From d6f9fdbbe2c0fdf32ddf6f30dc3feecac87e3deb Mon Sep 17 00:00:00 2001 From: "Juan J. Jimenez-Anca" Date: Sat, 10 Oct 2020 12:24:27 +0100 Subject: [PATCH] Update Istio docs for Network Isolation In clusters with namespace Network Isolation enabled, the default installation of Istio needs further tweaking for it to work --- .../setup/enable-istio-in-cluster/_index.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.x/en/istio/setup/enable-istio-in-cluster/_index.md b/content/rancher/v2.x/en/istio/setup/enable-istio-in-cluster/_index.md index 06fc840f7d0..59df49bae16 100644 --- a/content/rancher/v2.x/en/istio/setup/enable-istio-in-cluster/_index.md +++ b/content/rancher/v2.x/en/istio/setup/enable-istio-in-cluster/_index.md 
@@ -22,6 +22,22 @@ Only a user with the following [Kubernetes default roles](https://kubernetes.io/ Automatic sidecar injection is disabled by default. To enable this, set the `sidecarInjectorWebhook.enableNamespacesByDefault=true` in the values.yaml on install or upgrade. This automatically enables Istio sidecar injection into all new namespaces that are deployed. +>**Note:** In clusters where: +> +> - The [Canal network plug-in]({{}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#canal) is in use. +> - The Project Network Isolation option is enabled. +> - You install the Istio Ingress module +> +>The Istio Ingress Gateway pod won't be able to redirect ingress traffic to the workloads by default. This is because all the namespaces will be innacessible from the namespace where Istio is installed. You have two options: +> 1. You add a new Network Policy in each of the namespaces where you intend to have ingress controlled by Istio. Your policy should include the following lines: +> ``` +> ... +> - podSelector: +> matchLabels: +> app: istio-ingressgateway +>``` +> 2. You move the `ingress-system` namespace to the `system` project, which by default is excluded from the network isolation + ## Additonal Config Options ### Overlay File @@ -147,4 +163,4 @@ This enables monitoring accross namespaces by giving prometheus additional scrap - source_labels: [__meta_kubernetes_pod_name] action: replace target_label: pod_name -``` \ No newline at end of file +```
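Review bot: the NetworkPolicy fragment in the new note will not admit the gateway as written, because a `from` entry that contains only `- podSelector:` matches pods in the policy's own namespace, while the note itself says the Istio Ingress Gateway pod runs in the namespace where Istio is installed. The entry needs a `namespaceSelector` combined with the `podSelector` in the same list item (one `-` element carrying both selectors, not two separate elements), and the snippet should show the enclosing `ingress:` / `from:` keys so readers know where those lines belong in the policy. Smaller points in the same hunk: the note says the gateway sits in the namespace where Istio is installed, but option 2 names `ingress-system`, so the namespace should be named consistently; `innacessible` should read `inaccessible`; the closing fence `>```` lacks the space that the opening `> ``` ` has; the `> 1.` and `> 2.` items follow the paragraph with no blank line, which may render as run-on text inside the blockquote; and the trailing context heading `## Additonal Config Options` carries a pre-existing typo (`Additional`) that could be fixed while this file is being edited.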
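Review bot: the second hunk only restores the missing newline at end of file, which is fine as is; the context line `This enables monitoring accross namespaces` has a pre-existing typo (`across`) that could be corrected in the same commit.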