
    OpenShift

    OpenShift 4.1 and above use nftables, which is incompatible with the Istio proxy-init container. Make sure to use CNI instead.

    Follow these instructions to prepare an OpenShift cluster for Istio.

    By default, OpenShift doesn’t allow containers running with user ID 0. You must enable containers running with UID 0 for Istio’s service accounts by running the command below. Make sure to replace istio-system if you are deploying Istio in another namespace:

    $ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n istio-system

    Now you can install Istio using the CNI instructions.

    After installation is complete, expose an OpenShift route for the ingress gateway.

    $ oc -n istio-system expose svc/istio-ingressgateway --port=80

    Automatic sidecar injection

    This setup is not necessary if you are running OpenShift 4.1 or higher. If this is the case, skip to the next section.

    Webhook and certificate signing requests support must be enabled for automatic injection to work. Modify the master configuration file on the master node for the cluster as follows.

    By default, the master configuration file can be found in /etc/origin/master/master-config.yaml.

    In the same directory as the master configuration file, create a file named master-config.patch with the following contents:

    admissionConfig:
      pluginConfig:
        MutatingAdmissionWebhook:
          configuration:
            apiVersion: apiserver.config.k8s.io/v1alpha1
            kubeConfigFile: /dev/null
            kind: WebhookAdmission
        ValidatingAdmissionWebhook:
          configuration:
            apiVersion: apiserver.config.k8s.io/v1alpha1
            kubeConfigFile: /dev/null
            kind: WebhookAdmission

    In the same directory, execute:

    $ cp -p master-config.yaml master-config.yaml.prepatch
    $ oc ex config patch master-config.yaml.prepatch -p "$(cat master-config.patch)" > master-config.yaml
    $ master-restart api
    $ master-restart controllers

    Privileged security context constraints for application sidecars

    The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace <target-namespace> with the appropriate namespace.

    $ oc adm policy add-scc-to-group privileged system:serviceaccounts -n <target-namespace>
    $ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n <target-namespace>

    When removing your application, remove the permissions as follows.

    $ oc adm policy remove-scc-from-group privileged system:serviceaccounts -n <target-namespace>
    $ oc adm policy remove-scc-from-group anyuid system:serviceaccounts -n <target-namespace>
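    The privileged and anyuid grants above outlive the application unless they are removed, so it is worth auditing which namespaces still hold them. The following Python snippet is an added example, not part of the Istio documentation: it parses the JSON that `oc get scc -o json` prints, lists the namespaces whose system:serviceaccounts:<namespace> group is bound to an elevated SCC, compares that against the set an operator intends (istio-system needs only anyuid), and builds the remove-scc-from-group commands from this page for anything left over. It assumes grants are recorded in each SCC's `groups` field, as shown by `oc describe scc`; on clusters that record them as RBAC role bindings instead, this audit would miss those. The SCC list, the bookinfo namespace and the expected-grants map are constructed sample data.

```python
import json

# Constructed stand-in for `oc get scc -o json` output; not real cluster data.
SAMPLE_SCC_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "anyuid"},
         "groups": ["system:cluster-admins",
                    "system:serviceaccounts:istio-system",
                    "system:serviceaccounts:bookinfo"]},
        {"metadata": {"name": "privileged"},
         "groups": ["system:cluster-admins", "system:masters",
                    "system:serviceaccounts:bookinfo"]},
        {"metadata": {"name": "restricted"},
         "groups": ["system:authenticated"]},
    ]
})

# The two SCCs this page grants to application and istio-system namespaces.
ELEVATED_SCCS = {"anyuid", "privileged"}
# `oc adm policy add-scc-to-group ... system:serviceaccounts -n NS` targets this group.
GROUP_PREFIX = "system:serviceaccounts:"


def namespace_scc_grants(scc_list_json):
    """Map namespace -> set of elevated SCCs bound to its serviceaccounts group."""
    grants = {}
    for scc in json.loads(scc_list_json).get("items", []):
        name = scc["metadata"]["name"]
        if name not in ELEVATED_SCCS:
            continue
        for group in scc.get("groups") or []:
            if group.startswith(GROUP_PREFIX):
                grants.setdefault(group[len(GROUP_PREFIX):], set()).add(name)
    return grants


def stale_grants(scc_list_json, expected):
    """Return grants not covered by `expected` (namespace -> intended SCC set)."""
    stale = {}
    for ns, sccs in namespace_scc_grants(scc_list_json).items():
        extra = sccs - expected.get(ns, set())
        if extra:
            stale[ns] = extra
    return stale


def remove_commands(stale):
    """Build the removal commands from this page for each stale grant."""
    return [f"oc adm policy remove-scc-from-group {scc} system:serviceaccounts -n {ns}"
            for ns, sccs in sorted(stale.items()) for scc in sorted(sccs)]
```

Run it against live output with `oc get scc -o json | python3 -c '...'` and feed the result to remove_commands; with the sample data and an expected map of only istio-system needing anyuid, it reports bookinfo as holding both anyuid and privileged.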