K
Q

Istio Init Containers do not work with Pod Security Policies

5/17/2021

I am running AWS EKS 1.16 with Istio Service Mesh 1.8.6. I have applied a Pod Security Policy where I am denying Privileged Containers, Running as Root and Privilege Escalation and am allowing NET_RAW and NET_ADMIN capabilities as Istio init containers need them.

But Istio_init containers run as root (UID 0) and thus fail validating against PSP. I tried changing the UID of the init containers within the Istio configmap for sidecar-injector but the istio-init container fails stating it could not get iptables.

So I am assuming istio_init definitely needs to run as root ?

How can make Istio_init containers run as non-root?

I tried enabling Istio CNI but that messes up my EKS implementation. The worker nodes immediately get marked as unhealthy so I had to disable Istio CNI and install AWS VPC CNI.

Any suggestions/direction would be greatly appreciated.

-- YYashwanth
amazon-eks
amazon-web-services
istio
istio-sidecar
kubernetes

Similar Questions

Logstash with helm in Kubernetes : grok filter not working
Apache Presto with Kubernetes
Istio-Gateway does not obtain an external IP with EKS v2
Is it possible to convert or cast an integer anchor to a string alias in a yaml file?
RBAC Error : Error from server (Forbidden): error when creating "role-qa.yaml": roles.rbac.authorization.k8s.io "qa-role" is forbidden

1 Answer

5/18/2021

How are you installing istio? With the IstioOperator, you can set the values.global.proxy.privileged=false to have non-privileged sidecars/init containers. Concerning running with a non-root user, I'm not sure it's possible for the istio-init container: https://github.com/istio/istio/issues/23705 (uness you try out that istio CNI plugin, as already suggested).

-- Mark
Source: StackOverflow