Hello,
I have been reading about setting up CNI for Istio. Like most things in the Istio documentation, everything is coupled with Helm and there is very little information if you want to edit something manually.
I was able to install CNI:
```
NAME:   istio-cni
LAST DEPLOYED: Tue Apr  2 17:16:19 2019
NAMESPACE: istio-system
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/DaemonSet
NAME            DESIRED  CURRENT  READY  UP-TO-DATE  AVAILABLE  NODE SELECTOR                AGE
istio-cni-node  0        0        0      0           0          beta.kubernetes.io/os=linux  0s

==> v1/ConfigMap
NAME              DATA  AGE
istio-cni-config  1     0s

==> v1/ServiceAccount
NAME       SECRETS  AGE
istio-cni  1        0s

==> v1beta1/ClusterRole
NAME       AGE
istio-cni  0s

==> v1beta1/ClusterRoleBinding
NAME       AGE
istio-cni  0s
```
Now I want to manually add the entry `istio_cni.enabled=true` in the Istio sidecar configmap. How can I do that? Where can I add this option manually in the configmap to achieve CNI?
Hi Sourabh,
To make sure I understand, you want to modify an existing Istio install's istio-sidecar-injector configmap to enable Istio CNI, right? If that's the case, what needs to be done is to edit the template and remove the istio-init entry in the initContainers section. That will allow you to use auto-sidecar injection OR istioctl as shown in the Istio CNI install guide.
You can see a detailed example of what the `istio_cni.enabled=true` helm setting does via:
```
~/tmp/istio/istio-1.1.1 helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --set istio_cni.enabled=true > ~/tmp/istio_instalL_cni.yaml
~/tmp/istio/istio-1.1.1 helm template install/kubernetes/helm/istio --name istio --namespace istio-system > ~/tmp/istio_instalL_nocni.yaml
~/tmp/istio/istio-1.1.1 diff ~/tmp/istio_instalL_cni.yaml ~/tmp/istio_instalL_nocni.yaml
658a659,695
>     initContainers:
>     [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
>     - name: istio-init
>       image: "docker.io/istio/proxy_init:1.1.1"
>       args:
>       - "-p"
>       - [[ .MeshConfig.ProxyListenPort ]]
>       - "-u"
>       - 1337
>       - "-m"
>       - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]
>       - "-i"
>       - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]"
>       - "-x"
>       - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]"
>       - "-b"
>       - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]"
>       - "-d"
>       - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]"
>       [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]]
>       - "-k"
>       - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]"
>       [[ end -]]
>       imagePullPolicy: IfNotPresent
>       resources:
>         requests:
>           cpu: 10m
>           memory: 10Mi
>         limits:
>           cpu: 100m
>           memory: 50Mi
>       securityContext:
>         capabilities:
>           add:
>           - NET_ADMIN
>       restartPolicy: Always
>     [[ end -]]
```
Hope this helps!
–Tim
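One way to carry out the edit described above on an existing istio-sidecar-injector configmap without hand-editing the Go template, as an added example that is not Tim's code and not Istio's own tooling. It works on the `template` text of the injector config (the configmap's `config` entry holds YAML with a `template:` key; fetching and re-applying it with kubectl is left to the caller, and that key layout is an assumption). The sample template is constructed from the diff in Tim's post, with the surrounding `rewriteAppHTTPProbe` and `containers` keys assumed. The helper refuses to strip the section if any init container other than istio-init is present, so nothing unrelated is dropped, and it reports whether the template still asks for NET_ADMIN anywhere, since the point of moving to CNI is that the injected pod no longer needs that capability.

```python
"""Remove the istio-init initContainer from an Istio sidecar-injector template.

Hypothetical helper, not Istio's own tooling. Input is the Go-template text
found under the `template:` key of the istio-sidecar-injector configmap's
`config` entry (assumed layout); the caller fetches and re-applies the
configmap with kubectl.
"""
import re

# Matches a YAML list item that starts a container entry, e.g. `- name: istio-init`.
NAME_RE = re.compile(r"^\s*-\s+name:\s*(\S+)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def strip_istio_init(template: str) -> str:
    """Return the template with the whole initContainers section removed.

    The section starts at the `initContainers:` key and runs until the next
    non-blank line at the same (or lower) indentation that is a YAML key
    rather than a list item or a `[[ ... ]]` template directive. Raises
    ValueError if the section holds any init container other than istio-init,
    so an unrelated init container is never silently dropped.
    """
    lines = template.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() != "initContainers:":
            out.append(line)
            i += 1
            continue
        base = _indent(line)
        removed = []
        i += 1
        while i < len(lines):
            cur = lines[i]
            stripped = cur.strip()
            if stripped and _indent(cur) <= base and not stripped.startswith(("-", "[[")):
                break  # reached the next sibling key, e.g. `containers:`
            removed.append(cur)
            i += 1
        names = [m.group(1) for m in map(NAME_RE.match, removed) if m]
        if names != ["istio-init"]:
            raise ValueError("unexpected init containers, refusing to edit: %r" % names)
    return "\n".join(out) + ("\n" if template.endswith("\n") else "")


def can_strip(template: str) -> bool:
    """True if strip_istio_init would succeed on this template."""
    try:
        strip_istio_init(template)
    except ValueError:
        return False
    return True


def requests_net_admin(template: str) -> bool:
    """True if the template still adds the NET_ADMIN capability anywhere."""
    return "NET_ADMIN" in template


# Constructed sample, cut down from the diff in the post above; the keys
# around the initContainers section are assumed, not taken from a real install.
SAMPLE_TEMPLATE = """\
rewriteAppHTTPProbe: false
initContainers:
[[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]]
- name: istio-init
  image: "docker.io/istio/proxy_init:1.1.1"
  args:
  - "-p"
  - [[ .MeshConfig.ProxyListenPort ]]
  - "-u"
  - 1337
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
  restartPolicy: Always
[[ end -]]
containers:
- name: istio-proxy
  image: "docker.io/istio/proxyv2:1.1.1"
"""


if __name__ == "__main__":
    stripped = strip_istio_init(SAMPLE_TEMPLATE)
    print(stripped)
    print("NET_ADMIN still requested:", requests_net_admin(stripped))
```

After the edit, the only NET_ADMIN holder left is the istio-cni-node DaemonSet in istio-system, which is where a pod security policy should grant it; the application namespaces no longer need a policy that allows NET_ADMIN at all.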
Hey @tiswanso,
Thanks a lot for the detailed information.
Indeed, I was trying to enable Istio CNI. I removed the init-container part from the sidecar config, but unfortunately I am using Google managed Istio in GKE and I can't edit objects in the istio-system namespace.
Now my deployments are failing with the following error:
```
Error creating: pods "encryption-9-87649bf5d-q8dbk" is forbidden: unable to validate against any pod security policy:
```
Even after all capabilities are allowed