Istio

Istio is a service mesh that lets you connect, secure, control, and observe services. Istio can be deployed on Tarmak Kubernetes clusters.

However, if you have enabled Tarmak’s default PodSecurityPolicy (see User Guide), then privileged sidecar containers injected by Istio will be blocked. Events such as this will show on the ReplicaSet:

Warning  FailedCreate  3m               replicaset-controller  Error creating: pods "details-v1-6865b9b99d-rm26k" is forbidden: unable to validate against any pod security policy: [capabilities.add: Invalid value: "NET_ADMIN": capability may not be added]

More details about the access requirements of the Istio containers can be found here

For now, we recommend only enabling use of the psp:privileged in the namespaces containing Istio-managed workloads - rather than allowing it across the entire cluster.

To enable psp:privileged in a single namespace (called foobar in our example), apply the following RoleBinding in that namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: default:privileged
 namespace: foobar
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: psp:privileged
subjects:
- apiGroup: rbac.authorization.k8s.io
 kind: Group
 name: system:serviceaccounts:foobar