`istio-init` container responsible for setting up the networking functionality for the Istio sidecar proxy. Unfortunately, to manage such workloads, their owners needed elevated Kubernetes RBAC permissions. Requiring elevated permissions for every user who wants to deploy Pods to Service Mesh was a security concern that we decided to address. Therefore, we introduced the Istio CNI plugin, which does not require the user to have elevated permissions to manage workloads in Service Mesh. Running centrally, it moves the requirement for elevated permissions from the workload owner to the Service Mesh Namespace. Because the Istio CNI plugin replaces the functionality of the `istio-init` container, enabling it might cause network connectivity problems for custom `initContainers` that rely on network connectivity during the workload initialization phase.
`initContainers` field defined. Here's an example of a Pod with `initContainers` defined:
`example-workload` container and the `istio-proxy` container. Since this workload is part of Service Mesh, it also has the `istio-init` container with a `securityContext` that configures the `NET_ADMIN` and `NET_RAW` capabilities as well as elevated values for the `runAs*` settings. The fact that a workload is listed after executing the command does not mean that it will face errors after the Istio CNI plugin rollout. Each workload should be further analyzed to verify whether its `initContainers` require network. Only the workloads that do rely on network in the initialization phase need to be configured to mitigate connectivity errors. To eliminate the risk of networking issues, configure these workloads with one of the following settings:

- Set the `UID` of the `initContainer` to `1337` using `runAsUser`. `1337` is the `UID` used by the sidecar proxy. Traffic sent by this UID is not captured by Istio's iptables rules. Application container traffic is still captured as usual.
- Set the `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation to disable redirecting traffic to any CIDRs the `initContainers` communicate with.
- Set the `traffic.sidecar.istio.io/excludeOutboundPorts` annotation to disable redirecting traffic to the specific outbound ports the `initContainers` use.

WARNING: Be aware that the `excludeOutbound*` annotations affect all the containers in a workload, so setting them might introduce issues in containers that don't need to be configured.
- The `istio-init` container with the elevated `securityContext` is gone from your workload.
- The `istio-validation` initContainer, which checks the correctness of the network setup without the need for elevated permissions, is added to the `initContainers` field.
- Your `initContainers` do not report any network-related errors.
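As an added example (not code from the original post or from the Istio project), the following Python audit walks a constructed Pod spec shaped like `kubectl get pods -o json` output: it flags custom `initContainers` that carry none of the three settings described above and checks the post-rollout state from the checklist. The Pod, the `fetch-config` container and the `registry.example` image are placeholders.

```python
# Init containers Istio injects itself; anything else is a custom initContainer.
ISTIO_MANAGED = {"istio-init", "istio-validation"}
PROXY_UID = 1337  # sidecar UID; its traffic bypasses the iptables redirect
EXCLUDE_ANNOTATIONS = (
    "traffic.sidecar.istio.io/excludeOutboundIPRanges",
    "traffic.sidecar.istio.io/excludeOutboundPorts",
)

# Constructed sample shaped like one item of `kubectl get pods -o json`;
# names and image are placeholders, not real cluster data.
SAMPLE_POD = {
    "metadata": {"name": "example-workload", "annotations": {}},
    "spec": {
        "initContainers": [
            {"name": "istio-init", "securityContext": {"runAsUser": 0}},
            {"name": "fetch-config", "image": "registry.example/fetch-config:1.0"},
        ],
        "containers": [{"name": "example-workload"}, {"name": "istio-proxy"}],
    },
}


def mitigation(pod, init_container):
    """Return the documented setting covering this init container, or None.
    An excludeOutbound* annotation is only a hint: the CIDRs or ports it
    lists must actually match what the init container talks to."""
    if init_container.get("securityContext", {}).get("runAsUser") == PROXY_UID:
        return "runAsUser=1337"
    annotations = pod["metadata"].get("annotations") or {}
    return next((k for k in EXCLUDE_ANNOTATIONS if k in annotations), None)


def unmitigated_init_containers(pod):
    """Custom init containers with none of the three settings applied. Whether
    each one really needs network during init is still the owner's call."""
    return [c["name"] for c in pod["spec"].get("initContainers", [])
            if c["name"] not in ISTIO_MANAGED and mitigation(pod, c) is None]


def cni_rollout_complete(pod):
    """Post-rollout check: istio-init is gone and istio-validation is present."""
    names = {c["name"] for c in pod["spec"].get("initContainers", [])}
    return "istio-init" not in names and "istio-validation" in names
```

Run against real clusters by feeding each item of the `kubectl` JSON output to `unmitigated_init_containers`; a non-empty result means the workload still needs the analysis described above.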