## Redirection

As ztunnel aims to transparently encrypt and route users traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods.
This is a security critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.

Redirection must meet these requirements:

The ambient CNI agent is the only place where ambient network config and pod redirection machinery happens.

  # has no effect on outbound traffic: iptables REDIRECT is always used for
  # outbound connections.
  # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
  # The "REDIRECT" mode loses source addresses during redirection.
  # If "TPROXY", use iptables TPROXY to redirect to Envoy.
  # The "TPROXY" mode preserves both the source and destination IP
  # addresses and ports, so that they can be used for advanced filtering
  # and manipulation.

		return fmt.Errorf("get netns: %v", err)
	}
	log = log.WithLabels("netns", netns)

	if err := redirectRunningPod(pod, netns); err != nil {
		log.Errorf("failed to setup redirection: %v", err)
		m.With(resultLabel.Value(resultFail)).Increment()
		return err
	}
	c.repairedPods[key] = pod.UID
	log.Infof("pod repaired")
	m.With(resultLabel.Value(resultSuccess)).Increment()
	return nil

			args: args{
				namespace: namespaceWithAmbientEnabledLabel,
				pod:       podWithSidecar,
			},
			want: false,
		},
		{
			name: "pod has label to disable ambient redirection",
			args: args{
				namespace: namespaceWithAmbientEnabledLabel,
				pod:       podWithAmbientDisabledLabel,
			},
			want: false,
		},
		{
			name: "pod has sidecar, pod has ambient mode label",

    provider: "default"

    # Configure ambient settings
    ambient:
      # If enabled, ambient redirection will be enabled
      enabled: false
      # Set ambient config dir path: defaults to /etc/ambient-config
      configDir: ""
      # If enabled, and ambient is enabled, DNS redirection will be enabled
      dnsCapture: false
      # UNSTABLE: If enabled, and ambient is enabled, enables ipv6 support

		// Ztunnel and sidecar for a single pod is currently not supported; opt out.
		return false
	}
	if pod.GetLabels()[constants.DataplaneModeLabel] == constants.DataplaneModeNone {
		// Pod explicitly asked to not have ambient redirection enabled
		return false
	}
	return true
}

func podHasSidecar(pod *corev1.Pod) bool {
	if _, f := pod.GetAnnotations()[annotation.SidecarStatus.Name]; f {
		return true
	}
	return false
}

			// choose to do so.
			//
			// NOTE: This is a warning and not an error because the user may not intend to label their namespace as ambient.
			//
			// e.g. Users are handling ambient redirection per workload rather than at the namespace level.
			if enrollNamespace {
				namespaceIsLabeledAmbient, err := namespaceIsLabeledAmbient(kubeClient, ns)
				if err != nil {

	}
	sort.Slice(clusters, func(i, j int) bool {
		iDirection, iSubset, iName, iPort := safelyParseSubsetKey(clusters[i].Name)
		jDirection, jSubset, jName, jPort := safelyParseSubsetKey(clusters[j].Name)
		if iName == jName {
			if iSubset == jSubset {
				if iPort == jPort {
					return iDirection < jDirection
				}
				return iPort < jPort
			}
			return iSubset < jSubset
		}

platforms (e.g. OpenShift) privileged: false # Custom configuration happens based on the CNI provider. # Possible values: "default", "multus" provider: "default" # Configure ambient settings ambient: # If enabled, ambient redirection will be enabled enabled: false # Set ambient redirection mode: "iptables" or "ebpf" redirectMode: "iptables" # Set ambient config dir path: defaults to /etc/ambient-config configDir: "" repair: enabled: true hub: "" tag: "" labelPods: true deletePods: true initContainerName:...