Istio Init Containers do not work with Pod Security Policies

I am running AWS EKS 1.16 with Istio Service Mesh 1.8.6. I have applied a Pod Security Policy where I am denying Privileged Containers, Running as Root and Privilege Escalation and am allowing NET_RAW and NET_ADMIN capabilities as Istio init containers need them.

But Istio_init containers run as root (UID 0) and thus fail validating against PSP. I tried changing the UID of the init containers within the Istio configmap for sidecar-injector but the istio-init container fails stating it could not get iptables.

So I am assuming istio_init definitely needs to run as root ?

How can make Istio_init containers run as non-root?

I tried enabling Istio CNI but that messes up my EKS implementation. The worker nodes immediately get marked as unhealthy so I had to disable Istio CNI and install AWS VPC CNI.

Any suggestions/direction would be greatly appreciated.