HPrinz
commented
3 years ago Thanks for bringing this up! Yes, that's indeed an important difference of the service mesh implementations. I'm working on a new row in the table :)
Closed somejfn closed 3 years ago
HPrinz
commented
3 years ago Thanks for bringing this up! Yes, that's indeed an important difference of the service mesh implementations. I'm working on a new row in the table :)
HPrinz
commented
3 years ago Please let me know if this is of use for you. I'm happy to extend the table further if needed!
somejfn
commented
3 years ago thank you that is greatly helpful.
Several mesh defaults to init containers to inject an iptable rule to send traffic to the sidecar proxy. This requires more privileges than recommended PSPs (i.e. no root container and drop all caps) found in several security hardening guides (namely CIS)
Istio has the CNI approach to help on this, but is it the only one addressing the problem ?