Install Istio with Pod Security Admission

Follow this guide to install, configure, and use an Istio mesh with the Pod Security admission controller (PSA) enforcing the baseline policy on namespaces in the mesh.

By default Istio injects an init container, istio-init, in pods deployed in the mesh. The istio-init requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities.

However, the baseline policy does not include NET_ADMIN or NET_RAW in its allowed capabilities. In order to avoid enforcing the privileged policy in all meshed namespaces, it is necessary to use Istio mesh with the Istio Container Network Interface plugin. The istio-cni-node DaemonSet in the istio-system namespace requires hostPath volumes to access local CNI directories. Since this is not allowed in the baseline policy, the namespace where the CNI DaemonSet will be deployed needs to enforce the privileged policy. By default, this namespace is istio-system.

Namespaces in the mesh may also use the restricted policy. You will need to configure the seccompProfile for your applications according to the policy specifications.

Install Istio with PSA

  1. Create the istio-system namespace and label it to enforce the privileged policy.

    1. $ kubectl create namespace istio-system
    2. $ kubectl label --overwrite ns istio-system \
    3. pod-security.kubernetes.io/enforce=privileged \
    4. pod-security.kubernetes.io/enforce-version=latest
    5. namespace/istio-system labeled
  2. Install Istio with CNI on a Kubernetes cluster version 1.25 or later.

    1. $ istioctl install --set components.cni.enabled=true -y
    2. Istio core installed
    3. Istiod installed
    4. Ingress gateways installed
    5. CNI installed
    6. Installation complete

Deploy the sample application

  1. Add a namespace label to enforce the baseline policy for the default namespace where the demo application will run:

    1. $ kubectl label --overwrite ns default \
    2. pod-security.kubernetes.io/enforce=baseline \
    3. pod-security.kubernetes.io/enforce-version=latest
    4. namespace/default labeled
  2. Deploy the sample application using the PSA enabled configuration resources:

    Zip

    1. $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-psa.yaml@
    2. service/details created
    3. serviceaccount/bookinfo-details created
    4. deployment.apps/details-v1 created
    5. service/ratings created
    6. serviceaccount/bookinfo-ratings created
    7. deployment.apps/ratings-v1 created
    8. service/reviews created
    9. serviceaccount/bookinfo-reviews created
    10. deployment.apps/reviews-v1 created
    11. deployment.apps/reviews-v2 created
    12. deployment.apps/reviews-v3 created
    13. service/productpage created
    14. serviceaccount/bookinfo-productpage created
    15. deployment.apps/productpage-v1 created
  3. Verify that the app is running inside the cluster and serving HTML pages by checking for the page title in the response:

    1. $ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
    2. <title>Simple Bookstore App</title>

Uninstall

  1. Delete the sample application

    1. $ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-psa.yaml
  2. Delete the labels on the default namespace

    1. $ kubectl label namespace default pod-security.kubernetes.io/enforce- pod-security.kubernetes.io/enforce-version-
  3. Uninstall Istio

    1. $ istioctl uninstall -y --purge
  4. Delete the istio-system namespace

    1. $ kubectl delete namespace istio-system