 

Why does the iptables rule setup in the initContainer `istio-init` work in the application container?

I am reading the Istio docs. They say:

istio-init: This init container is used to set up the iptables rules so that inbound/outbound traffic will go through the sidecar proxy.

In my understanding, the initContainer and the application container are separate except that they share the same network namespace. So why would the iptables setup in the initContainer still persist in the application container?

574 likes
Nick Allen asked Sep 14 '25 14:09


2 Answers

As I mentioned in the comments, iptables rules are briefly described here.

There is also an iptables schematic:

[iptables schematic image]

59 likes
Jakub answered Sep 17 '25 03:09


A single network namespace shares a (virtual) network adapter between all the process namespaces (which means the other containers the pod will start). This is where changes are persisted.

iptables rules are set in a network namespace and configure that shared adapter, so changes to networking in an init container persist when the application containers and sidecars start later in the same network namespace and use the same adapter.

32 likes
Andy answered Sep 17 '25 05:09
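The point both answers make, and that the question's "containers are separate" intuition misses, is that iptables rules belong to the network namespace, not to the process that installed them. The script below is an added example (not code from the Istio project, the Istio docs, or either answer): it shows, without root and without touching any firewall, that a parent and a child process report the same network-namespace identity, and it checks a constructed `iptables -t nat -S` style ruleset for the REDIRECT rule that a sidecar injection installs. The chain names, port 15001, and the `<pod>`/`<container>` placeholders are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not from the Istio docs or from either answer above.
# Demonstrates the property both answers rely on: the network namespace is
# the unit that owns iptables rules, and every process in it sees the same
# namespace identity. Nothing here needs root or modifies any firewall.

# netns_id: print the network-namespace identity of a process (own process
# by default). Two processes that print the same value share one netns and
# therefore see one ruleset. In a pod, running the same readlink in each
# container (kubectl exec <pod> -c <container> -- readlink /proc/self/ns/net,
# with <pod> and <container> as placeholders) confirms that the application
# container lives in the namespace where istio-init installed its rules.
netns_id() {
  readlink "/proc/${1:-self}/ns/net"
}

# same_netns: succeed (exit 0) if this shell and a freshly started child
# process report the same network namespace, the way an init container and
# the application containers of one pod do.
same_netns() {
  parent=$(netns_id self) || return 1
  child=$(sh -c 'readlink /proc/self/ns/net') || return 1
  [ -n "$parent" ] && [ "$parent" = "$child" ]
}

# has_redirect_rule: read `iptables -t nat -S` style output on stdin and
# succeed if a REDIRECT to the given port is present. This is the check to
# run inside the application container to verify that the init container's
# rules are really in effect there.
has_redirect_rule() {
  port=$1
  grep -Eq -- "-j REDIRECT --to-ports ${port}( |$)"
}

# Constructed sample resembling the nat table of a sidecar-injected pod.
# Chain names and port 15001 are assumed Istio defaults and are illustrative,
# not captured from a real pod.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N ISTIO_OUTPUT
-N ISTIO_REDIRECT
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001'

# sample_redirects_to: succeed if the constructed sample redirects to port $1.
sample_redirects_to() {
  printf '%s\n' "$SAMPLE_NAT_RULES" | has_redirect_rule "$1"
}

# Stand-alone demonstration.
if same_netns; then
  echo "parent and child share netns $(netns_id self)"
else
  echo "netns identity not available on this system"
fi
if sample_redirects_to 15001; then
  echo "sample ruleset redirects outbound TCP to port 15001"
fi
```

The same two checks are what you would run against a real pod: compare `readlink /proc/self/ns/net` across the application and sidecar containers to confirm one shared namespace, then list the nat table from inside the application container to see the rules the init container left behind.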