Would it be be trivial to have a init container to do CA injection? Maybe though mutating admission controller? Then some CNI magic to redirect outbound traffic to do transparent proxying?

I don't how an init container would help?

Unless you inject them into your own images I think the most straightforward is to just mount the CA cert or bundle as a read-only volume.