// +optional
  optional Capabilities capabilities = 1;

  // Run container in privileged mode.
  // Processes in privileged containers are essentially equivalent to root on the host.
  // Defaults to false.
  // Note that this field cannot be set when spec.os.name is windows.
  // +optional
  optional bool privileged = 2;

  // The SELinux context to be applied to the container.

    - [CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3955-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
    - [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
  - [Changes by Kind](#changes-by-kind-7)

- Added a new `--init-only` command line flag to `kube-proxy`. Setting the flag makes `kube-proxy` perform its initial configuration that requires privileged mode, and then exit. The `--init-only` mode is intended to be executed in a privileged init container, so that the main container may run with a stricter `securityContext`. ([#120864](https://github.com/kubernetes/kubernetes/pull/120864), [@uablrek](https://github.com/uablrek)) [SIG Network...

    - [CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3955-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
    - [CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation](#cve-2023-3676-insufficient-input-sanitization-on-windows-nodes-leads-to-privilege-escalation)
  - [Changes by Kind](#changes-by-kind-2)
    - [Feature](#feature-2)

		Patch(
			context.Background(),
			pod.Name,
			types.MergePatchType,
			annotationPatch,
			metav1.PatchOptions{},
			// Both "pods" and "pods/status" can mutate the metadata. However, pods/status is lower privilege, so we use that instead.
			"status",
		)
	return err
}

func AnnotateUnenrollPod(client kubernetes.Interface, pod *metav1.ObjectMeta) error {

    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["privileged"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ztunnel
  labels:
    app: ztunnel
    release: {{ .Release.Name }}

      value: "{{ $value }}"
    {{- end }}
  {{- end }}
    resources:
  {{ template "resources" . }}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
    {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
        add:
        - NET_ADMIN
        - NET_RAW
    {{- end }}
        drop:

      value: "{{ $value }}"
    {{- end }}
  {{- end }}
    resources:
  {{ template "resources" . }}
    securityContext:
      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
      privileged: {{ .Values.global.proxy.privileged }}
      capabilities:
    {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
        add:
        - NET_ADMIN
        - NET_RAW
    {{- end }}
        drop:

            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          {{- else }}
            capabilities:
              drop:
              - ALL
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            {{- if not (eq .Values.platform "openshift") }}
            runAsUser: 1337
            runAsGroup: 1337
            {{- end }}
            runAsNonRoot: true

            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: true
{{- end }}
      containers:
        - name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
          image: "{{ .Values.global.proxy.image }}"
{{- else }}