Document the requirement for the NET_RAW capability (#6643)

Fixes https://github.com/istio/istio/issues/21625

content/en/docs/ops/common-problems/observability-issues/index.md

@@ -29,7 +29,7 @@ If the Istio Dashboard or the Prometheus queries don’t show the expected metri
 
 ### Verify Istio CNI pods are running (if used)
 
-The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod lifecycle’s network setup phase, thereby removing the [`NET_ADMIN` capability requirement](/docs/ops/deployment/requirements/) for users deploying pods into the Istio mesh. The Istio CNI plugin replaces the functionality provided by the `istio-init` container.
+The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod lifecycle’s network setup phase, thereby removing the [requirement for the `NET_ADMIN` and `NET_RAW` capabilities](/docs/ops/deployment/requirements/) for users deploying pods into the Istio mesh. The Istio CNI plugin replaces the functionality provided by the `istio-init` container.
 
 1. Verify that the `istio-cni-node` pods are running:
 
@@ -37,7 +37,7 @@ The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kube
     $ kubectl -n kube-system get pod -l k8s-app=istio-cni-node
     {{< /text >}}
 
-1. If `PodSecurityPolicy` is being enforced in your cluster, ensure the `istio-cni` service account can use a `PodSecurityPolicy` with the [`NET_ADMIN` capability requirement](/docs/ops/deployment/requirements/)
+1. If `PodSecurityPolicy` is being enforced in your cluster, ensure the `istio-cni` service account can use a `PodSecurityPolicy` which [allows the `NET_ADMIN` and `NET_RAW` capabilities](/docs/ops/deployment/requirements/)
 ### Verify Mixer is receiving report calls
 
 Mixer generates metrics to monitor its own behavior. The first step is to check these metrics:

content/en/docs/ops/deployment/requirements/index.md

@@ -51,10 +51,11 @@ requirements:
 - **Application UIDs**: Ensure your pods do **not** run applications as a user
   with the user ID (UID) value of **1337**.
 
-- **`NET_ADMIN` capability**: If your cluster enforces pod security policies,
-  pods must allow the `NET_ADMIN` capability. If you use the [Istio CNI Plugin](/docs/setup/additional-setup/cni/),
-  this requirement no longer applies. To learn more about the `NET_ADMIN`
-  capability, see [Required pod capabilities](#required-pod-capabilities), below.
+- **`NET_ADMIN` and `NET_RAW` capabilities**: If your cluster enforces pod security policies,
+  they must allow injected pods to add the `NET_ADMIN` and `NET_RAW` capabilities.
+  If you use the [Istio CNI Plugin](/docs/setup/additional-setup/cni/),
+  this requirement no longer applies. To learn more about the `NET_ADMIN` and `NET_RAW`
+  capabilities, see [Required pod capabilities](#required-pod-capabilities), below.
 
 ## Ports used by Istio
 
@@ -90,12 +91,12 @@ TCP headless services using a TCP port used by one of Istio's services.
 If [pod security policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
 are [enforced](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies)
 in your cluster and unless you use the Istio CNI Plugin, your pods must have the
-`NET_ADMIN` capability allowed. The initialization containers of the Envoy
-proxies require this capability.
+`NET_ADMIN` and `NET_RAW` capabilities allowed. The initialization containers of the Envoy
+proxies require these capabilities.
 
-To check if the `NET_ADMIN` capability is allowed for your pods, you need to check if their
+To check if the `NET_ADMIN` and `NET_RAW` capabilities are allowed for your pods, you need to check if their
 [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
-can use a pod security policy that allows the `NET_ADMIN` capability.
+can use a pod security policy that allows the `NET_ADMIN` and `NET_RAW` capabilities.
 If you haven't specified a service account in your pods' deployment, the pods run using
 the `default` service account in their deployment's namespace.
 
@@ -112,6 +113,6 @@ For example, to check for the `default` service account in the `default` namespa
 $ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
 {{< /text >}}
 
-If you see `NET_ADMIN` or `*` in the list of capabilities of one of the allowed
+If you see `NET_ADMIN` and `NET_ADMIN` or `*` in the list of capabilities of one of the allowed
 policies for your service account, your pods have permission to run the Istio init containers.
 Otherwise, you will need to [provide the permission](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies).

content/en/docs/setup/additional-setup/cni/index.md

@@ -16,7 +16,7 @@ By default Istio injects an `initContainer`, `istio-init`, in pods deployed in
 the mesh.  The `istio-init` container sets up the pod network traffic
 redirection to/from the Istio sidecar proxy.  This requires the user or
 service-account deploying pods to the mesh to have sufficient Kubernetes RBAC
-permissions to deploy [`NET_ADMIN` containers](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container).
+permissions to deploy [containers with the `NET_ADMIN` and `NET_RAW` capabilities](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container).
 Requiring Istio users to have elevated Kubernetes RBAC permissions is
 problematic for some organizations' security compliance.  The Istio CNI plugin
 is a replacement for the `istio-init` container that performs the same
@@ -24,7 +24,7 @@ networking functionality but without requiring Istio users to enable elevated
 Kubernetes RBAC permissions.
 
 The Istio CNI plugin performs the Istio mesh pod traffic redirection in the Kubernetes pod lifecycle's network
-setup phase, thereby removing the [`NET_ADMIN` capability requirement](/docs/ops/deployment/requirements/)
+setup phase, thereby removing the [requirement for the `NET_ADMIN` and `NET_RAW` capabilities](/docs/ops/deployment/requirements/)
 for users deploying pods into the Istio mesh.  The Istio CNI plugin
 replaces the functionality provided by the `istio-init` container.
 
@@ -238,8 +238,8 @@ Avoid this traffic loss with one or both of the following settings:
 
 ### Compatibility with other CNI plugins
 
-The Istio CNI plugin maintains compatibility with the same set of CNI plugins as the current `NET_ADMIN`
-`istio-init` container.
+The Istio CNI plugin maintains compatibility with the same set of CNI plugins as the current
+`istio-init` container which requires the `NET_ADMIN` and `NET_RAW` capabilities.
 
 The Istio CNI plugin operates as a chained CNI plugin.  This means its configuration is added to the existing
 CNI plugins configuration as a new configuration list element.  See the