assertEquals("1guest", permissionHelper.encode("(allow){user}guest"));
        assertEquals("Rguest", permissionHelper.encode("(allow){role}guest"));
        assertEquals("2guest", permissionHelper.encode("(allow){group}guest"));
        assertEquals("1guest", permissionHelper.encode("(allow){USER}guest"));
        assertEquals("Rguest", permissionHelper.encode("(allow){ROLE}guest"));

#### Calico

For Calico, you must also modify the settings to allow source spoofing:

- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )

compile_pip_requirements_3_9(
    name = "requirements_3_9",
    extra_args = ["--allow-unsafe"],
    requirements_in = REQUIREMENTS_FILE_NAME,
    requirements_txt = "requirements_lock_3_9.txt",
)

compile_pip_requirements_3_10(
    name = "requirements_3_10",
    extra_args = ["--allow-unsafe"],
    requirements_in = REQUIREMENTS_FILE_NAME,
    requirements_txt = "requirements_lock_3_10.txt",
)

        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"
      - uses: actions/checkout@v4
        with:
          # To allow latest-changes to commit to the main branch
          token: ${{ secrets.FASTAPI_LATEST_CHANGES }}
      # Allow debugging with tmate
      - name: Setup tmate session
        uses: mxschmitt/action-tmate@v3

    protected static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";

    protected static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";

    protected static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";

    protected static final String ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK = "Access-Control-Allow-Private-Network";

        httpResponse.addHeader(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        httpResponse.addHeader(ACCESS_CONTROL_ALLOW_METHODS, fessConfig.getApiCorsAllowMethods());
        httpResponse.addHeader(ACCESS_CONTROL_ALLOW_HEADERS, fessConfig.getApiCorsAllowHeaders());
        httpResponse.addHeader(ACCESS_CONTROL_MAX_AGE, fessConfig.getApiCorsMaxAge());
        httpResponse.addHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS, fessConfig.getApiCorsAllowCredentials());

## Read the Tutorial first

The next sections assume you already read the main [Tutorial - User Guide: Security](../../tutorial/security/index.md){.internal-link target=_blank}.

  logLevel: info
  privileged: true
  provider: "multus"
pilot:
  cni:
    enabled: true
    provider: "multus"
  variant: distroless
  env:
    PILOT_ENABLE_AMBIENT: "true"
    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
    PILOT_ENABLE_SENDING_HBONE: "true"
    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"

            capabilities:
              drop:
              - ALL
              add:
              # CAP_NET_ADMIN is required to allow ipset and route table access
              - NET_ADMIN
              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
              - NET_RAW
              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open

lint-markdown:
	@${FINDFILES} -name '*.md' -print0 | ${XARGS} mdl --ignore-front-matter --style common/config/mdl.rb

lint-links:
	@${FINDFILES} -name '*.md' -print0 | ${XARGS} awesome_bot --skip-save-results --allow_ssl --allow-timeout --allow-dupe --allow-redirect --white-list ${MARKDOWN_LINT_ALLOWLIST}

lint-sass:
	@${FINDFILES} -name '*.scss' -print0 | ${XARGS} sass-lint -c common/config/sass-lint.yml --verbose

lint-typescript: