feat(transparent-proxy): deprecate argument 'redirect-inbound-port-v6' and introduce 'ip-family-mode'

UPGRADE.md

@@ -33,16 +33,21 @@ With the release of Kuma 2.6.0, we've made some changes to the implementation of
 
 To ensure a smooth transition to Kuma 2.6.0, carefully review your existing configuration files and make necessary adjustments related to denied request responses and RBAC-related Envoy stats.
 
+### Make format SI valid for bandwidth in MeshFaultInjection policy
+
+Prior to this upgrade `mbps` and `gbps` were used for units for parameter `conf.responseBandwidth.percentage`.
+These are not valid units according to the [International System of Units](https://en.wikipedia.org/wiki/International_System_of_Units) they are respectively corrected to `Gbps` and `Mbps` if using
+these invalid units convert them into `kbps` prior to upgrade to avoid invalid format.
+
 ### Deprecation of postgres driverName=postgres (lib/pq)
 
 The postgres driver `postgres` (lib/pq) is deprecated and will be removed in the future.
 Please migrate to the new postgres driver `pgx` by setting `DriverName=pgx` configuration option or `KUMA_STORE_POSTGRES_DRIVER_NAME=pgx` env variable.
 
-### Make format SI valid for bandwidth in MeshFaultInjection policy
+### Deprecation of argument to transparent-proxy
 
-Prior to this upgrade `mbps` and `gbps` were used for units for parameter `conf.responseBandwidth.percentage`.
-These are not valid units according to the [International System of Units](https://en.wikipedia.org/wiki/International_System_of_Units) they are respectively corrected to `Gbps` and `Mbps` if using
-these invalid units convert them into `kbps` prior to upgrade to avoid invalid format.
+Parameter `--redirect-inbound-port-v6` is deprecated and will be removed in the future. The proxy will now redirect IPv6 traffic using the same port (15006) as ipv4 traffic, if you want to disable traffic redirection for IPv6 traffic, please use `--disable-ipv6`.
+Hence, the matching annotation `kuma.io/transparent-proxying-inbound-v6-port` is now deprecated and we've also added a new Kubernetes annotation `kuma.io/disable-ipv6` for disabling IPv6 traffic redirection on Kubernetes pods.
 
 ## Upgrade to `2.5.x`
 

app/kumactl/cmd/completion/testdata/bash.golden

@@ -5538,6 +5538,8 @@ _kumactl_install_transparent-proxy()
     flags_with_completion=()
     flags_completion=()
 
+    flags+=("--disable-ipv6")
+    local_nonpersistent_flags+=("--disable-ipv6")
     flags+=("--dry-run")
     local_nonpersistent_flags+=("--dry-run")
     flags+=("--ebpf-bpffs-path=")

app/kumactl/cmd/install/install_transparent_proxy.go

@@ -23,6 +23,7 @@ type transparentProxyArgs struct {
 	Verbose                        bool
 	RedirectPortOutBound           string
 	RedirectInbound                bool
+	IPv6Disabled                   bool
 	RedirectPortInBound            string
 	RedirectPortInBoundV6          string
 	ExcludeInboundPorts            string
@@ -53,12 +54,15 @@ type transparentProxyArgs struct {
 
 func newInstallTransparentProxy() *cobra.Command {
 	args := transparentProxyArgs{
-		DryRun:                         false,
-		Verbose:                        false,
-		RedirectPortOutBound:           "15001",
-		RedirectInbound:                true,
-		RedirectPortInBound:            "15006",
-		RedirectPortInBoundV6:          "15010",
+		DryRun:               false,
+		Verbose:              false,
+		RedirectPortOutBound: "15001",
+		RedirectInbound:      true,
+		RedirectPortInBound:  "15006",
+		// this argument is to be deprecated, it now defaults to the same port with ipv4 (instead of 15010)
+		// before deprecation, the user can still change it as needed
+		RedirectPortInBoundV6:          "15006",
+		IPv6Disabled:                   false,
 		ExcludeInboundPorts:            "",
 		ExcludeOutboundPorts:           "",
 		ExcludeOutboundTCPPortsForUIDs: []string{},
@@ -163,7 +167,13 @@ runuser -u kuma-dp -- \
 					_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] --skip-dns-conntrack-zone-split will be ignored when --ebpf-enabled is being used\n"))
 				}
 			}
+
 			// Backward compatibility
+			if args.RedirectPortInBoundV6 != "" &&
+				args.RedirectPortInBoundV6 != "15006" /* new default value, identical to ipv4 port */ &&
+				args.RedirectPortInBoundV6 != "15010" /* old default value, dedicated for ipv6 */ {
+				_, _ = cmd.ErrOrStderr().Write([]byte("# [WARNING] flag --redirect-inbound-port-v6 is deprecated, use --redirect-inbound-port or --disable-ipv6 instead\n"))
+			}
 			if len(args.ExcludeOutboundPorts) > 0 && (len(args.ExcludeOutboundUDPPortsForUIDs) > 0 || len(args.ExcludeOutboundTCPPortsForUIDs) > 0) {
 				return errors.Errorf("--exclude-outbound-ports-for-uids set you can't use --exclude-outbound-tcp-ports-for-uids and --exclude-outbound-udp-ports-for-uids anymore")
 			}
@@ -193,7 +203,8 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringVar(&args.RedirectPortOutBound, "redirect-outbound-port", args.RedirectPortOutBound, "outbound port redirected to Envoy, as specified in dataplane's `networking.transparentProxying.redirectPortOutbound`")
 	cmd.Flags().BoolVar(&args.RedirectInbound, "redirect-inbound", args.RedirectInbound, "redirect the inbound traffic to the Envoy. Should be disabled for Gateway data plane proxies.")
 	cmd.Flags().StringVar(&args.RedirectPortInBound, "redirect-inbound-port", args.RedirectPortInBound, "inbound port redirected to Envoy, as specified in dataplane's `networking.transparentProxying.redirectPortInbound`")
-	cmd.Flags().StringVar(&args.RedirectPortInBoundV6, "redirect-inbound-port-v6", args.RedirectPortInBoundV6, "IPv6 inbound port redirected to Envoy, as specified in dataplane's `networking.transparentProxying.redirectPortInboundV6`")
+	cmd.Flags().BoolVar(&args.IPv6Disabled, "disable-ipv6", args.IPv6Disabled, "disable ipv6 traffic redirection, on both inbound and outbound directions")
+	cmd.Flags().StringVar(&args.RedirectPortInBoundV6, "redirect-inbound-port-v6", args.RedirectPortInBoundV6, "[DEPRECATED (use --redirect-inbound-port and --disable-ipv6)] IPv6 inbound port redirected to Envoy, as specified in dataplane's `networking.transparentProxying.redirectPortInboundV6`")
 	cmd.Flags().StringVar(&args.ExcludeInboundPorts, "exclude-inbound-ports", args.ExcludeInboundPorts, "a comma separated list of inbound ports to exclude from redirect to Envoy")
 	cmd.Flags().StringVar(&args.ExcludeOutboundPorts, "exclude-outbound-ports", args.ExcludeOutboundPorts, "a comma separated list of outbound ports to exclude from redirect to Envoy")
 	cmd.Flags().StringVar(&args.User, "kuma-dp-user", args.UID, "the user that will run kuma-dp")
@@ -260,6 +271,7 @@ func configureTransparentProxy(cmd *cobra.Command, args *transparentProxyArgs) e
 		RedirectInBound:           args.RedirectInbound,
 		RedirectPortInBound:       args.RedirectPortInBound,
 		RedirectPortInBoundV6:     args.RedirectPortInBoundV6,
+		IPv6Disabled:              args.IPv6Disabled,
 		ExcludeInboundPorts:       args.ExcludeInboundPorts,
 		ExcludeOutboundPorts:      args.ExcludeOutboundPorts,
 		ExcludedOutboundsForUIDs:  args.ExcludeOutboundPortsForUIDs,

app/kumactl/cmd/install/install_transparent_proxy_test.go

@@ -115,7 +115,7 @@ var _ = Describe("kumactl install transparent proxy", func() {
 			},
 			goldenFile: "install-transparent-proxy.dns.no-conntrack.golden.txt",
 		}),
-		Entry("should generate defaults with overrides", testCase{
+		Entry("should generate defaults with overrides and log deprecate", testCase{
 			extraArgs: []string{
 				"--kuma-dp-user", "root",
 				"--redirect-outbound-port", "12345",
@@ -124,6 +124,18 @@ var _ = Describe("kumactl install transparent proxy", func() {
 				"--exclude-outbound-ports", "2000,2001",
 				"--exclude-inbound-ports", "1000,1001",
 			},
+			errorMatcher: Equal("# [WARNING] flag --redirect-inbound-port-v6 is deprecated, use --redirect-inbound-port or --disable-ipv6 instead\n"),
+			goldenFile:   "install-transparent-proxy.overrides.golden.txt",
+		}),
+		Entry("should generate when ipv6 disabled", testCase{
+			extraArgs: []string{
+				"--kuma-dp-user", "root",
+				"--redirect-outbound-port", "12345",
+				"--redirect-inbound-port", "12346",
+				"--disable-ipv6",
+				"--exclude-outbound-ports", "2000,2001",
+				"--exclude-inbound-ports", "1000,1001",
+			},
 			goldenFile: "install-transparent-proxy.overrides.golden.txt",
 		}),
 		Entry("should generate defaults with outbound exclude ports", testCase{

pkg/config/app/kuma-cp/kuma-cp.defaults.yaml

@@ -281,7 +281,10 @@ runtime:
         # Redirect port for inbound traffic.
         redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
         # Redirect port for inbound traffic.
-        redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6
+        # Deprecated: Use RedirectPortInbound or DisableIPv6 instead.
+        redirectPortInboundV6: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6
+        # Disable ipv6 traffic redirection
+        disableIPv6: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DISABLE_IPV6
         # Redirect port for outbound traffic.
         redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
         # User ID.

pkg/config/plugins/runtime/k8s/config.go

@@ -29,7 +29,8 @@ func DefaultKubernetesRuntimeConfig() *KubernetesRuntimeConfig {
 			VirtualProbesPort:    9000,
 			SidecarContainer: SidecarContainer{
 				RedirectPortInbound:   15006,
-				RedirectPortInboundV6: 15010,
+				RedirectPortInboundV6: 15006,
+				DisableIPv6:           false,
 				RedirectPortOutbound:  15001,
 				DataplaneContainer: DataplaneContainer{
 					Image:     "kuma/kuma-dp:latest",
@@ -259,7 +260,10 @@ type SidecarContainer struct {
 	// Redirect port for inbound traffic.
 	RedirectPortInbound uint32 `json:"redirectPortInbound,omitempty" envconfig:"kuma_runtime_kubernetes_injector_sidecar_container_redirect_port_inbound"`
 	// Redirect port for inbound IPv6 traffic.
+	// Deprecated: Use RedirectPortInbound or DisableIPv6 instead.
 	RedirectPortInboundV6 uint32 `json:"redirectPortInboundV6,omitempty" envconfig:"kuma_runtime_kubernetes_injector_sidecar_container_redirect_port_inbound_v6"`
+	// Disable ipv6 traffic redirection
+	DisableIPv6 bool `json:"disableIPv6,omitempty" envconfig:"kuma_runtime_kubernetes_injector_sidecar_container_disable_ipv6"`
 	// Redirect port for outbound traffic.
 	RedirectPortOutbound uint32 `json:"redirectPortOutbound,omitempty" envconfig:"kuma_runtime_kubernetes_injector_sidecar_container_redirect_port_outbound"`
 	// WaitForDataplaneReady enables a script that waits until Envoy is ready.

pkg/config/plugins/runtime/k8s/config_test.go

@@ -33,6 +33,7 @@ var _ = Describe("Config", func() {
 		Expect(cfg.Injector.SidecarContainer.RedirectPortOutbound).To(Equal(uint32(1234)))
 		Expect(cfg.Injector.SidecarContainer.RedirectPortInbound).To(Equal(uint32(1236)))
 		Expect(cfg.Injector.SidecarContainer.RedirectPortInboundV6).To(Equal(uint32(1237)))
+		Expect(cfg.Injector.SidecarContainer.DisableIPv6).To(BeTrue())
 		Expect(cfg.Injector.SidecarContainer.UID).To(Equal(int64(2345)))
 		Expect(cfg.Injector.SidecarContainer.GID).To(Equal(int64(3456)))
 		Expect(cfg.Injector.SidecarContainer.AdminPort).To(Equal(uint32(45678)))

pkg/config/plugins/runtime/k8s/testdata/default-config.golden.yaml

@@ -45,7 +45,7 @@ injector:
       successThreshold: 1
       timeoutSeconds: 3
     redirectPortInbound: 15006
-    redirectPortInboundV6: 15010
+    redirectPortInboundV6: 15006
     redirectPortOutbound: 15001
     resources:
       limits:

pkg/config/plugins/runtime/k8s/testdata/valid-config.input.yaml

@@ -9,6 +9,7 @@ injector:
     redirectPortOutbound: 1234
     redirectPortInbound: 1236
     redirectPortInboundV6: 1237
+    disableIPv6: true
     uid: 2345
     gid: 3456
     adminPort: 45678

pkg/plugins/runtime/k8s/controllers/testdata/15.dataplane.yaml

@@ -19,5 +19,4 @@ spec:
         version: "0.1"
     transparentProxying:
       redirectPortInbound: 15006
-      redirectPortInboundV6: 15010
       redirectPortOutbound: 15001

pkg/plugins/runtime/k8s/controllers/testdata/15.pod.yaml

@@ -8,7 +8,6 @@ metadata:
     kuma.io/direct-access-services: ""
     kuma.io/transparent-proxying: "enabled"
     kuma.io/transparent-proxying-inbound-port: 15006
-    kuma.io/transparent-proxying-inbound-v6-port: 15010
     kuma.io/transparent-proxying-outbound-port: 15001
 spec:
   containers:

pkg/plugins/runtime/k8s/metadata/annotations.go

@@ -124,6 +124,9 @@ var PodAnnotationDeprecations = []Deprecation{
 		Key:     KumaSidecarInjectionAnnotation,
 		Message: "WARNING: you are using kuma.io/sidecar-injection as annotation. This is not supported you should use it as a label instead",
 	},
+	NewRemoveDeprecation("kuma.io/transparent-proxying-inbound-v6-port",
+		fmt.Sprintf("if you want to disable redirection for IPv6 traffic, please use '%s' instead",
+			KumaTransparentProxyingDisableIPv6), false),
 }
 
 type Deprecation struct {
@@ -142,6 +145,17 @@ func NewReplaceByDeprecation(old, new string, removed bool) Deprecation {
 	}
 }
 
+func NewRemoveDeprecation(old string, msg string, removed bool) Deprecation {
+	fullMessage := fmt.Sprintf("'%s' will be removed in the future, '%s'", old, msg)
+	if removed {
+		fullMessage = fmt.Sprintf("'%s' is no longer supported and it will be ignored", old)
+	}
+	return Deprecation{
+		Key:     old,
+		Message: fullMessage,
+	}
+}
+
 // Annotations that are being automatically set by the Kuma Sidecar Injector.
 const (
 	KumaSidecarInjectedAnnotation                      = "kuma.io/sidecar-injected"
@@ -151,6 +165,7 @@ const (
 	KumaTransparentProxyingAnnotation                  = "kuma.io/transparent-proxying"
 	KumaTransparentProxyingInboundPortAnnotation       = "kuma.io/transparent-proxying-inbound-port"
 	KumaTransparentProxyingInboundPortAnnotationV6     = "kuma.io/transparent-proxying-inbound-v6-port"
+	KumaTransparentProxyingDisableIPv6                 = "kuma.io/disable-ipv6"
 	KumaTransparentProxyingOutboundPortAnnotation      = "kuma.io/transparent-proxying-outbound-port"
 	KumaTransparentProxyingReachableServicesAnnotation = "kuma.io/transparent-proxying-reachable-services"
 	CNCFNetworkAnnotation                              = "k8s.v1.cni.cncf.io/networks"

pkg/plugins/runtime/k8s/webhooks/injector/injector.go

@@ -517,13 +517,12 @@ func (i *KumaInjector) NewInitContainer(pod *kube_core.Pod) (kube_core.Container
 
 func (i *KumaInjector) NewAnnotations(pod *kube_core.Pod, mesh string, logger logr.Logger) (map[string]string, error) {
 	annotations := map[string]string{
-		metadata.KumaMeshAnnotation:                             mesh, // either user-defined value or default
-		metadata.KumaSidecarInjectedAnnotation:                  fmt.Sprintf("%t", true),
-		metadata.KumaSidecarUID:                                 fmt.Sprintf("%d", i.cfg.SidecarContainer.UID),
-		metadata.KumaTransparentProxyingAnnotation:              metadata.AnnotationEnabled,
-		metadata.KumaTransparentProxyingInboundPortAnnotation:   fmt.Sprintf("%d", i.cfg.SidecarContainer.RedirectPortInbound),
-		metadata.KumaTransparentProxyingInboundPortAnnotationV6: fmt.Sprintf("%d", i.cfg.SidecarContainer.RedirectPortInboundV6),
-		metadata.KumaTransparentProxyingOutboundPortAnnotation:  fmt.Sprintf("%d", i.cfg.SidecarContainer.RedirectPortOutbound),
+		metadata.KumaMeshAnnotation:                            mesh, // either user-defined value or default
+		metadata.KumaSidecarInjectedAnnotation:                 fmt.Sprintf("%t", true),
+		metadata.KumaSidecarUID:                                fmt.Sprintf("%d", i.cfg.SidecarContainer.UID),
+		metadata.KumaTransparentProxyingAnnotation:             metadata.AnnotationEnabled,
+		metadata.KumaTransparentProxyingInboundPortAnnotation:  fmt.Sprintf("%d", i.cfg.SidecarContainer.RedirectPortInbound),
+		metadata.KumaTransparentProxyingOutboundPortAnnotation: fmt.Sprintf("%d", i.cfg.SidecarContainer.RedirectPortOutbound),
 	}
 	if i.cfg.CNIEnabled {
 		annotations[metadata.CNCFNetworkAnnotation] = metadata.KumaCNI
@@ -606,6 +605,11 @@ func (i *KumaInjector) NewAnnotations(pod *kube_core.Pod, mesh string, logger lo
 	if val, _ := metadata.Annotations(pod.Annotations).GetStringWithDefault(portsToAnnotationValue(i.cfg.SidecarTraffic.ExcludeOutboundPorts), metadata.KumaTrafficExcludeOutboundPorts); val != "" {
 		annotations[metadata.KumaTrafficExcludeOutboundPorts] = val
 	}
+
+	if i.cfg.SidecarContainer.DisableIPv6 {
+		annotations[metadata.KumaTransparentProxyingDisableIPv6] = "true"
+	}
+
 	val, _, err := metadata.Annotations(pod.Annotations).GetUint32WithDefault(i.defaultAdminPort, metadata.KumaEnvoyAdminPort)
 	if err != nil {
 		return nil, err

pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go

@@ -671,6 +671,40 @@ spec:
                   kuma.io/sidecar-injection: enabled`,
 			cfgFile: "inject.config.yaml",
 		}),
+		Entry("33. kuma.io/disable-ipv6", testCase{
+			num: "33",
+			mesh: `
+              apiVersion: kuma.io/v1alpha1
+              kind: Mesh
+              metadata:
+                name: default
+              spec: {}`,
+			namespace: `
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: default
+                labels:
+                  kuma.io/sidecar-injection: enabled`,
+			cfgFile: "inject.config.yaml",
+		}),
+		Entry("34. kuma.io/transparent-proxying-inbound-v6-port to be deleted when deprecated", testCase{
+			num: "34",
+			mesh: `
+                  apiVersion: kuma.io/v1alpha1
+                  kind: Mesh
+                  metadata:
+                    name: default
+                  spec: {}`,
+			namespace: `
+                  apiVersion: v1
+                  kind: Namespace
+                  metadata:
+                    name: default
+                    labels:
+                      kuma.io/sidecar-injection: enabled`,
+			cfgFile: "inject.config.yaml",
+		}),
 	)
 
 	DescribeTable("should not inject Kuma into a Pod",

pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml

@@ -10,7 +10,6 @@ metadata:
     kuma.io/transparent-proxying: enabled
     kuma.io/transparent-proxying-ebpf: disabled
     kuma.io/transparent-proxying-inbound-port: "15006"
-    kuma.io/transparent-proxying-inbound-v6-port: "15010"
     kuma.io/transparent-proxying-outbound-port: "15001"
     kuma.io/virtual-probes: enabled
     kuma.io/virtual-probes-port: "9000"
@@ -124,8 +123,6 @@ spec:
     - --redirect-inbound=true
     - --redirect-inbound-port
     - "15006"
-    - --redirect-inbound-port-v6
-    - "15010"
     - --kuma-dp-uid
     - "5678"
     - --exclude-inbound-ports

pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml

@@ -11,7 +11,6 @@ metadata:
     kuma.io/transparent-proxying: enabled
     kuma.io/transparent-proxying-ebpf: disabled
     kuma.io/transparent-proxying-inbound-port: "15006"
-    kuma.io/transparent-proxying-inbound-v6-port: "15010"
     kuma.io/transparent-proxying-outbound-port: "15001"
     kuma.io/virtual-probes: enabled
     kuma.io/virtual-probes-port: "9000"
@@ -132,8 +131,6 @@ spec:
     - --redirect-inbound=true
     - --redirect-inbound-port
     - "15006"
-    - --redirect-inbound-port-v6
-    - "15010"
     - --kuma-dp-uid
     - "5678"
     - --exclude-inbound-ports

pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml

@@ -10,7 +10,6 @@ metadata:
     kuma.io/transparent-proxying: enabled
     kuma.io/transparent-proxying-ebpf: disabled
     kuma.io/transparent-proxying-inbound-port: "15006"
-    kuma.io/transparent-proxying-inbound-v6-port: "15010"
     kuma.io/transparent-proxying-outbound-port: "15001"
     kuma.io/virtual-probes: enabled
     kuma.io/virtual-probes-port: "9000"
@@ -186,8 +185,6 @@ spec:
     - --redirect-inbound=true
     - --redirect-inbound-port
     - "15006"
-    - --redirect-inbound-port-v6
-    - "15010"
     - --kuma-dp-uid
     - "5678"
     - --exclude-inbound-ports

pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml

@@ -10,7 +10,6 @@ metadata:
     kuma.io/transparent-proxying: enabled
     kuma.io/transparent-proxying-ebpf: disabled
     kuma.io/transparent-proxying-inbound-port: "15006"
-    kuma.io/transparent-proxying-inbound-v6-port: "15010"
     kuma.io/transparent-proxying-outbound-port: "15001"
     kuma.io/virtual-probes: enabled
     kuma.io/virtual-probes-port: "9000"
@@ -124,8 +123,6 @@ spec:
     - --redirect-inbound=true
     - --redirect-inbound-port
     - "15006"
-    - --redirect-inbound-port-v6
-    - "15010"
     - --kuma-dp-uid
     - "5678"
     - --exclude-inbound-ports

pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml

@@ -10,7 +10,6 @@ metadata:
     kuma.io/transparent-proxying: enabled
     kuma.io/transparent-proxying-ebpf: disabled
     kuma.io/transparent-proxying-inbound-port: "15006"
-    kuma.io/transparent-proxying-inbound-v6-port: "15010"
     kuma.io/transparent-proxying-outbound-port: "15001"
     kuma.io/virtual-probes: enabled
     kuma.io/virtual-probes-port: "9000"
@@ -118,8 +117,6 @@ spec:
     - --redirect-inbound=true
     - --redirect-inbound-port
     - "15006"
-    - --redirect-inbound-port-v6
-    - "15010"
     - --kuma-dp-uid
     - "5678"
     - --exclude-inbound-ports