On my EKS cluster, we tried to set up Istio and Calico together. It seemed right until we deployed a service.
We received these errors:
spec.initContainers.securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added] spec.initContainers.securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added]
We thought for a long time that it was a problem with our Pod Security Policy (and all that I found on the internet was related to PSP or Calico issues), but not at all.
It was an issue with our Network Policies. A port was missing from our network policy definition.
I found it when I randomly deleted all the network policies to test.
I hope it will help you!
Don't hesitate to give some feedback to help me improve my writing skills. Thanks!