hello,
I am using Google Cloud managed istio. It is offering 1.0.3 right now and 1.1.1 will be there in about a month. My issue is version agnostic though.
I have the following PSP enabled in my istio-enabled cluster:
    apiVersion: v1
    items:
    - apiVersion: extensions/v1beta1
      kind: PodSecurityPolicy
      metadata:
        annotations:
          apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
          apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
          seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
          seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
        name: restrictive-psp
        namespace: ""
      spec:
        allowPrivilegeEscalation: true
        allowedCapabilities:
        - '*'
        fsGroup:
          rule: RunAsAny
        hostPorts:
        - max: 8000
          min: 0
        privileged: true
        runAsUser:
          rule: RunAsAny
        seLinux:
          rule: RunAsAny
        supplementalGroups:
          rule: RunAsAny
        volumes:
        - configMap
        - secret
        - emptyDir
        - nfs
        - persistentVolumeClaim
        - hostPath
    kind: List
    metadata:
      resourceVersion: ""
      selfLink: ""
Corresponding clusterRole:
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: restrictive-role
    rules:
    - apiGroups:
      - extensions
      resources:
      - podsecuritypolicies
      resourceNames:
      - restrictive-psp
      verbs:
      - use
clusterRoleBinding:
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: restrict-rolebind
    subjects:
    - kind: Group
      name: system:serviceaccounts
      namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: restrictive-role
      apiGroup: rbac.authorization.k8s.io
Still I am getting the following error:
Error creating: pods “encryption-9-87649bf5d-q8dbk” is forbidden: unable to validate against any pod security policy:
Pods without sidecar are coming up fine.
UPDATE:
I checked the required steps HERE:
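As an added example (not part of the question above and not Kubernetes' own admission code), the following simplified checker evaluates a pod spec against the four PodSecurityPolicy fields most often involved when a sidecar-injected pod is rejected: allowed volume types, hostPort ranges, privileged containers and added capabilities. The `RESTRICTIVE_PSP` dictionary copies only those fields from the `restrictive-psp` spec in the question; the pod specs are constructed for illustration (an init container that adds NET_ADMIN, which is what Istio's `istio-init` container needs for its iptables setup, plus a secret and an emptyDir volume), not the exact spec the injector produces.

```python
# Added example: a simplified PSP rule checker for volumes, hostPorts,
# privileged and allowedCapabilities. Not Kubernetes' admission code.
from typing import Any, Dict, List

# Constructed from the restrictive-psp spec in the question; only the
# fields this checker evaluates are copied here.
RESTRICTIVE_PSP: Dict[str, Any] = {
    "privileged": True,
    "allowedCapabilities": ["*"],
    "hostPorts": [{"min": 0, "max": 8000}],
    "volumes": ["configMap", "secret", "emptyDir", "nfs",
                "persistentVolumeClaim", "hostPath"],
}


def violations(pod_spec: Dict[str, Any], psp: Dict[str, Any]) -> List[str]:
    """Return the rule violations found; an empty list means the pod passes
    these four PSP rules (other PSP fields are not evaluated)."""
    problems: List[str] = []

    # Volumes: each volume's source type must be in the allow list
    # ('*' allows every type).
    allowed_vols = set(psp.get("volumes", []))
    for vol in pod_spec.get("volumes", []):
        for source in (k for k in vol if k != "name"):
            if "*" not in allowed_vols and source not in allowed_vols:
                problems.append(
                    f"volume {vol['name']!r}: type {source!r} not allowed")

    # Init containers are validated the same way as regular containers;
    # an injected pod asks for NET_ADMIN in its init container.
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    allowed_caps = set(psp.get("allowedCapabilities", []))
    port_ranges = psp.get("hostPorts", [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp.get("privileged", False):
            problems.append(f"container {name!r}: privileged not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in allowed_caps and cap not in allowed_caps:
                problems.append(
                    f"container {name!r}: capability {cap!r} not allowed")
        for port in c.get("ports", []):
            host_port = port.get("hostPort")
            if host_port is None:
                continue
            if not any(r["min"] <= host_port <= r["max"] for r in port_ranges):
                problems.append(
                    f"container {name!r}: hostPort {host_port} outside allowed ranges")
    return problems


# Constructed pod resembling a sidecar-injected pod: init container adding
# NET_ADMIN, a secret volume and an emptyDir volume. Illustrative only.
SIDECAR_POD: Dict[str, Any] = {
    "initContainers": [{
        "name": "istio-init",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }],
    "containers": [
        {"name": "app", "ports": [{"containerPort": 8080}]},
        {"name": "istio-proxy"},
    ],
    "volumes": [
        {"name": "istio-certs", "secret": {"secretName": "example-secret"}},
        {"name": "istio-envoy", "emptyDir": {}},
    ],
}

# Constructed failure case: same pod, but it mounts a volume type the PSP
# does not list and binds a hostPort above the PSP's 0-8000 range.
HOSTPORT_POD: Dict[str, Any] = {
    **SIDECAR_POD,
    "containers": [
        {"name": "app", "ports": [{"containerPort": 8080, "hostPort": 9000}]},
        {"name": "istio-proxy"},
    ],
    "volumes": SIDECAR_POD["volumes"] + [
        {"name": "pod-info", "downwardAPI": {"items": []}},
    ],
}

if __name__ == "__main__":
    for label, pod in (("sidecar pod", SIDECAR_POD), ("hostPort pod", HOSTPORT_POD)):
        found = violations(pod, RESTRICTIVE_PSP)
        print(f"{label}: {'OK' if not found else found}")
```

Running the block shows the constructed sidecar pod passing every evaluated rule of `restrictive-psp` (it permits privileged containers, any capability and the secret and emptyDir volume types), while the second pod is rejected for the unlisted volume type and the out-of-range hostPort. When the real admission controller rejects a pod for a field mismatch, it lists the failing fields per policy after the colon in the "unable to validate against any pod security policy" message; when that list is empty, the creating user or service account was not authorized to `use` any PSP at all, which points at the RBAC binding rather than the policy fields.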