docs: add Cilium transparent mTLS deep dive blog post by nddq · Pull Request #5672 · Azure/AKS

nddq · 2026-03-23T18:37:27Z

New blog post covering the engineering details behind Cilium's transparent mTLS
support using ztunnel, now available in ACNS as a public preview.

The post covers:

Architecture: Cilium agent + operator as control plane, ztunnel as data plane
Control plane channels: ZDS (workload lifecycle + netns FD passing), xDS (workload discovery), CA (certificate signing)
Traffic interception: iptables rules in the pod's network namespace with packet marks to prevent redirection loops
SPIRE integration: Operator-side identity registration and ztunnel-side PID attestation via Delegated Identity API
Permissive mode: Incremental namespace-level enrollment without disrupting non-enrolled traffic

Also includes an embedded interactive animation with theme sync and author entries
for the three contributors.

Copilot

Pull request overview

Adds a new AKS engineering blog post that deep-dives Cilium’s transparent mTLS implementation with ztunnel (as shipped in ACNS public preview), including author metadata updates to support the post.

Changes:

Added three new author entries to website/blog/authors.yml.
Added a new blog post at website/blog/2026-03-23-transparent-mtls-cilium-ztunnel/index.md covering architecture, control-plane channels, interception, SPIRE, and permissive mode.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 7 comments.

File	Description
`website/blog/authors.yml`	Adds author definitions for the new post contributors and cleans up trailing whitespace.
`website/blog/2026-03-23-transparent-mtls-cilium-ztunnel/index.md`	Introduces the new transparent mTLS deep dive post content (including an embedded interactive walkthrough).

Copilot

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

Copilot

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 6 comments.

Copilot

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Copilot

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

mikemorris

Minor suggested revisions, overall LGTM

Copilot

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

rahulrai-in

LGTM.
Suggest to add sequence numbers to the diagram and then number the steps in the description.

Copilot

Pull request overview

Copilot reviewed 3 out of 5 changed files in this pull request and generated 4 comments.

Add a new blog post covering Cilium's transparent mTLS support using ztunnel as the data plane, now available in ACNS as a public preview. The post details the three control plane channels (ZDS, xDS, CA), iptables-based traffic interception, SPIRE integration for production identity, and the permissive mode rollout model. The interactive walkthrough animation ships alongside the post as a self-contained HTML asset, with icons inlined as data URIs so it has no runtime dependency on external CDNs. A small webpack rule in docusaurus.config.ts emits .html imports as static asset URLs so the iframe loads from this site rather than an external GitHub Pages deployment. Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 65cd9a2 to a35dc24 Compare March 23, 2026 18:41

nddq marked this pull request as ready for review March 23, 2026 18:47

nddq requested review from a team, Copilot and kevinkrp93 March 23, 2026 18:47

Copilot started reviewing on behalf of nddq March 23, 2026 18:48 View session

Copilot AI reviewed Mar 23, 2026

View reviewed changes

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from a35dc24 to 07273b6 Compare March 23, 2026 19:09

nddq requested a review from Copilot March 23, 2026 19:18

Copilot started reviewing on behalf of nddq March 23, 2026 19:19 View session

Copilot AI reviewed Mar 23, 2026

View reviewed changes

Comment thread website/blog/2026-03-23-transparent-mtls-cilium-ztunnel/index.md Outdated

Comment thread website/blog/2026-03-23-transparent-mtls-cilium-ztunnel/index.md Outdated

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 07273b6 to 8ab8db8 Compare March 23, 2026 20:02

achevuru reviewed Mar 23, 2026

View reviewed changes

Copilot AI review requested due to automatic review settings March 23, 2026 21:16

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 8ab8db8 to da7c000 Compare March 23, 2026 21:16

Copilot started reviewing on behalf of nddq March 23, 2026 21:17 View session

Copilot AI reviewed Mar 23, 2026

View reviewed changes

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from da7c000 to 2ecdee8 Compare March 23, 2026 21:45

nddq requested a review from achevuru March 24, 2026 16:43

mikemorris reviewed Apr 3, 2026

View reviewed changes

Comment thread website/blog/2026-03-23-transparent-mtls-cilium-ztunnel/index.md Outdated

Copilot AI review requested due to automatic review settings April 6, 2026 18:33

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 2ecdee8 to b46ff00 Compare April 6, 2026 18:33

Copilot started reviewing on behalf of nddq April 6, 2026 18:33 View session

Copilot AI reviewed Apr 6, 2026

View reviewed changes

Comment thread website/blog/2026-03-23-transparent-mtls-cilium-ztunnel/index.md Outdated

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from b46ff00 to 2b891a2 Compare April 6, 2026 18:38

nddq requested review from Copilot and mikemorris April 6, 2026 18:39

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 2b891a2 to 6f1bb45 Compare April 6, 2026 20:20

Copilot started reviewing on behalf of nddq April 6, 2026 20:20 View session

Copilot AI reviewed Apr 6, 2026

View reviewed changes

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 6f1bb45 to a0ea7ee Compare April 14, 2026 15:42

Copilot AI review requested due to automatic review settings April 24, 2026 16:03

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from a0ea7ee to b38be1e Compare April 24, 2026 16:03

Copilot started reviewing on behalf of nddq April 24, 2026 16:03 View session

Copilot AI reviewed Apr 24, 2026

View reviewed changes

Comment thread website/blog/2026-04-24-transparent-mtls-cilium-ztunnel/index.md

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from b38be1e to 5e43a43 Compare April 24, 2026 16:22

mikemorris reviewed Apr 24, 2026

View reviewed changes

Copilot AI review requested due to automatic review settings April 24, 2026 21:46

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 5e43a43 to 0a85de5 Compare April 24, 2026 21:46

Copilot started reviewing on behalf of nddq April 24, 2026 21:49 View session

Copilot AI reviewed Apr 24, 2026

View reviewed changes

Comment thread website/blog/2026-04-24-transparent-mtls-cilium-ztunnel/index.md Outdated

Comment thread website/blog/2026-04-24-transparent-mtls-cilium-ztunnel/index.md

nddq requested a review from mikemorris April 27, 2026 23:28

mikemorris approved these changes Apr 28, 2026

View reviewed changes

sjwaight approved these changes Apr 29, 2026

View reviewed changes

rahulrai-in approved these changes Apr 29, 2026

View reviewed changes

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 0a85de5 to 94db42f Compare April 29, 2026 22:34

Copilot AI review requested due to automatic review settings April 29, 2026 22:51

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 94db42f to 091f234 Compare April 29, 2026 22:51

Copilot started reviewing on behalf of nddq April 29, 2026 22:52 View session

Copilot AI reviewed Apr 29, 2026

View reviewed changes

nddq force-pushed the nddq/2026-03-12-transparent-mtls-cilium-ztunnel branch from 091f234 to 384599e Compare April 29, 2026 23:06

nddq requested review from mikemorris, rahulrai-in and sjwaight April 30, 2026 18:41

rahulrai-in approved these changes May 1, 2026

View reviewed changes

Conversation

nddq commented Mar 23, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

mikemorris left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

rahulrai-in left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees