diff --git a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
index e6ebc4cc..28f50b07 100644
--- a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
+++ b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
@@ -6,6 +6,14 @@ securityContext:
 capabilities:
 ciliumAgent: [CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,NET_BIND_SERVICE,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID]
 cleanCiliumState: [NET_ADMIN,SYS_ADMIN,SYS_RESOURCE]
+# podSecurityContext:
+# appArmorProfile:
+# type: "Unconfined"
+# # podAnnotations:
+# # "container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites": "runtime/default"
+# # "container.apparmor.security.beta.kubernetes.io/cilium-agent": "runtime/default"
+# # "container.apparmor.security.beta.kubernetes.io/clean-cilium-state": "runtime/default"
+# # "container.apparmor.security.beta.kubernetes.io/mount-cgroup": "runtime/default"
 cgroup:
 autoMount:
 enabled: false
@@ -21,7 +29,7 @@ routingMode: native
 devices: 'br0'
 autoDirectNodeRoutes: true
 ipv4NativeRoutingCIDR: "${IP_POD_CIDR_V4}"
-endpointRoutes: # supposedly helps with LB routing...? 1.16 introduced a bug where BGP LBs (L2 untested) would randomly timeout requests at unknown intervals, most noticeably is loading SearXNG front page would usually load practically instantly but would be stuck until timeout, FortiGate pcaps show connection does establish but TCP Previous Segment Not Captured
+endpointRoutes: # supposedly helps with LB routing...?
 enabled: true
 loadBalancer:
 algorithm: maglev
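Review bot: The commented-out `podSecurityContext.appArmorProfile.type: "Unconfined"` block is added with no note on why it is disabled or under what condition it should be enabled, so a later reader may uncomment a setting that removes AppArmor confinement from the agent pod without weighing that. A one-line comment above it would record the intent, e.g. `# disabled: Unconfined drops the node's AppArmor profile for the agent pod; record the specific AppArmor denial before enabling`. The doubly commented per-container `runtime/default` annotations below it read as a second, abandoned variant; either state which of the two is the intended fallback or drop the one that is not.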
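Review bot: The rewritten `endpointRoutes` comment keeps the uncertainty (`supposedly helps with LB routing...?`) but removes the record of why the setting was turned on, and hunk 3 likewise drops `enableTCX: true` together with its "testing if it causes Cilium 1.16 BGP LB timeouts" rationale, so the file no longer says whether that issue was resolved or is still being worked around by `endpointRoutes.enabled: true`. A short comment recording the outcome would keep that history without the long narrative, e.g. `endpointRoutes: # enabled during the 1.16 BGP LB timeout investigation; confirm it is still needed`. If the timeouts were traced to TCX instead, say so where `enableTCX` was removed.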
@@ -43,11 +51,10 @@ bpf:
 tproxy: true # L7 netpols stuff
 preallocateMaps: true # reduce latency, increased memory usage
 policyMapMax: 40960 # 2.5x default, Increase Cilium map sizes due to amount of netpols and identities, when BPF map pressure hits 100 endpoint creation starts failing, max dynamic size ratio doesn't increase this
- enableTCX: true # testing if it causes Cilium 1.16 BGP LB timeouts
 l7Proxy: true # enables L7 netpols (including DNS) via proxy, e.g. Envoy
 socketLB:
 enabled: true # faster and more direct same-node pod routing than tc/tcx # supposed to be default off, but it's enabled anyway if unspecified, and looks fun lol
- #hostNamespaceOnly: true # KubeVirt compatibility with k8s services # disabled because KubeVirt VMs now use Multus bridging rather than CNI
+ hostNamespaceOnly: true # KubeVirt, gvisor and Kata compatibility with k8s services
 enableIPv4BIGTCP: true
 enableIPv6BIGTCP: true
 bandwidthManager:
@@ -90,5 +97,3 @@ hubble:
 ui:
 enabled: true
 rollOutPods: true
-
-### endpointStatus + enableCnpStatusUpdates no longer enabled since it can cause large apiserver resource usage and latency spikes, removed from Cilium 1.16, since netpols now have validation status
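Review bot: Enabling `socketLB.hostNamespaceOnly: true` restricts socket-level load balancing to the host network namespace, as the key name and the new KubeVirt/gVisor/Kata justification indicate, so the inline comment on `enabled: true` one line above ("faster and more direct same-node pod routing than tc/tcx") presumably no longer describes what regular pods get — their service traffic would go back through the tc/tcx datapath. Update that comment so the two lines agree, e.g. `enabled: true # socket LB only for host-netns workloads (see hostNamespaceOnly); pod service traffic stays on tc/tcx`. The previous comment said the flag was disabled because KubeVirt VMs moved to Multus bridging; the new text does not say what changed, so a few words on the gVisor/Kata workloads that now need it would help. The `bpf:` mapping starts before this hunk.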