Specify the requirement for the NET_ADMIN capability (#2891)

* add a bullet about the privileged mode

* change privileged mode to NET_ADMIN capability

* Rewrite the sentence: it is required for...

Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>

* Simplify the sentence about the default service account

Co-Authored-By: vadimeisenbergibm <vadime@il.ibm.com>

* remove leftover from a previous commit

* remove another leftover from a previous commit

* add a missing whitespace after a dot

* remove capitalization of Service Account and Pod Security Policy

* add a remark about pod security policies being enforced in the cluster

* split the content between spec-requirements and required-pod-capabilities in the operations guide

* Fix the link to required-pod-capabilities
Vadim Eisenberg 2019-01-07 22:46:02 +02:00 committed by Lin Sun
parent 4fd40a24c7
commit 0b9f47a8ca
2 changed files with 37 additions and 0 deletions

@ -31,3 +31,7 @@ cluster must satisfy the following requirements:
in the metric telemetry collected by Istio.
* _**Application UIDs**_: Do **not** run applications as a user with the user ID (UID) value of **1337**.
* _**`NET_ADMIN` capability**:_ If pod security policies are enforced in your cluster and unless you use Istio
CNI Plugin, your pods must have the `NET_ADMIN` capability allowed.
See [Required Pod Capabilities](/help/ops/setup/required-pod-capabilities/).
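Review bot: the new bullet's emphasis markup does not match the bullet above it: `* _**Application UIDs**_:` closes the italics before the colon, while `* _**`NET_ADMIN` capability**:_` puts the colon inside the italics, so the two list items will render differently; suggest `* _**`NET_ADMIN` capability**_:`. The condition "If pod security policies are enforced in your cluster and unless you use Istio CNI Plugin" also stacks an "if" and an "unless", which is hard to parse; "If pod security policies are enforced in your cluster and you do not use the Istio CNI plugin" says the same thing more plainly, and "Istio CNI Plugin" would benefit from a link in the same way that "Required Pod Capabilities" is linked.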

@ -0,0 +1,33 @@
---
title: Required Pod Capabilities
description: Describes how to check which capabilities are allowed for your pods.
weight: 40
---
If [pod security policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) are [enforced](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies) in your
cluster and unless you use Istio CNI Plugin, your pods must have the `NET_ADMIN` capability allowed.
The initialization containers of the Envoy proxies require this capability. To check which capabilities are allowed for
your pods, check if their
[service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) can use a
pod security policy that allows the `NET_ADMIN` capability.
If you don't specify a service account in your pods' deployment, the pods run as the `default` service account in
their deployment's namespace.
To check which capabilities are allowed for the service account of your pods, run the
following command:
{{< text bash >}}
$ for psp in $(kubectl get psp); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:<your namespace>:<your service account>) = yes ]; then kubectl get psp $psp -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
{{< /text >}}
For example, to check which capabilities are allowed for the `default` service account in the `default` namespace,
run the following command:
{{< text bash >}}
$ for psp in $(kubectl get psp); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp $psp -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
{{< /text >}}
If you see `NET_ADMIN` or `*` in the list of capabilities of one of the allowed policies for your service account,
your pods have permission to run the Istio init containers. Otherwise, you must
[provide such permission](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies).
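Review bot: both shell loops on this page (the template line starting `$ for psp in $(kubectl get psp)` and the `default:default` example) iterate over the wrong words: `kubectl get psp` with no output selector prints the human-readable table, so `$psp` takes the header words (`NAME`, `PRIV`, `CAPS`, ...) and every column value of every row, not just policy names, and each of those becomes a bogus `kubectl auth can-i use psp/NAME` call. Suggest `for psp in $(kubectl get psp -o jsonpath='{.items[*].metadata.name}'); do ...`. In the same loops the test `[ $(kubectl auth can-i ...) = yes ]` should quote the substitution, `[ "$(kubectl auth can-i ...)" = yes ]`, because `kubectl auth can-i` exits non-zero and prints `no` for a denied check, and an empty result (for example when the API call itself fails) leaves `[ = yes ]`, which is a shell syntax error rather than a "not allowed" answer. Since the second command is a copy of the first with the placeholders filled in, both lines need the same fix so they stay consistent, and the prose before the first command should say that `<your namespace>` and `<your service account>` are placeholders to replace.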