The Istio CNI plugin removes the need for each application pod to have a privileged container. For further information, see the Istio CNI Plugin docs. Please note that the .

The steps differ based on the Rancher version.

  1. Set the PodSecurityPolicy to unrestricted.
  2. Verify that the CNI is working.

Set the PSP to unrestricted in the project where Istio is installed, or the project where you plan to install Istio.

  1. From the cluster view of the Cluster Manager, select Projects/Namespaces.
  2. Find the Project: System and select the ⋮ > Edit.

2. Enable the CNI

When installing or upgrading Istio through Apps & Marketplace:

  1. Click Components.
  2. Check the box next to Enabled CNI.
  3. Finish installing or upgrading Istio.

The CNI can also be enabled by editing the values.yaml:

Istio should install successfully with the CNI enabled in the cluster.

Prerequisites:

  • The cluster must be an RKE Kubernetes cluster.
  • The cluster must have been created with a default PodSecurityPolicy.

To enable pod security policy support when creating a Kubernetes cluster in the Rancher UI, go to Advanced Options. In the Pod Security Policy Support section, click Enabled. Then select a default pod security policy.

  1. Configure the System Project Policy to allow Istio install.
  2. Install Istio.

1. Configure the System Project Policy to allow Istio install

  1. From the cluster view of the Cluster Manager, select Projects/Namespaces.
  2. Find the Project: System and select the ⋮ > Edit.
  3. Change the Pod Security Policy option to be unrestricted, then click Save.

  1. From the main menu of the Dashboard, select Projects/Namespaces.
  2. Choose Tools > Catalogs in the navigation bar.
  3. Add a catalog with the following:
    1. Name: istio-cni
    2. Catalog URL: https://github.com/istio/cni
    3. Branch: The branch that matches your current release, for example: .
  4. From the main menu, select Apps.
  5. Click Launch and select istio-cni.
  6. Update the namespace to be “kube-system”.
  7. In the answers section, click “Edit as YAML” and paste in the following, then click Launch:
      ---
      logLevel: "info"
      - "kube-system"

3. Install Istio

Follow the primary instructions, adding a custom answer: .

After Istio has finished installing, the Apps page in System Projects should show both istio and istio-cni applications deployed successfully. Sidecar injection will now be functional.
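To check that application pods no longer carry a privileged container once the CNI is enabled, the following added example (not part of the Rancher or Istio documentation) audits the output of `kubectl get pods -A -o json`. Without the CNI plugin, sidecar injection adds an `istio-init` init container that requests `NET_ADMIN` and `NET_RAW`; the pod names, the `shop` namespace and the skipped-namespace list below are constructed assumptions.

```python
import json
import sys

# Capabilities the istio-init container adds when the CNI plugin is not in use.
NET_CAPS = {"NET_ADMIN", "NET_RAW"}
# Assumption: mesh and CNI components (which legitimately need privileges) live here.
SKIP_NS = {"kube-system", "istio-system"}

def elevated_containers(pod_list, skip_ns=SKIP_NS):
    """Return (namespace, pod, container, reasons) for every container or init
    container outside skip_ns that is privileged or adds NET_ADMIN / NET_RAW."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        if meta.get("namespace") in skip_ns:
            continue
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            sc = c.get("securityContext") or {}
            caps = set((sc.get("capabilities") or {}).get("add") or [])
            reasons = (["privileged"] if sc.get("privileged") else []) + sorted(caps & NET_CAPS)
            if reasons:
                findings.append((meta.get("namespace"), meta.get("name"), c.get("name"), reasons))
    return findings

# Constructed sample: one pod injected before the CNI was enabled, one after,
# and the CNI node agent itself in kube-system.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "cart-old"},
     "spec": {"initContainers": [{"name": "istio-init", "securityContext":
                  {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
              "containers": [{"name": "cart"}]}},
    {"metadata": {"namespace": "shop", "name": "cart-new"},
     "spec": {"initContainers": [{"name": "istio-validation", "securityContext":
                  {"capabilities": {"drop": ["ALL"]}}}],
              "containers": [{"name": "cart", "securityContext": {"privileged": False}}]}},
    {"metadata": {"namespace": "kube-system", "name": "istio-cni-node-x"},
     "spec": {"containers": [{"name": "install-cni", "securityContext": {"privileged": True}}]}},
]}

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in, or run with no input to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, ctr, why in elevated_containers(data):
        print(f"{ns}/{pod} container={ctr} {'+'.join(why)}")
```

Pods that still show up after the CNI is enabled were injected before the change and keep the old init container until they are recreated.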