diff --git a/internal/driver/provisioner.go b/internal/driver/provisioner.go
index b08eef0..11b7a2f 100644
--- a/internal/driver/provisioner.go
+++ b/internal/driver/provisioner.go
@@ -28,7 +28,8 @@ const (
 labelKagentiInject = "kagenti.io/inject"
 labelTenant = "openshell.ai/tenant"
 labelKagentiTeam = "kagenti.io/team"
- annotationSandboxID = "openshell.io/sandbox-id"
+ annotationSandboxID = "openshell.io/sandbox-id"
+ annotationBypassInboundCapture = "ambient.istio.io/bypass-inbound-capture"
 )

 // K8sProvisioner implements SandboxProvisioner using the Kubernetes API. It
@@ -383,6 +384,10 @@ func (p *K8sProvisioner) buildSandboxSpec(sb *pb.DriverSandbox) map[string]inter

 podAnnotations := map[string]interface{}{
 annotationSandboxID: sb.GetId(),
+ // Bypass Istio ambient inbound capture so ztunnel (HBONE mode) does not
+ // re-originate veth-pair connections from the pod's main IP, which breaks
+ // the proxy's /proc/net/tcp identity resolution.
+ annotationBypassInboundCapture: "true",
 }

 return map[string]interface{}{
diff --git a/internal/driver/provisioner_test.go b/internal/driver/provisioner_test.go
index 6ecabc6..9d92bde 100644
--- a/internal/driver/provisioner_test.go
+++ b/internal/driver/provisioner_test.go
@@ -365,6 +365,9 @@ func TestBuildSandboxSpec_Annotations(t *testing.T) {
 if annotations[annotationSandboxID] != "sb-anno-123" {
 t.Errorf("expected annotation %s=sb-anno-123, got %v", annotationSandboxID, annotations[annotationSandboxID])
 }
+ if annotations[annotationBypassInboundCapture] != "true" {
+ t.Errorf("expected annotation %s=true, got %v", annotationBypassInboundCapture, annotations[annotationBypassInboundCapture])
+ }
 }

 func TestBuildSandboxSpec_TenantLabels(t *testing.T) {
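Review bot: The `annotationBypassInboundCapture: "true"` entry added to podAnnotations in the second hunk is unconditional, so every sandbox pod opts out of ztunnel inbound capture and, on clusters where Istio ambient is installed, out of the inbound mTLS and AuthorizationPolicy enforcement that capture provides; the new comment records only the proxy-side motivation. The trade-off belongs next to that comment, e.g. `// NOTE: this also exempts the pod from ztunnel inbound mTLS/L4 policy, so the sandbox proxy must remain the only inbound path.`, and it would be safer to gate the annotation behind a provisioner setting so deployments that rely on mesh policy for sandbox isolation can keep capture on. The constant introduced in the first hunk is fine as is, but its name could carry the same caveat in a doc comment. buildSandboxSpec begins and ends outside the hunk.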