# The control plane has different scopes depending on component, but can configure default log level across all components
    # If empty, default scope and level will be used as configured in code
    logging:
      level: "default:info"

    omitSidecarInjectorConfigMap: false

    # Configure whether Operator manages webhook configurations. The current behavior

defaults:
  global:

    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # Must be set for any cluster configured with private docker registry.
    imagePullSecrets: []

    # Used to locate istiod.
    istioNamespace: istio-system

    externalIstiod: false
    remotePilotAddress: ""

	udsSock := filepath.Join(udsSockDir, "cni.sock")
	logger := NewUDSLogger()
	pluginLog.SetOutputLevel(log.DebugLevel) // this will be configured by global.logging.level
	stop := make(chan struct{})
	defer close(stop)
	assert.NoError(t, logger.StartUDSLogServer(udsSock, stop))

	// Configure log to tee to UDS server
	stdout := os.Stdout
	r, w, _ := os.Pipe()
	os.Stdout = w
	loggingOptions := log.DefaultOptions()

  //
  //   1. Old signer that is unaware of the field (such as the in-tree
  //      implementations prior to v1.22)
  //   2. Signer whose configured maximum is shorter than the requested duration
  //   3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional

    # The control plane has different scopes depending on component, but can configure default log level across all components
    # If empty, default scope and level will be used as configured in code
    logging:
      level: "default:info"
    omitSidecarInjectorConfigMap: true
    # Configure whether Operator manages webhook configurations. The current behavior

This offered performance benefits that were too large to leave on the table, as well as opportunities to tune to our specific needs.

## Configuration protocol

Ztunnel, of course, needs to be dynamically configured in order to make decisions on how it should handle traffic.
For this purpose, we chose to use xDS transport protocol due to our expertise and existing infrastructure, and because the protocol is well suited to our needs.

- In ambient mode, the CNI plugin does not configure any networking, but is only responsible for synchronously pushing new pod events back up to an ambient watch server which runs as part of the Istio CNI node agent. The ambient server will find the pod netns and configure networking inside that pod via iptables. The ambient server will additionally watch enabled namespaces, and enroll already-started-but-newly-enrolled...

  // +optional
  optional string evaluationError = 3;
}

// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
// the set of authorizers the server is configured with and any errors experienced during evaluation.
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
// even if that list is incomplete.

  // An empty or nil nodeSelector selects all nodes.
  // This field is immutable.
  // +optional
  optional k8s.io.api.core.v1.NodeSelector nodeSelector = 1;

  // perNodeHostBits defines the number of host bits to be configured per node.
  // A subnet mask determines how much of the address is used for network bits
  // and host bits. For example an IPv4 address of 192.168.0.0/24, splits the

  // +optional
  optional string evaluationError = 3;
}

// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
// the set of authorizers the server is configured with and any errors experienced during evaluation.
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
// even if that list is incomplete.