# The "TPROXY" mode preserves both the source and destination IP
  # addresses and ports, so that they can be used for advanced filtering
  # and manipulation.
  # The "TPROXY" mode also configures the sidecar to run with the
  # CAP_NET_ADMIN capability, which is required to use TPROXY.
  #interceptionMode: REDIRECT
  #
  # Port where Envoy listens (on local host) for admin commands
  # You can exec into the istio-proxy container in a pod and

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

            # privileged is redundant with CAP_SYS_ADMIN
            # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
            # capabilities we actually require
            capabilities:
              drop:
              - ALL
              add:
              # CAP_NET_ADMIN is required to allow ipset and route table access
              - NET_ADMIN