Install Istio with Pod Security Admission

Follow this guide to install, configure, and use an Istio mesh with the Pod Security admission controller (PSA) enforcing the baseline policy on namespaces in the mesh.

By default Istio injects an init container, istio-init, in pods deployed in the mesh. The istio-init requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities.

However, the baseline policy does not include NET_ADMIN or NET_RAW in its allowed capabilities. In order to avoid enforcing the privileged policy in all meshed namespaces, it is necessary to use Istio mesh with the Istio Container Network Interface plugin. The istio-cni-node DaemonSet in the istio-system namespace requires hostPath volumes to access local CNI directories. Since this is not allowed in the baseline policy, the namespace where the CNI DaemonSet will be deployed needs to enforce the privileged policy. By default, this namespace is istio-system.

Install Istio with PSA

  1. Create the istio-system namespace and label it to enforce the privileged policy.

    $ kubectl create namespace istio-system
    $ kubectl label --overwrite ns istio-system \
        pod-security.kubernetes.io/enforce=privileged \
        pod-security.kubernetes.io/enforce-version=latest
    namespace/istio-system labeled
    
  2. Install Istio with CNI on a Kubernetes cluster version 1.25 or later.

    $ istioctl install --set components.cni.enabled=true -y
    ✔ Istio core installed
    ✔ Istiod installed
    ✔ Ingress gateways installed
    ✔ CNI installed
    ✔ Installation complete
    

Deploy the sample application

  1. Add a namespace label to enforce the baseline policy for the default namespace where the demo application will run:

    $ kubectl label --overwrite ns default \
        pod-security.kubernetes.io/enforce=baseline \
        pod-security.kubernetes.io/enforce-version=latest
    namespace/default labeled
    
  2. Deploy the sample application using the PSA enabled configuration resources:

    Zip
    $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-psa.yaml@
    service/details created
    serviceaccount/bookinfo-details created
    deployment.apps/details-v1 created
    service/ratings created
    serviceaccount/bookinfo-ratings created
    deployment.apps/ratings-v1 created
    service/reviews created
    serviceaccount/bookinfo-reviews created
    deployment.apps/reviews-v1 created
    deployment.apps/reviews-v2 created
    deployment.apps/reviews-v3 created
    service/productpage created
    serviceaccount/bookinfo-productpage created
    deployment.apps/productpage-v1 created
    
  3. Verify that the app is running inside the cluster and serving HTML pages by checking for the page title in the response:

    $ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
    <title>Simple Bookstore App</title>
    

Uninstall

  1. Delete the sample application

    $ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-psa.yaml
    
  2. Delete the labels on the default namespace

    $ kubectl label namespace default pod-security.kubernetes.io/enforce- pod-security.kubernetes.io/enforce-version-
    
  3. Uninstall Istio

    $ istioctl uninstall -y --purge
    
  4. Delete the istio-system namespace

    $ kubectl delete namespace istio-system
    
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!