
I am running AWS EKS 1.16 with Istio Service Mesh 1.8.6. I have applied a Pod Security Policy where I am denying Privileged Containers, Running as Root and Privilege Escalation and am allowing NET_RAW and NET_ADMIN capabilities as Istio init containers need them.

But Istio_init containers run as root (UID 0) and thus fail validating against PSP. I tried changing the UID of the init containers within the Istio configmap for sidecar-injector but the istio-init container fails stating it could not get iptables.

So I am assuming istio_init definitely needs to run as root?

How can I make Istio_init containers run as non-root?

I tried enabling Istio CNI but that messes up my EKS implementation. The worker nodes immediately get marked as unhealthy so I had to disable Istio CNI and install AWS VPC CNI.

Any suggestions/direction would be greatly appreciated.

YYashwanth
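The policy the question describes, written out as an added example (this is not the asker's own manifest; the policy name is an assumption and the volume list is a typical one for sidecar-injected pods). It denies privileged containers, privilege escalation and running as root, and allows only the NET_ADMIN and NET_RAW capabilities that the istio-init container adds. The `runAsUser` rule is the one that rejects istio-init, because that container runs as UID 0 to program iptables:

```yaml
apiVersion: policy/v1beta1          # PSP API group available on Kubernetes 1.16
kind: PodSecurityPolicy
metadata:
  name: restricted-istio-example    # name is an assumption
spec:
  privileged: false                 # deny privileged containers
  allowPrivilegeEscalation: false   # deny privilege escalation
  allowedCapabilities:              # only what istio-init needs for iptables
    - NET_ADMIN
    - NET_RAW
  runAsUser:
    rule: MustRunAsNonRoot          # istio-init (UID 0) fails validation here
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:                          # typical volumes for sidecar-injected pods
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
```

Binding this PSP to the workload's service account reproduces the failure in the question: the sidecar-injected pod is admitted only if every container, including istio-init, satisfies `MustRunAsNonRoot`, and changing the UID in the injector configmap makes istio-init unable to set up iptables instead.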

1 Answer


How are you installing istio? With the IstioOperator, you can set the values.global.proxy.privileged=false to have non-privileged sidecars/init containers. Concerning running with a non-root user, I'm not sure it's possible for the istio-init container: https://github.com/istio/istio/issues/23705 (unless you try out that istio CNI plugin, as already suggested).

Mark
  • Hey @Mark, I am not concerned about privileged container as I have disabled it. The issue is with the container running as root user (uid - 0). Not sure how I can disable that. I am installing Istio using istioctl and have exported the istio-sidecar-injector configmap from the istio-system namespace and edited that to test the security settings. – YYashwanth May 24 '21 at 07:44
  • I'm afraid that with that setup it is not possible to use a non-root user (as already suggested by other people) – Mark May 24 '21 at 09:07
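The setting named in the answer, as an added IstioOperator example (not the answerer's or the Istio project's manifest; the resource name is an assumption). `values.global.proxy.privileged: false` keeps the sidecar and istio-init containers non-privileged, which satisfies the `privileged: false` part of the PSP; it does not change the user ID, so istio-init still runs as UID 0. The commented `cni` component is the alternative the answer points to, since it moves the iptables work out of the pod's init container:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: example-non-privileged   # name is an assumption
  namespace: istio-system
spec:
  profile: default
  values:
    global:
      proxy:
        privileged: false        # non-privileged sidecar and init containers
  # Alternative from the answer: Istio CNI replaces the root istio-init step.
  # The asker reports this breaks node health on their EKS cluster, so it is
  # left disabled here.
  # components:
  #   cni:
  #     enabled: true
```

Apply it with `istioctl install -f <file>`; the same value can be passed on the command line as `istioctl install --set values.global.proxy.privileged=false` for an istioctl-based installation like the one in the question.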