### Design details

Broadly, `istio-cni` accomplishes ambient redirection by instructing ztunnel to set up sockets within the application pod network namespace, where:

- one end of the socket is in the application pod
- and the other end is in ztunnel's pod

and setting up iptables rules to funnel traffic thru that socket "tube" to ztunnel and back.

iptables -t nat -N ISTIO_POSTRT
iptables -t nat -A POSTROUTING -j ISTIO_POSTRT

	// The HTTP port for monitoring
	MonitoringPort int

	// The UDS server address that CNI plugin will send log to.
	LogUDSAddress string

	// The watch server socket address that CNI plugin will forward CNI events to.
	CNIEventAddress string

	// The ztunnel server socket address that the ztunnel will connect to.
	ZtunnelUDSAddress string

	// Whether ambient is enabled
	AmbientEnabled bool

    resources:
  {{ template "resources" . }}
    volumeMounts:
    - name: workload-socket
      mountPath: /var/run/secrets/workload-spiffe-uds
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate
      mountPath: /var/run/secrets/workload-spiffe-credentials

iptables -t nat -N ISTIO_POSTRT
iptables -t nat -A POSTROUTING -j ISTIO_POSTRT
iptables -t nat -A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v4 dst -j SNAT --to-source 169.254.7.127
ip6tables -t nat -N ISTIO_POSTRT
ip6tables -t nat -A POSTROUTING -j ISTIO_POSTRT

          privileged: false
          runAsGroup: 1337
          runAsUser: 0
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: workload-socket
          mountPath: /var/run/secrets/workload-spiffe-uds
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/lib/istio/data
          name: istio-data

			./pkg/istio-agent/... | sort | uniq |\
		grep -Pv '^k8s.io/(utils|klog|apimachinery)/' |\
		grep -Pv 'envoy/type/|envoy/annotations|envoy/config/core/' |\
		grep -Pv 'envoy/extensions/transport_sockets/tls/' |\
		grep -Pv 'envoy/service/discovery/v3' |\
		grep -Pv 'envoy/extensions/wasm/' |\
		grep -Pv 'envoy/extensions/filters/(http|network)/wasm/' |\

	//
	// We want to do the same thing in ambient but can't rely on podSpec injection. So, do effectively the same thing,
	// but with iptables rules - use `--socket-exists` as a proxy for "is this a forwarded packet" vs "is this originating from
	// a local node socket". If the latter, outside the pod in the host netns, redirect that traffic to a hardcoded/custom proxy

      runAsUser: {{ .ProxyUID | default "1337" }}
      {{- end }}
      {{- end }}
    resources:
  {{ template "resources" . }}
    volumeMounts:
    - name: workload-socket
      mountPath: /var/run/secrets/workload-spiffe-uds
    - name: credential-socket
      mountPath: /var/run/secrets/credential-uds
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate

      runAsUser: {{ .ProxyUID | default "1337" }}
      {{- end }}
      {{- end }}
    resources:
  {{ template "resources" . }}
    volumeMounts:
    - name: workload-socket
      mountPath: /var/run/secrets/workload-spiffe-uds
    - name: credential-socket
      mountPath: /var/run/secrets/credential-uds
    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
    - name: gke-workload-certificate