From 36a41750909576b8286a34a5d3fbcbe801b9190e Mon Sep 17 00:00:00 2001 From: Caleb Bron Date: Thu, 12 Mar 2020 08:49:20 -0700 Subject: [PATCH] Removed istio psp block on binding lib modules for iptables As far as I can tell this has been fixed in upstream, if anyone reports otherwise in the future we can revert. Also I fixed the code block layout. --- .../enable-istio-with-psp/_index.md | 32 +++++-------------- 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md index 6cd21ae4475..07b3f104f5a 100644 --- a/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/enable-istio-with-psp/_index.md 
@@ -8,34 +8,18 @@ If you have restrictive Pod Security Policies enabled, then Istio may not be abl The Istio CNI plugin removes the need for each application pod to have a privileged `NET_ADMIN` container. For further information, see the [Istio CNI Plugin docs](https://istio.io/docs/setup/additional-setup/cni). Please note that the [Istio CNI Plugin is in alpha](https://istio.io/about/feature-stages/). -- 1. [Allow access to iptables.](#1-allow-access-to-iptables) -- 2. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install) -- 3. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project) -- 4. [Install Istio.](#4-install-istio) +- 1. [Configure the System Project Policy to allow Istio install.](#2-configure-the-system-project-policy-to-allow-istio-install) +- 2. [Install the CNI plugin in the System project.](#3-install-the-cni-plugin-in-the-system-project) +- 3. [Install Istio.](#4-install-istio) -### 1. Allow access to iptables - -Configure the cluster to allow the CNI plugin to set networking rules via iptables modules: - -1. From the **Global** view, navigate to the cluster where you want to enable Istio. -1. Select the **Ellipsis (...) > Edit**. -1. Click "Edit as YAML", find the services block, and edit to include: - -``` -services: - kubelet: - extra_binds: - - '/lib/modules:/lib/modules' -``` - -### 2. Configure the System Project Policy to allow Istio install +### 1. Configure the System Project Policy to allow Istio install 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. 1. Find the **Project: System** project and select the **Ellipsis (...) > Edit**. 1. Change the Pod Security Policy option to be unrestricted, then click Save. -### 3. Install the CNI Plugin in the System Project +### 2. Install the CNI Plugin in the System Project 1. From the main menu of the **Dashboard**, select **Projects/Namespaces**. 1. 
Select the **Project: System** project. @@ -47,7 +31,8 @@ services: 1. From the main menu select **Apps** 1. Click Launch and select istio-cni 1. Update the namespace to be "kube-system" -1. In the answers section, click "Edit as YAML", and paste in the following: +1. In the answers section, click "Edit as YAML" and paste in the following, then click launch: + ``` --- logLevel: "info" @@ -55,9 +40,8 @@ services: - "istio-system" - "kube-system" ``` -1. Click Launch -### 4. Install Istio +### 3. Install Istio Follow the [primary instructions]({{}}/rancher/v2.x/en/cluster-admin/tools/istio/setup/enable-istio-in-cluster/), adding a custom answer: `istio_cni.enabled: true`.
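Review bot: In the first hunk (`@@ -8,34 +8,18 @@`), the renumbered list entries still link to the old anchors (`#2-configure-the-system-project-policy-to-allow-istio-install`, `#3-install-the-cni-plugin-in-the-system-project`, `#4-install-istio`), while the headings they target are renamed to `### 1. Configure ...`, `### 2. Install the CNI Plugin ...` and, in the next hunk, `### 3. Install Istio`. If the site derives heading anchors from the heading text, all three in-page links will stop resolving; update the fragments to `#1-...`, `#2-...` and `#3-...` so they match the new headings. Separately, the commit message justifies dropping the `/lib/modules:/lib/modules` kubelet bind with "As far as I can tell this has been fixed in upstream" and no reference. Please cite the upstream change or the version in which it landed, so that a reader on an older release knows whether the `extra_binds` step still applies to them.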
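Review bot: In the second hunk (`@@ -47,7 +31,8 @@`), folding the removed `1. Click Launch` step into `... paste in the following, then click launch:` tells the reader to launch before the YAML they need to paste has been shown, and it lowercases a UI label that the earlier step writes as `Click Launch`. Consider keeping the launch action as its own step after the closing fence, or at least writing it as "Launch" to match the button name. The commit message says the code block layout was fixed, and the hunk adds a blank line before the opening fence. Please confirm in a rendered preview that the fence is still treated as part of the list item, so that the block does not break out of the numbered list.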