Istio uses the user/group of 1337 as a special user/group meant for the sidecar only. Allowing access to run as this user/group can provide a pathway of attack/way to bypass the sidecar.
We should add a new policy to block usage of this user/group except by the Istio proxy. This policy should also have an exemption for consistency, likely called something like RestrictIstioUser.
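A sketch of the check such a policy would perform, written here as an added Python example and not taken from this project's policy code. It assumes the sidecar container keeps Istio's default name `istio-proxy`; the `exempt_pods` parameter and the sample pod are constructed for illustration.

```python
ISTIO_ID = 1337                      # UID/GID Istio reserves for the sidecar
PROXY_CONTAINERS = {"istio-proxy"}   # assumption: default sidecar container name


def effective(pod_ctx, container_ctx, field):
    """A container-level securityContext value overrides the pod-level one."""
    value = (container_ctx or {}).get(field)
    return value if value is not None else (pod_ctx or {}).get(field)


def istio_id_violations(pod_name, pod_spec, exempt_pods=frozenset()):
    """Return (container, field) pairs that run as 1337 without being the proxy."""
    if pod_name in exempt_pods:      # hypothetical exemption list
        return []
    pod_ctx = pod_spec.get("securityContext")
    found = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(kind) or []:
            if c.get("name") in PROXY_CONTAINERS:
                continue             # the sidecar itself is allowed to use 1337
            for field in ("runAsUser", "runAsGroup"):
                if effective(pod_ctx, c.get("securityContext"), field) == ISTIO_ID:
                    found.append((c["name"], field))
    return found


# Constructed sample: pod-level runAsUser 1337 is inherited by "app",
# overridden by "worker", and "batch" sets the group explicitly.
SAMPLE_POD = {
    "securityContext": {"runAsUser": 1337},
    "containers": [
        {"name": "app"},
        {"name": "worker", "securityContext": {"runAsUser": 1000}},
        {"name": "batch", "securityContext": {"runAsUser": 1000, "runAsGroup": 1337}},
        {"name": "istio-proxy",
         "securityContext": {"runAsUser": 1337, "runAsGroup": 1337}},
    ],
}

if __name__ == "__main__":
    for name, field in istio_id_violations("demo", SAMPLE_POD):
        print(f"deny: container {name!r} has effective {field}={ISTIO_ID}")
```

Matching on the container name alone is the weakest form of the exception; an admission policy would normally also constrain the proxy image.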