diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index a7d4d54256..d4945a1cca 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx @@ -233,23 +233,27 @@ This release is supported for use in production. #### Known issues -* Pod restart may be required after initial deployment with Istio Ambient Mode +* Pod restart may be required after initial deployment with Istio Ambient Mode. - When using Calico eBPF dataplane with Istio ambient mode, pods created before ztunnel/istiod are fully ready may experience HBONE tunnel routing failures. Affected pods show connection resets (curl error 56) or TLS handshake failures when - communicating with other ambient-enrolled pods. + When using Calico eBPF dataplane with Istio ambient mode, pods created before ztunnel/istiod are fully ready may experience HBONE tunnel routing failures. + Affected pods show connection resets (curl error 56) or TLS handshake failures when communicating with other ambient-enrolled pods. - Symptoms: - - curl: (56) Recv failure: Connection reset by peer between ambient pods - - ztunnel logs showing received corrupt message of type InvalidContentType - - Traffic works from non-ambient pods and via localhost + Symptoms: + - curl: (56) Recv failure: Connection reset by peer between ambient pods + - ztunnel logs showing received corrupt message of type InvalidContentType + - Traffic works from non-ambient pods and via localhost - Workaround: - Restart affected deployments after enabling ambient mode: - kubectl rollout restart deployment -n + Workaround: + Restart affected deployments after enabling ambient mode: + ```shell + kubectl rollout restart deployment -n + ``` - Root Cause: - Pods created during initial ambient mode setup may have stale ztunnel INPOD socket state, causing HBONE traffic to route to the application port instead of the ztunnel HBONE listener (port 15008). -* There is a bug in the where the image pull secret is not propagated to the target namespace when deploying Istio Ambient mode. Affects only users using a private registry. + Root Cause: + Pods created during initial ambient mode setup may have stale ztunnel INPOD socket state, causing HBONE traffic to route to the application port instead of the ztunnel HBONE listener (port 15008). + +* There is a bug in which the image pull secret is not propagated to the target namespace when deploying Istio Ambient Mode. + Affects only users using a private registry. #### Upgrading