Tags: google-kubernetes-engine, istio, autopilot

Install Istio on GKE Autopilot 1.27.3-gke.100

I have a GKE Autopilot cluster on version 1.27.3-gke.100 and I want to install Istio in it. The cluster was created without the --workload-policies=allow-net-admin flag. How do I enable it on an existing GKE cluster?

Reference:

NET_ADMIN for service meshes such as Istio: Specify --workload-policies=allow-net-admin in your cluster creation command. Available on new and upgraded existing clusters running GKE version 1.27 and later.

I believe this is the last piece of the puzzle before having a working Istio + GKE Autopilot set-up.

In case it is of help to someone, here are the steps I have taken so far and how I solved each problem, before arriving at the dead end described above.

FAIL 1: Looks like Istio is asking to inject sidecars, but the traffic is lost. Fix: open the firewall rules.

FAIL 2 (current): New deployments are not creating anything. Looks like the ReplicaSet is failing with:

    Warning  FailedCreate  6s (x17 over 5m36s)  replicaset-controller  Error creating: admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more constraints.
    Violations details: {"[denied by autogke-default-linux-capabilities]":["linux capability 'NET_ADMIN' on container 'istio-init' not allowed; Autopilot only allows the capabilities: 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT,SYS_PTRACE'."]}
    Requested by user: 'system:serviceaccount:kube-system:replicaset-controller', groups: 'system:serviceaccounts,system:serviceaccounts:kube-system,system:authenticated'.

Solution

  • After upgrading your GKE cluster to 1.27, run:

     gcloud container clusters update CLUSTER_NAME --workload-policies=allow-net-admin

    to enable the NET_ADMIN capability needed for Istio.
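As an added example (not part of the original question or answer), here is a small shell script that wraps the steps above: it reads the control-plane version, refuses to run the update on a cluster below 1.27 (the flag is only accepted from that version on), and then applies the workload policy. The gcloud `describe` and `update` subcommands and the `--workload-policies=allow-net-admin` flag are the ones used in the answer; the cluster name, region, script file name and helper function names are assumptions, and the Warden message passed to the parser helper is a constructed copy of the event text from the question.

```shell
#!/bin/sh
# Added example, not the original poster's code: enable the allow-net-admin
# workload policy on an existing GKE Autopilot cluster, after checking that
# the control plane already runs 1.27 or later.
set -eu

# Returns 0 when a GKE version string such as "1.27.3-gke.100" is 1.27 or newer.
gke_version_supports_net_admin() {
  version="$1"
  major="${version%%.*}"
  minor="${version#*.}"
  minor="${minor%%.*}"
  minor="${minor%%-*}"   # also tolerates a "1.27-gke.100" style string
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 27 ]; }; then
    return 0
  fi
  return 1
}

# Pulls the capability name out of a Warden FailedCreate event line, so you can
# confirm the rejection really is NET_ADMIN (the only one this policy fixes).
warden_denied_capability() {
  printf '%s\n' "$1" |
    sed -n "s/.*linux capability '\([A-Z_]*\)' on container.*/\1/p"
}

# Checks the version, then enables the policy. Cluster name and region are
# assumed arguments (Autopilot clusters are regional).
enable_net_admin() {
  cluster="$1"
  region="$2"
  current="$(gcloud container clusters describe "$cluster" --region "$region" \
               --format='value(currentMasterVersion)')"
  if ! gke_version_supports_net_admin "$current"; then
    echo "cluster $cluster is on $current; upgrade the control plane to 1.27+ first" >&2
    return 1
  fi
  gcloud container clusters update "$cluster" --region "$region" \
    --workload-policies=allow-net-admin
}

# Only touch a real cluster when a name and region are passed, e.g.
#   ./enable-net-admin.sh my-autopilot-cluster us-central1
if [ "$#" -eq 2 ]; then
  enable_net_admin "$1" "$2"
fi
```

Once the update finishes, the replicaset-controller retries the rejected Pod creation on its own, so the FailedCreate warnings should stop without redeploying; if a Deployment still shows no Pods, `kubectl rollout restart deployment/NAME` forces a fresh ReplicaSet that goes through the (now permissive) Warden check again.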