我的书签
添加书签
移除书签Pods and Services
To be part of a mesh, Kubernetes pods and services must satisfy the followingrequirements:
Named service ports: Service ports must be named. The port name key/valuepairs must have the following syntax:
name: <protocol>[-<suffix>]. SeeProtocol Selection formore details.Service association: A pod must belong to at least one Kubernetesservice even if the pod does NOT expose any port.If a pod belongs to multiple Kubernetes services,the services cannot use the same port number for different protocols, forinstance HTTP and TCP.
Deployments with app and version labels: We recommend adding an explicit
applabel andversionlabel to deployments. Add the labels to thedeployment specification of pods deployed using the KubernetesDeployment.Theappandversionlabels add contextual information to the metrics andtelemetry Istio collects.The
applabel: Each deployment specification should have a distinctapplabel with a meaningful value. Theapplabel is used to addcontextual information in distributed tracing.The
versionlabel: This label indicates the version of the applicationcorresponding to the particular deployment.
Application UIDs: Ensure your pods do not run applications as a userwith the user ID (UID) value of 1337.
NET_ADMINcapability: If your cluster enforces pod security policies,pods must allow theNET_ADMINcapability. If you use the Istio CNI Plugin,this requirement no longer applies. To learn more about theNET_ADMINcapability, see Required pod capabilities, below.
Ports used by Istio
The following ports and protocols are used by Istio. Ensure that there are noTCP headless services using a TCP port used by one of Istio’s services.
| Port | Protocol | Used by | Description |
|---|---|---|---|
| 8060 | HTTP | Citadel | GRPC server |
| 8080 | HTTP | Citadel agent | SDS service monitoring |
| 9090 | HTTP | Prometheus | Prometheus |
| 9091 | HTTP | Mixer | Policy/Telemetry |
| 9876 | HTTP | Citadel, Citadel agent | ControlZ user interface |
| 9901 | GRPC | Galley | Mesh Configuration Protocol |
| 15000 | TCP | Envoy | Envoy admin port (commands/diagnostics) |
| 15001 | TCP | Envoy | Envoy Outbound |
| 15006 | TCP | Envoy | Envoy Inbound |
| 15004 | HTTP | Mixer, Pilot | Policy/Telemetry - mTLS |
| 15010 | HTTP | Pilot | Pilot service - XDS pilot - discovery |
| 15011 | TCP | Pilot | Pilot service - mTLS - Proxy - discovery |
| 15014 | HTTP | Citadel, Citadel agent, Galley, Mixer, Pilot, Sidecar Injector | Control plane monitoring |
| 15020 | HTTP | Ingress Gateway | Pilot health checks |
| 15029 | HTTP | Kiali | Kiali User Interface |
| 15030 | HTTP | Prometheus | Prometheus User Interface |
| 15031 | HTTP | Grafana | Grafana User Interface |
| 15032 | HTTP | Tracing | Tracing User Interface |
| 15443 | TLS | Ingress and Egress Gateways | SNI |
| 15090 | HTTP | Mixer | Proxy |
| 42422 | TCP | Mixer | Telemetry - Prometheus |
Required pod capabilities
If pod security policiesare enforcedin your cluster and unless you use the Istio CNI Plugin, your pods must have theNET_ADMIN capability allowed. The initialization containers of the Envoyproxies require this capability.
To check if the NET_ADMIN capability is allowed for your pods, you need to check if theirservice accountcan use a pod security policy that allows the NET_ADMIN capability.If you haven’t specified a service account in your pods’ deployment, the pods run usingthe default service account in their deployment’s namespace.
To list the capabilities for a service account, replace <your namespace> and <your service account>with your values in the following command:
$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:<your namespace>:<your service account>) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
For example, to check for the default service account in the default namespace, run the following command:
$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
If you see NET_ADMIN or * in the list of capabilities of one of the allowedpolicies for your service account, your pods have permission to run the Istio init containers.Otherwise, you will need to provide the permission.
See also
Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.
Demystifying Istio's Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.
Install Istio with the Istio CNI plugin
Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.
Provision and manage DNS certificates in Istio.
A more secure way to manage Istio webhooks.
Customizable Install with Helm
Install and configure Istio for in-depth evaluation or production use.
