m.With(resultLabel.Value(resultSuccess)).Increment()
	return nil
}

func (c *Controller) labelBrokenPod(pod *corev1.Pod) error {
	// Added for safety, to make sure no healthy pods get labeled.
	m := podsRepaired.With(typeLabel.Value(labelType))
	repairLog.Infof("Pod detected as broken, adding label: %s/%s", pod.Namespace, pod.Name)

	labels := pod.GetLabels()

import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "k8s.io/api/policy/v1";

// Eviction evicts a pod from its node subject to certain policies and safety constraints.
// This is a subresource of Pod.  A request to cause such an eviction is
// created by POSTing to .../pods/<pod name>/evictions.
message Eviction {
  // ObjectMeta describes the pod that is being evicted.

			resp, err := conn.sendDataAndWaitForAck(update.Update, update.Fd)
			if err != nil {
				log.Errorf("ztunnel acked error: err %v ackErr %s", err, resp.GetAck().GetError())
			}
			log.Debugf("ztunnel acked")
			// Safety: Resp is buffered, so this will not block
			update.Resp <- updateResponse{
				err:  err,
				resp: resp,
			}

		case <-time.After(ztunnelKeepAliveCheckInterval):

    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
}}
{{- range $dep, $replace := $deps }}
{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
{{- if not (eq $res "")}}

// the set of authorizers the server is configured with and any errors experienced during evaluation.
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
// even if that list is incomplete.
message SubjectRulesReviewStatus {
  // ResourceRules is the list of actions the subject is allowed to perform on resources.

    {{- toJsonMap
      .InfrastructureLabels
      (strdict
        "gateway.networking.k8s.io/gateway-name" .Name
        "istio.io/gateway-name" .Name
      ) | nindent 4 }}
  {{- if ge .KubeVersion 128 }}
  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: "{{.Name}}"
    uid: "{{.UID}}"
  {{- end }}
---

		// Add IP/port combo to set. Note that we set Replace to true - a pod ip/port combo already being
		// in the set is perfectly fine, and something we can always safely overwrite, so we will.
		if err := hostsideProbeSet.AddIP(pip, ipProto, podUID, true); err != nil {
			ipsetAddrErrs = append(ipsetAddrErrs, err)
			log.Warnf("failed adding pod %s to ipset %s with ip %s, error was %s",

      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
      securityContext:
      {{- if .Values.securityContext }}
        {{- toYaml .Values.securityContext | nindent 8 }}
      {{- else }}
        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      {{- end }}
      {{- with .Values.volumes }}
      volumes:

				// not as optimal but at least always safe to do.
				runtime.UnlockOSThread()
			}
		}()

		return toRun()
	}

	var wg sync.WaitGroup
	wg.Add(1)

	// Start the callback in a new green thread so that if we later fail
	// to switch the namespace back to the original one, we can safely
	// leave the thread locked to die without a risk of the current thread

// the set of authorizers the server is configured with and any errors experienced during evaluation.
// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
// even if that list is incomplete.
message SubjectRulesReviewStatus {
  // ResourceRules is the list of actions the subject is allowed to perform on resources.