Istio does not work in cluster with restricted psp as default #22469
Comments
With the default configurations, Istio proxy sidecars require the NET_ADMIN capability to set iptables rules, which is not ideal from a security perspective. Here is the workflow to do that at the moment, which requires the system project to have an unrestricted PSP.
So that the CNI plugin can leverage the iptables module to set networking rules.
After these steps, Istio-injected sidecars can work with a restricted PSP. NB: The Istio CNI plugin is in alpha phase at the moment, see.
Tested the above steps on a PSP-enabled master setup. With the workaround, Istio is functional. Graphs are displayed correctly. Note: With the Istio CNI plugin, only the istio-proxy sidecar is deployed; the istio-init sidecar is not deployed. (In a regular setup without PSP enabled, both istio-proxy and istio-init containers are deployed.)
The namespace that uses Istio also needs at least the NET_ADMIN and NET_RAW PSP permissions, not only the default.
@rancher-max Please follow these instructions to get PSPs working with Istio. https://rancher.com/docs/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/
These instructions have been validated as working exactly as is. Please note that this uses istio-cni, which is currently in Alpha status at the time of the writeup: https://istio.io/about/feature-stages/
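As an added illustration of the point made in the comments above (the Istio-enabled namespace must be allowed NET_ADMIN and NET_RAW, which a "restricted" PSP forbids), here is a plain-Kubernetes PodSecurityPolicy plus the RBAC needed to let the namespace's service accounts use it. This is example configuration written for this page, not taken from the issue, from Rancher's docs, or from Istio; the policy name `istio-net-admin`, the ClusterRole/RoleBinding names and the namespace `istio-apps` are hypothetical. Everything except the two allowed capabilities and `runAsUser` is kept as tight as a typical restricted policy, so the only thing this PSP adds over "restricted" is exactly what the sidecar needs. Rancher applies PSPs per project, so in Rancher you would assign this policy to the project instead of creating the RoleBinding by hand.

```yaml
# Added example (not from the issue, Rancher or Istio); names are hypothetical.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: istio-net-admin
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # The only capabilities a pod in this namespace may add. NET_ADMIN is what
  # the iptables setup needs; NET_RAW is the second capability named above.
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
  # istio-proxy runs as UID 1337; when istio-init is injected (no CNI plugin)
  # it runs as root to program iptables, so MustRunAsNonRoot would reject it.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # No hostPath: the sidecar only needs the volume types an ordinary pod uses.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# A ClusterRole that grants the "use" verb on exactly this one policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:istio-net-admin
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['istio-net-admin']
---
# Bind it only inside the namespace that runs Istio-injected workloads, for
# every service account in that namespace, so the permission does not leak
# to other namespaces that keep the restricted policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:istio-net-admin
  namespace: istio-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:istio-net-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:istio-apps
```

To confirm the binding took effect before deploying, check the policy from the point of view of a service account in that namespace, for example with `kubectl auth can-i use podsecuritypolicy/istio-net-admin --as=system:serviceaccount:istio-apps:default -n istio-apps`; a pod admitted under this policy will show it in the `kubernetes.io/psp` annotation. Note that PSP picks the first policy that validates the pod, so a namespace that is also bound to a broader policy may end up using that one instead.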
Rancher Version
master 8/28
Similar to #20229, but for validating Istio.
Steps to reproduce