Add document for kernel module requirements under platform setup (#11344)

* Add document for kernel module requirements under platform setup Signed-off-by: Faseela K <faseela.k@est.tech> * Add TPROXY mode requirements Signed-off-by: Faseela K <faseela.k@est.tech> * Incorporate review comments Signed-off-by: Faseela K <faseela.k@est.tech> * Fix lint error Signed-off-by: Faseela K <faseela.k@est.tech>
2022-05-24 22:01:36 +02:00 · 2022-05-24 22:01:36 +02:00 · 79529ce74f
parent 9689696934
commit 79529ce74f
2 changed files with 56 additions and 0 deletions
--- a/.spelling
+++ b/.spelling
@ -329,6 +329,7 @@ docker-compose's
 docker.io
 dogfood
 double-tls
 dual-stack
 Drucker
 Dubbo
 Duggirala
--- a/content/en/docs/setup/platform-setup/prerequisites/index.md
+++ b/content/en/docs/setup/platform-setup/prerequisites/index.md
@ -0,0 +1,55 @@
 ---
 title: Platform Prerequisites
 description: Prerequisites for platform setup for Istio.
 weight: 1
 skip_seealso: true
 keywords: [platform-setup,prerequisites]
 owner: istio/wg-environments-maintainers
 test: no
 ---
 ## Kernel Module Requirements on Cluster Nodes
 The cluster node running application pods with Istio proxy sidecar container, when using iptables interception mode,
 requires certain kernel modules to be loaded. Istio can also work in `whitebox` mode where iptables interception is not done
 and in such cases this section can be skipped as there is no need of any special kernel module.
 The modules are needed specifically by the `istio-init` container or `istio-cni` daemon which sets up iptables rules in the pod to
 redirect any incoming or outgoing traffic towards the sidecar proxy in the istio-proxy container. While in many platforms, these seem
 to be automatically loaded, it is always good to make sure the prerequisites are met, as there were incidents reported where some of
 the specific modules listed down below were not available on the host or could not be automatically loaded by the iptables. For example,
 this [`selinux issue`](https://www.suse.com/support/kb/doc/?id=000020241) talks about selinux in RHEL sometimes preventing
 the automatic loading of some of the below mentioned kernel modules.
 | Module | Remark |
 | --- | --- |
 | `br_netfilter` |  |
 | `ip6table_mangle` | Only needed for IPv6 or dual-stack clusters |
 | `ip6table_nat` | Only needed for IPv6 or dual-stack clusters |
 | `ip6table_raw` | Only needed for IPv6 or dual-stack clusters |
 | `iptable_mangle` |  |
 | `iptable_nat` |  |
 | `iptable_raw` | Only needed for `DNS` interception |
 | `xt_REDIRECT` |  |
 | `xt_connmark` | Only needed for `TPROXY` interception mode |
 | `xt_conntrack` |  |
 | `xt_mark` | Only needed for `TPROXY` interception mode |
 | `xt_owner` |  |
 | `xt_tcpudp` |  |
 The following additional modules are used by the above listed modules and should be also loaded on the cluster node:
 | Module | Remark |
 | --- | --- |
 | `bridge` |  |
 | `ip6_tables` | Only needed for IPv6 or dual-stack clusters |
 | `ip_tables` |  |
 | `nf_conntrack` |  |
 | `nf_conntrack_ipv4` |  |
 | `nf_conntrack_ipv6` | Only needed for IPv6 or dual-stack clusters |
 | `nf_nat` |  |
 | `nf_nat_ipv4` |  |
 | `nf_nat_ipv6` | Only needed for IPv6 or dual-stack clusters |
 | `nf_nat_redirect` |  |
 | `x_tables` |  |