istio-init fails with "can't initialize iptables table 'nat': Permission denied #316
Comments
|
Hi Fuzz, Did you have solution for this issue, Even I am getting this issue after installing istio 0.8.0 with manual injection of side car into samples sleep.
|
|
I also have this issue with running redis through a helm template :( |
|
What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details istioctl version - 0.8.0 What happened: The istio-init fails with the error can't initialize iptables table 'nat': Permission denied What you expected to happen: How to reproduce it:
|
|
Temporary workaround here: https://github.com/bitnami/bitnami-docker-redis/issues/106 I'm running the init container as root...Works for now on master only. Getting some other errors on the slave I need to debug. |
|
+1 # k logs prometheus-operator-6547d55767-bgwn8 -c istio-init
Environment:
------------
ENVOY_PORT=
ISTIO_INBOUND_INTERCEPTION_MODE=
ISTIO_INBOUND_TPROXY_MARK=
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
ISTIO_INBOUND_PORTS=
ISTIO_LOCAL_EXCLUDE_PORTS=
ISTIO_SERVICE_CIDR=
ISTIO_SERVICE_EXCLUDE_CIDR=
Variables:
----------
PROXY_PORT=15001
INBOUND_CAPTURE_PORT=15001
PROXY_UID=1337
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=8080,
INBOUND_PORTS_EXCLUDE=
OUTBOUND_IP_RANGES_INCLUDE=*
OUTBOUND_IP_RANGES_EXCLUDE=
+ iptables -t nat -N ISTIO_REDIRECT
iptables v1.6.0: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
+ dump
+ iptables-save |
|
Ran into this issue too when trying to Not sure what user it's running as by default but as a workaround setting the user to 0 a.k.a. root works (as @sprutner suggested). Example: Assuming you've enabled sidecar auto injection: kubectl label namespace default istio-injection=enabledEdit the and replace it with: Rebuild your pods and they should get past the init now 😄 Fine as a workaround but I'm not super keen on this lack of security even for a simple init container. |
|
@maxmilton this unfortunately won't help: |
|
I hit this problem on latest istio 1.0.4 |
|
Previously the Istio init-container required privileged mode. Recent work eliminates that requirement. See: IMO - this issue should be closed. |
|
I've no idea why anyone is calling for this issue to be closed, I see no resolution apart from workarounds that involve hacking into the istio-sidecar-injector yaml. I've recently hit this issue on a Before closing this issue could someone provide a proper explanation? Recent work may eliminate the requirement for root level access, but it doesn't explain the error reported, or how to avoid it. |
|
Did you try it with Istio master branch as described in the links I provided above? The links also have some background on why it occurs and additional links for even more background. It's no biggie for me if you want to keep this open, but it is extremely unlikely to get any further attention since from everything I can tell this issue is due to not allowing net_admin privileges as required by Istio prior to the CNI changes. Perhaps your request is the work be backported to the 1.0.X release. If so you should make that clear. |
|
Thanks @john-a-joyce, I wasn't able to get much from the links. The first link requires access I do not have. I don't know enough about the issue to be requesting a backport, so definitely not that. Just chasing down yet another K8s version clash. I'm late to this party but hitting the same issue trying to install 1.0.1 on a 1.13.1 Calico based cluster. I'm not sure how istio CNI fits into the picture, but it wasn't in any install guides. Oddly I don't hit this issue installing Istio 1.0.1 to a 1.13.1 Canal based cluster. With my limited knowledge I would deduce that this is because Calico requires iptables access that flannel does not. I've been stuck in a loop where the current release of Knative 0.2.2 seems to only work with Istio 1.0.1 or 1.0.2, but Istio pre-1.0.4 doesn't play well with Calico 3.4 on 1.13.1 (or 1.12.x)... Calico 3.4 only seems to work with Istio 1.0.4... its a sort of I take it from your comments that 1.1 is the future and 1.0 is dead - but everything online leads to 1.0.x. It's alpha stuff, I know... Only combo that works seems to be one where Canal is the network plugin. Then I can layer Istio and Knative on without issue... Ok, this should be closed. Any information contained is already out of date. |
|
@seanhig - I would not say 1.0 is dead, but it does require net_admin privileges without some awkward workarounds. In some environments having net_admin privileges is a non-starter, while others it isn't a big deal. If you are looking just for how to set this up on Istio without all the background the in-flight PR is your best source. istio/istio.io#2902 (review) the link in prior comment was to the rendered version which maybe you can't access. |
|
I have the same issue when trying to install mariadb using helm chart (https://github.com/helm/charts/tree/master/stable/mariadb) on the top of OpenShift. I am running a microservice application and we have both MySQL and MariaDB running (which are quite similar). Everything is fine for MySQL and I got the issue only with MariaDB. I am curious to know why this happens to some applications and not others. In my understand, this should happens for every deployed application if istio-init doesn't have the required permissions to perform iptables configuration. |
|
same here with istio-1.0.5: init pods always got stuck:
ᐅ kubectl version --short ᐅ minikube version |
|
Alright; problem solved; it has nothing to do with istio. The culprit seems to be the chart itself. It happens to Postgresql chart or Redis chart which was published by I suggest you to clone the chart then comment out all parts with sth like following:
Then it should work ! Now you could pack this new chart and maybe push to some chart repo and use it instead. However in my case, my postgresql service is perfectly to run as ROOT user ; but maybe it is not case for you, you could double check with its official docs: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
|
or you could just edit your values.yaml to set redis or postgresql's securityContext enabled to false.
|
|
|
|
@tuo, in my case (mariadb) this workaround was been working with OpenShift 3.10 (Kubernetes 1.10) but no longer working after upgrading to OpenShift 3.11 (Kubernetes 1.11). |
Yep, confirmed. This solution works and fixed problem with init container permissions. |
|
@sfesfizh, have you been able to plug Istio CNI with Istio 1.0.x? AFAIK, Istio CNI will be an experimental feature in 1.1. |
Yes. name: cni I've just downloaded CNI separately and moved chart as a subchart to the istio. I'm deploying it manually from my artifactory. |
|
In my case, I was been able to fix this issue by adding the security context configuration as below: I am using mariadb as an subchart (via requirement.yaml) and if I put only the configuration below I still get the init issue: I am still digging to know why I should add these two extra configurations (fsGroup and runAsUser) even if the security context is disabled. |
Great, nice to know that! |
I know but this is not an option for us. We need to keep security as well. So CNI is better solution. |
|
performing the securityContext: enabled = false didn't work for me unfortunately :( I have I ended up following @maxmilton and manually editing the |
Yes! I've fixed a configmap by adding "runAsUser: 0" and "runAsNonRoot: false" too. It works! |
…ssion denied (you must be root)" error when installed on an Istio-enabled cluster. Only define the `securityContext` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316 Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
… denied (you must be root)" error when installed on an Istio-enabled cluster. Only define the `securityContext` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316 Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
|
I've issued PRs that fixes this particular issue for the following charts: |
…ssion denied (you must be root)" error when installed on an Istio-enabled cluster. (#11226) Only define the `securityContext` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316 Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
…on denied (you must be root)" error when installed on an Istio-enabled cluster. Only define the `securityContext.runAsUser` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316, helm#10682 (comment) Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
…on denied (you must be root)" error when installed on an Istio-enabled cluster. Only define the `securityContext.runAsUser` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316, helm#10682 (comment), helm#11226 (comment) Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
…ssion denied (you must be root)" error when installed on an Istio-enabled cluster. (helm#11226) Only define the `securityContext` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316 Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
…on denied (you must be root)" error when installed on an Istio-enabled cluster. (helm#11367) Only define the `securityContext.runAsUser` on the main container instead of defining it on the top level `spec` which results into injected containers by Istio inheriting this definition (i.e. istio-init). Related topic: istio/old_issues_repo#316, helm#10682 (comment), helm#11226 (comment) Signed-off-by: Alexander Awitin <alexanderawitin@gmail.com>
Is this a BUG or FEATURE REQUEST?:
Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: Yes
Bug:
Y
What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details
Is Istio Auth enabled or not ?
Disabled
What happened:
When creating the following redis helm-chart: https://github.com/kubernetes/charts/tree/master/stable/redis
The istio-init fails with the error
can't initialize iptables table 'nat': Permission deniedThe StatefulSet has a defined set of securityContexts, that when they are enabled cause the error. When they are disabled, istio-init is successful.
What you expected to happen:
For the service to come up normally
How to reproduce it:
Attempt to install the helm chart in a namespace where auto-injection is ON.
The text was updated successfully, but these errors were encountered: