Istio integration
Calico policy integrates with Istio to allow you to write policies that enforce against application layer attributes like HTTP methods or paths as well as against cryptographically secure identities. In this lab we will enable this integration and test it out.
Install CSI driver
Calico uses a Container Storage Interface (CSI) driver to enable secure connectivity between Felix and the Dikastes container running in each pod. It mounts a shared volume into which Felix inserts a Unix Domain Socket.
Execute the following command to install the CSI driver.
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.2/manifests/csi-driver.yaml
Verify the csi-node-driver
pods are running.
kubectl get pods -n calico-system
You should see something similar to the following:
csi-node-driver-gk9mq 2/2 Running 0 2m9s
csi-node-driver-jhngv 2/2 Running 0 2m9s
csi-node-driver-kcqnj 2/2 Running 0 2m9s
csi-node-driver-n78lx 2/2 Running 0 2m9s
csi-node-driver-nrbvd 2/2 Running 0 2m9s
Install Istio
Follow the instructions here to enable application layer policy, install Istio, update the Istio sidecar injector and add Calico authorization services to the Istio mesh.
Add Istio namespace label to the default namespace
Application layer policy is only enforced on pods that are started with the Envoy and Dikastes sidecars. Pods that do not have these sidecars will only enforce standard Calico network policy.
You can control this on a per-namespace basis. To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled
.
Label the default namespace, which you will use for the tutorial.
kubectl label namespace default istio-injection=enabled
Test application layer policy
You can test application layer policy by following the Application Layer Policy tutorial.