Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] Istio addon - Install Istio with the Istio CNI plugin #4184

Open kubebn opened 5 months ago

kubebn commented 5 months ago

Is your feature request related to a problem? Please describe.

https://istio.io/latest/docs/setup/additional-setup/cni/

By default Istio injects an init container, istio-init, in pods deployed in the mesh. The istio-init container sets up the pod network traffic redirection to/from the Istio sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities. Requiring Istio users to have elevated Kubernetes RBAC permissions is problematic for some organizations’ security compliance. The Istio CNI plugin is a replacement for the istio-init container that performs the same networking functionality but without requiring Istio users to enable elevated Kubernetes RBAC permissions. The Istio CNI plugin identifies user application pods with sidecars requiring traffic redirection and sets this up in the Kubernetes pod lifecycle’s network setup phase, thereby removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying pods into the Istio mesh. The Istio CNI plugin replaces the functionality provided by the istio-init container.

Describe the solution you'd like A clear and concise description of what you want to happen.

There should be an option/flag for deploying the Istio addon with CNI enabled - https://learn.microsoft.com/en-us/azure/aks/istio-deploy-addon
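As an added illustration (not part of the original issue, and not code from the AKS or Istio projects), this Python example audits pod manifests for containers that are granted NET_ADMIN or NET_RAW, the capabilities the quoted Istio text says istio-init requires. The function names and the sample pods are constructed for the example.

```python
# Added example: flag containers that are granted the capabilities istio-init relies on.
REDIRECT_CAPS = {"NET_ADMIN", "NET_RAW"}

def risky_containers(pod):
    """Return [(section, container_name, [caps])] for containers granted
    NET_ADMIN/NET_RAW explicitly, via add: ["ALL"], or via privileged: true."""
    findings = []
    spec = pod.get("spec") or {}
    for section in ("initContainers", "containers"):
        for c in spec.get(section) or []:
            sc = c.get("securityContext") or {}
            added = {str(a).upper() for a in (sc.get("capabilities") or {}).get("add") or []}
            if sc.get("privileged") or "ALL" in added:
                hits = sorted(REDIRECT_CAPS)  # both imply every capability
            else:
                hits = sorted(added & REDIRECT_CAPS)
            if hits:
                findings.append((section, c.get("name", "<unnamed>"), hits))
    return findings

def audit(pods):
    """Map pod name -> findings, only for pods with at least one finding."""
    report = {}
    for pod in pods:
        found = risky_containers(pod)
        if found:
            report[pod["metadata"]["name"]] = found
    return report

# Constructed sample manifests (as parsed JSON), not taken from a real cluster.
SAMPLE_PODS = [
    {"metadata": {"name": "web-init-mode"},
     "spec": {"initContainers": [{"name": "istio-init", "securityContext": {
                  "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}}}],
              "containers": [{"name": "app"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "web-cni-mode"},
     "spec": {"containers": [{"name": "app"},
                             {"name": "istio-proxy", "securityContext": {
                                 "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"name": "debug-tool"},
     "spec": {"containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_PODS).items():
        for section, container, caps in found:
            print(f"{name}: {section}/{container} adds {', '.join(caps)}")
```

On a live cluster the same functions can be run over the `items` array from `kubectl get pods -A -o json`.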

shashankbarsin commented 5 months ago

ACK on the ask. We are currently doing our planning for the coming sprints. Will share status and ETA soon after planning.

anumalasri commented 4 months ago

This is a much needed feature, due to elevated capabilities.

dhuesmann89 commented 4 weeks ago

@shashankbarsin You added this to #3806 which in turn has been moved to GA in the roadmap. How is the configuration done in Azure? I cannot find any documentation.

nshankar13 commented 3 weeks ago

@dhuesmann89 this is mentioned in the Istio roadmap - while the Istio add-on is now GA, this specific feature for Istio-CNI is still under development. We will provide an update in the coming weeks once we have a better gauge of timelines.