istio.io/content/en/docs/setup/additional-setup/pod-security-admission/index.md

114 lines
4.9 KiB
Markdown

---
title: Install Istio with Pod Security Admission
description: Install and use Istio with the Pod Security admission controller.
weight: 70
aliases:
- /docs/setup/kubernetes/install/pod-security-admission
- /docs/setup/kubernetes/additional-setup/pod-security-admission
keywords: [psa]
owner: istio/wg-networking-maintainers
test: yes
---
Follow this guide to install, configure, and use an Istio mesh with the Pod Security admission controller
([PSA](https://kubernetes.io/docs/concepts/security/pod-security-admission/)) enforcing the `baseline` [policy](https://kubernetes.io/docs/concepts/security/pod-security-standards/) on namespaces in the mesh.
By default Istio injects an init container, `istio-init`, in pods deployed in
the mesh. The `istio-init` requires the user or
service-account deploying pods to the mesh to have sufficient Kubernetes RBAC
permissions to deploy [containers with the `NET_ADMIN` and `NET_RAW` capabilities](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container).
However, the `baseline` policy does not include `NET_ADMIN` or `NET_RAW` in its [allowed capabilities](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline). In order to avoid enforcing the `privileged` policy in all meshed namespaces, it is necessary to use Istio mesh with the [Istio Container Network Interface plugin](/docs/setup/additional-setup/cni/). The `istio-cni-node` DaemonSet in the `istio-system` namespace requires `hostPath` volumes to access local CNI directories. Since this is not allowed in the `baseline` policy, the namespace where the CNI DaemonSet will be deployed needs to enforce the `privileged` [policy](https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged). By default, this namespace is `istio-system`.
{{< warning >}}
Namespaces in the mesh may also use the `restricted` [policy](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline). You will need to configure the `seccompProfile` for your applications according to the policy specifications.
{{< /warning >}}
## Install Istio with PSA
1. Create the `istio-system` namespace and label it to enforce the `privileged` policy.
{{< text bash >}}
$ kubectl create namespace istio-system
$ kubectl label --overwrite ns istio-system \
pod-security.kubernetes.io/enforce=privileged \
pod-security.kubernetes.io/enforce-version=latest
namespace/istio-system labeled
{{< /text >}}
1. [Install Istio with CNI](/docs/setup/additional-setup/cni/#install-cni) on a Kubernetes cluster version 1.25 or later.
{{< text bash >}}
$ istioctl install --set components.cni.enabled=true -y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete
{{< /text >}}
## Deploy the sample application
1. Add a namespace label to enforce the `baseline` policy for the default namespace where the demo application will run:
{{< text bash >}}
$ kubectl label --overwrite ns default \
pod-security.kubernetes.io/enforce=baseline \
pod-security.kubernetes.io/enforce-version=latest
namespace/default labeled
{{< /text >}}
1. Deploy the sample application using the PSA enabled configuration resources:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-psa.yaml@
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
{{< /text >}}
1. Verify that the app is running inside the cluster and serving HTML pages by
checking for the page title in the response:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
## Uninstall
1. Delete the sample application
{{< text bash >}}
$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-psa.yaml
{{< /text >}}
1. Delete the labels on the default namespace
{{< text bash >}}
$ kubectl label namespace default pod-security.kubernetes.io/enforce- pod-security.kubernetes.io/enforce-version-
{{< /text >}}
1. Uninstall Istio
{{< text bash >}}
$ istioctl uninstall -y --purge
{{< /text >}}
1. Delete the `istio-system` namespace
{{< text bash >}}
$ kubectl delete namespace istio-system
{{< /text >}}