Skip to content

OSSM_13620_nftables#111267

Open
lhite8041 wants to merge 14 commits intoopenshift:service-mesh-docs-mainfrom
lhite8041:OSSM_13620_nftables
Open

OSSM_13620_nftables#111267
lhite8041 wants to merge 14 commits intoopenshift:service-mesh-docs-mainfrom
lhite8041:OSSM_13620_nftables

Conversation

@lhite8041
Copy link
Copy Markdown

@lhite8041 lhite8041 commented May 5, 2026
edited
Loading

OSSM-13620: Support Native nftables in Istio (RHEL 10)

Version(s):
service-mesh-docs-main, service-mesh-docs-main-3.4, service-mesh-docs-main-3.3

Issue:
https://redhat.atlassian.net/browse/OSSM-13620

Link to docs preview:

QE review:

  • QE has approved this change.

@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 5, 2026
@lhite8041
Copy link
Copy Markdown
Author

lhite8041 commented May 5, 2026

/label merge-review-in-progress

@openshift-ci openshift-ci Bot added the merge-review-in-progress Signifies that the merge review team is reviewing this PR label May 5, 2026
@ocpdocs-previewbot
Copy link
Copy Markdown

ocpdocs-previewbot commented May 5, 2026
edited
Loading

🤖 Fri May 08 19:00:50 - Prow CI generated the docs preview:
https://111267--ocpdocs-pr.netlify.app
Complete list of updated preview URLs: artifacts/updated_preview_urls.txt

@lhite8041 @claude
Remove artifacts directory from tracking
5775c22 
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 5, 2026
sridhargaddam
sridhargaddam reviewed May 7, 2026
View reviewed changes
Comment thread modules/ossm-creating-istio-resource-using-console.adoc
Comment thread modules/ossm-creating-istio-resource-using-console.adoc
Comment thread modules/ossm-creating-istiocni-resource-using-console.adoc
@sridhargaddam
Copy link
Copy Markdown

sridhargaddam commented May 7, 2026

@lhite8041 Thanks for the PR. We will need similar changes to the ambient mode as well.

For your reference, please see https://github.com/istio-ecosystem/sail-operator/blob/main/docs/common/istio-nftables.adoc#install-in-ambient-mode

sridhargaddam
sridhargaddam approved these changes May 7, 2026
View reviewed changes
Copy link
Copy Markdown

@sridhargaddam sridhargaddam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you.

@openshift-ci openshift-ci Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 7, 2026
@lhite8041 lhite8041 requested a review from sridhargaddam May 8, 2026 11:08
sridhargaddam
sridhargaddam reviewed May 8, 2026
View reviewed changes
Comment thread update/ossm-preparing-for-rhel-10-migration.adoc Outdated

{SMProductShortName} relies on a packet-filtering backend to intercept and redirect application traffic to the service mesh data plane. Because {op-system-base-full} 10 removes the `iptables` framework, you must enable the `nativeNftables` parameter in your {istio} and `IstioCNI` resources.

Enabling this parameter allows the {istio} CNI plugin to detect the host's capabilities and use `nft` commands for redirection. In mixed clusters, the service mesh continues to use `iptables` on legacy nodes (such as {op-system-base-full} 9) while using `nftables` on {op-system-base-full} 10 nodes, ensuring a smooth transition during node migration.
Copy link
Copy Markdown

@sridhargaddam sridhargaddam May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of saying "legacy" nodes, probably we can say "non-RHEL10" nodes.

Suggested change
Enabling this parameter allows the {istio} CNI plugin to detect the host's capabilities and use `nft` commands for redirection. In mixed clusters, the service mesh continues to use `iptables` on legacy nodes (such as {op-system-base-full} 9) while using `nftables` on {op-system-base-full} 10 nodes, ensuring a smooth transition during node migration.
Enabling this parameter allows the {istio} CNI plugin to detect the host's capabilities and use `nft` commands for redirection. In mixed clusters, the service mesh continues to use `iptables` on non-{op-system-base-full} 10 nodes while using `nftables` on {op-system-base-full} 10 nodes, ensuring a smooth transition during node migration.

Comment thread update/ossm-preparing-for-rhel-10-migration.adoc Outdated
[id="ossm-preparing-for-rhel-10-migration"]
= Preparing for Red Hat Enterprise Linux 10 migration
include::_attributes/common-attributes.adoc[]
:context: ossm-preparing-for-rhel-10-migration
Copy link
Copy Markdown

@sridhargaddam sridhargaddam May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are talking about RHEL10 migration which covers areas beyond nftables, I'd like rzago@redhat.com to take a look at the updated content to see if we want to add something to this doc.

Comment thread modules/ossm-migrate-to-nftables-rhel10-ambient.adoc Outdated
@@ -0,0 +1,75 @@
// Module included in the following assemblies:
Copy link
Copy Markdown

@sridhargaddam sridhargaddam May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After re-reviewing the updated files, I feel we can remove these two files (i.e., modules/ossm-migrate-to-nftables-rhel10-ambient.adoc and modules/ossm-migrate-to-nftables-rhel10-sidecar.adoc) all-together since we have mentioned the nftables config in the required files (i.e., modules/ossm-installing-istio-ambient-mode.adoc).

Comment thread update/ossm-preparing-for-rhel-10-migration.adoc Outdated
[IMPORTANT]
====
Enable `nativeNftables` **before** you add {op-system-base-full} 10 nodes to your cluster. If this support is not enabled, service mesh components such as the `istio-cni` agent and the Ztunnel proxy will fail to initialize on the new nodes.
====
Copy link
Copy Markdown

@sridhargaddam sridhargaddam May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can add a note specifically for Ambient mode as described here.
https://github.com/istio-ecosystem/sail-operator/blob/main/docs/common/istio-nftables.adoc#upgrade-in-ambient-mode

@lhite8041 lhite8041 force-pushed the OSSM_13620_nftables branch from 7946674 to fdd5edd Compare May 8, 2026 13:30
@openshift-ci openshift-ci Bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 8, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 8, 2026

@lhite8041: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sridhargaddam sridhargaddam sridhargaddam approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

merge-review-in-progress Signifies that the merge review team is reviewing this PR size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lhite8041 @ocpdocs-previewbot @sridhargaddam