I have a GKE Autopilot cluster in version 1.27.3-gke.100 and I want to install Istio in it. The cluster was created without the tag --workload-policies=allow-net-admin. How do I enable it on an existing GKE cluster?
NET_ADMIN for service meshes such as Istio: Specify --workload-policies=allow-net-admin in your cluster creation command. Available on new and upgraded existing clusters running GKE version 1.27 and later.
I believe it is the last piece of the puzzle before having a working (Istio + GKE) autopilot set-up.
In case that it might be of someone's help, here are the steps I've done so far and how I solved it, before arriving at the dead end described above.
FAIL 1: Looks like Istio is asking to inject sidecars, but the traffic is lost. Solved by opening firewall rules.
FAIL 2 (and current): New deployments are not creating anything. Looks like the ReplicaSet is failing with:
Warning FailedCreate 6s (x17 over 5m36s) replicaset-controller Error creating: admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more constraints.
Violations details: {"[denied by autogke-default-linux-capabilities]":["linux capability 'NET_ADMIN' on container 'istio-init' not allowed; Autopilot only allows the capabilities: 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT,SYS_PTRACE'."]}
Requested by user: 'system:serviceaccount:kube-system:replicaset-controller', groups: 'system:serviceaccounts,system:serviceaccounts:kube-system,system:authenticated'.
1.27.3-gke.100. But the error persists.

After upgrading your GKE cluster to 1.27, run:
gcloud container clusters update CLUSTER_NAME --workload-policies=allow-net-admin
to enable the NET_ADMIN capability needed for Istio.
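As an added example (not part of the question or the answer above), a small pre-admission check that mirrors the Autopilot capability allowlist quoted in the Warden error: it walks a pod spec's init containers and containers and reports which added capabilities would be rejected, with and without the allow-net-admin workload policy. The pod spec is constructed to look like the istio-init container the sidecar injector adds; it is not taken from a real manifest.

```python
# Added example: predict GKE Autopilot's autogke-default-linux-capabilities verdict
# for a pod spec before applying it (e.g. rendered Istio manifests).

# Allowlist exactly as quoted in the Warden error on this page.
AUTOPILOT_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT", "SYS_PTRACE",
})


def allowed_caps(allow_net_admin: bool) -> frozenset:
    """Allowlist in effect; NET_ADMIN is only permitted once the workload policy is set."""
    if allow_net_admin:
        return AUTOPILOT_DEFAULT_CAPS | {"NET_ADMIN"}
    return AUTOPILOT_DEFAULT_CAPS


def capability_violations(pod_spec: dict, allow_net_admin: bool = False) -> list:
    """Return one message per disallowed capability, worded like the Warden output."""
    permitted = allowed_caps(allow_net_admin)
    violations = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            caps = c.get("securityContext", {}).get("capabilities", {}).get("add", [])
            for cap in caps:
                norm = cap.upper()
                if norm.startswith("CAP_"):  # accept both NET_ADMIN and CAP_NET_ADMIN spellings
                    norm = norm[4:]
                if norm not in permitted:
                    violations.append(
                        f"linux capability '{norm}' on container '{c.get('name', '?')}' not allowed"
                    )
    return violations


# Constructed sample (assumption): the init container Istio's sidecar injector adds.
ISTIO_INJECTED_POD = {
    "initContainers": [{
        "name": "istio-init",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}},
    }],
    "containers": [{"name": "app"}, {"name": "istio-proxy"}],
}

if __name__ == "__main__":
    print("without workload policy:", capability_violations(ISTIO_INJECTED_POD))
    print("with allow-net-admin:   ", capability_violations(ISTIO_INJECTED_POD, allow_net_admin=True))
```

NET_RAW is already on the default allowlist, so only NET_ADMIN is reported until the cluster's workload policy is updated.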