Pods and Services
Service association: A pod must belong to at least one Kubernetes service, even if the pod does NOT expose any port. If a pod belongs to multiple Kubernetes services, the services cannot use the same port number for different protocols, for instance HTTP and TCP.
Deployments with app and version labels: We recommend adding an explicit `app` label and `version` label to deployments. Add the labels to the deployment specification of pods deployed using the Kubernetes Deployment. The `app` and `version` labels add contextual information to the metrics and telemetry Istio collects.
The `app` label: Each deployment specification should have a distinct `app` label with a meaningful value. The label is used to add contextual information in distributed tracing.
Application UIDs: Ensure your pods do not run applications as a user with the user ID (UID) value of 1337.
`NET_ADMIN` capability: If your cluster enforces pod security policies, pods must allow the `NET_ADMIN` capability. If you use the Istio CNI plugin, this requirement no longer applies. To learn more about the `NET_ADMIN` capability, see Required pod capabilities, below.
Required pod capabilities
If pod security policies are enforced in your cluster, and unless you use the Istio CNI plugin, your pods must have the `NET_ADMIN` capability allowed. The initialization containers of the Envoy proxies require this capability.
To check if the capability is allowed for your pods, you need to check if their service account can use a pod security policy that allows the `NET_ADMIN` capability. If you haven't specified a service account in your pods' deployment, the pods run using the `default` service account in their deployment's namespace.
To list the capabilities for a service account, replace `<your namespace>` and `<your service account>` with your values in the `--as=system:serviceaccount:<your namespace>:<your service account>` argument of the following command. For example, to check for the `default` service account in the `default` namespace, run:

```
$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
```
If you see `NET_ADMIN` or `*` in the list of capabilities of one of the allowed policies for your service account, your pods have permission to run the Istio init containers. Otherwise, you will need to provide the permission.
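As an added example (not from the Istio documentation), the following script applies the pod requirements above to a Deployment manifest offline: it flags missing `app`/`version` labels, a container running as UID 1337, and, unless the Istio CNI plugin is in use, the absence of a usable pod security policy that allows `NET_ADMIN`. Manifests are passed as Python dicts in their JSON form; the function names, the `cni_plugin` flag and the sample manifests are assumptions constructed for this example.

```python
# Added example, not from the Istio docs. Manifests are plain dicts (the JSON
# form of Kubernetes objects); function names and cni_plugin are assumptions.

def psp_allows_net_admin(psp):
    """True if a PodSecurityPolicy allows NET_ADMIN explicitly or via '*'."""
    caps = psp.get("spec", {}).get("allowedCapabilities") or []
    return "*" in caps or "NET_ADMIN" in caps


def check_mesh_requirements(deployment, usable_psps, cni_plugin=False):
    """Return a list of findings; an empty list means the Deployment passes.

    deployment  - a Kubernetes Deployment as a dict
    usable_psps - PodSecurityPolicy dicts the pod's service account may use
    cni_plugin  - True when the Istio CNI plugin removes the NET_ADMIN need
    """
    findings = []
    template = deployment["spec"]["template"]
    labels = template.get("metadata", {}).get("labels", {})
    pod_spec = template["spec"]

    # app and version labels give Istio telemetry and tracing their context
    for key in ("app", "version"):
        if not labels.get(key):
            findings.append(f"missing pod label '{key}'")

    # UID 1337 is the UID the Istio sidecar proxy runs as; app containers
    # must not use it, whether set at pod level or per container
    uids = [pod_spec.get("securityContext", {}).get("runAsUser")]
    for container in pod_spec.get("containers", []):
        uids.append(container.get("securityContext", {}).get("runAsUser"))
    if 1337 in uids:
        findings.append("a container runs as UID 1337")

    # without the CNI plugin some usable PSP must allow NET_ADMIN (or '*')
    if not cni_plugin and not any(psp_allows_net_admin(p) for p in usable_psps):
        findings.append("no usable PodSecurityPolicy allows NET_ADMIN")
    return findings


# Constructed sample input: one label missing, app container on UID 1337,
# and a service account that can only use a PSP with no allowed capabilities.
SAMPLE_DEPLOYMENT = {"spec": {"template": {
    "metadata": {"labels": {"app": "reviews"}},
    "spec": {"containers": [{"name": "reviews", "image": "example/reviews:v1",
                             "securityContext": {"runAsUser": 1337}}]}}}}
RESTRICTED_PSP = {"metadata": {"name": "restricted"},
                  "spec": {"allowedCapabilities": []}}
PRIVILEGED_PSP = {"metadata": {"name": "privileged"},
                  "spec": {"allowedCapabilities": ["*"]}}
```

Feed it the Deployment and the PSPs reported by the `kubectl` loop above; anything it returns is a requirement the pod will fail at sidecar injection or at runtime.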