Istio integration

Calico policy integrates with Istio to allow you to write policies that enforce against application layer attributes like HTTP methods or paths as well as against cryptographically secure identities. In this lab we will enable this integration and test it out.

Install CSI driver

Calico uses a Container Storage Interface (CSI) driver to enable secure connectivity between Felix and the Dikastes container running in each pod. It mounts a shared volume into which Felix inserts a Unix Domain Socket.

Execute the following command to install the CSI driver.

  kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/csi-driver.yaml

Verify the csi-node-driver pods are running.

  kubectl get pods -n calico-system

You should see something similar to the following:

  csi-node-driver-gk9mq 2/2 Running 0 2m9s
  csi-node-driver-jhngv 2/2 Running 0 2m9s
  csi-node-driver-kcqnj 2/2 Running 0 2m9s
  csi-node-driver-n78lx 2/2 Running 0 2m9s
  csi-node-driver-nrbvd 2/2 Running 0 2m9s

Install Istio

Follow the instructions here to enable application layer policy, install Istio, update the Istio sidecar injector and add Calico authorization services to the Istio mesh.

Add Istio namespace label to the default namespace

Application layer policy is only enforced on pods that are started with the Envoy and Dikastes sidecars. Pods without these sidecars are still subject to standard Calico network policy, but application layer rules are not enforced on them.

You can control this on a per-namespace basis. To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled.

Label the default namespace, which you will use for the tutorial.

  kubectl label namespace default istio-injection=enabled

Test application layer policy

You can test application layer policy by following the Application Layer Policy tutorial.
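The following manifest is an added example, not part of the original page or of the Calico tutorial it links to. It shows the kind of policy the introduction describes: a Calico NetworkPolicy that combines a cryptographic identity match (the source pod's Kubernetes service account, as attested by Istio) with application layer matches on HTTP method and path. The workload label app == 'frontend', the service account name backend-client and the paths are assumed values chosen for illustration; substitute your own. Because the http and serviceAccounts matches are evaluated by the Dikastes sidecar, this policy only takes full effect on pods in a namespace labelled istio-injection=enabled and restarted after the label was applied.

```yaml
# Added example: restrict the 'frontend' workload to read-only HTTP
# requests from pods running as the 'backend-client' service account.
# Names below are assumed for illustration, not taken from the page.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-readonly-from-backend-client
  namespace: default
spec:
  # Pods this policy applies to (assumed label).
  selector: app == 'frontend'
  ingress:
    - action: Allow
      # Application layer match: only GET requests to / or under /static.
      http:
        methods: ["GET"]
        paths:
          - exact: "/"
          - prefix: "/static"
      # Identity match: the calling pod's service account, verified via the
      # Istio mTLS identity rather than a spoofable IP address.
      source:
        serviceAccounts:
          names: ["backend-client"]
  # No other ingress rules, so any other caller, method or path is denied.
  types:
    - Ingress
```

Apply it with kubectl apply -f and exercise it from a pod in the default namespace with and without the named service account: a GET to /static/ from backend-client should succeed, while a POST, a request to another path, or a request from a pod running as a different service account should be refused by the sidecar. If the policy appears to have no effect, first confirm the pods show the extra sidecar containers in kubectl get pods, since pods created before the namespace label was added do not receive them.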