Chris DeLashmutt cdelashmutt-pivotal

View GitHub Profile
@cdelashmutt-pivotal
cdelashmutt-pivotal / ISTIO 1.4 on PKS with PSPs.md
Last active December 5, 2019 23:41 — forked from svrc/ISTIO 1.4 on PKS with PSPs.md
Installing Istio 1.4 on PKS with restrictive Pod Security Policy

What does this GIST do or not do

  1. Shows you how to use Istio 1.4 on Kubernetes 1.14+ with a modicum of runtime security for your workloads.
  2. Specifically, it installs Istio with CNI support, which allows the use of restrictive PodSecurityPolicies for your workloads (the CNI plugin does the iptables setup, so the sidecar no longer needs an init container with NET_ADMIN).
  3. It is designed for VMware PKS, but doesn't require it. To use it elsewhere, change the CNI bin dir and excluded namespaces in values-cni.yml, and swap the ClusterRoles pks-privileged and pks-restricted mentioned throughout these files for your own PSP roles.
  4. It doesn't fix the need for Istio itself to run as root, but that should be fixed in a future Istio release, as it's already fixed in trunk.
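The two pieces item 3 tells you to adapt, as an added illustration that is not part of the original gist: a values-cni.yml override for the istio-cni Helm chart, and a RoleBinding that gives one application namespace the restrictive PSP role. The CNI paths and the namespace name are assumed placeholders; check your node's kubelet configuration for the real plugin directory.

```yaml
# values-cni.yml (added example; keys follow the Istio 1.4 istio-cni chart,
# paths and namespace list are assumptions to be replaced for your platform)
# Where the kubelet on the node loads CNI binaries and config from.
# PLACEHOLDER: confirm the real path on your worker nodes.
cniBinDir: /opt/cni/bin
cniConfDir: /etc/cni/net.d
# Namespaces the CNI plugin must never touch; without this, system pods in
# these namespaces would get Istio's iptables redirect injected.
excludeNamespaces:
  - istio-system
  - kube-system
  - pks-system
# The plugin DaemonSet still needs host access, so it is bound to the
# permissive PSP role; only the workloads are restricted.
psp_cluster_role: pks-privileged
---
# Bind the restrictive PSP role to every service account in one workload
# namespace (added example; "demo-app" is an assumed namespace name).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted
  namespace: demo-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pks-restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:demo-app
```

After applying the binding, a pod in demo-app that requests privileged mode or NET_ADMIN should be rejected by the admission controller, which is the check that the sidecar's init container has really been replaced by the CNI plugin.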

Prerequisites

  1. You are logged into your cluster as a cluster admin, and the cluster is running Kubernetes 1.14 or later.