Make forced ordering of istio sidecar containers optional
(This is used to request new product features, please visit https://github.com/istio/istio/discussions for questions on using Istio)
Describe the feature request
Currently, Istiod forcefully orders the sidecar containers (istio-init and istio-proxy) during injection, ensuring they are the first two containers to start before any others. This approach worked well until we decided to implement the Kubernetes native sidecar feature.
Here is the code that does that https://github.com/istio/istio/blob/master/pkg/kube/inject/webhook.go#L795-L810
We have a custom sidecar container that we want to include in the initContainers list when using the native sidecar feature. Ideally, this custom container should start before any other container. However, we can't achieve this because Istio forcefully reorders the initContainers, prioritizing the istio-init and istio-proxy containers. Our custom sidecar doesn't require Istio networking.
Is there a way to disable this forced ordering so that we can maintain the container sequence specified in the injection template?
Describe alternatives you've considered
Currently we don't have an alternative, and this is right now blocking us from using the native sidecar feature.
Affected product area (please put an X in all that apply)
[ ] Ambient [ ] Docs [ ] Dual Stack [ ] Installation [X] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [ ] Security [ ] Test and Release [X] User Experience [ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster [ ] Virtual Machine [ ] Multi Control Plane
Additional context