Add note about istio-cni security #16749
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -40,6 +40,10 @@ The implications of this are discussed [below](#node-compromise). | |||||||||||||
| Because this consolidates the elevated privileges required to setup networking into a single pod, rather than *every* pod, | ||||||||||||||
| this option is generally recommended. | ||||||||||||||
|
|
||||||||||||||
| #### Ambient Mode | ||||||||||||||
|
|
||||||||||||||
| In ambient mode, the Istio CNI plugin (and the associated node agent) manages mesh enrollment for pods living on its node. Due to limitations in the Kubernetes API, it is not currently possible for the CNI plugin or its node agent to prevent pods from being scheduled on the node before the CNI plugin is installed and configured. This can occur even if using node cordons + taints as described [in our upgrade documentation](/docs/ambient/upgrade/helm#cni-node-agent). In these rare cases (e.g. on node restart or new node scale out), it is possible that a pod that is labeled for mesh enrollment may come up before the CNI's traffic redirection rules are applied, meaning that policies won't be enforced until after the CNI comes up and that pod is restarted. The Istio community is working with [various](https://github.com/containernetworking/cni/pull/1052) [upstream](https://github.com/kubernetes/kubernetes/issues/130594) communities to address this limitation, but in the meantime, you can enable [owned CNI mode](https://github.com/jaellio/istio/blob/master/releasenotes/notes/55968.yaml) to mitigate these race conditions. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
Reformatted a little for clarity. I wouldn't have thought a pod restart was required anywhere along the way, but one is mentioned? (In the context of the node taint controller, @ilrudie told me that it was only a problem until the CNI agent claimed the pod)
Contributor
There was a problem hiding this comment. p.s. please fast-follow by documenting that owned CNI mode feature somewhere other than a relnote!
Contributor
Author
There was a problem hiding this comment. Yeah unfortunately a pod restart is required due to the nature of the bug 😓
Contributor
Author
There was a problem hiding this comment. Where should we document an env var based feature like this?
Contributor
There was a problem hiding this comment. Would we really not handle all existing pods when the CNI starts? We used to be able to do that.
Contributor
Author
There was a problem hiding this comment.
This sounds good to me - I wasn't aware/didn't fully understand the reconciliation aspect.
Contributor
There was a problem hiding this comment.
Somewhere in the ambient documentation relating to the CNI. We need to separate out the page under the "sidecar" section at some point
Contributor
There was a problem hiding this comment. @jaellio, that makes sense. I thought we did reconcile after installing the binary but if we don't then I can totally see how we'd sometimes wind up in limbo like this. Thanks for the explanation.
Contributor
There was a problem hiding this comment.
The CNI node agent upgrade section notes that the agent includes mechanisms to prevent pod scheduling issues and steps to prevent unsecured traffic leakage. We may also want to add a brief note covering this edge case.
Contributor
Author
There was a problem hiding this comment. Good call; we should definitely update that since restarts are the Wild West |
||||||||||||||
|
|
||||||||||||||
| ### Sidecar Proxies | ||||||||||||||
|
|
||||||||||||||
| Istio may [optionally](/docs/overview/dataplane-modes/) deploy a sidecar proxy next to an application. | ||||||||||||||
|
|
||||||||||||||
Uh oh!
There was an error while loading. Please reload this page.