diff --git a/content/docs/setup/kubernetes/spec-requirements/index.md b/content/docs/setup/kubernetes/spec-requirements/index.md index 9aa140297a..8d055ad482 100644 --- a/content/docs/setup/kubernetes/spec-requirements/index.md +++ b/content/docs/setup/kubernetes/spec-requirements/index.md @@ -31,3 +31,7 @@ cluster must satisfy the following requirements: in the metric telemetry collected by Istio. * _**Application UIDs**_: Do **not** run applications as a user with the user ID (UID) value of **1337**. + +* _**`NET_ADMIN` capability**:_ If pod security policies are enforced in your cluster and unless you use Istio +CNI Plugin, your pods must have the `NET_ADMIN` capability allowed. +See [Required Pod Capabilities](/help/ops/setup/required-pod-capabilities/). diff --git a/content/help/ops/setup/required-pod-capabilities/index.md b/content/help/ops/setup/required-pod-capabilities/index.md new file mode 100644 index 0000000000..fca3ce43d4 --- /dev/null +++ b/content/help/ops/setup/required-pod-capabilities/index.md 
@@ -0,0 +1,33 @@ +--- +title: Required Pod Capabilities +description: Describes how to check which capabilities are allowed for your pods. +weight: 40 +--- + +If [pod security policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) are [enforced](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies) in your +cluster and unless you use Istio CNI Plugin, your pods must have the `NET_ADMIN` capability allowed. +The initialization containers of the Envoy proxies require this capability. To check which capabilities are allowed for +your pods, check if their +[service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) can use a +pod security policy that allows the `NET_ADMIN` capability. + +If you don't specify a service account in your pods' deployment, the pods run as the `default` service account in +their deployment's namespace. + +To check which capabilities are allowed for the service account of your pods, run the +following command: + +{{< text bash >}} +$ for psp in $(kubectl get psp); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount::) = yes ]; then kubectl get psp $psp -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done +{{< /text >}} + +For example, to check which capabilities are allowed for the `default` service account in the `default` namespace, +run the following command: + +{{< text bash >}} +$ for psp in $(kubectl get psp); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp $psp -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done +{{< /text >}} + +If you see `NET_ADMIN` or `*` in the list of capabilities of one of the allowed policies for your service account, +your pods have permission to run the Istio init containers. 
Otherwise, you must +[provide such permission](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies).
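Review bot: In the `spec-requirements` hunk the new bullet's emphasis markers are placed inconsistently with the existing bullet above it. The existing entry is written `* _**Application UIDs**_: Do **not** run ...` (colon outside the italic/bold span), while the new one is `* _**`NET_ADMIN` capability**:_ If pod security policies ...` (colon inside the span), which renders differently. Suggest `* _**`NET_ADMIN` capability**_: If pod security policies are enforced in your cluster and unless you use the Istio CNI plugin, ...` so the list reads uniformly; this also adds the missing article before "Istio CNI Plugin".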
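Review bot: In the new `required-pod-capabilities/index.md`, the loop `for psp in $(kubectl get psp); do ...` iterates over the wrong thing: without an output format, `kubectl get psp` prints the human-readable table, so the loop visits every token of the header line and every column value, not just policy names, and `kubectl auth can-i use psp/NAME` then fails for most of them. Use `for psp in $(kubectl get psp -o jsonpath='{.items[*].metadata.name}'); do` in both command blocks. Two smaller points on the same lines: the generic form `--as=system:serviceaccount::` has empty placeholders, so a reader copying it gets a wrong subject; write it as `--as=system:serviceaccount:<namespace>:<service-account>` and say in the surrounding text what to substitute (the second example with `default:default` already shows a filled-in instance). Also quote the substitution in the test, `if [ "$(kubectl auth can-i use psp/$psp --as=...)" = yes ]`, so that an empty or error result does not produce a `[: =: unary operator expected` shell error instead of a clean no-match.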