zzoehiijh1ZpZuJ1-SzuVVupenv8r5yuCaFshs/edit#heading=h.dwbqvwmg6ud3))

When a ztunnel receives traffic (authenticated or not) from a workload, it will forward that traffic to the Waypoint proxy **after** applying any `TRANSPORT` layer policies (i.e. `Authorization`s). Thus, if the destination workload has at least the equivalent of a `STRICT` `PeerAuthentication`, unauthenticated traffic will be rejected before it reaches the Waypoint proxy. If the effective policy is `PERMISSIVE` (the default),...

as a Kubernetes DaemonSet.

At a high level, our goal is to provide complete connectivity to a workload throughout its entire lifetime.
Failing to do so can be an availability risk (if we deny traffic that should succeed) or a security risk (if we allow traffic that should be denied).

## High level overview

At a high level, the relevant components look as such:

```mermaid
flowchart TD
    CNIP["CNI Plugin"]
    CNI["CNI Agent"]

  container: '',
  pod: '',
  component: '',
  app: '',
});

dashboard.new('Istio Mesh Dashboard')
+ g.dashboard.withPanels(
  grid.makeGrid([
    row.new('Global Traffic')
    + row.withPanels([
      panels.timeSeries.statRps('Traffic Volume', queries.globalRequest, 'Total requests in the cluster'),
      panels.timeSeries.statPercent('Success Rate', queries.globalRequestSuccessRate, 'Total success rate of requests in the cluster'),

	}
	return true
}

// PodRedirectionActive reports on whether the pod _has_ actually been configured for traffic redirection.
//
// That is, have we annotated it after successfully sending it to the node proxy and set up iptables rules.
//
// If you just want to know if the pod _should be_ configured for traffic redirection, see PodRedirectionEnabled
func PodRedirectionActive(pod *corev1.Pod) bool {

[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate
microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies
and aggregate telemetry data. Istio's control plane provides an abstraction
layer over the underlying cluster management platform, such as Kubernetes.

- **Focus**:
  1. Configuration of Envoy proxies by Pilot.
  1. Communication between Pilot and Envoy proxies.
  1. Validation of service discovery.
  1. Testing of traffic management policies (e.g., routing, retries, timeouts).
  1. Validation of load balancing configurations.
  1. Specific `istioctl proxy-config` commands being tested: `bootstrap`, `cluster`, `endpoint`, `listener`, `route`, `all`.

	HostProbeSNATIPV6 = netip.MustParseAddr(env.RegisterStringVar("HOST_PROBE_SNAT_IPV6", DefaultHostProbeSNATIPV6, "").Get())
)

const (
	// to reliably identify kubelet healthprobes from inside the pod (versus standard kube-proxy traffic,
	// since the IP is normally the same), we SNAT identified host probes in the host netns to a fixed
	// APIPA/"link-local" IP.
	//

// See the License for the specific language governing permissions and
// limitations under the License.

package plugin

// InterceptRuleMgr configures networking tables (e.g. iptables or nftables) for
// redirecting traffic to an Istio proxy.
type InterceptRuleMgr interface {
	Program(podName, netns string, redirect *Redirect) error
}

// Constructor for iptables InterceptRuleMgr
func IptablesInterceptRuleMgr() InterceptRuleMgr {

  # process should be kept alive after an occasional reload.
  drainDuration: 2s
  #
  # The mode used to redirect inbound connections to Envoy. This setting
  # has no effect on outbound traffic: iptables REDIRECT is always used for
  # outbound connections.
  # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
  # The "REDIRECT" mode loses source addresses during redirection.

}

func newBufPool(sz int) httputil.BufferPool {
	return &bufPool{sz: sz, pool: sync.Pool{
		New: func() interface{} {
			buf := make([]byte, sz)
			return &buf
		},
	}}
}

// ServeHTTP forwards HTTP traffic using the configured transport
func (f *Forwarder) ServeHTTP(w http.ResponseWriter, inReq *http.Request) {
	outReq := new(http.Request)
	*outReq = *inReq // includes shallow copies of maps, but we handle this in Director