Feature Request: possibility to add NET_ADMIN to containers

[verysonglaa]

Is your feature request related to a problem? Please describe.
We need to force all outgoing communication through a sidecar proxy (envoy) to add certain features, headers and restrict outgoing communication on layer 7 (like domain names)

Describe the solution you'd like.
We would need a way for the init_container to run with NET_ADMIN capabilities to create the necessary iptable REDIRECT rules like:

iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-port 9443 -m owner --uid-owner 65534

(this is the way istio does it)
Describe alternatives you've considered.
If anyone has a different solution how to force all communication through the sidecar without changing the original container I am glad to hear it.

[torosent]

Hi, We can't add this capability since we are changing the iptables as well to implement some of our functionality.
Is adding a NAT gateway or Azure Firewall not answering your requirements? What are the features you require besides restricting egress communication?

[verysonglaa]

Thanks @torosent
It is mainly restricting egress communication.
Adding a NAT Gateway + Azure Firewall is not feasible in our case since we cannot implement hub+spoke models and thus would need a dedicated Firewall for each ACA.
We are just looking for a simple setup which can restrict egress communication.
Is restricting egress communication without using a second service on the roadmap for ACA?

[mortenf1984]

Could using a Subnet with NSG help? That one can restrict outgoing traffic from subnet, if you are using CAE with vNet external, and then no Hub/Spoke is needed?

[verysonglaa]

@mortenf1984 NSG only works on layer 4 but we would need rules on layer 7 (domains),