Previously, any pod containing the Istio sidecar had to run under the privileged SCC. Istio CNI partially solves this, since the pod no longer contains the init container that manipulates iptables rules (and thus needs to be run as privileged: true). Using Istio CNI and MAISTRA-548, pods can now run under the anyuid SCC. Requiring the use of the anyuid SCC is still considered as requiring elevated privileges.

Application pods using Istio must be able to run with just the restricted SCC. To achieve this, we need to:

• drop additional Kernel capabilities (SETUID, SETGID, KILL) from the sidecar container just like in MAISTRA-548
• run the proxy with a userID from the project's range of allowed user IDs instead of always using user ID 1337 (each project/namespace has an annotation that specifies the range of userIDs that containers can use - example: openshift.io/sa.scc.uid-range: 1000120000/10000. By default, OpenShift runs containers with the first UID from that range, but the proxy needs to run with a different UID so that iptables rules can differentiate between app's and the proxy's packets)