diff --git a/cni-plugin/main.go b/cni-plugin/main.go
index b966da66..5cfac75b 100644
--- a/cni-plugin/main.go
+++ b/cni-plugin/main.go
@@ -193,14 +193,6 @@ func cmdAdd(args *skel.CmdArgs) error {
 			return err
 		}
 
-		containsLinkerdProxy := false
-		for _, container := range pod.Spec.Containers {
-			if container.Name == "linkerd-proxy" {
-				containsLinkerdProxy = true
-				break
-			}
-		}
-
 		containsInitContainer := false
 		for _, container := range pod.Spec.InitContainers {
 			if container.Name == "linkerd-init" {
@@ -209,7 +201,7 @@ func cmdAdd(args *skel.CmdArgs) error {
 			}
 		}
 
-		if containsLinkerdProxy && !containsInitContainer {
+		if !containsInitContainer && containsLinkerdProxy(&pod.Spec) {
 			logEntry.Debugf("linkerd-cni: setting up iptables firewall for %s/%s", namespace, pod)
 			options := cmd.RootOptions{
 				IncomingProxyPort:     conf.ProxyInit.IncomingProxyPort,
@@ -366,6 +358,23 @@ func cmdDel(_ *skel.CmdArgs) error {
 	return nil
 }
 
+func containsLinkerdProxy(spec *v1.PodSpec) bool {
+	for _, container := range spec.Containers {
+		if container.Name == "linkerd-proxy" {
+			return true
+		}
+	}
+
+	// native sidecar proxy
+	for _, container := range spec.InitContainers {
+		if container.Name == "linkerd-proxy" {
+			return true
+		}
+	}
+
+	return false
+}
+
 func getAPIServerPorts(ctx context.Context, api *kubernetes.Clientset) ([]string, error) {
 	service, err := api.CoreV1().Services("default").Get(ctx, "kubernetes", metav1.GetOptions{})
 	if err != nil {