OpenShift

    Follow these instructions to prepare an OpenShift cluster for Istio.

    By default, OpenShift doesn’t allow containers running with user ID 0. You must enable containers running with UID 0 for Istio’s service accounts by running the command below. Make sure to replace istio-system if you are deploying Istio in another namespace:

    Now you can install Istio using the CNI instructions.

      This setup is not necessary if you are running OpenShift 4.1 or higher. If this is the case, skip to the next section.

      Webhook and certificate signing requests support must be enabled for to work. Modify the master configuration file on the master node for the cluster as follows.

      By default, the master configuration file can be found in /etc/origin/master/master-config.yaml.

      In the same directory, execute:

      $ oc ex config patch master-config.yaml.prepatch -p "$(cat master-config.patch)" > master-config.yaml
      $ master-restart api

      The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace <target-namespace> with the appropriate namespace.

      When removing your application, remove the permissions as follows.

      $ oc adm policy remove-scc-from-group privileged system:serviceaccounts:<target-namespace>
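
An added example (not part of the Istio documentation) for checking that the permission removal above took effect: it lists namespaces whose whole service-account group still holds the anyuid or privileged SCC. It assumes the grants are recorded in each SCC's groups list as returned by `oc get scc -o json` (grants recorded as RBAC bindings are not covered); the sample input, the bookinfo namespace and the function names are constructed for illustration.

```python
import json

# SCCs whose grant lets pods run as root (anyuid) or fully privileged.
RISKY_SCCS = {"anyuid", "privileged"}
SA_GROUP_PREFIX = "system:serviceaccounts:"

# Constructed sample shaped like `oc get scc -o json` output (not from a real cluster).
SAMPLE_SCC_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "anyuid"},
         "groups": ["system:cluster-admins", "system:serviceaccounts:istio-system"],
         "users": []},
        {"metadata": {"name": "privileged"},
         "groups": ["system:serviceaccounts:bookinfo"],
         "users": ["system:serviceaccount:openshift-infra:build-controller"]},
        {"metadata": {"name": "restricted"},
         "groups": ["system:authenticated"], "users": []},
    ],
})


def namespace_wide_grants(scc_json):
    """Return sorted (scc, namespace) pairs where every service account
    in a namespace is granted a risky SCC through the SCC's groups list."""
    found = set()
    for scc in json.loads(scc_json).get("items", []):
        name = scc.get("metadata", {}).get("name", "")
        if name not in RISKY_SCCS:
            continue
        for group in scc.get("groups") or []:
            if group.startswith(SA_GROUP_PREFIX):
                namespace = group[len(SA_GROUP_PREFIX):]
                if namespace:
                    found.add((name, namespace))
    return sorted(found)


def leftover_grants(scc_json, removed_namespaces):
    """Grants that still reference namespaces whose applications were removed."""
    removed = set(removed_namespaces)
    return [g for g in namespace_wide_grants(scc_json) if g[1] in removed]


if __name__ == "__main__":
    for scc, ns in namespace_wide_grants(SAMPLE_SCC_LIST):
        print(f"{scc}: all service accounts in namespace {ns}")
    print("leftover:", leftover_grants(SAMPLE_SCC_LIST, ["bookinfo"]))
```

An empty result from leftover_grants for a removed application's namespace means no namespace-wide anyuid or privileged grant remains in the SCC groups lists.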

      When removing your application, remove the NetworkAttachmentDefinition as follows.