MAISTRA-548

Drop MKNOD kernel capability from sidecar so app pods can run with the anyuid SCC


    • Maistra TP sprint 12

When the sidecar is injected into an application pod, the pod fails the SecurityContextConstraint (SCC) check because the injected sidecar container does not drop the CAP_MKNOD capability. The SCC admission controller does try to drop it, but it attempts this in the validation phase instead of the mutation phase: admission controllers are invoked twice, and during the first invocation they may mutate the pod if needed, while during the second invocation they should only validate it. The reason is that the sidecar was injected after the SCC admission controller had already been invoked the first time, so it was never mutated.

To ensure the SCC controller does not need to mutate the pod during the validation phase, the sidecar spec must itself drop every capability that the applied SCC requires to be dropped. For the anyuid SCC, that means dropping CAP_MKNOD.
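The check described above, as an added example that is not Maistra's or OpenShift's own code: it models the validation-phase comparison between each container's dropped capabilities and the SCC's requiredDropCapabilities, and shows the sidecar securityContext that makes the pod pass without mutation. The pod, the sidecar container and the SCC subset are constructed for illustration (only the MKNOD requirement of anyuid is modelled, as the issue states); the container names and image tags are placeholders.

```python
"""Does a pod pass an SCC's requiredDropCapabilities check without mutation?

Added example, not Maistra code. Models the validation-phase check the SCC
admission controller performs on an already-injected pod, and the sidecar
securityContext fix. All pod/SCC data below is constructed for illustration.
"""


def normalize_cap(cap):
    """Kubernetes spells capabilities without the CAP_ prefix (MKNOD, not CAP_MKNOD)."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def container_drops(container):
    """Return the set of capabilities a container's securityContext drops."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return {normalize_cap(c) for c in caps.get("drop") or []}


def missing_required_drops(pod, scc):
    """Map container name -> sorted list of SCC-required drops the container lacks.

    An empty result means the pod passes validation with no mutation needed,
    which is the state the sidecar injector has to produce on its own because
    the SCC plugin's mutating pass ran before the sidecar existed.
    """
    required = {normalize_cap(c) for c in scc.get("requiredDropCapabilities", [])}
    spec = pod["spec"]
    result = {}
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        dropped = container_drops(container)
        if "ALL" in dropped:  # dropping ALL satisfies every required drop
            continue
        missing = sorted(required - dropped)
        if missing:
            result[container["name"]] = missing
    return result


# Constructed subset of the anyuid SCC: only the field this check needs.
ANYUID_SCC = {"metadata": {"name": "anyuid"}, "requiredDropCapabilities": ["MKNOD"]}


def sidecar(drop_mknod):
    """Constructed sidecar container spec; drop_mknod toggles the fix from the issue."""
    c = {"name": "istio-proxy", "image": "PLACEHOLDER/proxy:tag"}
    if drop_mknod:
        c["securityContext"] = {"capabilities": {"drop": ["MKNOD"]}}
    return c


def app_pod(with_fix):
    """Constructed application pod after injection.

    The app container already drops MKNOD because the SCC plugin's mutating
    pass saw it; the sidecar was added afterwards and only gets the drop
    when the injector writes it into the sidecar spec itself.
    """
    return {
        "metadata": {"name": "app"},
        "spec": {
            "containers": [
                {
                    "name": "app",
                    "image": "PLACEHOLDER/app:tag",
                    "securityContext": {"capabilities": {"drop": ["MKNOD"]}},
                },
                sidecar(with_fix),
            ]
        },
    }


if __name__ == "__main__":
    print("before fix:", missing_required_drops(app_pod(False), ANYUID_SCC))
    print("after fix: ", missing_required_drops(app_pod(True), ANYUID_SCC))
```

Running the block reports `{'istio-proxy': ['MKNOD']}` for the unfixed pod and `{}` once the sidecar spec carries the drop, which is the condition the SCC validation pass enforces. The same function can be pointed at a rendered pod manifest (for example the output of a dry-run injection) to confirm every container satisfies the target SCC before the pod reaches the API server.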

Marko Luksa (mluksa@redhat.com)