Skip to content

Experimental Support for ambient on Windows#55216

Merged
istio-testing merged 19 commits intoistio:experimental-windows-ambientfrom
keithmattix:exp-windows-ambient-support
Jun 3, 2025
Merged

Experimental Support for ambient on Windows#55216
istio-testing merged 19 commits intoistio:experimental-windows-ambientfrom
keithmattix:exp-windows-ambient-support

Conversation

@keithmattix
Copy link
Contributor

@keithmattix keithmattix commented Feb 21, 2025

Part of #27893. Ztunnel companion PR is istio/ztunnel#1461

More information to follow in an upcoming IstioDay talk as well as a blog post, but in summary: we've made substantial progress towards support Istio on Windows, and we decided the time is right to share where we are with the community! After discussing with the rest of Istio TOC, we have agreed that a long-lived experimental branch is the best place for this code to live for now as we work towards productionizing it and getting CI set up.

What works:

  • in pod traffic redirection (via WFP) for existing pods
  • Logging via UDS
  • ZDS communication with ztunnel

What doesn't work:

  • Host probe exclusion: (there's no iptables on windows, so we need ebpf in order to distinguish between kube-proxy and kublet probes, specifically tc support and helper functions like bpf_skc_lookup_tcp)
  • Client src ip preservation: similar to above, the Windows API we're using here proxies via localhost, so the destination app sees all ztunnel traffic as originating from localhost.
  • DNS proxying (not tested; WFP can handle this in theory)
  • traffic redirection for new pods. With Windows containers today, the CNI is invoked before the pause container is created by containerd, so there's no way for istio-cni to program redirection rules in the netns (it doesn't exist yet). In WS2025, there are some OS level changes that will make this possible, but I have an idea for a workaround that involves injecting an init container that will block main container execution until the istio-cni informer retries enough times to get the pod netns.
  • Probably something I'm forgetting

Rough edges

  • Need to add node selectors based on OS to a lot of our manifests

I'm opening this PR as a draft for folks to take a look and comment on the diff/approach before merging it into the experimental branch. Feel free to reach out with any questions or concerns. Welcome to Istio, Windows!

@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Feb 21, 2025
@istio-testing
Copy link
Collaborator

istio-testing commented Feb 21, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@istio-testing istio-testing added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Feb 21, 2025
This was referenced Feb 21, 2025
Merged
Open
@keithmattix keithmattix force-pushed the exp-windows-ambient-support branch from 2a4d3dc to 94877ef Compare February 23, 2025 18:59
@keithmattix keithmattix marked this pull request as ready for review February 28, 2025 21:58
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Feb 28, 2025
@keithmattix keithmattix marked this pull request as draft February 28, 2025 22:25
@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Feb 28, 2025
@keithmattix keithmattix marked this pull request as ready for review March 15, 2025 23:27
@keithmattix keithmattix requested a review from a team March 15, 2025 23:27
@keithmattix keithmattix requested a review from a team as a code owner March 15, 2025 23:27
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Mar 15, 2025
@keithmattix keithmattix reopened this Mar 21, 2025
@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Mar 21, 2025
@keithmattix keithmattix force-pushed the exp-windows-ambient-support branch from b372025 to 4ae3235 Compare March 21, 2025 23:56
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Mar 21, 2025
keithmattix added 16 commits May 20, 2025 15:39
@keithmattix
Get a compilable binary
969593b 
Split out linux specific stuff to their own files behind compilation
flags.

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Add docker container
44170ec 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Add manifest for istio-cni-windows
b7c223d 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Generalize iptables datatypes
81e6441 
The goal here is that calls to Iptables and WFP look ~the same.

Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Add windows searching logic for pod uid -> namepsace mapping
4560154 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Complete ztunnel server implementation
9cdd9ef 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Complete server
6741944 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Make HCS stuff windows only
be1926e 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Get working mounts
541c6ed 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Get traffic redirection going to ztunnel
b7c8911 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Complete e2e hbone and passthrough!
ce3d526
@keithmattix
Move windows_namespace to optional WorkloadInfo
e33e713 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Add instructions for building + running windows
01453fa 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Fix linting errors
0079d81 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Bump protoc-gen-go
e153c95 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Remove unneeded file
41c95ed 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix keithmattix force-pushed the exp-windows-ambient-support branch from 1d4c298 to 41c95ed Compare May 20, 2025 15:57
@keithmattix
A couple of bug fixes
c533bd1 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Go mod tidy
65afdd5 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix keithmattix force-pushed the exp-windows-ambient-support branch from a606658 to 65afdd5 Compare May 20, 2025 17:55
@keithmattix
Refresh golden files
c6abe17 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Copy link
Contributor Author

keithmattix commented May 20, 2025

@therealmitchconnors removed one of the files and explained the rest. As for tests @grnmeira is going to iterate on them before we move this into the master branch

@keithmattix
Copy link
Contributor Author

keithmattix commented May 20, 2025

/test integ-pilot-istiodremote

@grnmeira
Copy link
Contributor

grnmeira commented May 28, 2025

@therealmitchconnors @howardjohn is there anything else we need here to get this branch merged? As @keithmattix mentioned I intend to start working on the tests once we have this in.

@grnmeira grnmeira added the windows/ambient Experimental Windows support label May 29, 2025
howardjohn
howardjohn approved these changes Jun 2, 2025
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did not review, approving since its on experimental branch

@istio-testing istio-testing merged commit a5c2e9d into istio:experimental-windows-ambient Jun 3, 2025
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@craigbox craigbox craigbox approved these changes

@howardjohn howardjohn howardjohn approved these changes

@therealmitchconnors therealmitchconnors therealmitchconnors approved these changes

@costinm costinm Awaiting requested review from costinm costinm is a code owner

@linsun linsun Awaiting requested review from linsun linsun is a code owner

@stevenctl stevenctl Awaiting requested review from stevenctl stevenctl is a code owner

@hzxuzhonghu hzxuzhonghu Awaiting requested review from hzxuzhonghu hzxuzhonghu is a code owner

Assignees

No one assigned

Labels

lifecycle/staleproof Indicates a PR or issue has been deemed to be immune from becoming stale and/or automatically closed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. windows/ambient Experimental Windows support

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@keithmattix @istio-testing @grnmeira @craigbox @howardjohn @therealmitchconnors @jacob-delgado @istio-policy-bot