Closed by somejfn 3 years ago
Thanks for bringing this up! Yes, that's indeed an important difference of the service mesh implementations. I'm working on a new row in the table :)
Please let me know if this is of use for you. I'm happy to extend the table further if needed!
Thank you, that is greatly helpful.
Several meshes default to init containers to inject an iptables rule to send traffic to the sidecar proxy. This requires more privileges than recommended PSPs (i.e. no root container and drop all caps) found in several security hardening guides (namely CIS).
Istio has the CNI approach to help on this, but is it the only one addressing the problem?
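To see which containers in an injected pod would fail the "no root container and drop all caps" rule raised in this issue, the following added example (not code from this thread or from any mesh project) audits a pod manifest. The container names, images and the capabilities listed in the sample are constructed assumptions, and pod-level `securityContext` defaults are ignored for brevity.

```python
import json

# Constructed sample: a pod after sidecar injection. The init container mirrors
# the pattern described above (root plus extra capabilities to program iptables).
# Names, images and capability values are illustrative assumptions.
POD = json.loads("""
{
  "spec": {
    "initContainers": [
      {"name": "mesh-init", "image": "example/mesh-init:0.0",
       "securityContext": {"runAsUser": 0, "runAsNonRoot": false,
                           "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}
    ],
    "containers": [
      {"name": "app", "image": "example/app:0.0",
       "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]}}}
    ]
  }
}
""")

def audit_container(c):
    """Return the ways one container breaks 'no root, drop all caps'."""
    sc = c.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    findings = []
    if sc.get("privileged"):
        findings.append("privileged")
    if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot"):
        findings.append("may run as root")
    if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
        findings.append("does not drop ALL capabilities")
    if caps.get("add"):
        findings.append("adds capabilities: " + ",".join(sorted(caps["add"])))
    return findings

def audit_pod(pod):
    """Map 'kind/name' -> findings for every container that violates the policy."""
    report = {}
    for kind in ("initContainers", "containers"):
        for c in pod.get("spec", {}).get(kind, []):
            findings = audit_container(c)
            if findings:
                report[f"{kind}/{c['name']}"] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_pod(POD).items():
        print(name, "->", "; ".join(findings))
```

Running it over manifests rendered by each mesh's injector shows whether only the init container, or the sidecar as well, needs an exception to the hardened policy.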