- CAP_SYS_ADMIN
- CAP_NET_ADMIN
- CAP_NET_RAW

## Ambient mode details

Fundamentally, this component is responsible for the following:

  # The "TPROXY" mode preserves both the source and destination IP
  # addresses and ports, so that they can be used for advanced filtering
  # and manipulation.
  # The "TPROXY" mode also configures the sidecar to run with the
  # CAP_NET_ADMIN capability, which is required to use TPROXY.
  #interceptionMode: REDIRECT
  #
  # Port where Envoy listens (on local host) for admin commands
  # You can exec into the istio-proxy container in a pod and

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

            # privileged is redundant with CAP_SYS_ADMIN
            # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
            # capabilities we actually require
            capabilities:
              drop:
              - ALL
              add:
              # CAP_NET_ADMIN is required to allow ipset and route table access
              - NET_ADMIN

  // If set to true or not present, the pod will be run in the host user namespace, useful
  // for when the pod needs a feature only available to the host user namespace, such as
  // loading a kernel module with CAP_SYS_MODULE.
  // When set to false, a new userns is created for the pod. Setting false is useful for
  // mitigating container breakout vulnerabilities even allowing users to run their