Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
3 times, most recently
from
7be867e to
a3e7330
Compare
rgo3
force-pushed
the
pr/rgo3/ztunnel-xds-controlplane
branch
4 times, most recently
from
1436aa1 to
8e0ce81
Compare
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
4 times, most recently
from
0c94658 to
be2f6cb
Compare
rgo3
added
release-note/major
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
Contributor
Author
|
/test |
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
from
be2f6cb to
1106cd7
Compare
jrajahalme
approved these changes
Nov 26, 2025
Member
jrajahalme
left a comment
jrajahalme
left a comment
There was a problem hiding this comment.
LGTM, a few questions though.
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
from
21a570e to
48b1506
Compare
Contributor
Author
|
/test |
squeed
reviewed
Dec 1, 2025
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
from
48b1506 to
8073fe6
Compare
Contributor
Author
|
/test |
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
from
8073fe6 to
f01a167
Compare
Contributor
Author
|
/test |
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
from
f01a167 to
2fe5012
Compare
Contributor
Author
|
/ci-integration |
Contributor
Author
|
/test |
This introduces a new API for managing iptables rules when ztunnel runs in inpod mode. The CreateInPodRules() function configures the necessary network plumbing within a pod's network namespace to redirect traffic to ztunnel for processing. This also vendors the coreos/go-iptables library as a dependency for managing iptables rules programmatically. Signed-off-by: Robin Gögge <[email protected]> Co-authored-by: Quang Nguyen <[email protected]>
This change introduces a Ztunnel Discovery Service (ZDS) server in cilium. The server can communicate cilium-managed endpoints to ztunnel in order for ztunnel to be able to setup its inpod proxies. The ZDS server implementation that is added here provides an API, which can be consumed by 3rd party code to enroll/disenroll endpoints with ztunnel. For this to be possible the endpoint.Endpoint object now has a field to store the pinned netns path of a pod. This field is set from the cni plugin on CNI ADD events. For reference, the ZDS protocol can be found here: https://github.com/istio/ztunnel/blob/master/proto/zds.proto Signed-off-by: Robin Gögge <[email protected]> Co-authored-by: Quang Nguyen <[email protected]>
Introduce a reconciler-based system for managing endpoint enrollment to ztunnel based on namespace membership. The implementation uses StateDB to maintain an EnrolledNamespace table that tracks which namespaces should have their endpoints participating in ztunnel's mTLS capabilities. The reconciler subscribes to the endpoint manager and reacts to endpoint lifecycle events, enrolling endpoints when they are created in enrolled namespaces and disenrolling them upon deletion. On startup, it waits for endpoint restoration to complete before sending an initial snapshot of all eligible endpoints in enrolled namespaces to ztunnel, ensuring consistency after agent restarts. Endpoints are filtered to exclude those without network namespace paths and ztunnel pods themselves to prevent self-enrollment. When a namespace is added to the enrolled set, all existing endpoints in that namespace are enrolled in bulk. Conversely, when a namespace is removed, all its endpoints are disenrolled. This table-driven approach provides declarative enrollment management and simplifies recovery from transient failures through automatic reconciliation. Signed-off-by: Robin Gögge <[email protected]> Co-authored-by: Quang Nguyen <[email protected]>
rgo3
force-pushed
the
pr/rgo3/ztunnel-zds-server
branch
from
2fe5012 to
4feb4d2
Compare
Contributor
Author
|
/test |
maintainer-s-little-helper
bot
added
the
ready-to-merge
squeed
approved these changes
Dec 3, 2025
aanm
added
release-note/misc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR introduces the Ztunnel Discovery Service (ZDS) server implementation in Cilium, enabling integration with ztunnel. The ZDS server provides a protocol-based interface for communicating Cilium-managed endpoints to ztunnel, allowing ztunnel to establish inpod proxies for mTLS workload traffic.
The implementation adds infrastructure for managing
iptablesrules within pod network namespaces when ztunnel operates in inpod mode, redirecting traffic through ztunnel for processing. To support this, endpoints now track their pinned network namespace paths, which are captured during CNI plugin operations.A reconciler-based enrollment system manages which endpoints participate in ztunnel's mTLS capabilities based on namespace membership. This declarative approach uses StateDB to maintain enrollment state and automatically handles endpoint lifecycle events, ensuring consistency across agent restarts through initial snapshot reconciliation. The reconciler filters out ineligible endpoints and prevents self-enrollment of ztunnel pods, while supporting bulk enrollment and disenrollment operations when namespace membership changes.