## Redirection

As ztunnel aims to transparently encrypt and route users traffic, we need a mechanism to capture all traffic entering and leaving "mesh" pods.
This is a security critical task: if the ztunnel can be bypassed, authorization policies can be bypassed.

Redirection must meet these requirements:
* All traffic *egressing* a pod in the mesh should be redirected to the node-local ztunnel on port 15001.

      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
      excludeInboundPorts: ""
      includeInboundPorts: "*"

      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would

- [readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/)
- [replica count](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/)
- [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)

// 2. Adding the pod's IPs to the hostnetns ipsets for node probe checks
// 3. Creating iptables rules inside the pod's netns
// 4. Notifying ztunnel via GRPC to create a proxy for the pod
//
// You may ask why we pass the pod IPs separately from the pod manifest itself (which contains the pod IPs as a field)
// - this is because during add specifically, if CNI plugins have not finished executing,

			if err := checkFields(un); err != nil {
				return nil, err
			}
			// IstioOperator isn't part of pkg/config/schema/collections,
			// usual conversion not available.  Convert unstructured to string
			// and ask operator code to check.
			un.SetCreationTimestamp(metav1.Time{}) // UnmarshalIstioOperator chokes on these
			by := util.ToYAML(un)
			iop, err := operatoristio.UnmarshalIstioOperator(by, false)
			if err != nil {

# KinD cluster like its name, pod and service subnets and network_id. If two cluster
# have the same network_id then they belong to the same network and their pods can
# talk to each other directly.
#
# [{ "cluster_name": "cluster1","pod_subnet": "10.10.0.0/16","svc_subnet": "10.255.10.0/24","network_id": "0" },

.PHONY: test

# This target sets JUNIT_REPORT to the location of the  go-junit-report binary.
# This binary is provided in the build container. If it is not found, the build
# container is not being used, so ask the user to install go-junit-report.
JUNIT_REPORT := $(shell which go-junit-report 2> /dev/null || echo "${ISTIO_BIN}/go-junit-report")

${ISTIO_BIN}/go-junit-report:

      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
      excludeInboundPorts: ""
      includeInboundPorts: "*"
      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would

readinessProbe | [readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/)
replicaCount | [replica count](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/)
hpaSpec | [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)

    # rules should be exported to. Currently only one value can be provided in this list. This value
    # should be one of the following two options:
    # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
    # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
    defaultConfigVisibilitySettings: []