- CAP_SYS_ADMIN
- CAP_NET_ADMIN
- CAP_NET_RAW

## Ambient mode details

Fundamentally, this component is responsible for the following:

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

            # privileged is redundant with CAP_SYS_ADMIN
            # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
            # capabilities we actually require
            capabilities:
              drop:
              - ALL
              add:
              # CAP_NET_ADMIN is required to allow ipset and route table access
              - NET_ADMIN

  // If set to true or not present, the pod will be run in the host user namespace, useful
  // for when the pod needs a feature only available to the host user namespace, such as
  // loading a kernel module with CAP_SYS_MODULE.
  // When set to false, a new userns is created for the pod. Setting false is useful for
  // mitigating container breakout vulnerabilities even allowing users to run their