Updated on 2024-09-24 GMT+08:00

How Do I Fix Compatibility Issues Between Istio CNI and Init Containers?

Context

The Istio CNI plugin may cause network connectivity issues for init containers. When using Istio CNI, kubelet starts a pod with the following steps:

  1. The Istio CNI plugin sets up traffic redirection to the Istio sidecar within the pod.
  2. All init containers execute and complete successfully.
  3. The Istio sidecar starts in the pod along with the pod's other containers.

Init containers execute before the sidecar starts, but the redirection rules are already in place. Any request sent by an init container is therefore redirected to a sidecar that has not yet started, and the connection fails. The result is traffic loss (typically connection refused or a hang until timeout) for the whole time the init containers run.

Solutions

You can use any of the following methods to avoid this traffic loss:

  • Set the UID of the init container to 1337 using runAsUser. 1337 is the UID the sidecar runs as, and Istio's iptables rules exempt traffic from this UID so that the sidecar's own outbound connections are not looped back into it. Traffic from the init container is then not captured, while application container traffic is still captured as usual. Note that the init container then runs as an unprivileged user, so it must not rely on root privileges.
  • Set the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation for the CIDR that the init container communicates with to prevent the traffic from being redirected to the sidecar.
  • Set the traffic.sidecar.istio.io/excludeOutboundPorts annotation for the port that the init container uses to prevent the traffic from being redirected to the sidecar.

Use the IP/port exclusion annotations with caution because they apply to both init container traffic and application container traffic. Application traffic sent to the configured IP range or port will bypass the Istio sidecar. With all three methods, traffic that bypasses the sidecar leaves the pod without Istio mTLS or authorization policies applied; if the destination is a mesh workload with a STRICT peer authentication policy, such plaintext connections are rejected, so the init container must target a non-mesh endpoint or handle TLS itself.
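The following manifest is an added example showing the three methods side by side; it is not code from the original page or from the Istio project. The namespace, image names, the database address, the CIDR 10.96.0.0/12 and port 5432 are assumptions chosen for illustration. Method 1 is active; methods 2 and 3 are shown commented out in the pod annotations so that only one is enabled at a time.

```yaml
# Added example (not from the page): a Deployment whose init container waits
# for a backing database before the application container starts. All names,
# images, the CIDR and the port below are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders
  namespace: shop        # assumed to have sidecar injection enabled
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders
  template:
    metadata:
      labels:
        app: orders
      annotations:
        # Method 2: skip redirection for the database CIDR (assumed range).
        # Applies to the init container AND the application container.
        # traffic.sidecar.istio.io/excludeOutboundIPRanges: "10.96.0.0/12"
        #
        # Method 3: skip redirection for the database port (assumed port).
        # Also applies to every container in the pod.
        # traffic.sidecar.istio.io/excludeOutboundPorts: "5432"
        sidecar.istio.io/inject: "true"
    spec:
      initContainers:
        - name: wait-for-db
          image: busybox:1.36
          # Poll the (hypothetical) database until a TCP connect succeeds.
          command:
            - sh
            - -c
            - until nc -z db.shop.svc.cluster.local 5432; do sleep 2; done
          securityContext:
            # Method 1: run as the sidecar's UID (1337). Istio's iptables
            # rules exempt this UID, so the probe above is not redirected to
            # the not-yet-started sidecar. The container is unprivileged.
            runAsUser: 1337
            runAsNonRoot: true
      containers:
        - name: orders
          image: example.com/shop/orders:1.0   # hypothetical image
          ports:
            - containerPort: 8080
          # No runAsUser: 1337 here, so application traffic is still
          # redirected through the sidecar as usual.
```

To confirm that method 1 takes effect, inspect the nat table in the pod's network namespace (for example from a debug container with NET_ADMIN): the ISTIO_OUTPUT chain contains a rule of the form `-m owner --uid-owner 1337 -j RETURN`, which is the exemption the init container relies on. With methods 2 or 3, the excluded CIDR or port appears as a RETURN rule in the same table.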

For details, visit https://istio.io/latest/docs/setup/additional-setup/cni/.