SUSE/scf

Lack of permission definitions for Istio automatic sidecar injection

zhanggbj opened this issue · 3 comments

If you try Istio automatic sidecar injection following the instructions here -> https://istio.io/docs/setup/kubernetes/sidecar-injection/, after the restart the pod cannot be created; there will be an error like the one below:

$ kubectl get events
2m32s       Warning   FailedCreate              ReplicaSet   (combined from similar events): Error creating: pods "sleep-68648fd5b5-w5vh8" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": capability may not be added spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed]

Istio needs to inject a sidecar into the original deployment, and the sidecar requires extra permissions to run a privileged container and add the Linux capability NET_ADMIN.
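For reference, the shape of a PodSecurityPolicy and RBAC binding that would admit exactly the three settings the event above rejects (a privileged init container, the added NET_ADMIN capability, and allowPrivilegeEscalation on the proxy container). This is an added example, not code from the SUSE/scf project or from Istio; the object names istio-sidecar-psp and istio-sidecar-psp-user, the namespace default and the ServiceAccount default are assumptions and must be replaced with the ServiceAccount the injected Deployment actually runs as.

```yaml
# Added example, not part of SUSE/scf or Istio. Names, namespace and
# ServiceAccount below are assumptions for illustration.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: istio-sidecar-psp
spec:
  # spec.initContainers[0].securityContext.privileged: true
  privileged: true
  # spec.initContainers[0].securityContext.capabilities.add: NET_ADMIN
  allowedCapabilities:
    - NET_ADMIN
  # spec.containers[0].securityContext.allowPrivilegeEscalation: true
  allowPrivilegeEscalation: true
  # Nothing beyond the three rejected settings is opened up: no host
  # namespaces, no hostPath volumes.
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - secret
    - projected
    - downwardAPI
    - persistentVolumeClaim
---
# Allow the "use" verb on that one policy only (resourceNames pins it).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-psp-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["istio-sidecar-psp"]
    verbs: ["use"]
---
# Bind it to the workload's ServiceAccount in its own namespace. A
# RoleBinding rather than a ClusterRoleBinding keeps the grant scoped to
# this namespace instead of letting every pod in the cluster go privileged.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-sidecar-psp-user
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar-psp-user
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
```

Two caveats a practitioner should keep in mind. First, privileged plus NET_ADMIN is effectively root on the node's network stack for that pod, so the binding should target only the ServiceAccounts of injected workloads, never a cluster-wide group such as system:serviceaccounts. Second, PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the same decision is made by Pod Security Admission or an external admission controller, and the same three settings are what would need to be permitted there.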

This issue still exists, and @f0rmiga is helping with the investigation. Thanks.
Debugging details:
#2082 (comment)

Closing due to inactivity.