helm/ztunnel: bind health check to localhost #44196

Merged
pchaigno merged 1 commit into cilium:main from nddq:ztunnel-health-check-localhost
Feb 12, 2026

nddq commented Feb 4, 2026

Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0. This reduces attack surface by ensuring the health check endpoint is only accessible from localhost (kubelet runs on same node).

Related PR: cilium/ztunnel#2

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Fixes: #issue-number

helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0

Security hardening for ztunnel running with hostNetwork: true:

Add host field to readiness probe to bind the health check port 15021
to 127.0.0.1 instead of 0.0.0.0. This reduces attack surface by ensuring
the health check endpoint is only accessible from localhost (kubelet
runs on same node).

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
nddq requested a review from a team as a code owner February 4, 2026 19:52
nddq requested a review from squeed February 4, 2026 19:52
maintainer-s-little-helper bot added the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.) Feb 4, 2026
github-actions bot added the kind/community-contribution label (This was a contribution made by a community member.) Feb 4, 2026
ldelossa added the release-note/bug label (This PR fixes an issue in a previous release of Cilium.) Feb 5, 2026
maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.) Feb 5, 2026
ldelossa added the area/encryption (Impacts encryption support such as IPSec, WireGuard, or kTLS.) and dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) labels Feb 5, 2026
maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) label Feb 5, 2026
ldelossa commented Feb 5, 2026

/test

pchaigno enabled auto-merge February 11, 2026 13:17

pchaigno commented

@squeed Looks like this is just waiting for a review from you. It's a one-line change 🥺

pchaigno added this pull request to the merge queue Feb 12, 2026
maintainer-s-little-helper bot added the ready-to-merge label (This PR has passed all tests and received consensus from code owners to merge.) Feb 12, 2026
Merged via the queue into cilium:main with commit 2f0ddd0 Feb 12, 2026
82 checks passed
nddq added the needs-backport/1.19 label (This PR / issue needs backporting to the v1.19 branch) Feb 24, 2026
nebril mentioned this pull request Mar 2, 2026
5 tasks
nebril added the backport-pending/1.19 label (The backport for Cilium 1.19.x for this PR is in progress.) and removed the needs-backport/1.19 label (This PR / issue needs backporting to the v1.19 branch) Mar 2, 2026
github-actions bot added the backport-done/1.19 label (The backport for Cilium 1.19.x for this PR is done.) and removed the backport-pending/1.19 label (The backport for Cilium 1.19.x for this PR is in progress.) Mar 3, 2026
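
An added example (not code from this PR or from the Cilium chart): a small audit of pod specs for the condition this PR addresses. It assumes the Kubernetes behavior that an unset `host` on an `httpGet` or `tcpSocket` probe makes kubelet connect to the pod IP, which is the node IP under `hostNetwork: true`, so a passing probe of that kind implies the endpoint listens on a non-loopback address. The sample specs, the probe path and the function names are constructed for illustration.

```python
import ipaddress

PROBE_KINDS = ("readinessProbe", "livenessProbe", "startupProbe")


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if not host:
        return False  # unset host: kubelet falls back to the pod IP
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other DNS name, not provably local


def non_local_probes(pod_spec):
    """List (container, probe kind, port) for probes on a hostNetwork pod
    that kubelet sends to a non-loopback address."""
    if not pod_spec.get("hostNetwork", False):
        return []  # pod has its own network namespace; out of scope here
    findings = []
    for container in pod_spec.get("containers", []):
        for kind in PROBE_KINDS:
            probe = container.get(kind) or {}
            for handler in ("httpGet", "tcpSocket"):
                target = probe.get(handler)
                if target is not None and not is_loopback(target.get("host")):
                    findings.append((container["name"], kind, target.get("port")))
    return findings


# Constructed pod specs, not the chart's template; the probe path is a placeholder.
BEFORE = {"hostNetwork": True, "containers": [{
    "name": "ztunnel",
    "readinessProbe": {"httpGet": {"path": "/ready-placeholder", "port": 15021}},
}]}
AFTER = {"hostNetwork": True, "containers": [{
    "name": "ztunnel",
    "readinessProbe": {"httpGet": {"host": "127.0.0.1",
                                   "path": "/ready-placeholder", "port": 15021}},
}]}

if __name__ == "__main__":
    print("before:", non_local_probes(BEFORE))
    print("after: ", non_local_probes(AFTER))
```
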