---
title: Install Istio with Pod Security Admission
description: Install and use Istio with the Pod Security admission controller.
weight: 70
owner: istio/wg-networking-maintainers
test: yes
---

Follow this guide to install, configure, and use an Istio mesh with the Pod Security admission controller (PSA) enforcing the `baseline` policy on namespaces in the mesh.

By default, Istio injects an init container, `istio-init`, into pods deployed in the mesh. `istio-init` requires the user or service account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the `NET_ADMIN` and `NET_RAW` capabilities. However, the `baseline` policy does not include `NET_ADMIN` or `NET_RAW` in its allowed capabilities, so pods carrying `istio-init` are rejected in a `baseline` namespace.

To avoid having to enforce the `privileged` policy in every meshed namespace, install Istio with the Istio Container Network Interface (CNI) plugin, which removes the need for the `istio-init` container in application pods. The `istio-cni-node` DaemonSet in the `istio-system` namespace requires `hostPath` volumes to access the node's local CNI directories. Since `hostPath` volumes are not allowed by the `baseline` policy, the namespace where the CNI DaemonSet is deployed must enforce the `privileged` policy. By default, this namespace is `istio-system`.

{{< warning >}}
Namespaces in the mesh may also use the `restricted` policy. You will need to configure the `seccompProfile` for your applications according to the policy specifications.
{{< /warning >}}

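To make concrete why `istio-init` is rejected under `baseline` while the CNI DaemonSet needs `privileged`, the following added example (not part of the Istio documentation or the Istio project) implements the handful of Pod Security Standards `baseline` controls that matter here (host namespaces, `hostPath` volumes, privileged containers, added capabilities) and runs them over three constructed pod specs. The pod specs and the `hostPath` paths are simplified stand-ins for the real Istio manifests, not copies of them.

```python
"""Added example: a simplified Pod Security Standards *baseline* check,
run over constructed pod specs that mirror istio-init and istio-cni-node.
Not Istio code; the specs below are approximations, not real manifests."""

# Capabilities the baseline policy allows a container to add (from the
# Kubernetes Pod Security Standards). NET_ADMIN and NET_RAW are absent.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}

# Volume types the baseline policy forbids outright.
FORBIDDEN_VOLUME_TYPES = {"hostPath"}


def baseline_violations(pod_spec):
    """Return human-readable baseline violations for a dict shaped like a
    Pod's `spec`. Only the controls relevant to Istio are implemented:
    host namespaces, hostPath volumes, privileged containers and added
    capabilities. An empty list means the pod would be admitted."""
    violations = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            violations.append(f"pod sets {field}=true")
    for vol in pod_spec.get("volumes", []):
        for key in vol:  # a volume dict has 'name' plus one type key
            if key in FORBIDDEN_VOLUME_TYPES:
                violations.append(f"volume {vol.get('name')!r} uses {key}")
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {c['name']!r} is privileged")
        added = set((sc.get("capabilities") or {}).get("add", []))
        for cap in sorted(added - BASELINE_ALLOWED_CAPS):
            violations.append(f"container {c['name']!r} adds capability {cap}")
    return violations


def required_level(pod_spec):
    """Lowest PSA level under which this (simplified) check admits the pod."""
    return "baseline" if not baseline_violations(pod_spec) else "privileged"


# Constructed: a meshed pod with the istio-init init container, which
# needs NET_ADMIN and NET_RAW to set up traffic redirection.
POD_WITH_ISTIO_INIT = {
    "initContainers": [{
        "name": "istio-init",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
    }],
    "containers": [
        {"name": "ratings"},
        {"name": "istio-proxy", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
}

# Constructed: the same pod when the Istio CNI plugin handles redirection,
# so no init container asks for extra capabilities.
POD_WITH_CNI = {
    "containers": [
        {"name": "ratings"},
        {"name": "istio-proxy", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ],
}

# Constructed: an istio-cni-node DaemonSet pod mounting the node's CNI
# directories via hostPath (paths are assumed conventional CNI locations).
CNI_NODE_POD = {
    "containers": [{"name": "install-cni"}],
    "volumes": [
        {"name": "cni-bin-dir", "hostPath": {"path": "/opt/cni/bin"}},
        {"name": "cni-net-dir", "hostPath": {"path": "/etc/cni/net.d"}},
    ],
}

if __name__ == "__main__":
    for label, spec in [("istio-init pod", POD_WITH_ISTIO_INIT),
                        ("CNI-redirected pod", POD_WITH_CNI),
                        ("istio-cni-node pod", CNI_NODE_POD)]:
        print(f"{label}: needs {required_level(spec)}; "
              f"violations={baseline_violations(spec)}")
```

Running the script shows the two pods that force `privileged` (the one with `istio-init` because of the added capabilities, and the CNI node pod because of `hostPath`) and the CNI-redirected application pod that is admitted under `baseline`, which is exactly the split this guide relies on: `privileged` only on `istio-system`, `baseline` on application namespaces.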
## Install Istio with PSA

1. Create the `istio-system` namespace and label it to enforce the `privileged` policy.

    {{< text bash >}}
    $ kubectl create namespace istio-system
    $ kubectl label --overwrite ns istio-system \
        pod-security.kubernetes.io/enforce=privileged \
        pod-security.kubernetes.io/enforce-version=latest
    namespace/istio-system labeled
    {{< /text >}}

1. Install Istio with CNI on a Kubernetes cluster version 1.25 or later.

    {{< text bash >}}
    $ istioctl install --set components.cni.enabled=true -y
    ✔ Istio core installed
    ✔ Istiod installed
    ✔ Ingress gateways installed
    ✔ CNI installed
    ✔ Installation complete
    {{< /text >}}

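Once the labels are in place it is worth checking that every namespace in the mesh actually carries them, since a namespace with sidecar injection enabled but no `pod-security.kubernetes.io/enforce` label is simply unrestricted. The following added example (not part of the Istio documentation or project) audits the output of `kubectl get ns -o json` for the arrangement this guide sets up: the CNI namespace must enforce `privileged`, and any namespace with `istio-injection=enabled` or an `istio.io/rev` label should enforce `baseline` or `restricted` with an `enforce-version` pinned. The namespace list it runs over is constructed inline so it runs without a cluster; the namespace names in it are invented.

```python
"""Added example: audit PSA enforce labels on mesh namespaces from the
JSON that `kubectl get ns -o json` produces. Not Istio code; the sample
namespace list below is constructed."""
import json

PSA_ENFORCE = "pod-security.kubernetes.io/enforce"
PSA_VERSION = "pod-security.kubernetes.io/enforce-version"
LEVELS = ("privileged", "baseline", "restricted")


def is_meshed(labels):
    """A namespace is in the mesh if injection is enabled by either label."""
    return labels.get("istio-injection") == "enabled" or "istio.io/rev" in labels


def audit_namespaces(ns_list, cni_namespace="istio-system"):
    """Return {namespace: [issue, ...]} for namespaces whose PSA labels do
    not match the layout this guide expects. Namespaces with no issues
    are omitted."""
    findings = {}
    for item in ns_list["items"]:
        name = item["metadata"]["name"]
        labels = item["metadata"].get("labels") or {}
        level = labels.get(PSA_ENFORCE)
        issues = []
        if level is not None and level not in LEVELS:
            issues.append(f"unknown enforce level {level!r}")
        if name == cni_namespace:
            # istio-cni-node mounts hostPath volumes, so only privileged admits it.
            if level != "privileged":
                issues.append("CNI namespace must enforce privileged (istio-cni-node uses hostPath)")
        elif is_meshed(labels):
            if level is None:
                issues.append("meshed namespace has no PSA enforce label")
            elif level == "privileged":
                issues.append("meshed application namespace enforces privileged; "
                              "baseline or restricted is sufficient with Istio CNI")
            elif PSA_VERSION not in labels:
                issues.append("enforce-version label missing")
        if issues:
            findings[name] = issues
    return findings


def audit_from_json(text, cni_namespace="istio-system"):
    """Convenience wrapper: parse `kubectl get ns -o json` output and audit it."""
    return audit_namespaces(json.loads(text), cni_namespace)


# Constructed sample in the shape of `kubectl get ns -o json` (trimmed to
# the fields the audit reads). Namespace names other than istio-system,
# default and kube-system are invented.
SAMPLE_NS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "istio-system",
                      "labels": {PSA_ENFORCE: "privileged", PSA_VERSION: "latest"}}},
        {"metadata": {"name": "default",
                      "labels": {"istio-injection": "enabled",
                                 PSA_ENFORCE: "baseline", PSA_VERSION: "latest"}}},
        {"metadata": {"name": "payments",
                      "labels": {"istio.io/rev": "default"}}},
        {"metadata": {"name": "legacy",
                      "labels": {"istio-injection": "enabled", PSA_ENFORCE: "privileged"}}},
        {"metadata": {"name": "kube-system"}},
    ]
})

if __name__ == "__main__":
    # Against a live cluster: kubectl get ns -o json | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NS_JSON
    for ns, issues in sorted(audit_from_json(text).items()):
        for issue in issues:
            print(f"{ns}: {issue}")
```

On the constructed input, `istio-system` and `default` match the guide's layout and are silent, `payments` is reported because it is in the mesh (via `istio.io/rev`) without any enforce label, and `legacy` is reported because it enforces `privileged` on an application namespace, which the CNI installation makes unnecessary. Namespaces outside the mesh, such as `kube-system`, are left alone.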
## Deploy the sample application

1. Add a namespace label to enforce the `baseline` policy for the `default` namespace where the demo application will run:

    {{< text bash >}}
    $ kubectl label --overwrite ns default \
        pod-security.kubernetes.io/enforce=baseline \
        pod-security.kubernetes.io/enforce-version=latest
    namespace/default labeled
    {{< /text >}}

1. Deploy the sample application using the PSA-enabled configuration resources:

    {{< text bash >}}
    $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-psa.yaml@
    service/details created
    serviceaccount/bookinfo-details created
    deployment.apps/details-v1 created
    service/ratings created
    serviceaccount/bookinfo-ratings created
    deployment.apps/ratings-v1 created
    service/reviews created
    serviceaccount/bookinfo-reviews created
    deployment.apps/reviews-v1 created
    deployment.apps/reviews-v2 created
    deployment.apps/reviews-v3 created
    service/productpage created
    serviceaccount/bookinfo-productpage created
    deployment.apps/productpage-v1 created
    {{< /text >}}

1. Verify that the app is running inside the cluster and serving HTML pages by checking for the page title in the response:

    {{< text bash >}}
    $ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
    {{< /text >}}

## Uninstall

1. Delete the sample application:

    {{< text bash >}}
    $ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-psa.yaml
    {{< /text >}}

1. Delete the labels on the `default` namespace:

    {{< text bash >}}
    $ kubectl label namespace default pod-security.kubernetes.io/enforce- pod-security.kubernetes.io/enforce-version-
    {{< /text >}}

1. Uninstall Istio:

    {{< text bash >}}
    $ istioctl uninstall -y --purge
    {{< /text >}}

1. Delete the `istio-system` namespace:

    {{< text bash >}}
    $ kubectl delete namespace istio-system
    {{< /text >}}