added a statement about running trusted code in sidecars

Author: tulikac

articles/app-service/configure-sidecar.md

@@ -12,6 +12,9 @@ ms.service: azure-app-service
 
 This article provides practical steps for enabling and configuring sidecars in your App Service app.
 
+> [!IMPORTANT]
+> Because sidecars share the same network namespace and environment as your main app, only run trusted code and container images as sidecars.
+
 ## Create a sidecar in the Azure portal
 
 1. Go to your App Service resource in the Azure portal.

articles/app-service/overview-sidecar.md

@@ -25,6 +25,10 @@ Sidecars enable you to add new capabilities, such as monitoring, caching, AI, or
 
 - **Container roles:** Each sidecar-enabled app has one main container (`isMain: true`) and up to nine sidecar containers (`isMain: false`). In the container configuration, `isMain: true` designates the main app container. All others must have `isMain: false`.
 - **Networking:** All containers in the app share the same network namespace and communicate over `localhost`. There is no need for service name resolution, so use `localhost:<port>`. Each container must listen on a unique port. Only ports 80 and 8080 are supported for external HTTP traffic. For internal communication, use any available unique port.
+
+> [!IMPORTANT]
+> Because sidecars share the same network namespace and environment as your main app, only run trusted code and container images as sidecars.
+
 - **Lifecycle:** Sidecars start, stop, and scale together with the main app container. When your app scales out or in, all associated sidecar containers follow the same lifecycle automatically.
 - **Configuration:** Sidecars can be configured via the Azure portal, ARM templates, or CLI. You specify the container image, environment variables, and other settings for each container. App settings are shared across all containers. You can also set container-specific environment variables.
 - **Volume mounts:** Each container can have its own volume mounts.