Jason Young
+1 to @howardjohn's suggestion to start with OpenAPI schema first and only add the webhook later if the schema isn't sufficient.
Agreed about the diagrams. They haven't been updated yet. What exactly is the issue with prerequisites that needs to be fixed?
@yusuoh just updated cert provisioning to use Istio CA instead of k8s CSR API. He removed webhook-create-signed-cert.sh and the caBundle patching script in the process. I don't believe he's updated...
The init-container needs sufficient permissions to write iptable rules for redirecting inbound/outbound traffic to the sidecar proxy. Injection requires CAP_NET_ADMIN though there seem to be potential issues with RBAC (see...
> It does not look like the iptables rules from https://github.com/istio/pilot/blob/master/docker/prepare_proxy.sh are present in my iptables on my nodes. Our init-container programs iptable rules in the pod's network namespace. The...
> If you can point me at the code I can always contribute the fix to the injected init containers. Or it might be easier for somebody with commit privileges...
/assign @bjartek
> I suggest we allow custom bootstrap in a YAML template as part of the mesh/injection config. This seems the most flexible for one-off customizations. It may get a little...
I believe the primary motivation for `--coreDump` was to debug the proxy (envoy). cc @andraxylia @costinm
Should we consider using `AllowUnknownFields` for config forward compatibility? e.g. ```diff diff --git a/pilot/model/conversion.go b/pilot/model/conversion.go index 3d4d1869..d8f3ee88 100644 --- a/pilot/model/conversion.go +++ b/pilot/model/conversion.go @@ -93,7 +94,8 @@ func (ps *ProtoSchema) FromJSON(js...