Kubernetes

The gateway API is the successor of ingress, and development of Ingress has been halted in favor of the Gateway API. Cilium supports it, but it has to be enabled for it to be used.

Add support for static IP for egress traffic in kubernetes networking.

Add the ability to attach node pools from different regions (like SF, NYC, SGP) to a single Kubernetes cluster. This would help users distribute workloads globally while maintaining single-cluster management, perfect for serving worldwide customers and improving application performance across regions.

as The DOKS use a Cilium as the default CNI, currently the cluster does not work with Istio ambient mode due to the Bpf masquerade is enabled by default in the cilium configmap, which prevents kubelet from doing the health check to pods. When the bpf masquerade is disabled(manually change the configmap), all are working as expected. In the offical Istio document, they also said that when the cluster uses Cilium as the CNI, the bpf masquerade need to be disabled, view more details here https://istio.io/latest/docs/ambient/install/platform-prerequisites/#cilium

Please release a way to make k8s users authenticating through an OpenID Connect Identity provider, it would greatly enhance the maneageability for those organization already using this way of authenticating. I really like DO k8s, but I'm not sure I'm going to use it on a wider scale due to this limitation; as you know for sure, other cloud providers allow it.

The latest Routing Agent release for DOKS has a single CR, Route , that requires specifying gateways by IP address. Given how Droplets can be destroyed, rotated etc, even with reserved IPs attached, it'd be incredibly useful to have the agent find Droplets via a discovery mechanism, similar to how it currently supports using node selectors to restrict settings a route to a subnet of K8s nodes. This could work via Droplet tags, for instance. I'd imagine something similar to the way Cilium handles gateway discovery for Egress Gateways via the CiliumEgressGatewayPolicy CR. Route could look something like: apiVersion: networking.doks.digitalocean.com/v1alpha1 kind: Route metadata: name: egress-gateways spec: destinations: - 0.0.0.0/0 gateways: dropletSelector: matchTags: - egress-gateway

Containerd allows setting a directory for its CRI mirror configuration. Any configuration placed in this directory will be hot reloaded by Containerd. Unfortunately the directory setting requires a restart of Containerd to take effect. Including the following in the Containerd configuration by default would solve this. ```toml version = 2 [plugins."io.containerd.grpc.v1.cri".registry] config_path = "/etc/containerd/certs.d" ``` Having this set is useful for projects like Spegel which makes use of CRI mirror configuration to function. https://spegel.dev/docs/getting-started/

Currently DigitalOcean Managed Kubernetes doesn't provide any methods to track down control plane logs for auditing. Audit logs are highly necessary and useful for security-related issues and situations especially on production environments. This should be one of the first priority feature to be added on DOKS to let user keep their services safe and fully trust DOKS as a production-ready platform.

For security reasons, it would be nice to restrict access to the managed Kubernetes control plane API, either via Firewall configuration or basic IP Whitelisting like Managed Databases. Similar to the feature in EKS https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html