Platform Prerequisites

Kernel Module Requirements on Cluster Nodes

Cluster nodes that run application pods with the Istio proxy sidecar container need certain kernel modules loaded when iptables interception mode is used. Istio can also run in whitebox mode, in which no iptables interception takes place; in that case this section can be skipped, as no special kernel modules are needed.

The modules are needed specifically by the istio-init container or the istio-cni daemon, which sets up iptables rules in the pod's network namespace to redirect all incoming and outgoing traffic to the sidecar proxy in the istio-proxy container. On many platforms these modules appear to be loaded automatically, but it is still worth verifying that the prerequisites are met: incidents have been reported where some of the modules listed below were not available on the host or could not be loaded automatically by iptables. For example, this SELinux issue describes SELinux on RHEL sometimes preventing the automatic loading of some of the kernel modules listed below.

Module             Remark
br_netfilter
ip6table_mangle    Only needed for IPv6 or dual-stack clusters
ip6table_nat       Only needed for IPv6 or dual-stack clusters
ip6table_raw       Only needed for IPv6 or dual-stack clusters
iptable_mangle
iptable_nat
iptable_raw        Only needed for DNS interception
xt_REDIRECT
xt_connmark        Only needed for TPROXY interception mode
xt_conntrack
xt_mark            Only needed for TPROXY interception mode
xt_owner
xt_tcpudp
xt_multiport

The following additional modules are dependencies of the modules listed above and should also be loaded on the cluster node:

Module             Remark
bridge
ip6_tables         Only needed for IPv6 or dual-stack clusters
ip_tables
nf_conntrack
nf_conntrack_ipv4
nf_conntrack_ipv6  Only needed for IPv6 or dual-stack clusters
nf_nat
nf_nat_ipv4
nf_nat_ipv6        Only needed for IPv6 or dual-stack clusters
nf_nat_redirect
x_tables