Allow to ignore proxy redirect for an ip

[lahabana]

Description

For example in GKE the metadata service is always running on the same ip:

Note: If you have a strict cluster network policy in place, you must allow egress to the following IP addresses and port numbers so your Pod can communicate with the GKE metadata server. For clusters running GKE version 1.21.0-gke.1000 and later, allow egress to 169.254.169.252/32 on port 988. For clusters running GKE versions prior to 1.21.0-gke.1000, allow egress to 127.0.0.1/32 on port 988. For clusters running GKE Dataplane V2, ensure that you allowed egress to 169.254.169.254/32 on port 80.

In this case we'd really like to not proxy the traffic (especially as this is used for auth).

Apparently we'd need a rule like:

iptables --table nat -I KUMA_MESH_OUTBOUND --destination {IP_ADDRESS_WE_WANT}/32 --match owner --uid-owner 5678 --jump RETURN

It probably even makes sense to have an entire subnet there

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[lahabana]

Istio feature: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services

[lahabana]

@bartsmykla this is fixed by https://github.com/kumahq/kuma/pull/10884 right?