Istio fails to deploy with restricted PodSecurityPolicy in Rancher v2.3 and v2.4


Issue

Enabling Istio in a Rancher v2.3 or v2.4 cluster that has the restricted PodSecurityPolicy (PSP) configured fails: the istio-galley, istio-pilot, istio-policy, istio-sidecar-injector and istio-telemetry Deployments enter CrashLoopBackOff, with log messages of the formats below:

fatal   validation  admission webhook ListenAndServeTLS failed: listen tcp :443: bind: permission denied

or

nginx: [emerg] chown("/tmp/nginx", 101) failed (1: Operation not permitted)

In addition, in namespaces with Istio sidecar auto-injection enabled, Pods show an error of the following format upon scheduling:

Pods "nginx-7f4c54479d-" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added]

In the default Istio configuration, the Istio system components require the CHOWN and NET_BIND_SERVICE capabilities, and the Istio sidecar containers require NET_ADMIN and NET_RAW. The restricted PSP blocks all of these.
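The capability rule behind the "capability may not be added" error can be checked against a manifest before deployment. The following is an added example, not Rancher or Kubernetes code: it models only the PSP capabilities rule, and the sample policy and Pod (including the names restricted-example, nginx-example and istio-init) are constructed for illustration.

```python
import json

# Constructed sample policy: no allowedCapabilities, so nothing may be added.
SAMPLE_PSP = json.loads("""
{"metadata": {"name": "restricted-example"},
 "spec": {"requiredDropCapabilities": ["ALL"]}}
""")

# Constructed sample Pod: an init container that adds NET_ADMIN and NET_RAW,
# as the injected Istio sidecar setup does, plus an application container.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "nginx-example"},
 "spec": {
   "initContainers": [{"name": "istio-init", "securityContext":
       {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
   "containers": [{"name": "nginx"}]}}
""")


def capability_violations(pod, psp):
    """List every capability the Pod adds that the PSP does not permit."""
    spec = psp.get("spec") or {}
    allowed = set(spec.get("allowedCapabilities") or [])
    if "*" in allowed:  # wildcard permits any capability
        return []
    # Capabilities the policy adds by default are also accepted when requested.
    allowed |= set(spec.get("defaultAddCapabilities") or [])
    violations = []
    for field in ("initContainers", "containers"):
        for index, container in enumerate(pod.get("spec", {}).get(field) or []):
            context = container.get("securityContext") or {}
            added = (context.get("capabilities") or {}).get("add") or []
            for cap in added:
                if cap not in allowed:
                    violations.append(
                        f"spec.{field}[{index}].securityContext.capabilities.add: "
                        f'Invalid value: "{cap}": capability may not be added')
    return violations


def missing_capabilities(pod, psp):
    """Capability names that would have to be allowed for the Pod to pass."""
    return sorted({v.split('"')[1] for v in capability_violations(pod, psp)})


if __name__ == "__main__":
    for message in capability_violations(SAMPLE_POD, SAMPLE_PSP):
        print(message)
    print("not allowed:", missing_capabilities(SAMPLE_POD, SAMPLE_PSP))
```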

Pre-requisites

Resolution

The steps to configure Istio in a cluster with restrictive Pod Security Policies enabled can be found in the Rancher documentation "Enable Istio with Pod Security Policies".

Further Reading
