Issue

Attempting to enable Istio in a Rancher v2.3 or v2.4 cluster, where the restricted PodSecurityPolicy (PSP) is configured on the cluster, fails with the istio-galley, istio-pilot, istio-policy, istio-sidecar-injector and istio-telemtry Deployments in a CrashLoopBackOff, with log messages of the formats below:

fatal   validation  admission webhook ListenAndServeTLS failed: listen tcp :443: bind: permission denied

or

nginx: [emerg] chown("/tmp/nginx", 101) failed (1: Operation not permitted)

In addition in namespaces with Istio sidecar auto injection enabled, an error of the following format will show for Pods upon scheduling:

Pods "nginx-7f4c54479d-" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added]

This is a result of the system capabilities required by the Istio system components (CHOWN and NET_BIND_SERVICE), as well as the Istio sidecar containers (NET_ADMIN and NET_RAW), in the default Istio configuration and which are blocked by the restricted PSP.

Pre-requisites

• Rancher v2.3.x or v2.4.x with a restricted PSP configured as the default and Istio enabled

Resolution

The steps to configure Istio in a cluster with restrictive Pod Security Policies enabled can be found in the Rancher documentation "Enable Istio with Pod Security Policies".

Futher Reading

• Rancher Documentation on Istio

• Kubernetes Documentation on PSP Capabilities

• Istio Requirements Documentation