No validation of agent flag values when using mounted ConfigMap #13070

@pchaigno

If the Cilium agent flags are passed via a mounted ConfigMap (cilium-agent --config-dir=/tmp/cilium/config-map), the default for Helm deployments, the flag values are not validated.

To reproduce you need to edit the ConfigMap and add a nonsense flag such as restore: 0SO##ME5_RANDOM. Then restart the agent pods and observe that the agent happily ate that nonsense:

$ kubectl -n cilium edit configmap
$ kubectl -n cilium get configmap -o yaml | grep restore
    restore: 0SO##ME5_RANDOM
$ kubectl -n cilium delete pod/cilium-xxxx
$ kubectl -n cilium logs cilium-xxxxx | grep restore=
level=info msg="  --restore='0SO##ME5_RANDOM'" subsys=daemon
$ kubectl -n cilium logs cilium-xxxxx | grep "Endpoints restored"
# Value was interpreted as false, so no restoration happened.

If you try to do the same by passing flags directly to the agent, you'll get yelled at:

$ grep restore= contrib/vagrant/start.sh 
    cilium_options=" --debug --pprof --enable-hubble --hubble-listen-address :4244 --enable-k8s-event-handover --k8s-require-ipv4-pod-cidr --auto-direct-node-routes --restore='0SO##ME5_RANDOM'"
$ make -j$(nproc) && K8S=1 NFS=1 NO_BUILD=1 ./contrib/vagrant/start.sh
[...]
cilium-agent[8654]: invalid argument "0SO##ME5_RANDOM" for "--restore" flag: strconv.ParseBool: parsing "0SO##ME5_RANDOM": invalid syntax

We should ensure we have the same type checks when passing Cilium agent flags via a mounted ConfigMap.
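The check requested above, as an added example that is not Cilium's code: every file in the mounted directory is run through the parser of the flag it names, so a malformed value is rejected instead of being read as false. It assumes Go's standard `flag` package; `newAgentFlags`, `validateConfigDir` and the sample directory contents are hypothetical and constructed for illustration.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// newAgentFlags is a hypothetical, cut-down stand-in for the agent's flag set.
func newAgentFlags() *flag.FlagSet {
	fs := flag.NewFlagSet("agent", flag.ContinueOnError)
	fs.Bool("restore", true, "restore endpoints from a previous run")
	fs.Bool("debug", false, "enable debug logging")
	return fs
}

// validateConfigDir treats every regular file in dir as one flag (file name =
// flag name, file content = value) and passes the value to that flag's own
// parser, so a bad value fails the same way it does on the command line.
func validateConfigDir(fs *flag.FlagSet, dir string) (problems []string) {
	entries, err := os.ReadDir(dir) // entries come back sorted by file name
	if err != nil {
		return []string{err.Error()}
	}
	for _, e := range entries {
		// Skip directories and the hidden "..data" entries of a ConfigMap mount.
		if e.IsDir() || strings.HasPrefix(e.Name(), ".") {
			continue
		}
		raw, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err == nil {
			err = fs.Set(e.Name(), strings.TrimSpace(string(raw)))
		}
		if err != nil {
			problems = append(problems, fmt.Sprintf("%s: %v", e.Name(), err))
		}
	}
	return problems
}

func main() {
	dir, _ := os.MkdirTemp("", "config-map") // constructed sample directory
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "restore"), []byte("0SO##ME5_RANDOM\n"), 0o600)
	os.WriteFile(filepath.Join(dir, "debug"), []byte("true\n"), 0o600)
	for _, p := range validateConfigDir(newAgentFlags(), dir) {
		fmt.Println("invalid config:", p)
	}
}
```

A caller would refuse to start when the returned slice is non-empty; keys that name no registered flag are reported as well.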

Labels

area/cli: Impacts the command line interface of any command in the repository.
good-first-issue: Good starting point for new developers, which requires minimal understanding of Cilium.
kind/bug: This is a bug in the Cilium logic.
kind/community-report: This was reported by a user in the Cilium community, e.g. via Slack.
