Istio with Pod Security Policy (in GKE)

Hello,

I am using Google Cloud managed istio. It is offering 1.0.3 right now and 1.1.1 will be there in about a month. My issue is version agnostic though.

I have the following PSP enabled in my istio-enabled cluster:

apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: PodSecurityPolicy
  metadata:
    annotations:
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    name: restrictive-psp
    namespace: ""
  spec:
    allowPrivilegeEscalation: true
    allowedCapabilities:
    - '*'
    fsGroup:
      rule: RunAsAny
    hostPorts:
    - max: 8000
      min: 0
    privileged: true
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
    - configMap
    - secret
    - emptyDir
    - nfs
    - persistentVolumeClaim
    - hostPath
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Corresponding clusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restrictive-role
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restrictive-psp
  verbs:
  - use

clusterRoleBinding:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restrict-rolebind
subjects:
- kind: Group
  name: system:serviceaccounts
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: restrictive-role
  apiGroup: rbac.authorization.k8s.io

Still I am getting the following error:

Error creating: pods “encryption-9-87649bf5d-q8dbk” is forbidden: unable to validate against any pod security policy:

Pods without sidecar are coming up fine.

UPDATE:

I checked the required steps HERE:


Can someone help me with how to troubleshoot this ?

Hi Sourabh,
Please file issues against the security channel https://discuss.istio.io/c/security for better tracking purposes going forward.

@YangminZhu @liminwang any ideas?

Sure Tao… I will do that.

An update on this:

I got it working when I removed the annotations from the PSP. Now I only have the following annotation in the PSP:

seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'

I am testing my environment's call flow now, but I am not sure why it was failing with the annotations. What does allowing a seccomp profile do? And how is it related to the istio-proxy containers?
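To make the annotation behaviour in this thread concrete, here is an added example; it is not code from the thread, from Kubernetes or from Istio. It is a small Python model of the PodSecurityPolicy admission plugin's two phases as I understand them: in the mutating phase the plugin fills in the policy's default profile annotations for the containers that exist at that point, then a mutating webhook such as the sidecar injector adds containers, and in the validating phase the plugin refuses any policy whose defaults would still have to change the pod (AppArmor defaults are per container, so the injected istio-init and istio-proxy containers have none; the seccomp default is a pod-level annotation, so they inherit it). The pod, the policies and the stand-in injector are constructed here; the container names istio-init and istio-proxy are the usual Istio ones, and only the annotation checks are modelled because the posted PSP, despite its name, allows privileged pods and every capability, so the annotations are the only constraint it really enforces. Treat the phase ordering and the "profile must be set" rule as my assumptions, to be checked against the kube-apiserver version in use.

```python
# Added example: a model of how the PodSecurityPolicy (PSP) admission plugin's
# annotation checks interact with a sidecar-injecting mutating webhook.
# The pod, policies and injector below are constructed; the phase ordering and
# the "profile must be set" rule are my understanding of the upstream plugin,
# not code taken from Kubernetes or Istio.
import copy

APPARMOR_ALLOWED = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
APPARMOR_DEFAULT = "apparmor.security.beta.kubernetes.io/defaultProfileName"
APPARMOR_CONTAINER = "container.apparmor.security.beta.kubernetes.io/"
SECCOMP_ALLOWED = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
SECCOMP_DEFAULT = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
SECCOMP_POD = "seccomp.security.alpha.kubernetes.io/pod"
SECCOMP_CONTAINER = "container.seccomp.security.alpha.kubernetes.io/"


def _containers(pod):
    return pod["spec"].get("initContainers", []) + pod["spec"]["containers"]


def _allowed(value):
    """None means unrestricted; otherwise the set of allowed profile names."""
    if value is None:
        return None
    return {v.strip() for v in value.split(",") if v.strip()}


def psp_mutate(pod, psp):
    """Mutating phase: apply the policy's default profiles to the containers present now."""
    pod = copy.deepcopy(pod)
    ann = dict(pod["metadata"].get("annotations", {}))
    defaults = psp["metadata"].get("annotations", {})
    if defaults.get(APPARMOR_DEFAULT):
        for c in _containers(pod):  # AppArmor defaults are per container
            ann.setdefault(APPARMOR_CONTAINER + c["name"], defaults[APPARMOR_DEFAULT])
    if defaults.get(SECCOMP_DEFAULT):
        ann.setdefault(SECCOMP_POD, defaults[SECCOMP_DEFAULT])  # seccomp default is pod-level
    if ann:
        pod["metadata"]["annotations"] = ann
    return pod


def psp_validate(pod, psp):
    """Validating phase: return the reasons the pod fails this policy (empty list = passes)."""
    errs = []
    ann = pod["metadata"].get("annotations", {})
    rules = psp["metadata"].get("annotations", {})
    aa_allowed = _allowed(rules.get(APPARMOR_ALLOWED))
    sc_allowed = _allowed(rules.get(SECCOMP_ALLOWED))
    for c in _containers(pod):
        if aa_allowed is not None:
            p = ann.get(APPARMOR_CONTAINER + c["name"], "")
            if not p:
                errs.append(f"{c['name']}: AppArmor profile must be set")
            elif p not in aa_allowed:
                errs.append(f"{c['name']}: {p} is not an allowed AppArmor profile")
        if sc_allowed is not None and "*" not in sc_allowed:
            # a container annotation overrides the pod-level one; '*' allows anything, including unset
            p = ann.get(SECCOMP_CONTAINER + c["name"], ann.get(SECCOMP_POD, ""))
            if p not in sc_allowed:
                errs.append(f"{c['name']}: {p or '<unset>'} is not an allowed seccomp profile")
    # The plugin will not select a policy whose defaults would still change the pod
    # at validation time, because mutation is no longer permitted in this phase.
    if psp_mutate(pod, psp) != pod:
        errs.append("policy defaults would require mutating the pod during validation")
    return errs


def inject_sidecar(pod):
    """Stand-in for Istio's sidecar injector: a mutating webhook that runs after PSP mutation."""
    pod = copy.deepcopy(pod)
    pod["spec"].setdefault("initContainers", []).append({"name": "istio-init"})
    pod["spec"]["containers"].append({"name": "istio-proxy"})
    return pod


def admit(pod, psp, sidecar):
    """Full admission chain: PSP mutate -> (injector webhook) -> PSP validate."""
    pod = psp_mutate(pod, psp)
    if sidecar:
        pod = inject_sidecar(pod)
    return psp_validate(pod, psp)


# Constructed inputs: a one-container app pod and policies shaped like the ones in the thread.
APP_POD = {"metadata": {"name": "encryption", "annotations": {}},
           "spec": {"containers": [{"name": "app"}]}}
PSP_WITH_DEFAULTS = {"metadata": {"name": "restrictive-psp", "annotations": {
    APPARMOR_ALLOWED: "runtime/default", APPARMOR_DEFAULT: "runtime/default",
    SECCOMP_ALLOWED: "docker/default", SECCOMP_DEFAULT: "docker/default"}}}
PSP_SECCOMP_ANY = {"metadata": {"name": "restrictive-psp", "annotations": {
    SECCOMP_ALLOWED: "*"}}}
PSP_SECCOMP_NO_DEFAULT = {"metadata": {"name": "restrictive-psp", "annotations": {
    SECCOMP_ALLOWED: "docker/default"}}}

if __name__ == "__main__":
    cases = [("no sidecar, defaults set", PSP_WITH_DEFAULTS, False),
             ("sidecar, defaults set", PSP_WITH_DEFAULTS, True),
             ("sidecar, seccomp allowedProfileNames '*'", PSP_SECCOMP_ANY, True),
             ("no sidecar, seccomp allowed but no default", PSP_SECCOMP_NO_DEFAULT, False)]
    for label, psp, sidecar in cases:
        errs = admit(APP_POD, psp, sidecar)
        print(f"{label}: {'admitted' if not errs else 'forbidden: ' + '; '.join(errs)}")
```

Running it shows the three situations from the thread side by side: the plain pod passes the policy with defaults, the sidecar-injected pod fails it because istio-init and istio-proxy have no AppArmor annotation and the plugin cannot add one during validation, and the sidecar-injected pod passes once the only remaining annotation is allowedProfileNames '*'. The fourth case shows what "allowing" a seccomp profile does on its own: a non-wildcard allowed list with no default forbids pods that do not declare a profile, sidecar or not. The trade-off is that '*' no longer constrains which seccomp profile a pod may request; a tighter alternative to try is keeping the seccomp default (pod-level, so inherited by injected containers) and dropping only the per-container AppArmor default.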