Additional Steps for Project Network Isolation


In clusters where:

  • You are using the Canal network plugin with Rancher before v2.5.8, or you are using Rancher v2.5.8+ with any RKE network plugin that supports the enforcement of Kubernetes network policies, such as Canal or the Cisco ACI plugin
  • The Project Network Isolation option is enabled
  • You install the Istio Ingress module

The Istio Ingress Gateway pod won’t be able to redirect ingress traffic to the workloads by default. This is because all the namespaces will be inaccessible from the namespace where Istio is installed. You have two options.

The first option is to add a new Network Policy in each of the namespaces where you intend to have ingress controlled by Istio. Your policy should include the following lines:

    - podSelector:
        matchLabels:
          app: istio-ingressgateway
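
A complete policy built around the lines above, as an added example that is not part of the original Rancher documentation. The policy name, the `my-app` namespace and the `namespaceSelector` are assumptions: in a standard Kubernetes NetworkPolicy a `from` entry with only a `podSelector` matches pods in the policy's own namespace, so the example pairs it with a selector for `istio-system`, relying on the `kubernetes.io/metadata.name` label that Kubernetes 1.21+ sets on every namespace.

```yaml
# Added example: allow the Istio ingress gateway to reach workloads in one
# isolated namespace. Create one such policy per namespace that Istio serves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-istio-ingressgateway    # assumed policy name
  namespace: my-app                   # assumed workload namespace
spec:
  # Empty selector: the rule applies to every pod in this namespace.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # The lines from the page, unchanged.
        - podSelector:
            matchLabels:
              app: istio-ingressgateway
          # Assumption: same list item as podSelector, so both must match.
          # Only gateway pods running in istio-system are admitted.
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
```

Network policies are additive, so this rule widens the isolation policy only for traffic from the gateway pods and leaves the rest of the project isolation in place.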

The second option is to move the istio-system namespace to the system project, which by default is excluded from the network isolation.