Istio CNI
By default, Istio injects sidecar proxies into application pods in order to handle the traffic for the pod. These sidecars need to be privileged containers because they manipulate iptables rules in the pod network namespace in order to intercept the traffic coming in and out of the pod.
From a security standpoint this is not desirable, as it effectively grants the application pods the ability to run with such privileges. The alternative Istio provides is a CNI plugin that performs the pod network namespace modifications at pod creation time, so that the pods themselves no longer need them.
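A quick way to confirm that the CNI plugin has actually removed the privilege requirement is to audit the injected pod manifests for containers that run privileged or add the NET_ADMIN / NET_RAW capabilities. The following is an added example, not code from the page or from Tetrate; the two pod manifests are constructed, and the init container names (istio-init, istio-validation) are assumed to match what injection produces with and without CNI.

```python
# Added example, not from the original page: audit a pod manifest for the
# network privileges described above. Sample manifests are constructed.
NETWORK_CAPS = {"NET_ADMIN", "NET_RAW"}


def privileged_containers(pod):
    """Return [(container, reason), ...] for every container or init container
    in a pod manifest that runs privileged or adds NET_ADMIN / NET_RAW."""
    spec = pod.get("spec", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged=true"))
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added & NETWORK_CAPS):
            findings.append((c["name"], "cap " + cap))
    return findings


# Constructed sample: sidecar injection without Istio CNI adds an istio-init
# container that rewrites iptables and therefore needs NET_ADMIN and NET_RAW.
POD_WITHOUT_CNI = {
    "metadata": {"name": "app-without-cni"},
    "spec": {
        "initContainers": [{
            "name": "istio-init",
            "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
        }],
        "containers": [
            {"name": "app"},
            {"name": "istio-proxy", "securityContext": {"runAsNonRoot": True}},
        ],
    },
}

# Constructed sample: with Istio CNI the iptables rules are installed by the
# CNI plugin at pod creation, so the pod's own containers need no extra caps.
POD_WITH_CNI = {
    "metadata": {"name": "app-with-cni"},
    "spec": {
        "initContainers": [{"name": "istio-validation",
                            "securityContext": {"runAsNonRoot": True}}],
        "containers": [
            {"name": "app"},
            {"name": "istio-proxy", "securityContext": {"runAsNonRoot": True}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (POD_WITHOUT_CNI, POD_WITH_CNI):
        print(pod["metadata"]["name"], privileged_containers(pod) or "clean")
```

Run it against `kubectl get pod <name> -o json` output to check real pods after enabling CNI.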
Enable Istio CNI in control plane
In order to enable the Istio CNI in your control plane, you will need to edit the ControlPlane custom resource to include the CNI configuration.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: controlplane
  namespace: istio-system
spec:
  components:
    istio:
      kubeSpec:
        CNI:
          chained: true
          binaryDirectory: /opt/cni/bin
          configurationDirectory: /etc/cni/net.d
      traceSamplingRate: 100
  hub: ${HUB}
  managementPlane:
    clusterName: cni-cluster
    environment: my-env
    host: ${TSBIP}
    port: ${TSBPORT}
    tenant: tenant
  telemetryStore:
    elastic:
      host: ${TSBIP}
      port: ${TSBPORT}
      protocol: https
```
The snippet above shows the default ControlPlane CR with the addition of spec.components.istio.kubeSpec.CNI. The configuration values (binary and configuration directories, and whether the plugin is chained) depend on the Kubernetes distribution you use; please refer to the Istio documentation for more information.
OpenShift
OpenShift 4.1 and newer use nftables instead of iptables, so the use of the CNI plugin becomes mandatory. A reference ControlPlane CR for enabling CNI in OpenShift is shown below.
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: controlplane
  namespace: istio-system
spec:
  components:
    istio:
      kubeSpec:
        CNI:
          binaryDirectory: /var/lib/cni/bin
          chained: false
          configurationDirectory: /etc/cni/multus/net.d
          configurationFileName: istio-cni.conf
        overlays:
        - apiVersion: install.istio.io/v1alpha1
          kind: IstioOperator
          name: tsb-istiocontrolplane
          patches:
          - path: spec.values.cni.chained
            value: false
          - path: spec.values.sidecarInjectorWebhook
            value:
              injectedAnnotations:
                k8s.v1.cni.cncf.io/networks: istio-cni
      traceSamplingRate: 100
  hub: ${HUB}
  managementPlane:
    clusterName: cni-cluster
    environment: my-env
    host: ${TSBIP}
    port: ${TSBPORT}
    tenant: tenant
  telemetryStore:
    elastic:
      host: ${TSBIP}
      port: ${TSBPORT}
      protocol: https
```
Besides enabling CNI, OpenShift requires some additional configuration in your application namespace, such as creating a NetworkAttachmentDefinition (the istio-cni network referenced by the injected k8s.v1.cni.cncf.io/networks annotation above). Please refer to the Istio OpenShift documentation for additional information.