I am running AWS EKS 1.16 with Istio Service Mesh 1.8.6. I have applied a Pod Security Policy where I am denying Privileged Containers, Running as Root and Privilege Escalation and am allowing NET_RAW and NET_ADMIN capabilities as Istio init containers need them.
But istio-init containers run as root (UID 0) and thus fail validation against the PSP. I tried changing the UID of the init containers within the Istio configmap for sidecar-injector, but the istio-init container fails, stating it could not get iptables.
So I am assuming istio-init definitely needs to run as root?
How can I make istio-init containers run as non-root?
I tried enabling Istio CNI but that messes up my EKS implementation. The worker nodes immediately get marked as unhealthy so I had to disable Istio CNI and install AWS VPC CNI.
Any suggestions/direction would be greatly appreciated.
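For reference, this is what the policy described in the question looks like as a PodSecurityPolicy manifest. It is an added example, not the poster's own manifest; the policy name and the volume list are assumptions, and the comments mark where the istio-init container collides with it.

```yaml
# Constructed PodSecurityPolicy matching the constraints described in the question:
# no privileged containers, no running as root, no privilege escalation,
# but NET_ADMIN and NET_RAW permitted for the Istio init container.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-with-istio-caps   # assumed name
spec:
  privileged: false                  # deny privileged containers
  allowPrivilegeEscalation: false    # deny privilege escalation
  runAsUser:
    rule: MustRunAsNonRoot           # this is the rule istio-init fails:
                                     # it runs as UID 0 to program iptables
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Capabilities istio-init requests for its iptables setup; the PSP admits
  # these, so the rejection comes from the runAsUser rule above, not from here.
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
  # Volume types allowed to application pods (assumed; adjust to your workloads).
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
```

Applying this and then checking the rejected pod's events shows the admission failure coming from the `runAsUser` rule, which matches the behaviour described above.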