Istio CNI and Rancher

Today, when we use Rancher to deploy Istio, it uses the istio-init container to manipulate the networking in order to direct traffic through the proxy. This of course requires that every app pod run with net-admin privileges, which is very undesirable. Istio offers the CNI route, which eliminates the need for the init container. Although I understand the CNI is still alpha, is there a planned date to offer the CNI method in Rancher? If not, are there any gotchas if we decide to implement Istio “manually” so that we could leverage the CNI plugin?
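
One way to see which pods still carry the network capabilities the post is concerned about, before and after a move to the CNI plugin. This is an added example, not part of the original post and not Rancher or Istio code; the function name is hypothetical and the pod list is constructed in the shape of `kubectl get pods -A -o json` output.

```python
import json

# Capabilities that let a container rewrite pod networking (iptables, raw sockets).
NET_CAPS = {"NET_ADMIN", "NET_RAW"}

def pods_with_net_caps(pod_list):
    """Return (namespace, pod, container, caps) for every container or init
    container that adds a network capability or runs privileged."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            sc = c.get("securityContext") or {}
            added = {str(cap).upper()
                     for cap in (sc.get("capabilities") or {}).get("add") or []}
            hits = added & NET_CAPS
            if sc.get("privileged") or "ALL" in added:
                hits = set(NET_CAPS)  # privileged or ALL implies both
            if hits:
                findings.append((meta.get("namespace", "default"), meta.get("name"),
                                 c.get("name"), sorted(hits)))
    return findings

# Constructed sample: the first pod has an init container that adds network
# capabilities, the second has no container that adds any.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "cart-7d9f"},
   "spec": {"initContainers": [{"name": "istio-init", "securityContext":
              {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}}}],
            "containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
  {"metadata": {"namespace": "shop", "name": "catalog-5c2b"},
   "spec": {"containers": [{"name": "catalog", "securityContext":
              {"capabilities": {"drop": ["ALL"]}}}, {"name": "istio-proxy"}]}}
]}
""")

if __name__ == "__main__":
    for ns, pod, container, caps in pods_with_net_caps(SAMPLE):
        print(f"{ns}/{pod} container={container} adds {','.join(caps)}")
```

An empty result for the application namespaces is the state to aim for once the init container is no longer injected.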