OpenShift
Follow these instructions to prepare an OpenShift cluster for Istio.
By default, OpenShift doesn’t allow containers running with user ID 0.
You must enable containers running with UID 0 for Istio’s service accounts
by running the command below. Make sure to replace istio-system if you are deploying Istio in another namespace:
Now you can install Istio using the CNI instructions.
After installation is complete, expose an OpenShift route for the ingress gateway.
Automatic sidecar injection
Webhook and certificate signing requests support must be enabled for automatic injection to work. Modify the master configuration file on the master node for the cluster as follows.
In the same directory as the master configuration file, create a file named master-config.patch with the following contents:
In the same directory, execute:
Privileged security context constraints for application sidecars
The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace <target-namespace> with the appropriate namespace.
When removing your application, remove the permissions as follows.
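The grant and its later removal can be kept symmetric with one helper, shown here as an added example that is not taken from the Istio documentation. The SCC names in SCCS, the function names and the DRY_RUN switch are assumptions; the helper refuses an empty or placeholder namespace so the grant cannot widen to every service account in the cluster.

```shell
#!/bin/sh
# Added example: grant or revoke SCCs for one namespace's service accounts.
# Assumptions: the SCC names in SCCS, the helper names, the DRY_RUN switch.
LC_ALL=C                            # byte-wise ranges in the pattern below
OC="${OC:-oc}"
SCCS="${SCCS:-privileged anyuid}"   # assumed SCC set; narrow it if you can

# Accept only a DNS-1123 label, so an empty or placeholder value can never
# collapse the group to the cluster-wide "system:serviceaccounts".
valid_namespace() {
    case "$1" in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: sidecar_scc add|remove <namespace>
# e.g.   DRY_RUN=1 sidecar_scc add my-app   (my-app is a constructed name)
sidecar_scc() {
    action="$1" ns="$2"
    case "$action" in
        add)    verb="add-scc-to-group" ;;
        remove) verb="remove-scc-from-group" ;;
        *) echo "usage: sidecar_scc add|remove <namespace>" >&2; return 2 ;;
    esac
    if ! valid_namespace "$ns"; then
        echo "refusing: '$ns' is not a valid namespace name" >&2
        return 1
    fi
    # One grant (or revoke) per SCC, scoped to this namespace's accounts only.
    for scc in $SCCS; do
        run "$OC" adm policy "$verb" "$scc" "system:serviceaccounts:$ns" || return 1
    done
}
```

Run it with DRY_RUN=1 first to review the exact commands, and call the remove action with the same SCCS value used for the grant so no binding is left behind.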
Additional requirements for the application namespace
CNI on OpenShift is managed by Multus, and it requires a NetworkAttachmentDefinition to be present in the application namespace in order to invoke the istio-cni plugin. Execute the following commands. Replace <target-namespace> with the appropriate namespace.
When removing your application, remove the NetworkAttachmentDefinition as follows.