feat: add transparent-tunnel CNI mode for GPS VFP enforcement (Linux)

[alam-tahmid]

Reason for Change:
 Add transparent-tunnel CNI mode that forces same-node pod-to-pod traffic through the host's
physical interface (and therefore through VFP) so Azure NSG rules are enforced on intra-node
communication. This implements GPS (GlobalPodSecurity) for Linux using iptables fwmark-based
policy routing, including:

• A fix for a conntrack tuple collision bug that caused ~50% DNS packet loss on same-node
  ClusterIP UDP traffic (service CIDR RETURN rules inserted before MARK rule)
• Race-safe shared ip rule management (tolerates "File exists" to avoid TOCTOU on concurrent
  pod creates; ref-counted cleanup using real iptables -S output patterns on delete)
• Nil gateway early-exit to prevent partial setup that would black-hole all marked traffic

Issue Fixed:

Requirements:

• uses conventional commit messages
• includes documentation
• adds unit tests
• relevant PR labels added

Notes:

This is PR 1 of 2 for the GPS feature:

1. This PR — transparent-tunnel mode + Linux iptables/ip-rule implementation
2. PR 2 — Windows /32 host route implementation (separate PR)

The mode is opt-in via conflist: "mode": "transparent-tunnel". No behavioral change to existing
transparent or other modes.

Replaces the previous GlobalPodSecurity: true boolean flag approach with a dedicated CNI mode
that uses Go struct embedding (zero code copy from TransparentEndpointClient).

[Copilot]

Pull request overview

This PR introduces GlobalPodSecurity configuration plumbing to carry a new boolean knob from CNI network config into endpoint metadata, and updates default CNI conflists to surface the option (defaulting to false).

Changes:

• Added globalPodSecurity to CNI NetworkConfig (JSON) and plumbed it into network.EndpointInfo.
• Extended network endpoint-related structs to carry GlobalPodSecurity.
• Added unit tests for config unmarshalling and createEpInfo propagation, and updated default Linux/Windows conflists to include the flag (set to false).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
network/endpoint.go	Adds GlobalPodSecurity fields to endpoint and EndpointInfo structs.
cni/network/network.go	Wires NetworkConfig.GlobalPodSecurity into generated EndpointInfo.
cni/network/network_test.go	Adds coverage to ensure createEpInfo propagates the flag into EndpointInfo.
cni/netconfig.go	Adds GlobalPodSecurity to CNI JSON config (globalPodSecurity).
cni/netconfig_test.go	Adds JSON unmarshal tests for globalPodSecurity defaulting/values.
cni/azure-windows.conflist	Adds "globalPodSecurity": false to default Windows conflist.
cni/azure-linux.conflist	Adds "globalPodSecurity": false to default Linux conflist.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[QxBytes]

Assuming your iptables changes will be going in the existing transparent client endpoint code, (unless it's a new scenario)? Also assuming this change affects nodesubnet (no azure cns present)?

[QxBytes]

Just a note that for transparent-vlan I needed to run something for rp_filter. If you already tested and it works then should be fine but just bringing it to your attention if something pops up in the future.

Also for the ExecuteRawCommand it should be fine since you control the command input but just for future reference.

[tamilmani1989]

lets not use GPS term in CNI code

[tamilmani1989]

can you explain why this is required?

[tamilmani1989]

why do we need iptable rule to mark packet? can we not add ip rule to lookup custome routing table based on pod cidr?

something like this:

ip rule add from 10.9.255.0/24 table 100
ip route add default via 10.9.255.1 dev eth1 table 100

[tamilmani1989]

also lets use netlink apis to do this..