Enable Istio CNI plugin

By default, Istio injects an init container into every Pod inside the service mesh, which configures that Pod's network traffic redirection to and from the Istio sidecar proxy. This operation requires elevated permissions: Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities, which can conflict with some organisations’ security policies. The Istio CNI plugin is a replacement for that init container that resolves these security concerns by avoiding the need for elevated permissions while providing the same functionality.

Prerequisites

  • A running Istio control plane deployed by the istio-operators > 1.17/*

NOTE: The Istio CNI plugin is only available in >1.17/*, to upgrade to a higher version, please follow the Upgrading istio-pilot instructions.

Enable the plugin

Enabling the Istio CNI plugin is done by setting the following configuration values on the istio-pilot charm:

  • cni-bin-dir: the path where the CNI binaries, which implement the CNI specification, are located in the host system where the Kubernetes control plane is deployed
  • cni-conf-dir: the path where the CNI’s conflist files (in JSON format) are located in the host system where the Kubernetes control plane is deployed

Setting both of these will enable the Istio CNI plugin; otherwise the plugin is disabled:

  • juju config istio-pilot cni-bin-dir=<path to cni bin dir in host>
  • juju config istio-pilot cni-conf-dir=<path to cni conf dir in host>

Caution:

Before you configure these options, make sure the paths are correct and they exist, otherwise the Istio control plane installation could end up in failure.

These values vary between Kubernetes installations and depend on the CNI configuration.

The defaults for some installations are /opt/cni/bin and /etc/cni/net.d respectively. In microk8s, for instance, these values are /var/snap/microk8s/current/opt/cni/bin and /var/snap/microk8s/current/args/cni-network (refer to Microk8s CNI Configuration for more information).
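Because a wrong path can break the Istio control plane installation, it is worth checking both directories on the host before running the juju config commands. The following helper is an added example, not part of the istio-operators charms or docs; it assumes it runs on the host where the Kubernetes control plane (and therefore the CNI directories) lives, and it only prints the juju commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the istio-operators project): validate the CNI
# directories before handing them to `juju config istio-pilot`, so that a
# typo does not leave the Istio control plane installation in a failed state.

# Returns 0 when both directories exist, the bin dir holds at least one
# executable CNI binary, and the conf dir holds at least one .conflist/.conf
# file. Returns 1 (with a message on stderr) otherwise.
check_cni_dirs() {
    bin_dir="$1"
    conf_dir="$2"
    if [ ! -d "$bin_dir" ]; then
        echo "cni-bin-dir '$bin_dir' does not exist" >&2
        return 1
    fi
    if [ ! -d "$conf_dir" ]; then
        echo "cni-conf-dir '$conf_dir' does not exist" >&2
        return 1
    fi
    # CNI binaries (bridge, portmap, ...) must be executable files at top level
    if ! find "$bin_dir" -maxdepth 1 -type f -perm -u=x | grep -q .; then
        echo "no executable CNI binaries found in '$bin_dir'" >&2
        return 1
    fi
    # The conf dir must contain the network's conflist (or legacy .conf) file
    if ! find "$conf_dir" -maxdepth 1 -type f \
            \( -name '*.conflist' -o -name '*.conf' \) | grep -q .; then
        echo "no CNI conflist/conf files found in '$conf_dir'" >&2
        return 1
    fi
    return 0
}

# Prints the two juju config commands from the page; pipe them to sh once
# check_cni_dirs has succeeded.
juju_cni_commands() {
    printf 'juju config istio-pilot cni-bin-dir=%s\n' "$1"
    printf 'juju config istio-pilot cni-conf-dir=%s\n' "$2"
}

# Usage with the microk8s paths given above (hypothetical invocation):
#   check_cni_dirs /var/snap/microk8s/current/opt/cni/bin \
#                  /var/snap/microk8s/current/args/cni-network \
#     && juju_cni_commands /var/snap/microk8s/current/opt/cni/bin \
#                          /var/snap/microk8s/current/args/cni-network | sh
```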

Considerations

Enabling the Istio CNI plugin will only affect Pods that are created in a namespace with automatic sidecar injection after the plugin has been installed in the control plane.

You need to have latest/edge for istio-pilot in order for these to work.

Thanks for reporting this. We have fixed the error; do you mind trying with the latest stable version of istio-operators 1.17? This feature should be available from revision 827 of istio-pilot.

Well, it’s running now with edge, so I don’t want to mess with it now, since it was quite a struggle. I’ll do it during the next cluster upgrade we have upcoming.