func (cfg *IptablesConfigurator) CreateHostRulesForHealthChecks(hostSNATIP *netip.Addr) error {
	// Append our rules here
	builder := cfg.appendHostRules(hostSNATIP)

	log.Info("Adding host netnamespace iptables rules")
	if err := cfg.executeCommands(builder); err != nil {
		log.Errorf("failed to add host netnamespace iptables rules: %v", err)
		return err
	}

	return nil
}

		inpodMarkRule.Priority = 32764
		rules = append(rules, inpodMarkRule)
	}

	for _, rule := range rules {
		log.Debugf("Iterating netlink rule : %+v", rule)
		if err := f(rule); err != nil {
			return fmt.Errorf("failed to configure netlink rule: %w", err)
		}
	}

	return nil
}

func AddLoopbackRoutes(cfg *Config) error {
	return forEachLoopbackRoute(cfg, netlink.RouteReplace)
}

- and the other end is in ztunnel's pod

and setting up iptables rules to funnel traffic thru that socket "tube" to ztunnel and back.

This effectively behaves like ztunnel is an in-pod sidecar, without actually requiring the injection of ztunnel as a sidecar into the pod manifest, or mutatating the application pod in any way.

  repeated NonResourceRule nonResourceRules = 2;

  // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
  // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
  optional bool incomplete = 3;

  // EvaluationError can appear in combination with Rules. It indicates an error occurred during

kind: ClusterRole
metadata:
  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - "config.istio.io"
      - "security.istio.io"
      - "networking.istio.io"
      - "authentication.istio.io"
      - "rbac.istio.io"
    resources: ["*"]
    verbs: ["get", "list", "watch"]

	} else if c.cfg.LabelPods {
		return c.labelBrokenPod(pod)
	}
	return nil
}

// repairPod actually dynamically repairs a pod. This is done by entering the pods network namespace and setting up rules.
// This differs from the general CNI plugin flow, which triggers before the pod fully starts.
// Additionally, we need to jump through hoops to find the network namespace.
func (c *Controller) repairPod(pod *corev1.Pod) error {

    service:
      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
      namespace: {{ .namespace }}
      path: "{{ .injectionPath }}"
      port: 443
    {{- end }}
  sideEffects: None
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  failurePolicy: Fail
  admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}

                items:
                  type: string
                type: array
              http:
                description: An ordered list of route rules for HTTP traffic.
                items:
                  properties:
                    corsPolicy:
                      description: Cross-Origin Resource Sharing policy (CORS).
                      properties:

  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this ClusterRole
  // +optional
  repeated PolicyRule rules = 2;

  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
  // stomped by the controller.
  // +optional

  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this ClusterRole
  // +optional
  repeated PolicyRule rules = 2;

  // AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
  // If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
  // stomped by the controller.
  // +optional