Install Istio with Pod Security Admission
Follow this guide to install, configure, and use an Istio mesh with the Pod Security admission controller (PSA) enforcing the baseline policy on namespaces in the mesh.
By default, Istio injects an init container, istio-init, into pods deployed in the mesh. Because istio-init sets up the pod's traffic redirection rules, the user or service account deploying pods to the mesh must have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities.

However, the baseline policy does not include NET_ADMIN or NET_RAW in its allowed capabilities, so a pod with istio-init is rejected by a namespace enforcing baseline. To avoid enforcing the privileged policy in every meshed namespace, use the Istio mesh together with the Istio Container Network Interface (CNI) plugin, which moves the redirection setup out of the per-pod init container. The istio-cni-node DaemonSet in the istio-system namespace requires hostPath volumes to access the node's local CNI directories. Since hostPath volumes are not allowed by the baseline policy, the namespace where the CNI DaemonSet is deployed must enforce the privileged policy. By default, this namespace is istio-system.

Namespaces in the mesh may also use the restricted policy. In that case you must configure the seccompProfile for your applications according to the policy specifications.
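As an added example (not part of the Istio documentation or the Istio project), the following Python script checks a pod spec against the field restrictions of the baseline and restricted Pod Security levels before it is submitted, so that the NET_ADMIN/NET_RAW and hostPath problems described above surface at review time instead of as admission rejections. The pod specs inside it are constructed to mirror the shapes the text describes (an istio-init init container, the istio-cni-node agent, a hardened application pod) and are not copied from real manifests. The check covers the fields this page names plus the other baseline and restricted controls a reviewer would want (host namespaces, privileged, seccompProfile, runAsNonRoot, allowPrivilegeEscalation, dropping ALL capabilities), which goes beyond the two capabilities the page itself discusses.

```python
# Added example, not Istio project code: a pre-admission check for the field
# restrictions of the Pod Security "baseline" and "restricted" levels.
# The sample pod specs below are constructed for illustration only.
from typing import Any, Dict, List

# Capabilities the baseline level allows a container to add (Kubernetes PSS).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types the baseline level rejects outright.
BASELINE_FORBIDDEN_VOLUMES = {"hostPath"}


def _all_containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    # initContainers matter here: istio-init is an init container.
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def baseline_violations(spec: Dict[str, Any]) -> List[str]:
    """Return the reasons a pod spec would be rejected at the baseline level."""
    reasons: List[str] = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            reasons.append(f"pod: {key}=true is not allowed")
    for vol in spec.get("volumes", []):
        for vtype in sorted(BASELINE_FORBIDDEN_VOLUMES & set(vol)):
            reasons.append(f"volume {vol.get('name')}: {vtype} volumes are not allowed")
    for c in _all_containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.append(f"container {c['name']}: privileged=true is not allowed")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added - BASELINE_ALLOWED_CAPS):
            reasons.append(f"container {c['name']}: capability {cap} is not allowed")
    return reasons


def restricted_violations(spec: Dict[str, Any]) -> List[str]:
    """Baseline checks plus the extra hardening the restricted level demands.

    Container-level securityContext fields override the pod-level ones."""
    reasons = baseline_violations(spec)
    pod_sc = spec.get("securityContext", {})
    for c in _all_containers(spec):
        sc = c.get("securityContext", {})
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            reasons.append(f"container {c['name']}: seccompProfile must be RuntimeDefault or Localhost")
        if sc.get("allowPrivilegeEscalation") is not False:
            reasons.append(f"container {c['name']}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            reasons.append(f"container {c['name']}: capabilities must drop ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            reasons.append(f"container {c['name']}: only NET_BIND_SERVICE may be added back")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            reasons.append(f"container {c['name']}: runAsNonRoot must be true")
    return reasons


# Constructed sample: a sidecar-injected pod without Istio CNI. The istio-init
# container adds NET_ADMIN and NET_RAW, which baseline does not allow.
SIDECAR_WITH_ISTIO_INIT = {
    "initContainers": [{
        "name": "istio-init",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}},
    }],
    "containers": [{"name": "ratings"}, {"name": "istio-proxy"}],
}

# Constructed sample: the shape of the CNI node agent, which needs hostPath
# volumes for the node's CNI directories and so requires a privileged namespace.
CNI_NODE_AGENT = {
    "volumes": [{"name": "cni-bin-dir", "hostPath": {"path": "/opt/cni/bin"}},
                {"name": "cni-net-dir", "hostPath": {"path": "/etc/cni/net.d"}}],
    "containers": [{"name": "install-cni"}],
}

# Constructed sample: an application pod in a mesh that uses Istio CNI. It passes
# baseline, and passes restricted because seccomp, non-root, no privilege
# escalation and drop-ALL are all set explicitly.
HARDENED_APP = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "ratings", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}


if __name__ == "__main__":
    for label, spec in (("istio-init pod", SIDECAR_WITH_ISTIO_INIT),
                        ("cni node agent", CNI_NODE_AGENT),
                        ("hardened app", HARDENED_APP)):
        print(label, "baseline:", baseline_violations(spec) or "OK")
        print(label, "restricted:", restricted_violations(spec) or "OK")
```

Run it before applying the namespace labels: any spec that reports baseline violations will be rejected once `pod-security.kubernetes.io/enforce=baseline` is set on its namespace, and the CNI agent's hostPath findings are exactly why istio-system must stay at the privileged level.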
Install Istio with PSA
Create the istio-system namespace and label it to enforce the privileged policy.
$ kubectl create namespace istio-system
$ kubectl label --overwrite ns istio-system \
pod-security.kubernetes.io/enforce=privileged \
pod-security.kubernetes.io/enforce-version=latest
namespace/istio-system labeled
Install Istio with CNI on a Kubernetes cluster version 1.25 or later.
$ istioctl install --set components.cni.enabled=true -y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete
Deploy the sample application
Add a namespace label to enforce the baseline policy for the default namespace, where the demo application will run:
$ kubectl label --overwrite ns default \
pod-security.kubernetes.io/enforce=baseline \
pod-security.kubernetes.io/enforce-version=latest
namespace/default labeled
Deploy the sample application using the PSA-enabled configuration resources:
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo-psa.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
Verify that the app is running inside the cluster and serving HTML pages by checking for the page title in the response:
$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
Uninstall
Delete the sample application
$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-psa.yaml
Delete the labels on the default namespace
$ kubectl label namespace default pod-security.kubernetes.io/enforce- pod-security.kubernetes.io/enforce-version-
Uninstall Istio
$ istioctl uninstall -y --purge
Delete the istio-system namespace
$ kubectl delete namespace istio-system