diff --git a/docs/docs/components/service-mesh.md b/docs/docs/components/service-mesh.md
index 72d1583b94..1b51a6e90c 100644
--- a/docs/docs/components/service-mesh.md
+++ b/docs/docs/components/service-mesh.md
@@ -23,8 +23,8 @@ The service mesh container can be configured using the following object annotati
 admin interface. If not specified, no admin interface will be started.
 If you aren't using the automatic service mesh injection and want to configure the
-service mesh manually, set the environment variables `EDG_INGRESS_PROXY_CONFIG`,
-`EDG_EGRESS_PROXY_CONFIG` and `EDG_ADMIN_PORT` in the service mesh sidecar directly.
+service mesh manually, set the environment variables `CONTRAST_INGRESS_PROXY_CONFIG`,
+`CONTRAST_EGRESS_PROXY_CONFIG` and `CONTRAST_ADMIN_PORT` in the service mesh sidecar directly.
 ### Ingress
@@ -83,7 +83,7 @@ Contrast service mesh as an init container.
 # ...
 initContainers:
 - env:
- - name: EDG_INGRESS_PROXY_CONFIG
+ - name: CONTRAST_INGRESS_PROXY_CONFIG
 value: "web#8080#false##metrics#7890#true"
 image: "ghcr.io/edgelesssys/contrast/service-mesh-proxy@sha256:..."
 name: contrast-service-mesh
diff --git a/internal/kuberesource/mutators.go b/internal/kuberesource/mutators.go
index b847938eb5..0f3e33f48c 100644
--- a/internal/kuberesource/mutators.go
+++ b/internal/kuberesource/mutators.go
@@ -126,7 +126,7 @@ func AddServiceMesh(
 }
 serviceMeshProxy.
- WithEnv(NewEnvVar("EDG_ADMIN_PORT", portAnnotation)).
+ WithEnv(NewEnvVar("CONTRAST_ADMIN_PORT", portAnnotation)).
 WithPorts(
 ContainerPort().
 WithName("contrast-admin").
@@ -135,10 +135,10 @@ func AddServiceMesh(
 }
 if ingressConfig != "" {
- serviceMeshProxy.WithEnv(NewEnvVar("EDG_INGRESS_PROXY_CONFIG", ingressConfig))
+ serviceMeshProxy.WithEnv(NewEnvVar("CONTRAST_INGRESS_PROXY_CONFIG", ingressConfig))
 }
 if egressConfig != "" {
- serviceMeshProxy.WithEnv(NewEnvVar("EDG_EGRESS_PROXY_CONFIG", egressConfig))
+ serviceMeshProxy.WithEnv(NewEnvVar("CONTRAST_EGRESS_PROXY_CONFIG", egressConfig))
 }
 return meta, spec.WithInitContainers(serviceMeshProxy)
diff --git a/service-mesh/iptables.go b/service-mesh/iptables.go
index 65351468f0..3efec5fabe 100644
--- a/service-mesh/iptables.go
+++ b/service-mesh/iptables.go
@@ -38,17 +38,17 @@ func IngressIPTableRules(ingressEntries []ingressConfigEntry) error {
 // Reconcile to clean iptables chains.
 // Similar to `ClearChain`, all errors are treated as "chain already exists"
- _ = iptablesExec.NewChain("mangle", "EDG_INBOUND")
- _ = iptablesExec.NewChain("mangle", "EDG_IN_REDIRECT")
+ _ = iptablesExec.NewChain("mangle", "CONTRAST_INBOUND")
+ _ = iptablesExec.NewChain("mangle", "CONTRAST_IN_REDIRECT")
- // Route all TCP traffic to the EDG_INBOUND chain.
- if err := iptablesExec.AppendUnique("mangle", "PREROUTING", "-p", "tcp", "-j", "EDG_INBOUND"); err != nil {
- return fmt.Errorf("failed to append EDG_INBOUND chain to PREROUTING chain: %w", err)
+ // Route all TCP traffic to the CONTRAST_INBOUND chain.
+ if err := iptablesExec.AppendUnique("mangle", "PREROUTING", "-p", "tcp", "-j", "CONTRAST_INBOUND"); err != nil {
+ return fmt.Errorf("failed to append CONTRAST_INBOUND chain to PREROUTING chain: %w", err)
 }
- // RETURN all local traffic from the EDG_INBOUND chain back to the PREROUTING chain.
- if err := iptablesExec.AppendUnique("mangle", "EDG_INBOUND", "-p", "tcp", "-i", "lo", "-j", "RETURN"); err != nil {
- return fmt.Errorf("failed to append dport exception to EDG_INBOUND chain: %w", err)
+ // RETURN all local traffic from the CONTRAST_INBOUND chain back to the PREROUTING chain.
+ if err := iptablesExec.AppendUnique("mangle", "CONTRAST_INBOUND", "-p", "tcp", "-i", "lo", "-j", "RETURN"); err != nil {
+ return fmt.Errorf("failed to append dport exception to CONTRAST_INBOUND chain: %w", err)
 }
 // RETURN all related and established traffic.
 // Since the mangle table executes on every packet and not just before the
@@ -61,30 +61,30 @@ func IngressIPTableRules(ingressEntries []ingressConfigEntry) error {
 // module (see: https://github.com/istio/istio/pull/22527).
 // In our own Contrast image the module is available, but we cannot
 // guarantee that it is available in all environments.
- if err := iptablesExec.AppendUnique("mangle", "EDG_INBOUND", "-p", "tcp", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "RETURN"); err != nil {
- return fmt.Errorf("failed to append dport exception to EDG_INBOUND chain: %w", err)
+ if err := iptablesExec.AppendUnique("mangle", "CONTRAST_INBOUND", "-p", "tcp", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "RETURN"); err != nil {
+ return fmt.Errorf("failed to append dport exception to CONTRAST_INBOUND chain: %w", err)
 }
- // Route all other traffic to the EDG_IN_REDIRECT chain.
- if err := iptablesExec.AppendUnique("mangle", "EDG_INBOUND", "-p", "tcp", "-j", "EDG_IN_REDIRECT"); err != nil {
- return fmt.Errorf("failed to append EDG_IN_REDIRECT chain to EDG_INBOUND chain: %w", err)
+ // Route all other traffic to the CONTRAST_IN_REDIRECT chain.
+ if err := iptablesExec.AppendUnique("mangle", "CONTRAST_INBOUND", "-p", "tcp", "-j", "CONTRAST_IN_REDIRECT"); err != nil {
+ return fmt.Errorf("failed to append CONTRAST_IN_REDIRECT chain to CONTRAST_INBOUND chain: %w", err)
 }
 for _, entry := range ingressEntries {
 if entry.disableTLS {
- if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "RETURN"); err != nil {
- return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain to disable TLS: %w", err)
+ if err := iptablesExec.AppendUnique("mangle", "CONTRAST_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "RETURN"); err != nil {
+ return fmt.Errorf("failed to append dport exception to CONTRAST_IN_REDIRECT chain to disable TLS: %w", err)
 }
 } else {
- if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPortNoClientCert)); err != nil {
- return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain to disable client auth: %w", err)
+ if err := iptablesExec.AppendUnique("mangle", "CONTRAST_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPortNoClientCert)); err != nil {
+ return fmt.Errorf("failed to append dport exception to CONTRAST_IN_REDIRECT chain to disable client auth: %w", err)
 }
 }
 }
 // Route all remaining traffic (TCP SYN packets that do not have a TLS exemption)
 // to the Envoy proxy port that requires client authentication.
- if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil {
- return fmt.Errorf("failed to append default TPROXY rule to EDG_IN_REDIRECT chain: %w", err)
+ if err := iptablesExec.AppendUnique("mangle", "CONTRAST_IN_REDIRECT", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil {
+ return fmt.Errorf("failed to append default TPROXY rule to CONTRAST_IN_REDIRECT chain: %w", err)
 }
 return nil
diff --git a/service-mesh/main.go b/service-mesh/main.go
index d21065a840..8872b23196 100644
--- a/service-mesh/main.go
+++ b/service-mesh/main.go
@@ -12,9 +12,9 @@ import (
 )
 const (
- egressProxyConfigEnvVar = "EDG_EGRESS_PROXY_CONFIG"
- ingressProxyConfigEnvVar = "EDG_INGRESS_PROXY_CONFIG"
- adminPortEnvVar = "EDG_ADMIN_PORT"
+ egressProxyConfigEnvVar = "CONTRAST_EGRESS_PROXY_CONFIG"
+ ingressProxyConfigEnvVar = "CONTRAST_INGRESS_PROXY_CONFIG"
+ adminPortEnvVar = "CONTRAST_ADMIN_PORT"
 envoyConfigFile = "/envoy-config.yml"
 )
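Review bot: The `EDG_*` variable names are dropped in the main.go constant block with no fallback and no deprecation warning, so a manually configured sidecar that still sets `EDG_INGRESS_PROXY_CONFIG` or `EDG_EGRESS_PROXY_CONFIG` (the manual path the docs hunk describes) will have that configuration silently ignored after this change. Whether an unset variable then fails open or closed for pod traffic depends on how `main()` treats it, which is outside the hunk, so the behavior is worth stating explicitly in the commit and the docs. For one release, keep the old names as documented aliases, e.g. `legacyIngressProxyConfigEnvVar = "EDG_INGRESS_PROXY_CONFIG" // deprecated: fallback for manual configs; remove once the rename has shipped`, and have startup either honor them with a logged warning or exit with an error when only a legacy name is set, so a stale configuration is loud rather than silent. A changelog entry marking the rename as breaking would also help operators who configure the sidecar by hand.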