Removed istio psp block on binding lib modules for iptables

As far as I can tell, this has been fixed in upstream;
if anyone reports otherwise in the future we can revert.
Also I fixed the code block layout.
This commit is contained in:
Caleb Bron
2020-03-12 08:49:20 -07:00
parent ba9b14dcac
commit 36a4175090
@@ -8,34 +8,18 @@ If you have restrictive Pod Security Policies enabled, then Istio may not be abl
The Istio CNI plugin removes the need for each application pod to have a privileged `NET_ADMIN` container. For further information, see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/).
- 1. [Allow access to iptables.](#1-allow-access-to-iptables)
- 2. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install)
- 3. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project)
- 4. [Install Istio.](#4-install-istio)
- 1. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install)
- 2. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project)
- 3. [Install Istio.](#4-install-istio)
### 1. Allow access to iptables
Configure the cluster to allow the CNI plugin to set networking rules via iptables modules:
1. From the **Global** view, navigate to the cluster where you want to enable Istio.
1. Select the **Ellipsis (...) > Edit**.
1. Click "Edit as YAML", find the services block, and edit to include:
```
services:
kubelet:
extra_binds:
- '/lib/modules:/lib/modules'
```
### 2. Configure the System Project Policy to allow Istio install
### 1. Configure the System Project Policy to allow Istio install
1. From the main menu of the **Dashboard**, select **Projects/Namespaces**.
1. Find the **Project: System** project and select the **Ellipsis (...) > Edit**.
1. Change the Pod Security Policy option to be unrestricted, then click Save.
### 3. Install the CNI Plugin in the System Project
### 2. Install the CNI Plugin in the System Project
1. From the main menu of the **Dashboard**, select **Projects/Namespaces**.
1. Select the **Project: System** project.
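Review bot: In the renumbered table of contents, the link targets still carry the old heading numbers (`#2-configure-the-system-project-policy-to-allow-istio-install`, `#3-install-the-cni-plugin-in-the-system-project`, `#4-install-istio`), while the headings in this hunk are now `### 1.` and `### 2.`, and the last one becomes `### 3.` further down. If the anchors are generated from the heading text, all three links stop resolving; change the prefixes to `#1-`, `#2-` and `#3-` to match. Separately, the `/lib/modules` `extra_binds` step is dropped on the basis of "as far as I can tell this has been fixed in upstream"; a one-line note saying from which version the bind is no longer needed would tell readers on older clusters whether the removed step still applies to them.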
@@ -47,7 +31,8 @@ services:
1. From the main menu select **Apps**
1. Click Launch and select istio-cni
1. Update the namespace to be "kube-system"
1. In the answers section, click "Edit as YAML", and paste in the following:
1. In the answers section, click "Edit as YAML" and paste in the following, then click launch:
```
---
logLevel: "info"
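Review bot: The merged step ends with "then click launch", lowercase and unquoted, while two steps earlier the same button is written "Click Launch" and this very line quotes "Edit as YAML". Pick one style for UI labels and capitalise the button name, for example `paste in the following, then click **Launch**:`. Since the commit also touches the code block layout, the fence that opens the answers could be tagged `yaml` so the block is highlighted consistently.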
@@ -55,9 +40,8 @@ services:
- "istio-system"
- "kube-system"
```
1. Click Launch
### 4. Install Istio
### 3. Install Istio
Follow the [primary instructions]({{<baseurl>}}/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/), adding a custom answer: `istio_cni.enabled: true`.