## Redirection

As ztunnel aims to transparently encrypt and route users traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods.
This is a security critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.

Redirection must meet these requirements:
* All traffic *egressing* a pod in the mesh should be redirected to the node-local ztunnel on port 15001.

      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
      excludeInboundPorts: ""
      includeInboundPorts: "*"

      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would

// 2. Adding the pod's IPs to the hostnetns ipsets for node probe checks
// 3. Creating iptables rules inside the pod's netns
// 4. Notifying ztunnel via GRPC to create a proxy for the pod
//
// You may ask why we pass the pod IPs separately from the pod manifest itself (which contains the pod IPs as a field)
// - this is because during add specifically, if CNI plugins have not finished executing,

# KinD cluster like its name, pod and service subnets and network_id. If two cluster
# have the same network_id then they belong to the same network and their pods can
# talk to each other directly.
#
# [{ "cluster_name": "cluster1","pod_subnet": "10.10.0.0/16","svc_subnet": "10.255.10.0/24","network_id": "0" },

.PHONY: test

# This target sets JUNIT_REPORT to the location of the  go-junit-report binary.
# This binary is provided in the build container. If it is not found, the build
# container is not being used, so ask the user to install go-junit-report.
JUNIT_REPORT := $(shell which go-junit-report 2> /dev/null || echo "${ISTIO_BIN}/go-junit-report")

${ISTIO_BIN}/go-junit-report:

      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
      excludeInboundPorts: ""
      includeInboundPorts: "*"
      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would

	messages.Add(msg.NewUpdateIncompatibility(res,
		"meshConfig.defaultConfig.tracer", "1.21",
		"tracing is no longer by default enabled to send to 'zipkin.istio-system.svc'; "+
			"follow https://istio.io/latest/docs/tasks/observability/distributed-tracing/telemetry-api/",
		"1.21"))
	return nil
}

func checkPassthroughTargetPorts(cli kube.CLIClient, messages *diag.Messages) error {

  // rule is the strategy that will dictate the allowable labels that may be set.
  optional string rule = 1;

  // seLinuxOptions required to run as; required for MustRunAs
  // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  // +optional
  optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
}