Istio fails to deploy with restricted PodSecurityPolicy in Rancher v2.3 and v2.4

This document (000020148) is provided subject to the disclaimer at the end of this document.

Situation

Issue

Attempting to enable Istio in a Rancher v2.3 or v2.4 cluster where the restricted PodSecurityPolicy (PSP) is configured on the cluster fails, with the istio-galley, istio-pilot, istio-policy, istio-sidecar-injector and istio-telemetry Deployments in a CrashLoopBackOff and log messages of the following formats:

fatal   validation  admission webhook ListenAndServeTLS failed: listen tcp :443: bind: permission denied

or

nginx: [emerg] chown("/tmp/nginx", 101) failed (1: Operation not permitted)

In addition, in namespaces with Istio sidecar auto-injection enabled, Pods fail admission on scheduling with an error of the following format:

Pods "nginx-7f4c54479d-" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_RAW": capability may not be added]

This is caused by the Linux capabilities that the default Istio configuration requires for the Istio system components (CHOWN and NET_BIND_SERVICE) and for the Istio sidecar init containers (NET_ADMIN and NET_RAW), all of which are blocked by the restricted PSP.
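To make the admission failure quoted above concrete, the following added example (not Rancher or Kubernetes code) re-implements the PSP capability check in simplified form. The two policies and the injected Pod spec are constructed for the demonstration; the restricted policy is assumed to list no allowedCapabilities, which is what produces the "capability may not be added" errors.

```python
# Added example: a minimal re-implementation of the PodSecurityPolicy
# capability check that yields the errors quoted on this page. It is not
# Rancher or Kubernetes code, and it only models allowedCapabilities
# (the real admission controller also handles requiredDropCapabilities
# and defaultAddCapabilities).

# Capabilities the page says Istio needs, grouped here for the demo.
ISTIO_COMPONENT_CAPS = ["CHOWN", "NET_BIND_SERVICE"]
ISTIO_SIDECAR_CAPS = ["NET_ADMIN", "NET_RAW"]

# Assumed restricted policy: nothing may be added. Second policy permits
# exactly the capabilities Istio's components and sidecars require.
RESTRICTED_PSP = {"allowedCapabilities": []}
ISTIO_PSP = {"allowedCapabilities": ISTIO_COMPONENT_CAPS + ISTIO_SIDECAR_CAPS}


def validate_capabilities(pod_spec, psp):
    """Return PSP violation strings for the pod; empty list means allowed.

    Rule modelled: every capability a container adds must appear in the
    policy's allowedCapabilities, unless the policy allows "*".
    """
    allowed = set(psp.get("allowedCapabilities", []))
    errors = []
    for field in ("initContainers", "containers"):
        for i, c in enumerate(pod_spec.get(field, [])):
            sc = c.get("securityContext", {})
            for cap in sc.get("capabilities", {}).get("add", []):
                if "*" not in allowed and cap not in allowed:
                    errors.append(
                        f"spec.{field}[{i}].securityContext.capabilities.add: "
                        f'Invalid value: "{cap}": capability may not be added'
                    )
    return errors


# Constructed Pod spec shaped like an Istio-injected nginx Pod: the
# istio-init initContainer asks for NET_ADMIN and NET_RAW.
INJECTED_POD = {
    "initContainers": [{
        "name": "istio-init",
        "securityContext": {"capabilities": {"add": ISTIO_SIDECAR_CAPS}},
    }],
    "containers": [{"name": "nginx"}, {"name": "istio-proxy"}],
}

if __name__ == "__main__":
    for name, psp in (("restricted", RESTRICTED_PSP), ("istio", ISTIO_PSP)):
        errs = validate_capabilities(INJECTED_POD, psp)
        print(f"{name}: {'allowed' if not errs else 'forbidden'}")
        for e in errs:
            print("  ", e)
```

Running it prints the two initContainer violations under the restricted policy and "allowed" under the policy that lists Istio's capabilities.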

Pre-requisites

Resolution

The steps to configure Istio in a cluster with restrictive Pod Security Policies enabled can be found in the Rancher documentation "Enable Istio with Pod Security Policies".

Further Reading

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020148
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher
