As ztunnel aims to transparently encrypt and route users traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods.
This is a security critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.

Redirection must meet these requirements:
* All traffic *egressing* a pod in the mesh should be redirected to the node-local ztunnel on port 15001.

	rootCmd.AddCommand(dashboardCmd)

	manifestCmd := mesh.ManifestCmd(ctx)
	hideInheritedFlags(manifestCmd, cli.FlagNamespace, cli.FlagIstioNamespace, FlagCharts)
	rootCmd.AddCommand(manifestCmd)

	operatorCmd := mesh.OperatorCmd(ctx)
	hideInheritedFlags(operatorCmd, cli.FlagNamespace, cli.FlagIstioNamespace, FlagCharts)
	rootCmd.AddCommand(operatorCmd)

	installCmd := mesh.InstallCmd(ctx)

		CNIMode:          false, // we are in cni, but as we do the netns ourselves, we should keep this as false.
		NetworkNamespace: "",
	}
}

// Remove pod from mesh: pod is not deleted, we just want to remove it from the mesh.
func (s *NetServer) RemovePodFromMesh(ctx context.Context, pod *corev1.Pod) error {
	log := log.WithLabels("ns", pod.Namespace, "name", pod.Name)
	log.Debugf("Pod is now opt out... cleaning up.")

- watches k8s resource for existing pods, so that pods that have already been started can be moved in or out of the ambient mesh.
- sends UDS events to ztunnel via a socket whenever a pod is enabled for ambient mesh (whether from CNI plugin or node watcher), instructing ztunnel to create the "tube" socket.

          {{- if $.Values.global.meshID }}
          - name: ISTIO_META_MESH_ID
            value: "{{ $.Values.global.meshID }}"
          {{- else if .Values.meshConfig.trustDomain }}
          - name: ISTIO_META_MESH_ID
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if .Values.meshConfig.trustDomain }}

          {{- if $.Values.global.meshID }}
          - name: ISTIO_META_MESH_ID
            value: "{{ $.Values.global.meshID }}"
          {{- else if .Values.meshConfig.trustDomain }}
          - name: ISTIO_META_MESH_ID
            value: "{{ .Values.meshConfig.trustDomain }}"
          {{- end }}
          {{- if .Values.meshConfig.trustDomain }}

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"sigs.k8s.io/yaml"

	"istio.io/api/annotation"
	"istio.io/api/label"
	meshconfig "istio.io/api/mesh/v1alpha1"
	networkingv1alpha3 "istio.io/api/networking/v1alpha3"
	clientv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
	"istio.io/istio/istioctl/pkg/cli"
	"istio.io/istio/istioctl/pkg/clioptions"

				Name:      waypointName,
				Namespace: ns,
			},
			Spec: gateway.GatewaySpec{
				GatewayClassName: constants.WaypointGatewayClassName,
				Listeners: []gateway.Listener{{
					Name:     "mesh",
					Port:     15008,
					Protocol: gateway.ProtocolType(protocol.HBONE),
				}},
			},
		}
		// Determine which traffic address type to apply the waypoint to, if none is provided it will default to "service"

		if err != nil {
			fmt.Printf("Error getting configmap %s: %v\n", configMapName, err)
		}
		meshData := make(map[string]interface{})
		if data, exists := configMap.Data["mesh"]; exists {
			if err := yaml.Unmarshal([]byte(data), &meshData); err != nil {
				fmt.Printf("Error parsing meshConfig: %v\n", err)
				return err
			}
		}

		}, idx, *client.host)
	}
	nerrs := ng.Wait()
	if freeze {
		freezeServices()
	} else {
		unfreezeServices()
	}
	return nerrs
}

// Netperf - perform mesh style network throughput test
func (sys *NotificationSys) Netperf(ctx context.Context, duration time.Duration) []madmin.NetperfNodeResult {
	length := len(sys.allPeerClients)
	if length == 0 {