Istio integration

Calico policy integrates with Istio to allow you to write policies that enforce against application layer attributes like HTTP methods or paths as well as against cryptographically secure identities. In this lab we will enable this integration and test it out.

Install FlexVolume driver

Calico uses a FlexVolume driver to enable secure connectivity between Felix and the Dikastes container running in each pod. It mounts a shared volume into which Felix inserts a Unix Domain Socket.

On each node in the cluster, execute the following commands to install the FlexVolume driver binary.

sudo mkdir -p /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
sudo docker run --rm \
  -v /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds:/host/driver \
  calico/pod2daemon-flexvol:v3.20.0

Verify the uds binary is present

ls -lh /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds

Result

total 5.2M
-r-xr-x--- 1 root root 5.2M Jul 25 22:31 uds

Install Istio

Follow the instructions here to enable application layer policy, install Istio, update the Istio sidecar injector and add Calico authorization services to the Istio mesh.

Add Istio namespace label to the default namespace

Application layer policy is only enforced on pods that are started with the Envoy and Dikastes sidecars. Pods that do not have these sidecars will only enforce standard Calico network policy.

You can control this on a per-namespace basis. To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled.

Label the default namespace, which you will use for the tutorial.

kubectl label namespace default istio-injection=enabled
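Sidecars are injected when a pod is created, so pods that were already running in the namespace before the label was applied keep their original container set and, as described above, are covered only by standard Calico network policy. The following is an added audit script, not part of the Calico documentation or project code, that reads the JSON produced by kubectl get namespace default -o json and kubectl get pods -n default -o json and reports pods that lack either sidecar. It assumes the sidecar containers are named istio-proxy (Envoy) and dikastes, and the pod and namespace objects below are constructed samples rather than captured cluster output.

```python
import json
import sys

# Assumed sidecar container names for Calico's Istio integration:
# "istio-proxy" is the Envoy proxy, "dikastes" is Calico's authorization sidecar.
REQUIRED_SIDECARS = ("istio-proxy", "dikastes")
INJECTION_LABEL = "istio-injection"

# Constructed sample shaped like `kubectl get namespace default -o json`.
SAMPLE_NAMESPACE = json.dumps({
    "metadata": {"name": "default", "labels": {INJECTION_LABEL: "enabled"}}
})

# Constructed sample shaped like `kubectl get pods -n default -o json`:
# one fully injected pod, one pre-label pod, one pod with only Envoy.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "frontend-1", "namespace": "default"},
         "spec": {"containers": [{"name": "frontend"},
                                 {"name": "istio-proxy"},
                                 {"name": "dikastes"}]}},
        {"metadata": {"name": "legacy-2", "namespace": "default"},
         "spec": {"containers": [{"name": "legacy"}]}},
        {"metadata": {"name": "half-3", "namespace": "default"},
         "spec": {"containers": [{"name": "app"}, {"name": "istio-proxy"}]}},
    ]
})


def namespace_injection_enabled(namespace_json):
    """True if the namespace carries istio-injection=enabled."""
    ns = json.loads(namespace_json)
    labels = ns.get("metadata", {}).get("labels") or {}
    return labels.get(INJECTION_LABEL) == "enabled"


def missing_sidecars(pod):
    """Return the required sidecar names absent from this pod's spec."""
    names = {c["name"] for c in pod.get("spec", {}).get("containers", [])}
    return [s for s in REQUIRED_SIDECARS if s not in names]


def audit_pod_list(pod_list_json):
    """Map each pod lacking a sidecar to the list of sidecars it is missing.

    Pods that appear here are enforced only by standard Calico network
    policy; application layer policy does not apply to them.
    """
    report = {}
    for pod in json.loads(pod_list_json).get("items", []):
        missing = missing_sidecars(pod)
        if missing:
            report[pod["metadata"]["name"]] = missing
    return report


def main():
    if not namespace_injection_enabled(SAMPLE_NAMESPACE):
        print("namespace is not labelled istio-injection=enabled; new pods "
              "will not receive the Envoy and Dikastes sidecars")
    report = audit_pod_list(SAMPLE_POD_LIST)
    for name, missing in report.items():
        print(f"{name}: missing {', '.join(missing)}; "
              "only standard Calico network policy applies (restart to inject)")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main())
```

To run this against a live cluster, replace the two constructed samples with the output of the kubectl commands named in the lead-in; a non-zero exit status means at least one pod in the namespace is outside application layer policy enforcement.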

Test application layer policy

You can test application layer policy by following the Application Layer Policy tutorial.