
cluster.local default behavior in ambient

Open costinm opened this issue 1 year ago • 26 comments

One of the main goals for ambient is to be 'on by default' and easy to enable. We fixed almost all bugs and incompatibilities with K8S - enabling ztunnel will not change how existing applications work, so the admin does not need to go namespace-by-namespace and deal with obscure breakages.

One feature that is not yet fixed is the behavior of service.ns.svc.cluster.local - in K8S, requests are sent to local pods, while in Istio and the current ztunnel implementation they may go to other clusters/regions. Istio does have a MeshConfig setting to opt out of this behavior and apps broken by this change - but it is hard for an admin to know when an app would break, and keeping this would prevent 'on-by-default'.

We should have ztunnel and Waypoints in ambient default to the K8S behavior for cluster.local - with an opt-in option to send traffic to all clusters. There are different API options to enable the opt-in, including Service/ServiceEntry annotations, using K8S ServiceImport, etc.

costinm, Mar 07 '23 21:03