Installing CNI - update sidecar config

#1

Hello,

I have been reading about setting up CNI for Istio. Like most things in the Istio documentation, everything is coupled with Helm, and there is very little information if you want to edit something manually.

I was able to install CNI:

NAME:   istio-cni
LAST DEPLOYED: Tue Apr  2 17:16:19 2019
NAMESPACE: istio-system
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/DaemonSet
NAME            DESIRED  CURRENT  READY  UP-TO-DATE  AVAILABLE  NODE SELECTOR                AGE
istio-cni-node  0        0        0      0           0          beta.kubernetes.io/os=linux  0s

==> v1/ConfigMap
NAME              DATA  AGE
istio-cni-config  1     0s

==> v1/ServiceAccount
NAME       SECRETS  AGE
istio-cni  1        0s

==> v1beta1/ClusterRole
NAME       AGE
istio-cni  0s

==> v1beta1/ClusterRoleBinding
NAME       AGE
istio-cni  0s

Now, I want to manually add the entry "istio_cni.enabled=true" in the Istio sidecar configmap. How can I do that, and where can I add this option manually in the config map to enable CNI?

#2

Hi Sourabh,

To make sure I understand, you want to modify an existing Istio install’s istio-sidecar-injector configmap to enable Istio CNI, right? If that’s the case, what needs to be done is to edit the template and remove the istio-init entry in the initContainers section. That will allow you to use auto-sidecar injection OR istioctl as shown in the Istio CNI install guide.

You can see a detailed example of what the istio_cni.enabled=true helm setting does via:

~/tmp/istio/istio-1.1.1 helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
  --set istio_cni.enabled=true > ~/tmp/istio_instalL_cni.yaml

~/tmp/istio/istio-1.1.1 helm template install/kubernetes/helm/istio --name istio --namespace istio-system > ~/tmp/istio_instalL_nocni.yaml

~/tmp/istio/istio-1.1.1 diff ~/tmp/istio_instalL_cni.yaml ~/tmp/istio_instalL_nocni.yaml
658a659,695
>       initContainers:
>       [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
>       - name: istio-init
>         image: "docker.io/istio/proxy_init:1.1.1"
>         args:
>         - "-p"
>         - [[ .MeshConfig.ProxyListenPort ]]
>         - "-u"
>         - 1337
>         - "-m"
>         - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
>         - "-i"
>         - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges`  "*"  ]]"
>         - "-x"
>         - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges`  ""  ]]"
>         - "-b"
>         - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
>         - "-d"
>         - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port`  15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts`  "" ) ]]"
>         [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
>         - "-k"
>         - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
>         [[ end -]]
>         imagePullPolicy: IfNotPresent
>         resources:
>           requests:
>             cpu: 10m
>             memory: 10Mi
>           limits:
>             cpu: 100m
>             memory: 50Mi
>         securityContext:
>           capabilities:
>             add:
>             - NET_ADMIN
>         restartPolicy: Always
>       [[ end -]]
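Review bot: the arguments are `diff cni.yaml nocni.yaml`, so the `>` lines are what the no-CNI rendering contains and the CNI rendering lacks, namely the entire `initContainers:` block from the `[[ if ne ... "NONE" ]]` guard down to its `[[ end -]]`, including the `securityContext` that adds `NET_ADMIN`. When doing this by hand in the configmap template, delete from `initContainers:` through that matching `[[ end -]]`, not just the `- name: istio-init` entry, otherwise the `[[ if ... ]]` directive is left open and the template no longer parses.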

Hope this helps!
–Tim
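The manual edit Tim describes, as an added example that is not part of the original thread or of the Istio project: a small Python script that takes the injector template text (assumed to be stored under the `config` data key of the istio-sidecar-injector ConfigMap, as in Istio 1.1) and removes the `initContainers:` block through its matching `[[ end -]]`, i.e. the istio-init entry together with its `NET_ADMIN` capability and the `[[ if ... ]]` guard around it. The sample template embedded below is constructed from the diff above; the `template: |-` wrapper and the `containers:` block are assumptions about the surrounding file.

```python
"""Remove the istio-init initContainer from an istio-sidecar-injector template.

Added example, not Istio project code. Assumption: the injector template is the
Go-template text stored under the `config` data key of the istio-sidecar-injector
ConfigMap, laid out as in the helm diff: an `initContainers:` line, a
`[[ if ne ... "NONE" ]]` guard, the istio-init container, and a closing
`[[ end -]]` at the same indentation as `initContainers:`.
"""
import re
import sys

# Constructed sample, trimmed from the helm diff; the `template: |-` wrapper
# and the `containers:` block are assumptions about the surrounding file.
SAMPLE_TEMPLATE = """\
policy: enabled
template: |-
  initContainers:
  [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
  - name: istio-init
    image: "docker.io/istio/proxy_init:1.1.1"
    args:
    - "-p"
    - [[ .MeshConfig.ProxyListenPort ]]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
  [[ end -]]
  containers:
  - name: istio-proxy
    image: "docker.io/istio/proxyv2:1.1.1"
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def strip_istio_init(template: str) -> str:
    """Return the template with the initContainers block removed.

    The block runs from the `initContainers:` line through the first `[[ end`
    line at the same indentation, so the `[[ if ... ]]` guard goes with it and
    no unbalanced template directive is left behind.
    """
    lines = template.splitlines(keepends=True)
    kept = []
    i = 0
    removed = False
    while i < len(lines):
        line = lines[i]
        if line.strip() == "initContainers:":
            depth = _indent(line)
            j = i + 1
            while j < len(lines) and not (
                _indent(lines[j]) == depth and lines[j].strip().startswith("[[ end")
            ):
                j += 1
            if j == len(lines):
                raise ValueError("initContainers block has no closing [[ end ]] at its indentation")
            i = j + 1  # resume after the closing [[ end -]]
            removed = True
            continue
        kept.append(line)
        i += 1
    if not removed:
        # Refuse to run on an already-stripped template rather than silently doing nothing.
        raise ValueError("no initContainers block found; template may already be stripped")
    return "".join(kept)


def is_cni_ready(template: str) -> bool:
    """True when nothing of istio-init survives but the sidecar containers do."""
    return (
        "istio-init" not in template
        and "NET_ADMIN" not in template
        and "initContainers" not in template
        and re.search(r"^\s*containers:\s*$", template, re.M) is not None
    )


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    out = strip_istio_init(src)
    if not is_cni_ready(out):
        sys.exit("stripped template still references istio-init")
    sys.stdout.write(out)
```

Against a live cluster you would pull the data with `kubectl -n istio-system get configmap istio-sidecar-injector -o jsonpath='{.data.config}' > config.yaml`, run `python strip_istio_init.py config.yaml > config-cni.yaml`, diff the two files to confirm only the istio-init block went away, and then re-create the ConfigMap's `config` key from the stripped file. The script raises on a template with no `initContainers:` block so a second pass cannot quietly delete something else.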

#3

Hey @tiswanso,

Thanks a lot for the detailed information.

Indeed, I was trying to enable Istio CNI. I removed the init-container part from the sidecar config, but unfortunately I am using Google-managed Istio in GKE and I can't edit objects in the istio-system namespace.

Now my deployments are failing with the following error:
Error creating: pods “encryption-9-87649bf5d-q8dbk” is forbidden: unable to validate against any pod security policy:

Even after all capabilities are allowed.