Pods and Services
Application UIDs: Ensure your pods do not run applications as a user with the user ID (UID) value of 1337.
NET_ADMIN and NET_RAW capabilities: If your cluster enforces pod security policies, they must allow injected pods to add the NET_ADMIN and NET_RAW capabilities. If you use the Istio CNI Plugin, this requirement no longer applies. To learn more about the NET_ADMIN and NET_RAW capabilities, see the pod security policy section below.
Deployments with app and version labels: We recommend adding an explicit app label and version label to deployments. Add the labels to the deployment specification of pods deployed using the Kubernetes Deployment. The app and version labels add contextual information to the metrics and telemetry Istio collects.
The version label: This label indicates the version of the application corresponding to the particular deployment.
Named service ports: Service ports may optionally be named to explicitly specify a protocol. See Protocol Selection for more details.
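The requirements above (no UID 1337, app and version labels, named service ports) can be checked statically before a manifest is applied. The following is an added example, not code from the Istio project: it inspects a Deployment and a Service in the shape of the Kubernetes API objects. The manifests are constructed samples, and the list of protocol prefixes is an assumption that mirrors Istio's port-naming convention of <protocol>[-<suffix>].

```python
# Added example (not Istio project code): a static check of a Deployment and a
# Service against the pod and service requirements listed above. The manifests
# below are constructed samples in the shape of the Kubernetes API objects.
ISTIO_PROXY_UID = 1337  # the UID the page says application containers must not use

# Assumption: protocol prefixes follow Istio's port-naming convention
# <protocol>[-<suffix>], so a name like "http-web" selects HTTP explicitly.
PORT_PROTOCOLS = ("http", "http2", "https", "grpc", "grpc-web", "mongo",
                  "mysql", "redis", "tcp", "tls", "udp")


def port_protocol(name):
    """Return the protocol a port name selects, or None if it selects none."""
    # Longest prefix first so "grpc-web" wins over "grpc" and "http2" over "http".
    for proto in sorted(PORT_PROTOCOLS, key=len, reverse=True):
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def check_deployment(deploy):
    """Return a list of problems: missing app/version labels, or any container
    (including init containers) that resolves to UID 1337."""
    problems = []
    template = deploy.get("spec", {}).get("template", {})
    labels = template.get("metadata", {}).get("labels", {})
    for key in ("app", "version"):
        if key not in labels:
            problems.append(f"pod template has no '{key}' label")
    pod_spec = template.get("spec", {})
    pod_uid = (pod_spec.get("securityContext") or {}).get("runAsUser")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        # A container-level runAsUser overrides the pod-level one.
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
        if uid == ISTIO_PROXY_UID:
            problems.append(f"container '{c.get('name')}' runs as UID {ISTIO_PROXY_UID}")
    return problems


def check_service(svc):
    """Return a list of problems: unnamed ports, or names that select no protocol."""
    problems = []
    for p in svc.get("spec", {}).get("ports", []):
        name = p.get("name")
        if not name:
            problems.append(f"port {p.get('port')} is unnamed, so no protocol is selected")
        elif port_protocol(name) is None:
            problems.append(f"port name '{name}' does not start with a known protocol")
    return problems


# Constructed sample manifests (not taken from a real cluster).
GOOD_DEPLOYMENT = {
    "spec": {"template": {
        "metadata": {"labels": {"app": "reviews", "version": "v1"}},
        "spec": {"securityContext": {"runAsUser": 1000},
                 "containers": [{"name": "reviews"}]}}}}

BAD_DEPLOYMENT = {
    "spec": {"template": {
        "metadata": {"labels": {"app": "reviews"}},  # no version label
        "spec": {"containers": [
            {"name": "reviews", "securityContext": {"runAsUser": 1337}}]}}}}

SAMPLE_SERVICE = {
    "spec": {"ports": [
        {"name": "http-web", "port": 80},
        {"name": "grpc", "port": 9000},
        {"port": 3306},                    # unnamed
        {"name": "web", "port": 8080}]}}   # no protocol prefix

if __name__ == "__main__":
    for label, problems in (("good deployment", check_deployment(GOOD_DEPLOYMENT)),
                            ("bad deployment", check_deployment(BAD_DEPLOYMENT)),
                            ("service", check_service(SAMPLE_SERVICE))):
        print(label, "->", problems or "ok")
```

The UID check walks init containers as well as regular containers, because a pod-level runAsUser is inherited by every container unless overridden, and an init container running as 1337 is as much of a conflict as an application container.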
If pod security policies are enforced in your cluster and unless you use the Istio CNI Plugin, your pods must have the NET_ADMIN and NET_RAW capabilities allowed. The initialization containers of the Envoy proxies require these capabilities.
To check if the NET_ADMIN and NET_RAW capabilities are allowed for your pods, you need to check if their service account can use a pod security policy that allows the NET_ADMIN and NET_RAW capabilities. If you haven't specified a service account in your pods' deployment, the pods run using the default service account in their deployment's namespace.
To list the capabilities for a service account, substitute <your namespace> and <your service account> for the two default values in the --as=system:serviceaccount argument of the command below. For example, to check for the default service account in the default namespace, run the following command:
$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ "$(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default)" = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
If you see NET_ADMIN and NET_RAW, or *, in the list of capabilities of one of the allowed policies for your service account, your pods have permission to run the Istio init containers. Otherwise, you will need to provide the permission.
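The decision the command above leaves to the reader (which of the usable policies actually cover both capabilities, and how a wildcard counts) is spelled out in the following added example. It is not Istio code: it evaluates the same PodSecurityPolicy data that kubectl get psp returns, but from constructed in-memory samples rather than a live cluster, and the set of policies each service account can use is likewise a constructed stand-in for the output of the kubectl auth can-i loop.

```python
# Added example (not Istio project code): decide whether the pod security
# policies a service account may use allow the NET_ADMIN and NET_RAW
# capabilities the Istio init containers need. All data below is constructed.
REQUIRED_CAPS = {"NET_ADMIN", "NET_RAW"}


def psp_allows(psp, required=REQUIRED_CAPS):
    """True if spec.allowedCapabilities covers every required capability.
    A '*' entry means the policy allows all capabilities."""
    allowed = set(psp.get("spec", {}).get("allowedCapabilities") or [])
    return "*" in allowed or required <= allowed


def policies_granting_caps(psps, usable_names, required=REQUIRED_CAPS):
    """Names of the policies the service account can use (as reported by
    `kubectl auth can-i use psp/<name>`) that also satisfy the requirement.
    An empty result means the pods cannot run the Istio init containers."""
    return sorted(p["metadata"]["name"] for p in psps
                  if p["metadata"]["name"] in usable_names
                  and psp_allows(p, required))


# Constructed sample in the shape of `kubectl get psp -o json` items.
SAMPLE_PSPS = [
    {"metadata": {"name": "restricted"},
     "spec": {"allowedCapabilities": []}},
    {"metadata": {"name": "net-admin-only"},
     "spec": {"allowedCapabilities": ["NET_ADMIN"]}},       # NET_RAW missing
    {"metadata": {"name": "istio-init"},
     "spec": {"allowedCapabilities": ["NET_ADMIN", "NET_RAW"]}},
    {"metadata": {"name": "privileged"},
     "spec": {"allowedCapabilities": ["*"]}},               # wildcard
]

# Constructed stand-ins for what the `kubectl auth can-i use psp/...` loop
# would report for two hypothetical service accounts.
USABLE_BY_DEFAULT_SA = {"restricted", "net-admin-only"}
USABLE_BY_ISTIO_SA = {"restricted", "istio-init"}

if __name__ == "__main__":
    for sa, usable in (("default/default", USABLE_BY_DEFAULT_SA),
                       ("default/istio-app", USABLE_BY_ISTIO_SA)):
        ok = policies_granting_caps(SAMPLE_PSPS, usable)
        print(sa, "->", ok if ok else "no usable policy grants NET_ADMIN and NET_RAW")
```

Note that a policy granting only one of the two capabilities does not count: both must come from the same policy, since a pod is admitted under a single PodSecurityPolicy. PodSecurityPolicy itself was removed in Kubernetes 1.25, so on newer clusters the same question is answered by whatever admission mechanism replaced it, not by this check.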