Attempting to enable Istio in a Rancher v2.3 or v2.4 cluster where the restricted PodSecurityPolicy (PSP) is configured on the cluster fails, with the istio-galley, istio-pilot, istio-policy, istio-sidecar-injector and istio-telemetry Deployments in a CrashLoopBackOff and log messages of the formats below:
fatal validation admission webhook ListenAndServeTLS failed: listen tcp :443: bind: permission denied
nginx: [emerg] chown("/tmp/nginx", 101) failed (1: Operation not permitted)
In addition, in namespaces with Istio sidecar auto-injection enabled, an error of the following format is shown for Pods upon scheduling:
Pods "nginx-7f4c54479d-" is forbidden: unable to validate against any pod security policy: [spec.initContainers.securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers.securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added]
This is a result of the system capabilities required in the default Istio configuration by the Istio system components (NET_BIND_SERVICE) and by the Istio sidecar containers (NET_RAW), which are blocked by the restricted PSP.
The steps to configure Istio in a cluster with restrictive Pod Security Policies enabled can be found in the Rancher documentation "Enable Istio with Pod Security Policies".
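As an added illustration, which is neither the procedure from the Rancher documentation above nor a manifest from this article, one least-privilege approach is to leave the cluster-wide restricted PSP untouched and add a dedicated PSP that grants only the capabilities named in the errors above, bound through RBAC to the service accounts that need it. The policy and role names (istio-psp, istio-psp-user), the istio-system namespace and the volume list are assumptions for the example.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: istio-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # Drop everything, then re-add only what the errors above show Istio needs.
  requiredDropCapabilities:
    - ALL
  allowedCapabilities:
    - NET_BIND_SERVICE   # control-plane webhooks binding to :443
    - NET_ADMIN          # istio-init programming iptables in injected Pods
    - NET_RAW
  # istio-init runs as root to program iptables, so MustRunAsNonRoot cannot be used here.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: [configMap, emptyDir, projected, secret, downwardAPI]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-psp-user
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [istio-psp]
    verbs: [use]
---
# Bind the policy to the istio-system service accounts only; add an equivalent
# RoleBinding in every namespace where sidecar auto-injection is enabled.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-psp-user
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-psp-user
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:istio-system
```

Because PSP admission picks the first policy a Pod's service account is allowed to use, check with `kubectl auth can-i use podsecuritypolicy/istio-psp --as=system:serviceaccount:istio-system:<account> -n istio-system` that the binding applies before re-enabling Istio.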