Hi all,
I have an issue with sidecar injections when using pod security policies.
When I use istioctl to inject sidecars into my deployment the pods are scheduled and everything is working. But if I enable auto-injection (istio-injection=enabled) for the namespace the pods aren’t scheduled anymore.
The only error I can find:
Warning FailedCreate ReplicaSet Error creating: pods "nginx-default-5599dbc58d-fr9x6" is forbidden: unable to validate against any pod security policy: []
When I then apply a deployment with a custom service account (not default) the pods are scheduled again. That’s why I thought maybe the istio-sidecar-injector-service-account service account needs a RoleBinding to be allowed to access my PSP, but this didn’t change anything.
I’m not sure whether this is related to Topic 1762, therefore, I decided to create a new topic.
Any hints?
Kubernetes: 1.13.5
Istio: 1.1.2
My configuration:
psp:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities:
    - NET_ADMIN # needed by Istio side-car
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
```
clusterrole/clusterrolebinding:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - restricted
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
roleRef:
  kind: ClusterRole
  name: psp:restricted
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: system:serviceaccounts
    namespace: kube-system
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: default
    namespace: default
  - kind: ServiceAccount # istio sidecar sa
    name: istio-sidecar-injector-service-account
    namespace: istio-system
```
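Added example (not from the post, Istio or Kubernetes): a small Python model of the PodSecurityPolicy admission authorization step, which admits a pod when either the identity that creates the pod object or the pod's own service account may `use` the policy through RBAC; the mutating webhook's service account is not part of that check. It encodes the posted ClusterRole and ClusterRoleBinding as dicts, and assumes the pod creator for a Deployment is the ReplicaSet controller's service account (the identity kube-controller-manager uses when run with per-controller credentials).

```python
# Hand-written model of the PodSecurityPolicy "use" authorization (not the
# Kubernetes code): a pod passes if the identity creating the pod object OR
# the pod's own service account is bound to a role granting use on the PSP.

def sa_identity(namespace, name):
    """User name and groups the API server assigns to a service account."""
    return {"user": f"system:serviceaccount:{namespace}:{name}",
            "groups": {"system:serviceaccounts",
                       f"system:serviceaccounts:{namespace}",
                       "system:authenticated"}}

def subject_matches(subject, identity):
    """Does one binding subject (User, Group or ServiceAccount) match an identity?"""
    if subject["kind"] == "Group":
        return subject["name"] in identity["groups"]
    if subject["kind"] == "ServiceAccount":
        return identity["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == identity["user"]

def can_use_psp(identity, psp_name, roles, bindings):
    """True if some binding gives this identity a role with 'use' on psp_name."""
    for b in bindings:
        role = roles.get(b["roleRef"]["name"])
        if role is None or not any(subject_matches(s, identity) for s in b["subjects"]):
            continue
        for rule in role["rules"]:
            if ("policy" in rule["apiGroups"] and "podsecuritypolicies" in rule["resources"]
                    and "use" in rule["verbs"]
                    and (not rule.get("resourceNames") or psp_name in rule["resourceNames"])):
                return True
    return False

def psp_authorized(requester, pod_sa, psp_name, roles, bindings):
    """Either identity being authorized is enough; the webhook's SA is never consulted."""
    return (can_use_psp(requester, psp_name, roles, bindings)
            or can_use_psp(pod_sa, psp_name, roles, bindings))

# The posted ClusterRole and ClusterRoleBinding, as dicts.
ROLES = {"psp:restricted": {"rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                                       "verbs": ["use"], "resourceNames": ["restricted"]}]}}
BINDINGS_POSTED = [{"roleRef": {"name": "psp:restricted"}, "subjects": [
    {"kind": "Group", "name": "system:serviceaccounts"},
    {"kind": "Group", "name": "system:authenticated"},
    {"kind": "ServiceAccount", "name": "default", "namespace": "default"},
    {"kind": "ServiceAccount", "name": "istio-sidecar-injector-service-account", "namespace": "istio-system"}]}]
# Constructed narrower binding for contrast: only the app namespace's default SA.
BINDINGS_NARROW = [{"roleRef": {"name": "psp:restricted"},
                    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}]
# Assumed creator of the pod object for a Deployment (per-controller credentials).
REPLICASET_CONTROLLER = sa_identity("kube-system", "replicaset-controller")
```

With the posted binding every authenticated identity, including the ReplicaSet controller, is already granted `use`, so the narrow binding shows the case where only the pod's service account decides the outcome.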