## Redirection

As ztunnel aims to transparently encrypt and route users traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods.
This is a security critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.

Redirection must meet these requirements:

	}
	return nil
}

// Alpine and some distros struggles with this - ipset CLI utilities support this, but
// the kernel can be out of sync with the CLI utility, leading to errors like:
//
// ipset v7.10: Argument `comment' is supported in the kernel module of the set type hash:ip
// starting from the revision 3 and you have installed revision 1 only.
// Your kernel is behind your ipset utility.

	// test flakes with the fake kube client in `pkg/kube/client.go` -
	// because we are using `List()` in the handler, without this requeue,
	// the fake client will sometimes drop pod events leading to test flakes.
	//
	// WaitForCacheSync *helps*, but does not entirely fix this problem
	s.namespaces = kclient.New[*corev1.Namespace](kubeClient)

## PeerAuthentication and the Waypoint Proxy

(Note: this section is not yet implemented and is dependent upon discussion in the [ztunnel hairpinning doc](https://docs.google.com/document/d/1uM1c3zzoehiijh1ZpZuJ1-SzuVVupenv8r5yuCaFshs/edit#heading=h.dwbqvwmg6ud3))

func (s *NetServer) RemovePodFromMesh(ctx context.Context, pod *corev1.Pod) error {
	log := log.WithLabels("ns", pod.Namespace, "name", pod.Name)
	log.Debugf("Pod is now opt out... cleaning up.")

	openNetns := s.currentPodSnapshot.Take(string(pod.UID))
	if openNetns == nil {
		log.Warn("failed to find pod netns")
		return fmt.Errorf("failed to find pod netns")
	}

	}

	log.Info("CNI ambient server marking ready")
	s.Ready()
	s.dataplane.Start(s.ctx)
	s.handlers.Start()
}

func (s *Server) Stop() {
	log.Info("CNI ambient server terminating, cleaning up node net rules")

	s.cniServerStopFunc()
	s.dataplane.Stop()
}

type meshDataplane struct {
	kubeClient kubernetes.Interface
	netServer  MeshDataplane
}

		if err != nil {
			return nil, nil, err
		}
		injectConfig, err := readInjectConfigFile(injectionConfig)
		if err != nil {
			return nil, nil, multierror.Append(err, fmt.Errorf("loading --injectConfigFile"))
		}
		*sidecarTemplate = injectConfig
	} else {
		injector, err = setUpExternalInjector(cliContext, revision, injectorAddress)
		if err != nil || injector.clientConfig == nil {

  // DeallocationRequested indicates that a ResourceClaim is to be
  // deallocated.
  //
  // The driver then must deallocate this claim and reset the field
  // together with clearing the Allocation field.
  //
  // While DeallocationRequested is set, no new consumers may be added to
  // ReservedFor.
  // +optional
  optional bool deallocationRequested = 4;
}

function cleanup_kind_cluster() {
  echo "Test exited with exit code $?."
  NAME="${1}"
  kind export logs --name "${NAME}" "${ARTIFACTS}/kind" -v9 || true
  if [[ -z "${SKIP_CLEANUP:-}" ]]; then
    echo "Cleaning up kind cluster"
    kind delete cluster --name "${NAME}" -v9 || true
  fi
}

# check_default_cluster_yaml checks the presence of default cluster YAML
# It returns 1 if it is not present

`Deployment.spec.selector` labels must match. If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: ```yaml app: istio-gateway istio: gateway # the release name with leading istio- prefix stripped ``` If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels `foo=bar,istio=ingressgateway`: ```yaml name: my-custom-gateway...