Closed
Description
In sidecars, and Ambient pre-alpha, we have quite a bit of control on what triggers something to be 'in the mesh'.
When ambient went to alpha we streamlined this to only allow a single hardcoded label opt-in by the user on the namespace.
We should consider adding more flexibility.
Use cases:
- I want to opt-in the entire cluster. This is the cluster-wide default networking stack, so make everything use it.
- But maybe opt out a few namespace as an admin (kube-system, etc)
- But maybe allow namespace admins to opt out (if they cannot use ambient for various reasons
- I want to enforce all pods are in the mesh for security purposes
Note that while the last one is not likely something we can commit to at this time, it would be good if the API we decide is future proofed to enable that use case if/when we can guarantee it.
In the past, which was likely a solid API, we allowed a matchExpression in meshConfig to be defined. We can default, of course, to istio.io/dataplane-mode=ambient, but could express an opt-out model (like istio.io/dataplane-mode NOTIN [disabled]).