verbs: ["watch", "get", "list"]
{{- if .Values.cni.repair.repairPods }}
{{- /*  No privileges needed*/}}
{{- else if .Values.cni.repair.deletePods }}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]
{{- else if .Values.cni.repair.labelPods }}
  - apiGroups: [""]
    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
    resources: ["pods/status"]

              port: 8000
          securityContext:
            privileged: true # always requires privilege to be useful (install node plugin, etc)
            runAsGroup: 0
            runAsUser: 0
            runAsNonRoot: false
            # Both ambient and sidecar repair mode require elevated node privileges to function.
            # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.

## Privileges required

```

This tells Traefik to listen on port 9999 and to use another file `routes.toml`.

!!! tip
    We are using port 9999 instead of the standard HTTP port 80 so that you don't have to run it with admin (`sudo`) privileges.

Now create that other file `routes.toml`:

```TOML hl_lines="5  12  20"
[http]
  [http.middlewares]

    [http.middlewares.api-stripprefix.stripPrefix]
      prefixes = ["/api/v1"]

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

		Patch(
			context.Background(),
			pod.Name,
			types.MergePatchType,
			annotationPatch,
			metav1.PatchOptions{},
			// Both "pods" and "pods/status" can mutate the metadata. However, pods/status is lower privilege, so we use that instead.
			"status",
		)
	return err
}

func AnnotateUnenrollPod(client kubernetes.Interface, pod *metav1.ObjectMeta) error {

    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["privileged"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ztunnel
  labels:
    app: ztunnel
    release: {{ .Release.Name }}

{
  "name": "istio build-tools",
  "image": "gcr.io/istio-testing/build-tools:master-b0f2fd3b4240c8178b14de4689d0e663e11868ff",
  "privileged": true,
  "remoteEnv": {
    "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
    "BUILD_WITH_CONTAINER": "0",
    "CARGO_HOME": "/home/.cargo",
    "RUSTUP_HOME": "/home/.rustup"
  },
  "features": {
    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
    "ghcr.io/mpriscella/features/kind:1": {}
  },

            port: 15021
            scheme: HTTP
          initialDelaySeconds: 0
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          privileged: false
          runAsGroup: 1337
          runAsUser: 0
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: workload-socket

{{ toYaml .Values.resources | trim | indent 10 }}
{{- end }}
{{- with .Values.imagePullPolicy }}
        imagePullPolicy: {{ . }}
{{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          capabilities:
            drop:
            - ALL
            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
            - NET_ADMIN # Required for TPROXY and setsockopt