Merged
Conversation
[ upstream commit f1c9221 ] Move the ztunnel daemonset from being managed by a controller in the operator to being managed declaratively via Helm templates. This aligns ztunnel with other components like envoy and node-init that are already managed via Helm. Changes: - Add new Helm templates for ztunnel (daemonset, secret, serviceaccount) - Add ztunnel configuration under encryption section in values.yaml - Add ztunnel serviceAccount configuration in values.yaml - Remove ztunnel daemonset controller from operator (controller.go) - Remove embedded ztunnel-daemonset.yaml from operator - Keep ztunnel config cell for enable-ztunnel flag The ztunnel resources are now conditionally deployed when: - encryption.enabled=true - encryption.type=ztunnel Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com> Signed-off-by: Maciej Kwiek <mkwiek@cisco.com>
[ upstream commit 2f0ddd0 ] Security hardening for ztunnel running with hostNetwork: true: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0. This reduces attack surface by ensuring the health check endpoint is only accessible from localhost (kubelet runs on same node). Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com> Signed-off-by: Maciej Kwiek <mkwiek@cisco.com>
[ upstream commit 7bfbdd5 ] Explicitly sets mode 0660 on admin.sock for both embedded and standalone envoy. Without this the socket is created world-accessible. Signed-off-by: Charlie Kenney <charles.kenney@isovalent.com> Signed-off-by: Maciej Kwiek <mkwiek@cisco.com>
[ upstream commit 0b3754e ] The logic in (*nodeNeighborHandler).NodeUpdate and (*nodeNeighborHandler).NodeDelete treats the node IPv4 address retrieved using node.GetNodeIP(false) (where false means ipv6=false) as an IPv6 address. This will lead to the address not correctly compared and propagated to the forwardableIPManager. Correct this by retrieving the node IPv6 address consistently for the IPv6 paths. Also rename an incorrectly named local variable in (*nodeNeighborHandler).NodeAdd while at it. Fixes: ccb7bd1 ("pkg/node/neighbordiscovery: Add node handler for neighbor discovery") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Maciej Kwiek <mkwiek@cisco.com>
Member
Author
|
/test |
joestringer
approved these changes
Mar 2, 2026
nddq
approved these changes
Mar 3, 2026
tklauser
approved these changes
Mar 3, 2026
Member
tklauser
left a comment
There was a problem hiding this comment.
My change looks good, thanks Maciej!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, a GitHub action will update the labels of these PRs: