Skip to content

feat: add transparent-tunnel CNI mode for GPS VFP enforcement (Windows)#4362

Draft
alam-tahmid wants to merge 2 commits intoAzure:masterfrom
alam-tahmid:tahmidalam/gps-windows-transparent-tunnel
Draft

feat: add transparent-tunnel CNI mode for GPS VFP enforcement (Windows)#4362
alam-tahmid wants to merge 2 commits intoAzure:masterfrom
alam-tahmid:tahmidalam/gps-windows-transparent-tunnel

Conversation

@alam-tahmid
Copy link
Copy Markdown
Contributor

@alam-tahmid alam-tahmid commented Apr 17, 2026

Reason for Change:
Adds Windows support for the transparent-tunnel CNI operating mode, enabling GlobalPodSecurity (GPS) VFP enforcement. Companion to #4319 (Linux).

GPS requires pod traffic to traverse the Azure VFP pipeline so NSG rules can be enforced at the pod level. On Windows with HNS, pod traffic normally bypasses VFP via direct L2 switching. The transparent-tunnel mode adds /32 host routes via the gateway for each pod IP,
forcing traffic through VFP for inspection.

Key changes:

  • Per-pod /32 routes added on endpoint create, removed on delete
  • Fail-safe rollback: partial route failure rolls back routes AND HNS endpoint
  • HNSv1 explicitly rejected for transparent-tunnel mode
  • Fixed DeleteEndpointStateless in manager.go (was hardcoding mode, skipping GPS cleanup)

Issue Fixed:

Requirements:

Notes:
 - Depends on #4319 (Linux transparent-tunnel) for shared opModeTransparentTunnel constant

  • GPS logic in dedicated transparent_tunnel_endpoint_windows.go matching Linux's file pattern
  • 15 unit tests covering gateway selection, route add/rollback, and route delete
  • No shared infrastructure (unlike Linux's iptables/ip-rule) — /32 routes are 1:1 per pod, no race conditions

@alam-tahmid alam-tahmid changed the title feat: add transparent-tunnel CNI mode for GPS VFP enforcement (Windows) feat: add transparent-tunnel CNI mode for GPS VFP enforcement (Windows) Apr 17, 2026
github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 17, 2026
View reviewed changes
Comment thread network/transparent_tunnel_endpoint_windows.go Fixed
Comment thread network/transparent_tunnel_endpoint_windows.go Fixed
Comment thread network/transparent_tunnel_endpoint_windows.go Fixed
@alam-tahmid alam-tahmid force-pushed the tahmidalam/gps-windows-transparent-tunnel branch 7 times, most recently from 05622f9 to 434e1a4 Compare April 22, 2026 21:51
@alam-tahmid alam-tahmid force-pushed the tahmidalam/gps-windows-transparent-tunnel branch from 434e1a4 to 21e2cc6 Compare April 23, 2026 20:26
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 8, 2026

This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions Bot added the stale Stale due to inactivity. label May 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

stale Stale due to inactivity.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alam-tahmid @github-advanced-security