By default, Istio injects an init container in all Pods inside the service mesh, which configures each Pod'
s network traffic redirection to and from the Istio sidecar proxy. This operation requires elevated permissions: Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities, which can conflict with some organisations’ security policies. The Istio CNI plugin is a replacement of that init container that resolves the security concerns by avoiding the need for elevated permissions while providing the same functionality.
Contents
Prerequisites
- A running Istio control plane deployed by the
istio-operators > 1.17/*
NOTE: The Istio CNI plugin is only available in >
1.17/*
, to upgrade to a higher version, please follow the Upgrading istio-pilot instructions.
Enable the plugin
Enabling the Istio CNI plugin is done through setting the following configuration values for the istio-pilot
charm:
-
cni-bin-dir
: the path where the CNI binaries, which implement the CNI specification, are located in the host system where the Kubernetes control plane is deployed -
cni-conf-dir
: the path where the CNI’s conflist files (in JSON format) are located in the host system where the Kubernetes control plane is deployed
Setting both of these will enable the Istio CNI plugin; otherwise the plugin is disabled:
juju config istio-pilot cni-bin-dir=<path to cni bin dir in host>
juju config istio-pilot cni-conf-dir=<path to cni conf dir in host>
Before you configure these options, make sure the paths are correct and they exist, otherwise the Istio control plane installation could end up in failure.
These values vary on each Kubernetes installation and depends on the CNI’s configuration.
The defaults for some installations are /opt/cni/bin
and /etc/cni/net.d
respectively. In microk8s
, for instance, these values are /var/snap/microk8s/current/opt/cni/bin
and /var/snap/microk8s/current/args/cni-network
(refer to Microk8s CNI Configuration for more information).
Considerations
Enabling the Istio CNI plugin will only affectPods
that are created in a namespace with automatic sidecar injection after the plugin has been installed in the control plane.