Istio fails to deploy with restricted PodSecurityPolicy in Rancher v2.3 and v2.4
This document (000020148) is provided subject to the disclaimer at the end of this document.
Attempting to enable Istio in a Rancher v2.3 or v2.4 cluster, where the restricted PodSecurityPolicy (PSP) is configured on the cluster, fails with the istio-galley, istio-pilot, istio-policy, istio-sidecar-injector and istio-telemtry Deployments in a CrashLoopBackOff, with log messages of the formats below:
fatal validation admission webhook ListenAndServeTLS failed: listen tcp :443: bind: permission denied
nginx: [emerg] chown("/tmp/nginx", 101) failed (1: Operation not permitted)
In addition in namespaces with Istio sidecar auto injection enabled, an error of the following format will show for Pods upon scheduling:
Pods "nginx-7f4c54479d-" is forbidden: unable to validate against any pod security policy: [spec.initContainers.securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers.securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added]
This is a result of the system capabilities required by the Istio system components (
NET_BIND_SERVICE), as well as the Istio sidecar containers (
NET_RAW), in the default Istio configuration and which are blocked by the restricted PSP.
The steps to configure Istio in a cluster with restrictive Pod Security Policies enabled can be found in the Rancher documentation "Enable Istio with Pod Security Policies".
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020148
- Creation Date: 06-May-2021
- Modified Date:06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com