Add docs for enabling Istio native nftables feature

[yxun]

This PR adds new doc and samples about the Istio native nftables feature. That feature was merged in the upstream release-1.27. This doc outlines the configuration steps using Sail Operator.

• Documentation Update

Related issue: #1123

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.75%. Comparing base (8958564) to head (f89ca91).
⚠️ Report is 52 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1122      +/-   ##
==========================================
+ Coverage   77.78%   78.75%   +0.96%     
==========================================
  Files          44       44              
  Lines        2823     2255     -568     
==========================================
- Hits         2196     1776     -420     
+ Misses        521      369     -152     
- Partials      106      110       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[yxun]

We don't have a version: v1.27 in Sail Operator now. So I use the version: v1.28-alpha.24646157 in this PR draft now. Will update that in a following commit.

[sridhargaddam]

While this looks good. In the longer run, we should use templates and update it based on the args.

[sridhargaddam]

Regarding the installation on OCP for Sail Operator, I feel we should link to the existing documentation rather than duplicating the steps here once again. If the steps require some explicit config that can be added as a note.

[sridhargaddam]

Thanks for looking into this @yxun

[sridhargaddam]

Suggested change

	The support for native nftables when using Istio sidecar mode was implemented in the upstream istio release-1.27 [release note](https://github.com/istio/istio/blob/master/releasenotes/notes/nftables-sidecar.yaml). It is disabled by default. To enable it, you can set a feature flag as `values.global.nativeNftables=true`. For example,
	The support for native nftables when using Istio sidecar mode was implemented in the upstream istio [release-1.27](https://github.com/istio/istio/blob/master/releasenotes/notes/nftables-sidecar.yaml). It is disabled by default. To enable it, you can set a feature flag as `values.global.nativeNftables=true`. For example,

[sridhargaddam]

Since we are talking about nftables, we can avoid using "istiod-canary"

Suggested change

	helm install istiod-canary istio/istiod \
	helm install istiod istio/istiod \

[sridhargaddam]

We can use 1.27 (or whatever is the latest supported version) here.

[sridhargaddam]

Since the updateStrategy section is anyways using the defaults, we can avoid specifying it in the yamls.

[sridhargaddam]

As this document is for Sail Operator, lets avoid any OpenShift specific notes. Please use appropriate mechanism for Kind cluster.

[sridhargaddam]

Actually you can remove this whole section since we are capturing the same info below.

[sridhargaddam]

Is this a TODO?

[yxun]

yes, the Ambient mode part install and upgrade is in progress. When that part is clear, I will update the upgrade task JIRA and this PR draft.

[sridhargaddam]

Suggested change

	Attach a debug container and you will get the following rules in the `istio-proxy` container:
	Attach a debug container and you can see the nftable rules from the `istio-proxy` container:

[sridhargaddam]

Suggested change

	The migration of using the existing Istio iptables backend to nftables backend can be done by upgrading Istio. The following example installs an Istio control plane with the iptables backend and a sample application curl in a data plane namespace test-ns.
	The migration from iptables backend to nftables backend can be done by upgrading Istio. The following example installs an Istio control plane with the iptables backend and a sample application in test-ns namespace.

[sridhargaddam]

As this is a Sail Operator doc, lets use the installation mechanisms supported in Sail Operator.

[yxun]

This PR is still WIP. I tried the Sail Operator 1.27.1 but still getting the following error

IstioCNI default violates policy 299 - "unknown field "spec.values.global.nativeNftables""

The api field PR was merged in #1183
I am reopening JIRA https://issues.redhat.com/browse/OSSM-10589

[yxun]

The latest Sail Operator (1.27.1) log shows:

2025-10-01T07:31:28Z INFO setup version.BuildInfo{Version:"1.27.1", GitRevision:"18c6703878d493e756a0f3dc12d600d64220a184",

Unfortunately , the api change PR was one commit behind that :
https://github.com/istio-ecosystem/sail-operator/commits/release-1.27

We may need to bump Sail Operator to a newer 1.27 version and then I can verify the nftables feature using Sail Operator.

[fjglira]

Hey, can you please convert these files to ASCII doc? We now have all the docs under the docs folder in ASCII format

[yxun]

yes, I pushed another commit about adding a ascii one. I'm checking. If the conversion looks correct , I will remove the markdown file in another commit after review.

[yxun]

@sridhargaddam

Here are two findings :
1. When using Sail Operator, the upgraded IstioCNI and Istio resources spec.version value need to be different from the prior instances. Otherwise, the appended spec.values will not be configured.
2. After ambient mode upgrade, the data plane application deployment(s) still need a restart so that new rules can be applied in the pod network.

The doc PR is ready for review. Thanks.

[sridhargaddam]

Lets remove these fields as they are anyways default.

[sridhargaddam]

Suggested change

	When you install IstioCNI and Istio resources with Sail Operator, you can create an instance of them with `+spec.values.global.nativeNftables=true+`.
	This feature configures Istio to use the `+nftables+` backend instead of `+iptables+` for traffic redirection.
	When installing `Istio` and `IstioCNI` resources with the Sail Operator, you can enable nftables by setting `spec.values.global.nativeNftables=true` in the resource. This option configures Istio to use the nftables backend for traffic redirection instead of iptables.

[sridhargaddam]

Not sure what this is for. Can you eloborate?

[yxun]

That was automatically generated when I run make gen-api-docs . I can remove that asciidoc format mark.

[sridhargaddam]

We can remove this line as we already mentioned above how to enable nftables.

[sridhargaddam]

This should be updated to version 1.28

[sridhargaddam]

Suggested change

	You can find all rules are in the `+inet+` table. The following example installs a sample application `+curl+` in a data plane namespace `+test-ns+`.
	You can find all rules are in the `+inet+` table. The following example installs a sample application `+curl+` in a namespace `+test-ns+` that is part of the mesh.

[sridhargaddam]

Suggested change

	===== Upgrade with Sail Operator on OpenShift
	===== Upgrade using Sail Operator

[sridhargaddam]

Suggested change

	To upgrade an iptable based Istio service mesh, using the following steps:
	To upgrade an iptable based Istio service mesh with nftables backend, use the following steps:

[sridhargaddam]

The whole of the section is redundant, we are just repeating things again. Please re-work on the section below. We dont have to show the Yamls again, just include a note saying that spec.values.global.nativeNftables should be set to true in Istio and IstioCNI CRs.

[sridhargaddam]

hmm... we should find a way to support re-programming the new rules without having to restart the pods. Did you take a look at the code to understand what it does when config changes and the rules do not match?

[sridhargaddam]

When using Sail Operator, the upgraded IstioCNI and Istio resources spec.version value need to be different from the prior instances. Otherwise, the appended spec.values will not be configured.

Are you saying that when we update any spec.values (without modifying the version) the updated values are not reflected in the Istio deployment?
Looping @dgn to check if this is some known.

[yxun]

When using Sail Operator, the upgraded IstioCNI and Istio resources spec.version value need to be different from the prior instances. Otherwise, the appended spec.values will not be configured.

Are you saying that when we update any spec.values (without modifying the version) the updated values are not reflected in the Istio deployment? Looping @dgn to check if this is some known.

yes, I am not clear about other spec.values settings. When I added the +spec.values.global.nativeNftables=true+, it was only applied when I changed the spec.version value for an in place upgrade scenario.

[istio-testing]

@yxun: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
e2e-kind-olm_sail-operator_main	f89ca91	link	true	/test e2e-kind-olm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[yxun]

When using Sail Operator, the upgraded IstioCNI and Istio resources spec.version value need to be different from the prior instances. Otherwise, the appended spec.values will not be configured.

When I run the latest Sail operator 1.27.3+ , I see Istio values overrides behavior works correctly in this upgrade case.
There was already an unit test file covering that.
https://github.com/istio-ecosystem/sail-operator/blob/main/pkg/istiovalues/overrides_test.go

My Quote finding was not correct. It could be caused by running an old Istio version which had not included nftables change there.

[yxun]

hmm... we should find a way to support re-programming the new rules without having to restart the pods.

Still work in progress about the re-programming rule changes without having to restart the application pods.