@@ -3148,6 +3158,8 @@ spec:
               fieldPath: spec.serviceAccountName
         - name: KUBECONFIG
           value: /var/run/secrets/remote/config
+        - name: CA_TRUSTED_NODE_ACCOUNTS
+          value: istio-system/ztunnel
         - name: PILOT_TRACE_SAMPLING
           value: '1'
         - name: PILOT_ENABLE_ANALYSIS
@@ -3164,7 +3176,7 @@ spec:
               resource: limits.cpu
         - name: PLATFORM
           value: ''
-        image: docker.io/istio/pilot:1.22.1
+        image: docker.io/istio/pilot:1.23.2
         name: discovery
         ports:
         - containerPort: 8080

common/istio-cni-1-22/profile.yaml → common/istio-cni-1-23/profile.yaml

@@ -14,7 +14,7 @@ spec:
       enabled: true
   hub: docker.io/istio
   profile: default
-  tag: 1.22.1
+  tag: 1.23.2
   values:
     defaultRevision: ""
     gateways: