Issue with Istio sidecar injection and psp

Hi all,

I have an issue with sidecar injections when using pod security policies.

When I use istioctl to inject sidecars into my deployment, the pods are scheduled and everything is working. But if I enable auto-injection (istio-injection=enabled) for the namespace, the pods aren’t scheduled anymore.

The only error I can find:

Warning FailedCreate ReplicaSet Error creating: pods "nginx-default-5599dbc58d-fr9x6" is forbidden: unable to validate against any pod security policy: []

When I then apply a deployment with a custom service account (not default), the pods are scheduled again. That’s why I thought maybe the istio-sidecar-injector-service-account service account needs a RoleBinding to be allowed to use my PSP, but this didn’t change anything.

I’m not sure whether this is related to Topic 1762, so I decided to create a new topic.

Any hints?

Kubernetes: 1.13.5
Istio: 1.1.2

My configuration:

psp:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities:
    - NET_ADMIN # needed by Istio side-car
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false

clusterrole/clusterrolebinding:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
    - restricted
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
roleRef:
  kind: ClusterRole
  name: psp:restricted 
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:serviceaccounts
  namespace: kube-system
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: default
- kind: ServiceAccount # istio sidecar sa
  name: istio-sidecar-injector-service-account
  namespace: istio-system

Okay, I think I finally found the root cause. When I deploy an unrestricted PSP, everything is working. Is there any documentation on what Istio needs (I cannot find any except for the NET_ADMIN capability, which I already allow)?

It looks like “allowPrivilegeEscalation: true” is needed as well.

Update:
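The admission error above ("unable to validate against any pod security policy: []") does not say which PSP field rejected the pod. As an added example (not part of this thread and not Istio's code), the script below evaluates a pod spec against the poster's "restricted" policy field by field and reports every violation. The policy dict is a transcription of the YAML in the thread; the pod spec is a constructed stand-in for a sidecar-injected pod whose init container adds NET_ADMIN and asks for privilege escalation, mirroring what the poster reports Istio needs (an assumption, not a copy of Istio's injection template). The field semantics it implements are the ones of the PodSecurityPolicy admission plugin: a container that explicitly sets allowPrivilegeEscalation: true is rejected by a policy with allowPrivilegeEscalation: false, added capabilities must appear in allowedCapabilities, volume types must be listed in volumes, and MustRunAs group rules are checked against their ranges.

```python
import copy

# The poster's "restricted" PodSecurityPolicy, transcribed into a dict
# (only the fields this checker evaluates).
RESTRICTED_PSP = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "allowedCapabilities": ["NET_ADMIN"],
    "volumes": ["configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "runAsUser": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "readOnlyRootFilesystem": False,
}

# Constructed pod spec standing in for a sidecar-injected nginx pod. The
# init container's securityContext is an assumption modelled on what the
# poster reports Istio needs (NET_ADMIN plus privilege escalation).
INJECTED_POD = {
    "hostNetwork": False,
    "securityContext": {"fsGroup": 1337},
    "volumes": [{"name": "istio-envoy", "emptyDir": {}},
                {"name": "istio-certs", "secret": {"secretName": "istio.default"}}],
    "initContainers": [{
        "name": "istio-init",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]},
                            "allowPrivilegeEscalation": True},
    }],
    "containers": [
        {"name": "nginx", "securityContext": {}},
        {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
    ],
}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_container(container, psp, kind):
    """Return the policy violations of one container's securityContext."""
    sc = container.get("securityContext") or {}
    name = f"{kind} container '{container['name']}'"
    errs = []
    if sc.get("privileged") and not psp.get("privileged"):
        errs.append(f"{name}: privileged=true but policy has privileged: false")
    # A policy with allowPrivilegeEscalation: false rejects a container that
    # explicitly asks for escalation; an unset value is defaulted to false.
    if sc.get("allowPrivilegeEscalation") and not psp.get("allowPrivilegeEscalation"):
        errs.append(f"{name}: allowPrivilegeEscalation=true but policy forbids it")
    allowed = set(psp.get("allowedCapabilities", [])) | set(psp.get("defaultAddCapabilities", []))
    for cap in (sc.get("capabilities") or {}).get("add", []):
        if "*" not in allowed and cap not in allowed:
            errs.append(f"{name}: adds capability {cap} not in allowedCapabilities")
    if psp.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem"):
        errs.append(f"{name}: policy requires readOnlyRootFilesystem: true")
    uid_rule = psp.get("runAsUser", {"rule": "RunAsAny"})
    uid = sc.get("runAsUser")
    if uid_rule["rule"] == "MustRunAsNonRoot" and uid == 0:
        errs.append(f"{name}: runAsUser=0 but policy is MustRunAsNonRoot")
    if uid_rule["rule"] == "MustRunAs" and uid is not None and not _in_ranges(uid, uid_rule["ranges"]):
        errs.append(f"{name}: runAsUser={uid} outside policy ranges")
    return errs


def check_pod(pod, psp):
    """Return every reason the pod spec fails the given PodSecurityPolicy."""
    errs = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag) and not psp.get(flag):
            errs.append(f"pod: {flag}=true but policy forbids it")
    allowed_vols = set(psp.get("volumes", []))
    for vol in pod.get("volumes", []):
        vtype = next(k for k in vol if k != "name")   # the single type key
        if "*" not in allowed_vols and vtype not in allowed_vols:
            errs.append(f"pod: volume '{vol['name']}' of type {vtype} not allowed")
    pod_sc = pod.get("securityContext") or {}
    group_values = {
        "fsGroup": [pod_sc["fsGroup"]] if "fsGroup" in pod_sc else [],
        "supplementalGroups": pod_sc.get("supplementalGroups", []),
    }
    for field, values in group_values.items():
        rule = psp.get(field, {"rule": "RunAsAny"})
        if rule["rule"] == "MustRunAs":
            for v in values:
                if not _in_ranges(v, rule["ranges"]):
                    errs.append(f"pod: {field} {v} outside policy ranges")
    for c in pod.get("initContainers", []):
        errs += check_container(c, psp, "init")
    for c in pod.get("containers", []):
        errs += check_container(c, psp, "app")
    return errs


def relaxed_psp():
    """The poster's policy with the one change the thread arrived at."""
    psp = copy.deepcopy(RESTRICTED_PSP)
    psp["allowPrivilegeEscalation"] = True
    return psp


if __name__ == "__main__":
    for label, psp in (("restricted", RESTRICTED_PSP),
                       ("restricted + allowPrivilegeEscalation", relaxed_psp())):
        errs = check_pod(INJECTED_POD, psp)
        print(f"{label}: {'OK' if not errs else ''}")
        for e in errs:
            print("  -", e)
```

Run against the poster's policy the checker reports exactly one violation, the init container's allowPrivilegeEscalation, and passes once that field is flipped to true; the same function can be pointed at any other pod spec (for example the output of istioctl kube-inject converted to a dict) to see which field a future PSP change would trip.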