Istio is a service mesh that lets you connect, secure, control, and observe services. Istio can be deployed on Tarmak Kubernetes clusters.
However, if you have enabled Tarmak’s default PodSecurityPolicy (see User Guide), then the privileged sidecar containers injected by Istio will be blocked. Events such as the following will appear on the ReplicaSet:
Warning FailedCreate 3m replicaset-controller Error creating: pods "details-v1-6865b9b99d-rm26k" is forbidden: unable to validate against any pod security policy: [capabilities.add: Invalid value: "NET_ADMIN": capability may not be added]
More details about the access requirements of the Istio containers can be found here.
For now, we recommend only enabling use of the psp:privileged ClusterRole in the namespaces containing Istio-managed workloads, rather than allowing it across the entire cluster. To enable psp:privileged in a single namespace (called foobar in our example), apply the following RoleBinding in that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default:privileged
  namespace: foobar
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:foobar
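The point of the RoleBinding above is that the grant of psp:privileged stays confined to one namespace. The following script is an added example, not part of the Tarmak documentation or project code: it builds the recommended namespaced RoleBinding for a given namespace and lints a set of bindings (passed as plain dicts, as you would get from parsing the manifests) for anything that widens the grant, such as a ClusterRoleBinding to psp:privileged or a subject group that covers every service account in the cluster. The function names, the sample ClusterRoleBinding, and the binding name all-sa-privileged are constructed for this example.

```python
# Added example (not from the Tarmak docs): lint RBAC bindings that grant
# "use" of the psp:privileged ClusterRole, so the grant stays scoped to the
# namespaces running Istio-managed workloads rather than the whole cluster.

PRIVILEGED_PSP_ROLE = "psp:privileged"

# Built-in groups that match every service account or user in the cluster.
CLUSTER_WIDE_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}


def privileged_rolebinding(namespace):
    """Return the namespaced RoleBinding recommended on this page, as a dict."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": "default:privileged", "namespace": namespace},
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": PRIVILEGED_PSP_ROLE,
        },
        "subjects": [
            {
                "apiGroup": "rbac.authorization.k8s.io",
                "kind": "Group",
                "name": f"system:serviceaccounts:{namespace}",
            }
        ],
    }


def lint_privileged_binding(binding):
    """Return findings for one binding; [] means it matches the recommended shape.

    Bindings that do not reference the psp:privileged ClusterRole are ignored.
    """
    findings = []
    role_ref = binding.get("roleRef", {})
    if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != PRIVILEGED_PSP_ROLE:
        return findings

    kind = binding.get("kind")
    ns = binding.get("metadata", {}).get("namespace")
    name = binding.get("metadata", {}).get("name", "<unnamed>")

    if kind == "ClusterRoleBinding":
        findings.append(f"{name}: ClusterRoleBinding grants {PRIVILEGED_PSP_ROLE} cluster-wide; "
                        "use a RoleBinding per namespace instead")
        return findings  # subjects do not matter once the grant is cluster-wide
    if kind != "RoleBinding" or not ns:
        findings.append(f"{name}: expected a namespaced RoleBinding, got {kind!r} in namespace {ns!r}")
        return findings

    for subject in binding.get("subjects", []):
        s_kind, s_name = subject.get("kind"), subject.get("name", "")
        if s_kind == "Group":
            if s_name in CLUSTER_WIDE_GROUPS:
                findings.append(f"{name}: group {s_name} is broader than system:serviceaccounts:{ns}")
            elif s_name != f"system:serviceaccounts:{ns}":
                findings.append(f"{name}: group {s_name} does not belong to namespace {ns}")
        elif s_kind == "ServiceAccount":
            # ServiceAccount subjects carry their own namespace field.
            if subject.get("namespace") != ns:
                findings.append(f"{name}: service account {s_name} is not in namespace {ns}")
        else:
            findings.append(f"{name}: unexpected subject kind {s_kind!r} for {s_name!r}")
    return findings


def lint_all(bindings):
    """Map binding name -> findings, for every binding that has findings."""
    report = {}
    for binding in bindings:
        findings = lint_privileged_binding(binding)
        if findings:
            report[binding.get("metadata", {}).get("name", "<unnamed>")] = findings
    return report


# Constructed sample input: the page's RoleBinding for namespace foobar, plus a
# cluster-wide ClusterRoleBinding of the kind the page recommends against.
SAMPLE_BINDINGS = [
    privileged_rolebinding("foobar"),
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "all-sa-privileged"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": PRIVILEGED_PSP_ROLE},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                      "name": "system:serviceaccounts"}],
    },
]

if __name__ == "__main__":
    for findings in lint_all(SAMPLE_BINDINGS).values():
        for finding in findings:
            print(finding)
```

Run against manifests exported from a cluster, the lint reports only the bindings that reference psp:privileged and depart from the per-namespace pattern; the RoleBinding from this page produces no findings, while the constructed ClusterRoleBinding is reported as a cluster-wide grant.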