Istio Init Containers do not work with Pod Security Policies
Question
I am running AWS EKS 1.16 with Istio Service Mesh 1.8.6. I have applied a Pod Security Policy where I am denying Privileged Containers, Running as Root and Privilege Escalation and am allowing NET_RAW and NET_ADMIN capabilities as Istio init containers need them.
But Istio_init containers run as root (UID 0) and thus fail validating against PSP. I tried changing the UID of the init containers within the Istio configmap for sidecar-injector but the istio-init container fails stating it could not get iptables.
So I am assuming istio_init definitely needs to run as root?
How can make Istio_init containers run as non-root?
I tried enabling Istio CNI but that messes up my EKS implementation. The worker nodes immediately get marked as unhealthy so I had to disable Istio CNI and install AWS VPC CNI.
Any suggestions/direction would be greatly appreciated.
1 answers
solution1
0 2021-05-18 20:55:46
How are you installing istio? With the IstioOperator, you can set the values.global.proxy.privileged=false to have non-privileged sidecars/init containers. Concerning running with a non-root user, I'm not sure it's possible for the istio-init container: https://github.com/istio/istio/issues/23705 (uness you try out that istio CNI plugin, as already suggested).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.