diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go
index f943366883..2622d16df4 100644
--- a/internal/kuberesource/parts.go
+++ b/internal/kuberesource/parts.go
@@ -469,8 +469,8 @@ func ServiceMeshProxy() *applycorev1.ContainerApplyConfiguration {
 WithInitialDelaySeconds(1).
 WithPeriodSeconds(5).
 WithFailureThreshold(5).
- WithTCPSocket(TCPSocketAction().
- WithPort(intstr.FromInt(15006))),
+ WithExec(ExecAction().
+ WithCommand("test", "-f", "/ready")),
 ).
 WithArgs(
 "-l", "debug",
diff --git a/internal/kuberesource/wrappers.go b/internal/kuberesource/wrappers.go
index 13db827937..0400b19574 100644
--- a/internal/kuberesource/wrappers.go
+++ b/internal/kuberesource/wrappers.go
@@ -336,6 +336,11 @@ func TCPSocketAction() *applycorev1.TCPSocketActionApplyConfiguration {
 return applycorev1.TCPSocketAction()
 }
 
+// ExecAction creates a new ExecActionApplyConfiguration.
+func ExecAction() *applycorev1.ExecActionApplyConfiguration {
+ return applycorev1.ExecAction()
+}
+
 // RuntimeClassConfig wraps applypodsv1.RuntimeClassApplyConfiguration for a runtime class.
 type RuntimeClassConfig struct {
 *applynodev1.RuntimeClassApplyConfiguration
diff --git a/packages/containers.nix b/packages/containers.nix
index 46fdca1563..b9e386028a 100644
--- a/packages/containers.nix
+++ b/packages/containers.nix
@@ -108,13 +108,14 @@ let
 name = "service-mesh-proxy";
 tag = "v${pkgs.service-mesh.version}";
 copyToRoot = with pkgs; [
+ busybox
 envoy
 iptables-legacy
 ];
 config = {
 # Use Entrypoint so we can append arguments.
 Entrypoint = [ "${pkgs.service-mesh}/bin/service-mesh" ];
- Env = [ "PATH=/bin" ]; # This is only here for policy generation.
+ Env = [ "PATH=/bin" ];
 };
 };
 
diff --git a/service-mesh/main.go b/service-mesh/main.go
index 2d8ba26d85..41171c88f3 100644
--- a/service-mesh/main.go
+++ b/service-mesh/main.go
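Review bot: In internal/kuberesource/parts.go the new startup probe runs `test` by bare name, so it depends on the image shipping that binary on the container's PATH; the packages/containers.nix hunk adds busybox and keeps `PATH=/bin`, but nothing at the probe records the link. A comment above `WithExec`, for example `// Needs test(1) in the image (busybox, packages/containers.nix); /ready is written by service-mesh/main.go.`, would keep the two in step. The probe also no longer checks that anything is listening on port 15006, which looks intentional but deserves a word in the same comment. ServiceMeshProxy's body starts and ends outside the hunk.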
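Review bot: In packages/containers.nix, adding the whole `busybox` package to `copyToRoot` brings a shell and general-purpose utilities into an image that also carries iptables, while the probe only calls `test`. If the packaging allows it, ship only that applet, or let the probe call a check built into the service-mesh binary, so the image gains as little as possible. The `Env` line also lost its comment although PATH now matters at runtime; `Env = [ "PATH=/bin" ]; # Needed by the startup probe to find test.` would say why it stays.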
@@ -59,6 +59,11 @@ func run() (retErr error) {
 return fmt.Errorf("failed to set up iptables rules: %w", err)
 }
 
+ // Signal readiness for startup probe.
+ if err := os.WriteFile("/ready", nil, 0o644); err != nil {
+ return err
+ }
+
 // execute the envoy binary
 envoyBin, err := exec.LookPath("envoy")
 if err != nil {
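Review bot: `/ready` is written before `exec.LookPath("envoy")` runs and before envoy is started, so the startup probe can succeed while the proxy is not listening yet, and the file is already there if the lookup below fails. If the probe is only meant to gate on the iptables rules, the comment should say so, e.g. `// Tell the startup probe that the iptables rules are in place; envoy is started below.`; it is also worth confirming that redirected connections are refused, not passed around the proxy, during that window. The write error is returned bare, unlike the wrapped iptables error just above; `return fmt.Errorf("failed to write readiness file: %w", err)` would match. run's body starts and ends outside the hunk.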