diff --git a/.changelog/3498.txt b/.changelog/3498.txt
new file mode 100644
index 0000000000..7aed5a69af
--- /dev/null
+++ b/.changelog/3498.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers).
+```